I'm trying to get browsers to cache assets over HTTPS. I am using MD5 fingerprinting method to allow long-term caching and I have this part working OK.
What doesn't work is setting the Cache-Control headers in Apache.
My config for both regular and SSL vhost contains:
ExpiresActive On
ExpiresByType text/css "now plus 1 year"
HTTP request to /test.css produces headers:
Cache-Control: max-age=31536000
Content-Type: text/css
Date: Wed, 15 May 2013 10:33:01 GMT
Etag: "7e572-19-4dcbdc8c04529"
Expires: Thu, 15 May 2014 10:33:01 GMT
Last-Modified: Wed, 15 May 2013 08:46:21 GMT
Server: Apache/2.2.15 (Oracle)
Vary: Accept-Encoding,User-Agent
But HTTPS request to same file produces headers:
Cache-Control: private, must-revalidate, no-cache, no-store
Content-Type: text/css
Date: Wed, 15 May 2013 10:33:58 GMT
Etag: "7e572-19-4dcbdc8c04529"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Wed, 15 May 2013 08:46:21 GMT
Server: Apache/2.2.15 (Oracle)
Vary: Accept-Encoding,User-Agent
BTW, Adding this right after the ExpiresByType:
Header unset Expires
Header unset Cache-Control
removes these headers from HTTP, but not from HTTPS request.
Also, I have verified that any other header I set gets passed, but not cache related headers like Cache-Control or Expires - these get overwritten somewhere.
Is this normal Apache behavior or some Oracle or Red Hat patch that aims to security?
Can this be turned off somehow?
System info:
OS: Oracle Linux 6.4 (RHEL 6.4 based)
Apache: 2.2.15 (from rpm)
