forked from forkcms/forkcms
-
Notifications
You must be signed in to change notification settings - Fork 3
/
.htaccess
174 lines (151 loc) · 5.79 KB
/
.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
# follow symlinks & disallow directory listing
# note: your hosting company might not allow these directives to be set. In that case,
# you should either find another hosting company (advised) or remove the line below.
Options +FollowSymlinks -Indexes
DirectorySlash Off
# Make sure the htaccessfile is protected
<Files .htaccess>
order allow,deny
deny from all
</Files>
# file etags (used when comparing local cached file to server file)
FileETag MTime Size
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth hoggers block
<IfModule mod_rewrite.c>
# set environment variable to let PHP know that urls are being rewritten
RewriteRule .* - [E=MOD_REWRITE:1]
# Protect against cross site tracing https://www.owasp.org/index.php/Cross_Site_Tracing
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# nice urls
RewriteEngine On
RewriteBase /
# allow the ck connector
RewriteRule src/Backend/Core/Js/ckfinder/core/connector/php/connector\.php - [L]
# allow the php-opcache-reset.php file
RewriteRule ^php-opcache-reset\.php - [L]
# allow our root index.php
RewriteRule ^index\.php$ - [L]
# forbidden extensions
RewriteRule \.asp - [F]
RewriteRule \.cgi - [F]
RewriteRule \.jsp - [F]
RewriteRule \.md - [F]
RewriteRule \.phar - [F]
RewriteRule \.php - [F]
RewriteRule \.php2 - [F]
RewriteRule \.php3 - [F]
RewriteRule \.php4 - [F]
RewriteRule \.php5 - [F]
RewriteRule \.php6 - [F]
RewriteRule \.php7 - [F]
RewriteRule \.php8 - [F]
RewriteRule \.php9 - [F]
RewriteRule \.pht - [F]
RewriteRule \.phtml - [F]
RewriteRule \.pl - [F]
RewriteRule \.py - [F]
RewriteRule \.sh - [F]
RewriteRule \.shtml - [F]
RewriteRule \.twig - [F]
RewriteRule \.xhtml - [F]
# forbidden files
RewriteRule Dockerfile - [F]
RewriteRule \.dockerignore - [F]
RewriteRule \.editorconfig - [F]
RewriteRule \.env - [F]
RewriteRule \.env.dist - [F]
RewriteRule \.env.local - [F]
RewriteRule \.gitattributes - [F]
RewriteRule \.gitignore - [F]
RewriteRule \.htaccess - [F]
RewriteRule \.php-version - [F]
RewriteRule \.scrutinizer.yml - [F]
RewriteRule bower\.json - [F]
RewriteRule codecov\.yml - [F]
RewriteRule composer\.json - [F]
RewriteRule composer\.lock - [F]
RewriteRule docker-compose\.override\.yml - [F]
RewriteRule docker-compose\.yml - [F]
RewriteRule gulpfile\.js - [F]
RewriteRule package\.json - [F]
RewriteRule phpstan\.neon - [F]
RewriteRule phpunit\.xml\.dist - [F]
RewriteRule yarn\.lock - [F]
# forbidden directories
RewriteRule \.git - [F]
RewriteRule \.github - [F]
RewriteRule app/config - [F]
RewriteRule bin/.* - [F]
RewriteRule src/Backend/Cache/CompiledTemplates - [F]
RewriteRule src/Console/.* - [F]
RewriteRule src/Frontend/Cache/CompiledTemplates - [F]
RewriteRule src/Frontend/Files/MediaLibrary/uploads - [F]
RewriteRule var/docker/.* - [F]
RewriteRule var/logs - [F]
RewriteRule vendor/.* - [F]
RewriteRule tests - [F]
# redirect all traffic to https
# <IfModule headers_module>
# Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
# </IfModule>
# SetEnvIf X-Forwarded-Proto "https" HTTPS=on
# RewriteCond %{HTTP:X-Forwarded-Proto} !https
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# one url to rule them all
# RewriteCond %{HTTP_HOST} !^www\.<domain>\.be [NC]
# RewriteRule ^(.*)$ https://www.<domain>.be/$1 [R=301,L]
# src dir should pass via the front controller
RewriteCond %{REQUEST_URI} ^/(src|src\/)$
RewriteRule . /index.php [NC,L]
# handle urls
RewriteCond %{REQUEST_URI} !^$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [NC,L]
</IfModule>
# file caching in browser
<IfModule mod_expires.c>
ExpiresActive On
<FilesMatch "\.(?i:ico|gif|jpe?g|png|svg|svgz|js|css|swf|ttf|otf|woff|woff2|eot)$">
ExpiresDefault "access plus 1 month"
</FilesMatch>
</IfModule>
# gzip on Apache 2
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml text/javascript text/css application/x-javascript application/xhtml+xml application/javascript application/json image/svg+xml
# these browsers do not support deflate
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch bMSIE !no-gzip !gzip-only-text/html
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force
</IfModule>
# gzip on Apache 1
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_item_include mime ^application/javascript$
mod_gzip_item_include mime ^application/x-javascript$
mod_gzip_item_include mime ^application/json$
mod_gzip_item_include mime ^application/xhtml+xml$
mod_gzip_item_include mime ^application/xml$
mod_gzip_item_include mime ^text/css$
mod_gzip_item_include mime ^text/html$
mod_gzip_item_include mime ^text/javascript$
mod_gzip_item_include mime ^text/plain$
mod_gzip_item_include mime ^text/xml$
mod_gzip_item_exclude mime ^image/
# browser issues
mod_gzip_item_exclude reqheader "User-agent: Mozilla/4.0[678]"
</IfModule>