-
-
Notifications
You must be signed in to change notification settings - Fork 106
/
.htaccess
364 lines (337 loc) · 16.3 KB
/
.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
# Advanced PHP 7 eCommerce Website (https://22digital.co.za)
#
# (!) Using `.htaccess` files slows down Apache, therefore, if you have
# access to the main server configuration file (which is usually called
# `httpd.conf`), you should add this logic there and delete whatever is not
# relevant below.
#
# https://httpd.apache.org/docs/current/howto/htaccess.html
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# @copyright Copyright (c) 22 Digital (https://22digital.co.za)
# @copyright Copyright (c) Justin Hartman (https://justinhartman.co)
# @author Justin Hartman <justin@hartman.me> (https://justinhartman.co)
# @link https://github.com/justinhartman/complete-php7-ecom-website GitHub Project
# @since 0.5.0
# @license https://opensource.org/licenses/AGPL-3.0 AGPL-3.0
# Set Default Resources.
DirectoryIndex index.php index.html index.htm
# Customize what Apache returns to the client in case of an error.
# https://httpd.apache.org/docs/current/mod/core.html#errordocument
ErrorDocument 404 /404.php
# Disable the pattern matching based on filenames.
# https://httpd.apache.org/docs/current/content-negotiation.html#multiviews
Options -MultiViews
# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
AddDefaultCharset utf-8
# Rewrite Rules
# Enable the Rewrite rules below if mod_rewrite is enabled in Apache.
<IfModule mod_rewrite.c>
# Turn Rewrite engine on to enable the rewrite rules.
RewriteEngine on
# Enable the `FollowSymLinks` option if it isn't already.
Options +FollowSymLinks
# If you are getting 500 or 404 errors on subpages, you may have to
# uncomment the RewriteBase entry. You should change the '/' to your
# appropriate subfolder. For example if you have your Shop installed at the
# root of your site, '/' should work, else it might be something along the
# lines of: RewriteBase /<your_sub_folder>
#
RewriteBase /
# Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
# appropriate schema automatically (http or https).
RewriteCond %{HTTPS} =on
RewriteRule ^ - [env=proto:https]
RewriteCond %{HTTPS} !=on
RewriteRule ^ - [env=proto:http]
# Redirect http to https
# RewriteCond %{HTTPS} !=on
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect www to non-www
# (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
# Redirect non-www to www
# (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Working rules to redirect login as well as login messages.
# RewriteRule ^login([^/]*)$ login.php [L]
# RewriteRule ^login/message/([^/]*)$ login.php?message=$1 [L]
RewriteRule ^shop/([^/]*)$ index.php?id=$1 [L]
RewriteRule ^shop/([^/]*)/$ index.php?id=$1 [L]
# RewriteRule ^index/([^/]*)$ index.php?id=$1 [L]
# RewriteRule login(.*) login.php [L]
RewriteRule login/message/(.*)/ login.php?message=$1 [L]
RewriteRule login/message/(.*) login.php?message=$1 [L]
# Exploits
# If you experience problems on your site block out the operations listed
# below. This attempts to block the most common type of exploit `attempts`.
#
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage.
RewriteRule .* index.php [F]
# Security
# Block all direct access for these folders.
RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
# Block access to specific file types for these system folders.
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block access to specific file types for these user folders.
RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files.
RewriteRule \.md$ error [F]
# Block all direct access to files and folders beginning with a dot.
RewriteRule (^|/)\.(?!well-known) - [F]
# Block access to specific files in the root folder.
RewriteRule ^(LICENSE|composer\.lock|composer\.json|\.htaccess)$ error [F]
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
# Cache static assets for 8 Hours (default). If you'd like to change the period,
# here are the values you can use. Replace "max-age" with one of these below:
# 1 Month = 160704000
# 1 Week = 36288000
# 1 Day = 86400
# 1 Hour = 3600
# 1 Minute = 60
<FilesMatch "\.(jpg|png|css|js)$">
# Header set Cache-Control "public, proxy-revalidate, max-age=28800"
</FilesMatch>
# Prevent viewing of .htaccess file directly.
<Files .htaccess>
order allow,deny
deny from all
</Files>
</IfModule>
# Indexes
# Block access to directories without a default document.
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# Security
# Uncomment the following to prevent the httpoxy vulnerability
# See: https://httpoxy.org/
# <IfModule mod_headers.c>
# RequestHeader unset Proxy
# </IfModule>
# Allow cross-origin requests.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# See: https://enable-cors.org/
# See: https://www.w3.org/TR/cors/
# <IfModule mod_headers.c>
# Header set Access-Control-Allow-Origin "*"
# </IfModule>
# Send the CORS header for images when browsers request it.
# See: https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
<FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# Headers Module
# Allow cross-origin access to web fonts.
<IfModule mod_headers.c>
<FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
# Prevent some browsers from MIME-sniffing the response.
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
# Set XSS Protection.
<IfModule mod_headers.c>
# Try to re-enable the cross-site scripting (XSS) filter built into most web
# browsers. Prevent web browsers from rendering the web page if a potential
# reflected (a.k.a non-persistent) XSS attack is detected by the filter.
Header set X-XSS-Protection "1; mode=block"
# `mod_headers` cannot match based on the content-type, however, the
# `X-XSS-Protection` response header should be send only for HTML documents
# and not for the other resources.
<FilesMatch "\.(appcache|atom|bbaw|bmp|br|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|gz|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|wasm|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-XSS-Protection
</FilesMatch>
</IfModule>
# Document Modes
# Force Internet Explorer 8/9/10 to render pages in the highest mode
# available in the various cases when it may not.
<IfModule mod_headers.c>
Header set X-UA-Compatible "IE=edge"
# `mod_headers` cannot match based on the content-type, however,
# the `X-UA-Compatible` response header should be send only for
# HTML documents and not for the other resources.
<FilesMatch "\.(appcache|atom|bbaw|bmp|br|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|gz|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|wasm|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-UA-Compatible
</FilesMatch>
</IfModule>
# Media Types
# Serve resources with the proper media types (f.k.a. MIME types).
# See: https://www.iana.org/assignments/media-types/media-types.xhtml
# See: https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
<IfModule mod_mime.c>
# Data interchange
AddType application/atom+xml atom
AddType application/json json map topojson
AddType application/ld+json jsonld
AddType application/rss+xml rss
AddType application/vnd.geo+json geojson
AddType application/xml rdf xml
# JavaScript
# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
AddType text/javascript js mjs
# Manifest files
AddType application/manifest+json webmanifest
AddType application/x-web-app-manifest+json webapp
AddType text/cache-manifest appcache
# Media files
AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
AddType image/bmp bmp
AddType image/svg+xml svg svgz
AddType image/webp webp
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying them as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
AddType image/x-icon cur ico
# WebAssembly
AddType application/wasm wasm
# Web fonts
AddType font/woff woff
AddType font/woff2 woff2
AddType application/vnd.ms-fontobject eot
AddType font/ttf ttf
AddType font/collection ttc
AddType font/otf otf
# Other
AddType application/octet-stream safariextz
AddType application/x-bb-appworld bbaw
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-xpinstall xpi
AddType text/calendar ics
AddType text/markdown markdown md
AddType text/vcard vcard vcf
AddType text/vnd.rim.location.xloc xloc
AddType text/vtt vtt
AddType text/x-component htc
</IfModule>
# Mime Types
# Serve the following file types with the media type `charset` set to `UTF-8`.
# See: https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
<IfModule mod_mime.c>
AddCharset utf-8 .atom \
.bbaw \
.css \
.geojson \
.ics \
.js \
.json \
.jsonld \
.manifest \
.markdown \
.md \
.mjs \
.rdf \
.rss \
.topojson \
.vtt \
.webapp \
.webmanifest \
.xloc \
.xml
</IfModule>
# Access
# Block access to files that can expose sensitive information.
<IfModule mod_authz_core.c>
<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
Require all denied
</FilesMatch>
</IfModule>
# Compression / Web Performance
<IfModule mod_deflate.c>
# Force compression for mangled `Accept-Encoding` request headers.
# See: https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
# Compress all output labeled with one of the following media types.
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/wasm" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/collection" \
"font/eot" \
"font/opentype" \
"font/otf" \
"font/ttf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/calendar" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/markdown" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
# Map the following filename extensions to the specified
# encoding type in order to make Apache serve the file types
# with the appropriate `Content-Encoding` response header
# (do note that this will NOT make Apache compress them!).
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
</IfModule>