forked from processwire/processwire
-
Notifications
You must be signed in to change notification settings - Fork 0
/
htaccess.txt
481 lines (361 loc) · 24 KB
/
htaccess.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
#################################################################################################
# START PROCESSWIRE HTACCESS DIRECTIVES
# @version 3.0
# @htaccessVersion 301
#################################################################################################
#
# Upgrading htaccess (or index) version 300 to 301
# -----------------------------------------------------------------------------------------------
# If you never modified your previous .htaccess file, then you can simply replace it with this
# one. If you have modified your .htaccess file, then you will want to copy/paste some updates
# to the old one instead:
# If your htaccess/index version is 300, upgrade to this version by replacing all of sections #5
# and #15 (Access Restrictions). Also take a look at section #9, which you might also consider
# replacing if using HTTPS, though it is not required. (For instance, HSTS might be worthwhile)
#
# Following that, optionally review the rest of the file to see if there are any other changes
# you also want to apply. Sections tagged "(v301)" are new or have significant changes.
#
# When finished, add a line at the top identical to the "htaccessVersion 301" that you see at
# the top of this file. This tells ProcessWire your .htaccess file is up-to-date.
#
# Resolving 500 errors
# -----------------------------------------------------------------------------------------------
# Depending on your server, some htaccess rules may not be compatible and result in a 500 error.
# If you experience this, find all instances of the term "(500)" in this file for suggestions on
# things you can change to resolve 500 errors.
#
# Optional features
# -----------------------------------------------------------------------------------------------
# Many of the rules in this .htaccess file are optional and commented out by default. While the
# defaults are okay for many, you may want to review each section in this .htaccess file for
# optional rules that you can enable to increase security, speed or best practices. To quickly
# locate all optional rules, search this file for all instances of "(O)".
#
# If using a load balancer
# -----------------------------------------------------------------------------------------------
# If using a load balancer (like those available from AWS) some htaccess rules will need to
# change. Search this file for instances of "(L)" for details.
#
# -----------------------------------------------------------------------------------------------
# 1. Apache Options
#
# Note: If you experience a (500) error, it may indicate your host does not allow setting one or
# more of these options. First try replacing the +FollowSymLinks with +SymLinksifOwnerMatch.
# If that does not work, try commenting them all out, then uncommenting one at a time to
# determine which one is the source of the 500 error.
# -----------------------------------------------------------------------------------------------
# Do not show directory indexes (strongly recommended)
Options -Indexes
# Do not use multiviews (v301)
Options -MultiViews
# Do follow symbolic links
Options +FollowSymLinks
# Options +SymLinksifOwnerMatch
# Character encoding: Serve text/html or text/plain as UTF-8
AddDefaultCharset UTF-8
# -----------------------------------------------------------------------------------------------
# 2. ErrorDocument settings: Have ProcessWire handle 404s
#
# For options and optimizations (O) see:
# https://processwire.com/blog/posts/optimizing-404s-in-processwire/
# -----------------------------------------------------------------------------------------------
ErrorDocument 404 /index.php
# -----------------------------------------------------------------------------------------------
# 3. Handle request for missing favicon.ico/robots.txt files (no ending quote for Apache 1.3)
# -----------------------------------------------------------------------------------------------
<Files favicon.ico>
ErrorDocument 404 "The requested file favicon.ico was not found.
</Files>
<Files robots.txt>
ErrorDocument 404 "The requested file robots.txt was not found.
</Files>
# -----------------------------------------------------------------------------------------------
# 4. Protect from XSS with Apache headers
# -----------------------------------------------------------------------------------------------
<IfModule mod_headers.c>
# prevent site from being loaded in an iframe on another site
# you will need to remove this one if you want to allow external iframes
Header always append X-Frame-Options SAMEORIGIN
# To prevent cross site scripting (IE8+ proprietary)
Header set X-XSS-Protection "1; mode=block"
# Optionally (O) prevent mime-based attacks via content sniffing (IE+Chrome)
# Header set X-Content-Type-Options "nosniff"
</IfModule>
# -----------------------------------------------------------------------------------------------
# 5. Prevent access to various types of files (v301)
#
# Note that some of these rules are duplicated by RewriteRules or other .htaccess files, as we
# try to maintain two layers of protection when/where possible.
# -----------------------------------------------------------------------------------------------
# 5A. Block access to inc, info, info.json/php, module/php, sh, sql and composer files
# -----------------------------------------------------------------------------------------------
<FilesMatch "\.(inc|info|info\.(json|php)|module|module\.php|sh|sql)$|^\..*$|composer\.(json|lock)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
</IfModule>
</FilesMatch>
# 5B. Block bak, conf, dist, ini, log, orig, sh, sql, swo, swp, ~, and more
# -----------------------------------------------------------------------------------------------
<FilesMatch "(^#.*#|\.(bak|conf|dist|in[ci]|log|orig|sh|sql|sw[op])|~)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
</IfModule>
</FilesMatch>
# -----------------------------------------------------------------------------------------------
# 6. Override a few PHP settings that can't be changed at runtime (not required)
# Note: try commenting out this entire section below if getting Apache (500) errors.
# -----------------------------------------------------------------------------------------------
<IfModule mod_php5.c>
php_flag magic_quotes_gpc off
php_flag magic_quotes_sybase off
php_flag register_globals off
</IfModule>
# -----------------------------------------------------------------------------------------------
# 7. Set default directory index files
# -----------------------------------------------------------------------------------------------
DirectoryIndex index.php index.html index.htm
# -----------------------------------------------------------------------------------------------
# 8. Enable Apache mod_rewrite (required)
# -----------------------------------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine On
# 8A. Optionally (O) set a rewrite base if rewrites are not working properly on your server.
# -----------------------------------------------------------------------------------------------
# In addition, if your site directory starts with a "~" you will most likely have to use this.
# https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
# Examples of RewriteBase (root and subdirectories):
# RewriteBase /
# RewriteBase /pw/
# RewriteBase /~user/
# 8B. Set an environment variable so the installer can detect that mod_rewrite is active.
# -----------------------------------------------------------------------------------------------
# Note that some web hosts don't support this. If you get a (500) error, try commenting out this
# SetEnv line below.
<IfModule mod_env.c>
SetEnv HTTP_MOD_REWRITE On
</IfModule>
# -----------------------------------------------------------------------------------------------
# 9. Optionally Force HTTPS (O)
# -----------------------------------------------------------------------------------------------
# Note that on some web hosts you may need to replace %{HTTPS} with %{ENV:HTTPS} in order
# for it to work (in sections 9A and 9D below). If on a load balancer or proxy setup, you will
# likely need to use 9B rather than 9A, and 9E rather than 9D.
# -----------------------------------------------------------------------------------------------
# 9A. To redirect HTTP requests to HTTPS, uncomment the lines below (also see note above):
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTPS} !=on
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# 9B. If using load balancer/AWS or behind proxy, use the following rather than 9A above: (L)
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTP:X-Forwarded-Proto} =http
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# 9C. If using cPanel AutoSSL or Let's Encrypt webroot you may need to MOVE one of the below
# lines after the first RewriteCond in 9A or 9B to allow certificate validation:
# -----------------------------------------------------------------------------------------------
# RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
# RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[\w-]+$
# RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
# 9D. Store current scheme in a 'proto' environment variable for later use
# -----------------------------------------------------------------------------------------------
RewriteCond %{HTTPS} =on
RewriteRule ^ - [env=proto:https]
RewriteCond %{HTTPS} !=on
RewriteRule ^ - [env=proto:http]
# 9E. If using load balancer/AWS or behind proxy, use lines below rather than 9D: (L)
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTP:X-Forwarded-Proto} =https
# RewriteRule ^ - [env=proto:https]
# RewriteCond %{HTTP:X-Forwarded-Proto} =http
# RewriteRule ^ - [env=proto:http]
# 9F. Tell web browsers to only allow access via HSTS: Strict-Transport-Security (O) (v301)
# -----------------------------------------------------------------------------------------------
# This forces client-side SSL redirection. Before enabling be absolutely certain you can
# always serve via HTTPS because it becomes non-revokable for the duration of your max-age.
# See link below for details and options (note 'max-age=31536000' is 1-year):
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
<IfModule mod_headers.c>
# Uncomment one (1) line below & adjust as needed to enable Strict-Transport-Security (HSTS):
# Header always set Strict-Transport-Security "max-age=31536000;"
# Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains"
# Header always set Strict-Transport-Security "max-age=31536000; preload"
# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
# Section 10 intentionally omitted for future use
# -----------------------------------------------------------------------------------------------
# 11. Nuisance blocking/firewall
# -----------------------------------------------------------------------------------------------
# None of these are enabled by default, but are here for convenience when the need arises.
# Review and uncomment as needed. For more complete firewall (and more overhead), the 7G firewall
# (or latest version) is worth considering, see: https://perishablepress.com/7g-firewall/
# -----------------------------------------------------------------------------------------------
# 11A. Block via IP addresses
# -----------------------------------------------------------------------------------------------
# Note that IP addresses here are examples only and should be replaced with actual IPs.
# Block single IP address
# Deny from 111.222.333.444
# Block multiple IP addresses
# Deny from 111.222.333.444 44.33.22.11
# Block IP address ranges (999.88.*, 99.88.77.*, 1.2.3.*)
# Deny from 999.888 99.88.77 1.2.3
# 11B. Block via request URI (matches strings anywhere in request URL)
# -----------------------------------------------------------------------------------------------
# RewriteCond %{REQUEST_URI} (bad-word|wp-admin|wp-content) [NC]
# RewriteRule .* - [F,L]
# 11B. Block via user agent strings (matches strings anywhere in user-agent)
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTP_USER_AGENT} (bad-bot|mean-bot) [NC]
# RewriteRule .* - [F,L]
# 11C. Block via remote hosts
# -----------------------------------------------------------------------------------------------
# RewriteCond %{REMOTE_HOST} (bad-host|annoying-host) [NC]
# RewriteRule .* - [F,L]
# 11D. Block via HTTP referrer (matches anywhere in referrer URL)
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTP_REFERER} (bad-referrer|gross-referrer) [NC]
# RewriteRule .* - [F,L]
# 11E. Block unneeded request methods (only if you do not need them)
# -----------------------------------------------------------------------------------------------
# RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
# RewriteRule .* - [F,L]
# 11F. Limit file upload size from Apache (i.e. 10240000=10 MB, adjust as needed)
# -----------------------------------------------------------------------------------------------
# LimitRequestBody 10240000
# -----------------------------------------------------------------------------------------------
# 12. Access Restrictions: Keep web users out of dirs or files that begin with a period,
# but let services like Lets Encrypt use the webroot authentication method.
# -----------------------------------------------------------------------------------------------
RewriteRule "(^|/)\.(?!well-known)" - [F]
# -----------------------------------------------------------------------------------------------
# 13. Optional domain redirects (O)
#
# Redirect domain.com to www.domain.com redirect (or www to domain.com redirect).
# To use, uncomment either 13A, 13B or 13C. Do not use more than one of them. 13A and 13B
# redirect non-www hosts to www.domain.com, 13C redirects www.domain.com host to domain.com.
# -----------------------------------------------------------------------------------------------
# 13A. Redirect domain.com and *.domain.com to www.domain.com (see also 13B as alternate):
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteCond %{SERVER_ADDR} !=127.0.0.1
# RewriteCond %{SERVER_ADDR} !=::1
# RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# 13B. Alternate www redirect if 13A does not work for your server:
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# 13C. Redirect www.domain.com to domain.com (do not combine with 13A or 13B):
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
# -----------------------------------------------------------------------------------------------
# 14. Optionally send URLs with non-ASCII name-format characters to 404 page (optimization).
#
# This ensures that ProcessWire does not spend time processing URLs that we know ahead of time
# are going to result in 404s. Uncomment lines below to enable. (O)
# -----------------------------------------------------------------------------------------------
# RewriteCond %{REQUEST_URI} "[^-_.a-zA-Z0-9/~]"
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule ^(.*)$ index.php?it=/http404/ [L,QSA]
# -----------------------------------------------------------------------------------------------
# 15. Access Restrictions (v301)
# -----------------------------------------------------------------------------------------------
# 15A. Keep http requests out of specific files and directories
# -----------------------------------------------------------------------------------------------
# Prevent all the following rules from blocking images in site install directories
RewriteCond %{REQUEST_URI} !(^|/)site-[^/]+/install/[^/]+\.(jpg|jpeg|png|gif|webp|svg)$
# Block access to any htaccess files
RewriteCond %{REQUEST_URI} (^|/)(\.htaccess|htaccess\..*)$ [NC,OR]
# Block access to various assets directories
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/assets/(cache|logs|backups|sessions|config|install|tmp)($|/.*$) [NC,OR]
# Block access to the /site/install/ directories
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/install($|/.*$) [NC,OR]
# Block dirs in /site/assets/dirs that start with a hyphen (see config.pagefileSecure)
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/assets.*/-.+/.* [NC,OR]
# Block access to /wire/config.php, /site/config.php, /site/config-dev.php, /wire/index.config.php, etc.
RewriteCond %{REQUEST_URI} (^|/)(wire|site|site-[^/]+)/(config|index\.config|config-dev)\.php($|/) [NC,OR]
# Block access to any PHP-based files in /site/templates-admin/ or /wire/templates-admin/
RewriteCond %{REQUEST_URI} (^|/)(wire|site|site-[^/]+)/templates-admin($|/|/.*\.(php|html?|tpl|inc))($|/) [NC,OR]
# Block access to any PHP or markup files in /site/templates/ or /site-*/templates/
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))($|/) [NC,OR]
# Block access to any files in /site/classes/ or /site-*/classes/
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/classes($|/.*) [NC,OR]
# Block access to any PHP files within /site/assets/ and further
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/assets($|/|/.*\.ph(p|ps|tml|p[0-9]))($|/) [NC,OR]
# Block access to any PHP, module, inc or info files in core or core modules directories
RewriteCond %{REQUEST_URI} (^|/)wire/(core|modules)/.*\.(php|inc|tpl|module|info\.json)($|/) [NC,OR]
# Block access to any PHP, tpl or info.json files in /site/modules/ or /site-*/modules/
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/modules/.*\.(php|inc|tpl|module|info\.json)$ [NC,OR]
# Block access to any software identifying txt, markdown or textile files
RewriteCond %{REQUEST_URI} (^|/)(COPYRIGHT|INSTALL|README|htaccess)\.(txt|md|textile)$ [NC,OR]
# Block potential arbitrary backup files within site directories for things like config
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/(config[^/]*/?|[^/]+\.php.*)$ [NC,OR]
# Block access throughout to temporary files ending with tilde created by certain editors
RewriteCond %{REQUEST_URI} \.(html?|inc|json|lock|module|php|py|rb|sh|sql|tpl|tmpl|twig)~$ [NC,OR]
# Block access to names of potential backup file extensions within wire or site directories
RewriteCond %{REQUEST_URI} (^|/)(wire/|site[-/]).+\.(bak|old|sql|sw[op]|(bak|php|sql)[./]+.*)[\d.]*$ [NC,OR]
# Block all http access to the default/uninstalled site-default directory
RewriteCond %{REQUEST_URI} (^|/)site-default/
# If any conditions above match, issue a 403 forbidden
RewriteRule ^.*$ - [F,L]
# 15B. Block archive file types commonly used for backup purposes (O)
# -----------------------------------------------------------------------------------------------
# This blocks requests for zip, rar, tar, gz, and tgz files that are sometimes left on servers
# as backup files, and thus can be problematic for security. This rule blocks those files
# unless they are located within the /site/assets/files/ directory. This is not enabled by
# default since there are many legitimate use cases for these files, so uncomment the lines
# below if you want to enable this.
# RewriteCond %{REQUEST_URI} \.(zip|rar|tar|gz|tgz)$ [NC]
# RewriteCond %{REQUEST_URI} !(^|/)(site|site-[^/]+)/assets/files/\d+/ [NC]
# RewriteRule ^.*$ - [F,L]
# PW-PAGENAME
# -----------------------------------------------------------------------------------------------
# 16A. Ensure that the URL follows the name-format specification required by PW
# See also directive 16b below, you should choose and use either 16a or 16b.
# -----------------------------------------------------------------------------------------------
RewriteCond %{REQUEST_URI} "^/~?[-_.a-zA-Z0-9/]*$"
# -----------------------------------------------------------------------------------------------
# 16B. Alternative name-format specification for UTF8 page name support. (O)
# If used, comment out section 16a above and uncomment the directive below. If you have updated
# your $config->pageNameWhitelist make the characters below consistent with that.
# -----------------------------------------------------------------------------------------------
# RewriteCond %{REQUEST_URI} "^/~?[-_./a-zA-Z0-9æåäßöüđжхцчшщюяàáâèéëêěìíïîõòóôøùúûůñçčćďĺľńňŕřšťýžабвгдеёзийклмнопрстуфыэęąśłżź]*$"
# END-PW-PAGENAME
# -----------------------------------------------------------------------------------------------
# 17. If the request is for a file or directory that physically exists on the server,
# then don't give control to ProcessWire, and instead load the file
# -----------------------------------------------------------------------------------------------
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !(favicon\.ico|robots\.txt)
# -----------------------------------------------------------------------------------------------
# 18. Optionally (O) prevent PW from serving some file types, or anything in /site/assets/.
# Both of these lines are optional, but can help to reduce server load. However, they
# are not compatible with the $config->pagefileSecure option (if enabled) and they
# may produce an Apache 404 rather than your regular 404. You may uncomment the two lines
# below if you don't need to use the $config->pagefileSecure option. After uncommenting, test
# a URL like domain.com/site/assets/files/test.jpg to make sure you are getting a 404 and not
# your homepage. If getting your homepage, then either: do not use this option, or comment out
# section #2 above that makes ProcessWire the 404 handler.
# -----------------------------------------------------------------------------------------------
# RewriteCond %{REQUEST_URI} !\.(jpg|jpeg|gif|png|ico|webp|svg|js|css)$ [NC]
# RewriteCond %{REQUEST_FILENAME} !(^|/)site/assets/
# -----------------------------------------------------------------------------------------------
# 19. Pass control to ProcessWire if all the above directives allow us to this point.
# For regular VirtualHosts (most installs)
# -----------------------------------------------------------------------------------------------
RewriteRule ^(.*)$ index.php?it=$1 [L,QSA]
# -----------------------------------------------------------------------------------------------
# 20. If using VirtualDocumentRoot (500): comment out the one above and use this one instead
# -----------------------------------------------------------------------------------------------
# RewriteRule ^(.*)$ /index.php?it=$1 [L,QSA]
</IfModule>
#################################################################################################
# END PROCESSWIRE HTACCESS DIRECTIVES
#################################################################################################