OLD | NEW |
---|---|
1 ############################################################################### | 1 ############################################################################### |
2 ## The Master .htaccess | 2 ## The Master .htaccess |
3 ## | 3 ## |
4 ## Version 2.4 (proposed) - April 16th, 2011 | 4 ## Version 3.3 - WORK IN PROGRESS |
5 ## | 5 ## |
6 ## ---------- | 6 ## ---------- |
7 ## This file is designed to be the template .htaccess file to put on your new | 7 ## This file is designed to be the template .htaccess file to put on your new |
8 ## sites, increasing your site's security and performance. It is not meant to | 8 ## sites, increasing your site's security and performance. It is not meant to |
9 ## be just dropped in your site, though. You should go through all of its | 9 ## be just dropped in your site, though. You should go through all of its |
10 ## sections and modify it to match your site. Most notably, all instances of | 10 ## sections and modify it to match your site. Most notably, all instances of |
11 ## example.com and example\.com should be replaced with your real domain name. | 11 ## example.com and example\.com should be replaced with your real domain name. |
12 ## | 12 ## |
13 ## Some sections are too picky and may cause problems with legitimate requests. | 13 ## Some sections are too picky and may cause problems with legitimate requests. |
14 ## You are ultimately responsible for disabling them or writing exception rules | 14 ## You are ultimately responsible for disabling them or writing exception rules |
(...skipping 23 matching lines...)
38 ## | 38 ## |
39 ## Learn more: http://www.akeebabackup.com/software/admin-tools.html | 39 ## Learn more: http://www.akeebabackup.com/software/admin-tools.html |
40 ## ---------------------------------------------------------------------- | 40 ## ---------------------------------------------------------------------- |
41 ## | 41 ## |
42 ## Have fun, stay safe. | 42 ## Have fun, stay safe. |
43 ## | 43 ## |
44 ## Nicholas K. Dionysopoulos | 44 ## Nicholas K. Dionysopoulos |
45 ## Lead Developer, AkeebaBackup.com | 45 ## Lead Developer, AkeebaBackup.com |
46 ## | 46 ## |
47 ## CHANGELOG: | 47 ## CHANGELOG: |
48 ## Version 2.4 (proposed) (April 16th, 2011) | 48 ## Version 3.3 (PENDING RELEASE) |
49 ## - Dozens of speed optimisations and many logic and syntax corrections. | 49 ## - Version 3.2 wasn't tested and killed some sites |
50 ## Version 3.2 (April 8th, 2011) | |
51 ## - Some slight improvements with negligible (if any) performance impact | |
52 ## Version 3.1 (April 5th, 2011) | |
53 ## - Expiration time of static resources adjusted to 1 month instead of 1 year | |
54 ## - GET variables not passed along in the index.php to site root redirection | |
55 ## - Fixed typos | |
56 ## - Alternative for HTTP to HTTPS redirection | |
57 ## - Common exploits protection: Minor changes in comments, combined base64_enco de/base64_decode rule | |
58 ## - Bug in query string protection rule | |
59 ## - Back-end & front-end protection optimization | |
60 ## - Fixed the UNION SELECT SQLi rule to actually work against real attacks | |
61 ## - Added comments to Joomla! core SEF section | |
62 ## Version 3.0 (March 28th, 2011) | |
63 ## - Massive rewrite | |
50 ## Version 2.3 (November 18th, 2010) | 64 ## Version 2.3 (November 18th, 2010) |
51 ## - Added .ico to the pass-through rules, for favicons to load | 65 ## - Added .ico to the pass-through rules, for favicons to load |
52 ## Version 2.2 (October 25th, 2010) | 66 ## Version 2.2 (October 25th, 2010) |
53 ## - Bug in the tmpl=component rule | 67 ## - Bug in the tmpl=component rule |
54 ## Version 2.1 (October 19th, 2010) | 68 ## Version 2.1 (October 19th, 2010) |
55 ## - index.php to root redirection would kill some AJAX requests | 69 ## - index.php to root redirection would kill some AJAX requests |
56 ## - Referer filtering was screwed up | 70 ## - Referer filtering was screwed up |
57 ## - Simplified and more thorough PHP Easter Egg code (thanks Jon!) | 71 ## - Simplified and more thorough PHP Easter Egg code (thanks Jon!) |
58 ## - The tp/template/tmpl filter was not thorough and killed some components | 72 ## - The tp/template/tmpl filter was not thorough and killed some components |
59 ## - Optimized Joomla! core SEF section | 73 ## - Optimized Joomla! core SEF section |
60 ## - Bot filters and GZip optimization would never run for dynamic content | 74 ## - Bot filters and GZip optimization would never run for dynamic content |
61 ## - Content expiration optimization got more optimized | 75 ## - Content expiration optimization got more optimized |
62 ## - Added ETag rule | 76 ## - Added ETag rule |
63 ## | 77 ## |
64 ############################################################################### | 78 ############################################################################### |
65 | 79 |
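Review bot: the changelog on the new side drops the 3.0, 3.1 and 3.2 entries (old lines 50-63) and replaces them with the single line "Version 3.2 wasn't tested and killed some sites", so the record of which rules changed is lost, including entries such as "Fixed the UNION SELECT SQLi rule to actually work against real attacks" and "Bug in query string protection rule". Keep the per-version history and add a 3.3 entry that lists what was reverted and why, with a date once it is released.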
66 ########## Begin - RewriteEngine enabled | 80 ########## Begin - RewriteEngine enabled |
67 RewriteEngine On | 81 RewriteEngine On |
68 ########## End - RewriteEngine enabled | 82 ########## End - RewriteEngine enabled |
69 | 83 |
70 ########## Begin - RewriteBase | 84 ########## Begin - RewriteBase |
71 # Uncomment following line if your webserver's URL | 85 # Uncomment following line if your webserver's URL |
g1smd (2011/04/23 17:00:09): Spaces to remove!
72 # is not directly related to physical file paths. | 86 # is not directly related to physical file paths. |
g1smd (2011/04/23 17:00:09): Spaces to remove!
73 # Update Your Joomla! Directory (just / for root) | 87 # Update Your Joomla! Directory (just / for root) |
g1smd (2011/04/23 17:00:09): Spaces to remove!
74 | 88 |
75 # RewriteBase / | 89 # RewriteBase / |
76 ########## End - RewriteBase | 90 ########## End - RewriteBase |
77 | 91 |
78 ########## Begin - No directory listings | 92 ########## Begin - No directory listings |
79 ## Note: +FollowSymlinks may cause problems and you might have to remove it | 93 ## Note: +FollowSymlinks may cause problems and you might have to remove it |
80 IndexIgnore * | 94 IndexIgnore * |
81 Options +FollowSymLinks All -Indexes | 95 Options +FollowSymLinks All -Indexes |
82 ########## End - No directory listings | 96 ########## End - No directory listings |
83 | 97 |
84 ########## Begin - File execution order, by Komra.de | 98 ########## Begin - File execution order, by Komra.de |
85 DirectoryIndex index.php index.html | 99 DirectoryIndex index.php index.html |
86 ########## End - File execution order | 100 ########## End - File execution order |
87 | 101 |
88 ########## Begin - ETag Optimization | 102 ########## Begin - ETag Optimization |
89 ## This rule will create an ETag for files based only on the modification | 103 ## This rule will create an ETag for files based only on the modification |
90 ## timestamp and their size. This works wonders if you are using rsync'ed | 104 ## timestamp and their size. This works wonders if you are using rsync'ed |
91 ## servers, where the inode number of identical files differs. | 105 ## servers, where the inode number of identical files differs. |
92 ## Note: It may cause problems on your server and you may need to remove it | 106 ## Note: It may cause problems on your server and you may need to remove it |
93 FileETag MTime Size | 107 FileETag MTime Size |
94 ########## End - ETag Optimization | 108 ########## End - ETag Optimization |
95 | 109 |
96 ########## Begin - Optimal default expiration time | 110 ########## Begin - Optimal default expiration time |
97 ## Note: this might cause problems and you might have to comment it out by | 111 ## Note: this might cause problems and you might have to comment it out by |
98 ## placing a hash in front of this section's lines | 112 ## placing a hash in front of this section's lines |
113 ## Note: Some people prefer using "now plus 1 month" instead of "now plus 1 year ". | |
114 ## Suit to taste. | |
99 <IfModule mod_expires.c> | 115 <IfModule mod_expires.c> |
100 # Enable expiration control | 116 # Enable expiration control |
101 ExpiresActive On | 117 ExpiresActive On |
102 | 118 |
103 # Default expiration: 1 hour after request | 119 # Default expiration: 1 hour after request |
104 ExpiresDefault "now plus 1 hour" | 120 ExpiresDefault "now plus 1 hour" |
105 | 121 » |
106 # CSS and JS expiration: 1 week after request | 122 # CSS and JS expiration: 1 week after request |
107 ExpiresByType text/css "now plus 1 week" | 123 ExpiresByType text/css "now plus 1 week" |
108 ExpiresByType application/javascript "now plus 1 week" | 124 ExpiresByType application/javascript "now plus 1 week" |
109 ExpiresByType application/x-javascript "now plus 1 week" | 125 ExpiresByType application/x-javascript "now plus 1 week" |
110 | 126 » |
111 # Image files expiration: 1 month after request | 127 # Image files expiration: 1 month after request |
112 ExpiresByType image/bmp "now plus 1 month" | 128 ExpiresByType image/bmp "now plus 1 month" |
113 ExpiresByType image/gif "now plus 1 month" | 129 ExpiresByType image/gif "now plus 1 month" |
114 ExpiresByType image/jpeg "now plus 1 month" | 130 ExpiresByType image/jpeg "now plus 1 month" |
115 ExpiresByType image/jp2 "now plus 1 month" | 131 ExpiresByType image/jp2 "now plus 1 month" |
116 ExpiresByType image/pipeg "now plus 1 month" | 132 ExpiresByType image/pipeg "now plus 1 month" |
117 ExpiresByType image/png "now plus 1 month" | 133 ExpiresByType image/png "now plus 1 month" |
118 ExpiresByType image/svg+xml "now plus 1 month" | 134 ExpiresByType image/svg+xml "now plus 1 month" |
119 ExpiresByType image/tiff "now plus 1 month" | 135 ExpiresByType image/tiff "now plus 1 month" |
120 ExpiresByType image/vnd.microsoft.icon "now plus 1 month" | 136 ExpiresByType image/vnd.microsoft.icon "now plus 1 month" |
121 ExpiresByType image/x-icon "now plus 1 month" | 137 ExpiresByType image/x-icon "now plus 1 month" |
122 ExpiresByType image/ico "now plus 1 month" | 138 ExpiresByType image/ico "now plus 1 month" |
123 ExpiresByType image/icon "now plus 1 month" | 139 ExpiresByType image/icon "now plus 1 month" |
124 ExpiresByType text/ico "now plus 1 month" | 140 ExpiresByType text/ico "now plus 1 month" |
125 ExpiresByType application/ico "now plus 1 month" | 141 ExpiresByType application/ico "now plus 1 month" |
126 ExpiresByType image/vnd.wap.wbmp "now plus 1 month" | 142 ExpiresByType image/vnd.wap.wbmp "now plus 1 month" |
127 ExpiresByType application/vnd.wap.wbxml "now plus 1 month" | 143 ExpiresByType application/vnd.wap.wbxml "now plus 1 month" |
128 ExpiresByType application/smil "now plus 1 month" | 144 ExpiresByType application/smil "now plus 1 month" |
129 | 145 » |
130 # Audio files expiration: 1 month after request | 146 # Audio files expiration: 1 month after request |
131 ExpiresByType audio/basic "now plus 1 month" | 147 ExpiresByType audio/basic "now plus 1 month" |
132 ExpiresByType audio/mid "now plus 1 month" | 148 ExpiresByType audio/mid "now plus 1 month" |
133 ExpiresByType audio/midi "now plus 1 month" | 149 ExpiresByType audio/midi "now plus 1 month" |
134 ExpiresByType audio/mpeg "now plus 1 month" | 150 ExpiresByType audio/mpeg "now plus 1 month" |
135 ExpiresByType audio/x-aiff "now plus 1 month" | 151 ExpiresByType audio/x-aiff "now plus 1 month" |
136 ExpiresByType audio/x-mpegurl "now plus 1 month" | 152 ExpiresByType audio/x-mpegurl "now plus 1 month" |
137 ExpiresByType audio/x-pn-realaudio "now plus 1 month" | 153 ExpiresByType audio/x-pn-realaudio "now plus 1 month" |
138 ExpiresByType audio/x-wav "now plus 1 month" | 154 ExpiresByType audio/x-wav "now plus 1 month" |
139 | 155 » |
140 # Movie files expiration: 1 month after request | 156 # Movie files expiration: 1 month after request |
141 ExpiresByType application/x-shockwave-flash "now plus 1 month" | 157 ExpiresByType application/x-shockwave-flash "now plus 1 month" |
142 ExpiresByType x-world/x-vrml "now plus 1 month" | 158 ExpiresByType x-world/x-vrml "now plus 1 month" |
143 ExpiresByType video/x-msvideo "now plus 1 month" | 159 ExpiresByType video/x-msvideo "now plus 1 month" |
144 ExpiresByType video/mpeg "now plus 1 month" | 160 ExpiresByType video/mpeg "now plus 1 month" |
145 ExpiresByType video/mp4 "now plus 1 month" | 161 ExpiresByType video/mp4 "now plus 1 month" |
146 ExpiresByType video/quicktime "now plus 1 month" | 162 ExpiresByType video/quicktime "now plus 1 month" |
147 ExpiresByType video/x-la-asf "now plus 1 month" | 163 ExpiresByType video/x-la-asf "now plus 1 month" |
148 ExpiresByType video/x-ms-asf "now plus 1 month" | 164 ExpiresByType video/x-ms-asf "now plus 1 month" |
149 </IfModule> | 165 </IfModule> |
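Review bot: the blank lines on the new side inside the mod_expires block (new lines 121, 126, 145 and 155) carry a tab, rendered here as », so they are whitespace-only rather than empty; strip the trailing whitespace. The new side also drops the comment about "now plus 1 month" versus "now plus 1 year" (old lines 113-114) while leaving every expiry value unchanged, so that comment could simply stay.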
(...skipping 29 matching lines...)
179 ########## End - Automatic compression of resources | 195 ########## End - Automatic compression of resources |
180 | 196 |
181 ########## Begin - Google Apps redirection, by Komra.de | 197 ########## Begin - Google Apps redirection, by Komra.de |
182 ## Uncomment the following line to enable: | 198 ## Uncomment the following line to enable: |
183 # RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L] | 199 # RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L] |
184 ## If the above doesn't work on your server, try this: | 200 ## If the above doesn't work on your server, try this: |
185 ## RewriteRule ^mail http://mail.google.com/a/example.com [R,L] | 201 ## RewriteRule ^mail http://mail.google.com/a/example.com [R,L] |
186 ########## End - Google Apps redirection | 202 ########## End - Google Apps redirection |
187 | 203 |
188 ########## Begin - Redirect index.php to / | 204 ########## Begin - Redirect index.php to / |
189 ## Note: Change example.com to reflect your own domain name | 205 ## Note: Change example.com to reflect your own domain |
190 RewriteCond %{THE_REQUEST} !^POST | 206 RewriteCond %{THE_REQUEST} !^POST |
191 RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/ | 207 RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/ |
192 RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$ | 208 RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$ |
193 RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L] | 209 RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L] |
194 # If the above line throws a 500 error, change [R=301,L] to [R,L] | 210 # If the above line throws a 500 error, try this instead: |
211 # RewriteRule ^index\.php$ http%2://www.example.com/$1 [R,L] | |
195 ########## End - Redirect index.php to / | 212 ########## End - Redirect index.php to / |
196 | 213 |
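Review bot: in `RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L]` (unchanged on both sides, and repeated in the commented [R,L] variant added on the new side) the pattern `^index\.php$` defines no capture group, so `$1` expands to an empty string; the rule works only by accident and misleads anyone adapting it. Drop the `/$1` and redirect to `http%2://www.example.com/`. The `%2` back-reference to the `(s)` group of the preceding `%{SERVER_PORT}>s` condition is correct and should stay.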
197 ########## Begin - Redirect non-www to www | 214 ########## Begin - Redirect non-www to www |
198 RewriteCond %{HTTP_HOST} !^www\. [NC] | 215 RewriteCond %{HTTP_HOST} !^www\. [NC] |
199 RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L] | 216 RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L] |
200 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] | 217 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] |
201 ########## End - Redirect non-www to www | 218 ########## End - Redirect non-www to www |
202 | 219 |
203 ########## Begin - Redirect www to non-www | 220 ########## Begin - Redirect www to non-www |
204 ## WARNING: Comment out the non-www to www rule if you choose to use this | 221 ## WARNING: Comment out the non-www to www rule if you choose to use this |
205 # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] | 222 # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] |
206 # RewriteRule ^(.*)$ http://%1/$1 [R=301,L] | 223 # RewriteRule ^(.*)$ http://%1/$1 [R=301,L] |
207 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] | 224 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] |
208 ########## End - Redirect non-www to www | 225 ########## End - Redirect non-www to www |
209 | 226 |
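Review bot: the closing marker of the "Redirect www to non-www" section reads `########## End - Redirect non-www to www` on both sides (old 208 / new 225), the same label as the section above it; rename it to `End - Redirect www to non-www` so the two sections can be told apart when searching the file.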
210 ########## Begin - Redirect (www.)olddomain.com to www.example.com | 227 ########## Begin - Redirect (www.)olddomain.com to www.example.com |
211 ## Note: olddomain.com is your old domain name, you want to redirect FROM, | 228 ## Note: olddomain.com is your old domain name, you want to redirect FROM, |
212 ## whereas www.example.com is the new domain name you want to redirect TO. | 229 ## whereas www.example.com is the new domain name you want to redirect TO. |
213 ## Change those names to reflect your current configuration. Remember, this | 230 ## Change those names to reflect your current configuration. Remember, this |
214 ## small part of the file is supposed to be placed in www.olddomain.com! | 231 ## part of the file is supposed to be placed in www.olddomain.com! |
215 ## Note: Replace [R=301,L] with [R,L] if you get error 500. | 232 ## Note: Replace [R=301,L] with [R,L] if you get error 500. |
216 ## Uncomment the following lines to enable: | 233 ## Uncomment the following lines to enable: |
217 # RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC] | 234 # RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC] |
218 # RewriteRule (.*) http://www.example.com/$1 [R=301,L] | 235 # RewriteRule (.*) http://www.example.com/$1 [R=301,L] |
219 ## Note: The above section is only required if you are changing your domain name . | 236 ########## End - Redirect olddomain.com to www.example.com |
g1smd (2011/04/23 17:00:09): Add (www.) to olddomain.com on RHS.
220 ########## End - Redirect (www.)olddomain.com to www.example.com | |
g1smd (2011/04/23 17:00:09): Add (www.) to olddomain.com on RHS.
221 | 237 |
222 ########## Begin - Force HTTPS for certain pages | 238 ########## Begin - Force HTTPS for certain pages |
223 # Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says. | 239 # Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says. |
224 # This is a sample redirection for foobar.html. Do note that you have to change | 240 # This is a sample redirection for foobar.html. Do note that you have to change |
225 # www.example.com to reflect your own domain. Remember to escape the dots using | 241 # www.example.com to reflect your own domain. Remember to escape the dots using |
226 # \. in the left hand side of each rule. You need BOTH LINES PER URL for the rul e | 242 # \. in the left hand side of each rule. You need BOTH LINES PER URL for the rul e |
227 # to work. | 243 # to work. |
228 RewriteCond %{SERVER_PORT} !^443$ | 244 RewriteCond %{SERVER_PORT} !^443$ |
229 ## Alternatively, comment the above line and uncomment the following line: | 245 ## Alternatively, comment the above line and uncomment the following line: |
230 # RewriteCond %{HTTPS} ^off$ [NC] | 246 # RewriteCond %{HTTPS} ^off$ [NC] |
231 RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L] | 247 RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L] |
232 ## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L] | 248 ## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L] |
233 # Add more rules below this line as required | 249 # Add more rules below this line |
234 ########## End - Force HTTPS for certain pages | 250 ########## End - Force HTTPS for certain pages |
235 | 251 |
236 ########## Begin - Rewrite rules to block out some common exploits | 252 ########## Begin - Rewrite rules to block out some common exploits |
237 ## If you experience problems on your site block out the operations listed below | 253 ## If you experience problems on your site block out the operations listed below |
238 ## This attempts to block the most common type of exploit `attempts` to Joomla! | 254 ## This attempts to block the most common type of exploit `attempts` to Joomla! |
239 # | 255 # |
240 # If the request query string contains /proc/self/environ (by SigSiu.net) | 256 # If the request query string contains /proc/self/environ (by SigSiu.net) |
241 RewriteCond %{QUERY_STRING} proc/self/environ [OR] | 257 RewriteCond %{QUERY_STRING} proc/self/environ [OR] |
242 # Block out any script trying to set a mosConfig value through the URL | 258 # Legacy variable injection (these attacks wouldn't work w/out Joomla! 1.5's Leg acy Mode plugin) |
243 # (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin) | |
244 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] | 259 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] |
245 # Block out any script trying to base64_encode or base64_decode data within the URL | 260 # Block out any script trying to base64_encode/base64_decode data to send via UR L |
246 RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR] | 261 RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR] |
247 ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines: | 262 ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines: |
248 # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR] | 263 # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR] |
249 # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR] | 264 # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR] |
250 # Block out any script that includes a <script> tag in URL | 265 # Block out any script that includes a <script> tag in URL |
251 RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] | 266 RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] |
252 # Block out any script trying to set a PHP GLOBALS variable via URL | 267 # Block out any script trying to set a PHP GLOBALS variable via URL |
253 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] | 268 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] |
254 # Block out any script trying to modify a _REQUEST variable via URL | 269 # Block out any script trying to modify a _REQUEST variable via URL |
255 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) | 270 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) |
256 # Return 403 Forbidden header and show the content of the root homepage | 271 # Return a 403 Forbidden header and show the content of the root homepage |
257 RewriteRule .* index.php [F] | 272 RewriteRule .* index.php [F] |
258 # | 273 # |
259 ########## End - Rewrite rules to block out some common exploits | 274 ########## End - Rewrite rules to block out some common exploits |
260 | 275 |
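Review bot: the base64 condition on the new side, `base64_(en|de)code\(.*\)`, replaces the bounded `base64_(en|de)code[^(]*\([^)]*\)`; the greedy `.*` can back-track across the whole query string on every request, and either form only inspects the literal function-call text, so it is a coarse heuristic at best. If the change was made because of the HTTP 500 issue mentioned in the comment, record that in the changelog; otherwise keep the old, bounded pattern. Separately, the comment on `RewriteRule .* index.php [F]` claims it will "show the content of the root homepage", but with the F flag the substitution is ignored and Apache answers with a plain 403, so the comment should only say that it returns 403 Forbidden.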
261 ########## Begin - File injection protection, by SigSiu.net | 276 ########## Begin - File injection protection, by SigSiu.net |
262 RewriteCond %{REQUEST_METHOD} GET | 277 RewriteCond %{REQUEST_METHOD} GET |
263 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] | 278 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] |
264 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] | 279 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] |
265 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC] | 280 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC] |
266 RewriteRule .* - [F] | 281 RewriteRule .* - [F] |
267 ########## End - File injection protection | 282 ########## End - File injection protection |
268 | 283 |
269 ########## Begin - Advanced server protection rules exceptions #### | 284 ########## Begin - Advanced server protection rules exceptions #### |
270 ## | 285 ## |
271 ## These are sample exceptions to the Advanced Server Protection 3.1 | 286 ## These are sample exceptions to the Advanced Server Protection 3.0 |
g1smd (2011/04/23 17:00:09): The code is much altered since August 2010. The 3.
272 ## rule set further down this file. | 287 ## rule set further down this file. |
273 ## | 288 ## |
274 ## Allow UddeIM CAPTCHA | 289 ## Allow UddeIM CAPTCHA |
275 RewriteRule ^components/com_uddeim/captcha15\.php$ - [L] | 290 RewriteRule ^components/com_uddeim/captcha15\.php$ - [L] |
276 ## Allow Phil Taylor's Turbo Gears | 291 ## Allow Phil Taylor's Turbo Gears |
277 RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L] | 292 RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L] |
278 ## Allow JoomlaWorks AllVideos | 293 ## Allow JoomlaWorks AllVideos |
279 RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L] | 294 RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L] |
280 ## Allow Admin Tools Joomla! updater to run | 295 ## Allow Admin Tools Joomla! updater to run |
281 RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L] | 296 RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L] |
282 ## Allow Akeeba Backup Professional's integrated restoration script to run | 297 ## Allow Akeeba Backup Professional's integrated restoration script to run |
283 RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L] | 298 RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L] |
284 ## Allow Akeeba Kickstart | 299 ## Allow Akeeba Kickstart |
285 RewriteRule ^kickstart\.php$ - [L] | 300 RewriteRule ^kickstart\.php$ - [L] |
286 | 301 |
287 # Add more rules to single PHP files here | 302 # Add more rules to single PHP files here |
288 | 303 |
289 ## Allow Agora attachments, but not PHP files in that directory! | 304 ## Allow Agora attachments, but not PHP files in that directory! |
290 RewriteCond %{REQUEST_FILENAME} !(\.php)$ | 305 RewriteCond %{REQUEST_FILENAME} !(\.php)$ |
291 RewriteCond %{REQUEST_FILENAME} -f | 306 RewriteCond %{REQUEST_FILENAME} -f |
292 RewriteRule ^components/com_agora/img/members/ - [L] | 307 RewriteRule ^components/com_agora/img/members/ - [L] |
293 | 308 |
294 # Add more rules for allowing full access (except PHP files) on more directories here | 309 # Add more rules for allowing full access (except PHP files) on more directories here |
295 | 310 |
296 ## Uncomment to allow full access to the cache directory (strongly not recommend ed!) | 311 ## Uncomment to allow full access to the cache directory (strongly not recommend ed!) |
297 #RewriteRule ^cache/ - [L] | 312 #RewriteRule ^cache/ - [L] |
298 ## Uncomment to allow full access to the tmp directory (strongly not recommended !) | 313 ## Uncomment to allow full access to the tmp directory (strongly not recommended !) |
299 #RewriteRule ^tmp/ - [L] | 314 #RewriteRule ^tmp/ $1 [L] |
g1smd (2011/04/23 17:00:09): The $1 is a typo. Should be - (hyphen).
300 | 315 |
301 # Add more full access rules here | 316 # Add more full access rules here |
302 | 317 |
303 ########## End - Advanced server protection rules exceptions #### | 318 ########## End - Advanced server protection rules exceptions #### |
304 | 319 |
305 ########## Begin - Advanced server protection | 320 ########## Begin - Advanced server protection |
306 # Advanced server protection, version 3.1 - April 2011 | 321 # Advanced server protection, version 2.0 - August 2010 |
g1smd (2011/04/23 17:00:09): The code is much altered since August 2010. The 2.
307 # by Nicholas K. Dionysopoulos | 322 # by Nicholas K. Dionysopoulos |
308 | 323 |
309 ## Referrer filtering for common media files. Replace with your own domain name. | 324 ## Referrer filtering for common media files. Replace with your own domain. |
310 ## This blocks most common fingerprinting attacks ;) | 325 ## This blocks most common fingerprinting attacks ;) |
311 ## Note: Change www\.example\.com with your own domain name, substituting the | 326 ## Note: Change www\.example\.com with your own domain name, substituting the |
312 ## dots with \. i.e. use www\.example\.com for www.example.com | 327 ## dots with \., i.e.: www\.example\.com for www.example.com |
313 RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|s wf|ico)$ - [L] | 328 RewriteRule ^images/stories/.*\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L] |
g1smd (2011/04/23 17:00:09): The .* is inefficient. ([^/]+/)*([^/.]+\.)+ will r
314 RewriteCond %{HTTP_REFERER} . | 329 RewriteCond %{HTTP_REFERER} . |
315 RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC] | 330 RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC] |
316 RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F] | 331 RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F] |
317 | 332 |
318 ## Disallow visual fingerprinting of Joomla! sites (module position dump) | 333 ## Disallow visual fingerprinting of Joomla! sites (module position dump) |
319 ## Initial idea by Brian Teeman and Ken Crowder, see: | 334 ## Initial idea by Brian Teeman and Ken Crowder, see: |
320 ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets | 335 ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets |
321 ## Improved by @nikosdion to work more efficiently and handle template | 336 ## Improved by @nikosdion to work more efficiently and handle template |
322 ## and tmpl query parameters | 337 ## and tmpl query parameters |
323 RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC] | 338 RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC] |
324 RewriteRule .* - [L] | 339 RewriteRule .* - [L] |
325 RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC] | 340 RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC] |
326 RewriteRule .* - [F] | 341 RewriteRule .* - [F] |
327 | 342 |
328 ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine | 343 ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine |
329 ## your PHP version). See http://www.0php.com/php_easter_egg.php and | 344 ## your PHP version). See http://www.0php.com/php_easter_egg.php and |
330 ## http://osvdb.org/12184 for more information | 345 ## http://osvdb.org/12184 for more information |
331 RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4} -[0-9a-f]{12} [NC] | 346 RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4} -[a-f0-9]{12} [NC] |
g1smd (2011/04/23 17:00:09): This is a hexadecimal match: [0-9a-f] [NC].
332 RewriteRule .* - [F] | 347 RewriteRule .* - [F] |
333 | 348 |
334 ## Back-end protection | 349 ## Back-end protection |
335 ## This also blocks fingerprinting attacks browsing for XML and INI files | 350 ## This also blocks fingerprinting attacks browsing for XML and INI files |
336 RewriteRule ^administrator/?$ - [L] | 351 RewriteRule ^administrator/?$ - [L] |
337 RewriteRule ^administrator/index\.(php|html?)$ - [L] | 352 RewriteRule ^administrator/index\.(php|html?)$ - [L] |
338 RewriteRule ^administrator/index[23]\.php$ - [L] | 353 RewriteRule ^administrator/index[23]\.php$ - [L] |
339 RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/ )*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv ]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] | 354 RewriteRule ^administrator/(components|modules|templates|images|plugins)/.*\.(jp (e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pp tx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] |
g1smd (2011/04/23 17:00:09): The .* is inefficient. ([^/]+/)*([^/.]+\.)+ will r
340 RewriteRule ^administrator/ - [F] | 355 RewriteRule ^administrator/ - [F] |
341 | 356 |
342 ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ d irectory | 357 ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ d irectory |
343 RewriteRule ^xmlrpc/(index\.php)?$ - [L] | 358 RewriteRule ^xmlrpc/(index\.php)?$ - [L] |
344 RewriteRule ^xmlrpc/ - [F] | 359 RewriteRule ^xmlrpc/ - [F] |
345 | 360 |
346 ## Disallow front-end access for certain Joomla! system directories | 361 ## Disallow front-end access for certain Joomla! system directories |
347 RewriteRule ^includes/js/ - [L] | 362 RewriteRule ^includes/js/ - [L] |
348 RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F] | 363 RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F] |
349 | 364 |
350 ## Allow limited access for certain Joomla! system directories with client-acces sible content | 365 ## Allow limited access for certain Joomla! system directories with client-acces sible content |
351 RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g| 2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|z ip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] | 366 RewriteRule ^(components|modules|plugins|templates)/.*\.(jp(e?g|2)?|png|gif|bmp| css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|t xt|7z|svg|od[tsp]|flv|mov)$ - [L] |
g1smd
2011/04/23 17:00:09
The .* is inefficient. ([^/]+/)*([^/.]+\.)+ will r
352 ## Uncomment this line if you have extensions which require direct access to the ir own | 367 ## Uncomment this line if you have extensions which require direct access to the ir own |
353 ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed | 368 ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed |
354 ## for being so lame, lazy and security unconscious. | 369 ## for being so lame, lazy and security unconscious. |
355 # RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L] | 370 # RewriteRule ^(components|modules|plugins|templates)/.*(index\.php)?$ - [L] |
g1smd
2011/04/23 17:00:09
The .* is inefficient. ([^/]+/)* will recurse zero
356 ## Uncomment the following line if your template requires direct access to PHP f iles | 371 ## Uncomment the following line if your template requires direct access to PHP f iles |
357 ## inside its directory, e.g. GZip compressed copies of its CSS files | 372 ## inside its directory, e.g. GZip compressed copies of its CSS files |
358 # RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L] | 373 # RewriteRule ^templates/.*\.php$ - [L] |
g1smd
2011/04/23 17:00:09
The .* is inefficient. ([^/]+/)*([^/.]+\.)+ will r
359 RewriteRule ^(components|modules|plugins|templates)/ - [F] | 374 RewriteRule ^(components|modules|plugins|templates)/ - [F] |
360 | 375 |
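Review bot: the commented-out rule on new line 370, `^(components|modules|plugins|templates)/.*(index\.php)?$`, no longer whitelists only custom index.php files: `.*` already consumes the whole remainder and `(index\.php)?` can match empty, so once uncommented it matches every path under those four directories and its `[L]` short-circuits the `[F]` on line 374. The old `([^/]+/)*(index\.php)?$` matched only directory paths and an index.php. Lines 366 and 373 have the same greedy `.*` replacement as line 354; restore `([^/]+/)*([^/.]+\.)+` (and `([^/]+/)*` on 370) rather than `.*`.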
361 ## Disallow rogue scripts in your site's root | 376 ## Disallow rogue scripts in your site's root |
362 # Exception: Allow Joomla!'s index.php and index2.php files | 377 # Exception: Allow Joomla!'s index.php and index2.php files |
363 RewriteRule ^index2?\.php$ - [L] | 378 RewriteRule ^index2?\.php$ - [L] |
364 ## If you disable the back-end protection above, please add this line: | 379 ## If you disable the back-end protection above, please add this line: |
365 # RewriteRule ^administrator/index[23]?\.php$ - [L] | 380 # RewriteRule ^administrator/index[23]?\.php$ - [L] |
366 RewriteRule ^([^/.]+\.)+php$ - [F] | 381 RewriteRule ^.*\.php$ - [F] |
g1smd
2011/04/23 17:00:09
The .* is inefficient. Also the comment says "root
367 | 382 |
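Review bot: new line 381, `^.*\.php$`, matches a .php at any depth, but the heading on 376 still says "in your site's root", and the old `^([^/.]+\.)+php$` was root-only by construction because its class excluded `/`. The earlier `[L]` and `[F]` rules cover the Joomla directories, so the behaviour change is for PHP files in directories not listed above (a custom directory, for instance), which are now forbidden instead of served. Either keep `[^/]` in the pattern or, if forbidding PHP everywhere is intended, say so in the comment; `.*` also backtracks here as on the other rules.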
368 ## Disallow access to htaccess.txt, configuration.php, configuration.php-dist an d php.ini | 383 ## Disallow access to htaccess.txt and configuration.php-dist |
g1smd
2011/04/23 17:00:09
and php.ini
369 RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F] | 384 RewriteRule ^(htaccess\.txt|configuration\.php-dist|php\.ini)$ - [F] |
370 | 385 |
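Review bot: the comment on new line 383 drops php.ini although the rule on 384 still forbids it (g1smd's point), and 384 also drops `configuration\.php` so the live configuration file is no longer explicitly denied. A direct request for it normally returns an empty page because PHP executes it, but if the PHP handler is ever disabled or misconfigured the file would be served as text, so keeping it in the list costs nothing. Suggest keeping `^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$` and listing all four names in the comment.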
371 ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @ | 386 ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @ |
372 ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html | 387 ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html |
373 ## May cause problems on legitimate requests | 388 ## May cause problems on legitimate requests |
374 RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] | 389 RewriteCond %{QUERY_STRING} concat.*\( [NC,OR] |
375 RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] | 390 RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR] |
376 RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC] | 391 RewriteCond %{QUERY_STRING} union.*all.*select.* [NC] |
377 RewriteRule .* - [F] | 392 RewriteRule .* - [F] |
378 | 393 |
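Review bot: the rewrite of new line 390 changes what is matched, not only how: the old `union([^s]*s)+elect` fired on any `union ... select`, while `union.*select.*\(` fires only when a `(` follows `select`, so a query string containing union and select but no parenthesis now passes this filter. Line 391 does not have that requirement but its trailing `.*` is redundant, and on 389 `concat.*\(` matches exactly the same strings as `concat[^\(]*\(` while backtracking more. If the intent was readability, keep the old patterns; if the intent was fewer false positives on 390, say so in the comment on 388 so the narrower coverage is deliberate.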
379 ########## End - Advanced server protection | 394 ########## End - Advanced server protection |
380 | 395 |
381 ########## Begin - Basic antispam Filter, by SigSiu.net | 396 ########## Begin - Basic antispam Filter, by SigSiu.net |
382 ## I removed some common words, tweak to your liking | 397 ## I removed some common words, tweak to your liking |
383 ## This code uses PCRE and works only with Apache 2.x. | 398 ## This code uses PCRE and works only with Apache 2.x. |
384 ## This code will NOT work with Apache 1.x servers. | 399 ## This code will NOT work with Apache 1.x servers. |
385 RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erec tile)\b [NC,OR] | 400 RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erec tile)\b [NC,OR] |
386 RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitr a|libido)\b [NC,OR] | 401 RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitr a|libido)\b [NC,OR] |
387 RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|t royhamby)\b [NC,OR] | 402 RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|t royhamby)\b [NC,OR] |
403 ## Note: The final RewriteCond must NOT use the [OR] flag. | |
388 RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxai eo)\b [NC] | 404 RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxai eo)\b [NC] |
389 ## Note: The final RewriteCond must NOT use the [OR] flag. | |
390 RewriteRule .* - [F] | 405 RewriteRule .* - [F] |
391 ## Note: The previous lines are a "compressed" version | 406 ## Note: The previous lines are a "compressed" version |
392 ## of the filters. You can add your own filters as: | 407 ## of the filters. You can add your own filters as: |
393 ## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR] | 408 ## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR] |
394 ## where "badword" is the word you want to exclude. | 409 ## where "badword" is the word you want to exclude |
395 ########## End - Basic antispam Filter, by SigSiu.net | 410 ########## End - Basic antispam Filter, by SigSiu.net |
396 | 411 |
397 ########## Begin - Joomla! core SEF Section | 412 ########## Begin - Joomla! core SEF Section |
398 # | 413 # |
399 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] | 414 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] |
400 # | |
401 # If the requested path and file is not /index.php and the request | 415 # If the requested path and file is not /index.php and the request |
402 # has not already been internally rewritten to the index.php script | 416 # has not already been internally rewritten to the index.php script |
403 RewriteCond %{REQUEST_URI} !^/index\.php | 417 RewriteCond %{REQUEST_URI} !^/index\.php |
404 # and the request is for the site root, or for an extensionless URL, | 418 # and the request is for the site root, or for an extensionless URL, |
405 # or the requested URL ends with one of the listed extensions | 419 # or the requested URL ends with one of the listed extensions |
406 RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw|ini |zip|json|file))$ [NC] | 420 RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|raw|ini|zip |json|file|vcf))$ [NC] |
g1smd
2011/04/23 17:00:09
vcf is after pdf and before raw in the official fi
407 # and the requested path and file doesn't directly match a physical file | 421 # and the requested path and file doesn't directly match a physical file |
408 RewriteCond %{REQUEST_FILENAME} !-f | 422 RewriteCond %{REQUEST_FILENAME} !-f |
409 # and the requested path doesn't directly match a physical folder | 423 # and the requested path doesn't match a physical folder |
410 RewriteCond %{REQUEST_FILENAME} !-d | 424 RewriteCond %{REQUEST_FILENAME} !-d |
411 # internally rewrite the request to the index.php script | 425 # internally rewrite the request to the index.php script |
412 RewriteRule .* index.php [L] | 426 RewriteRule .* index.php [L] |
413 # | 427 # |
414 ########## End - Joomla! core SEF Section | 428 ########## End - Joomla! core SEF Section |
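Review bot: new line 420 moves `vcf` to the end of the extension alternation; as g1smd notes, the official file has it after pdf and before raw. The two orders match the same requests, so the change only adds diff noise against upstream Joomla's htaccess.txt and should be reverted. The `#` separator (old line 400) between the HTTP_AUTHORIZATION rule on 414 and the SEF conditions was also dropped; keep it so the two blocks stay visually separate as in upstream.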