Rietveld Code Review Tool

Side by Side Diff: joomla-master-htaccess.txt

Issue 4370051: Joomla master .htaccess - differences 2.4.4 - 3.1.l (r) Base URL: http://joomla-master-htaccess.googlecode.com/svn/trunk/
Patch Set: Joomla master .htaccess - differences 3.1.12 - 2.4.4 Created 3 years ago
OLD | NEW
1 ############################################################################### 1 ###############################################################################
2 ## The Master .htaccess 2 ## The Master .htaccess
3 ## 3 ##
4 ## Version 3.1 - March 29th, 2010 4 ## Version 2.4 (proposed) - April 7th, 2010
g1smd 2011/04/10 00:00:18 2011.
g1smd 2011/04/10 00:00:18 2011.
5 ## 5 ##
6 ## ---------- 6 ## ----------
7 ## This file is designed to be the template .htaccess file to put on your new 7 ## This file is designed to be the template .htaccess file to put on your new
8 ## sites, increasing your site's security and performance. It is not meant to 8 ## sites, increasing your site's security and performance. It is not meant to
9 ## be just dropped in your site, though. You should go through all of its 9 ## be just dropped in your site, though. You should go through all of its
10 ## sections and modify it to match your site. Most notably, all instances of 10 ## sections and modify it to match your site. Most notably, all instances of
11 ## example.com and example\.com should be replaced with your real domain name. 11 ## example.com and example\.com should be replaced with your real domain name.
12 ## 12 ##
13 ## Some sections are too picky and may cause problems with legitimate requests. 13 ## Some sections are too picky and may cause problems with legitimate requests.
14 ## You are ultimately responsible for disabling them or writing exception rules 14 ## You are ultimately responsible for disabling them or writing exception rules
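Review bot: the header date on line 4 is wrong on both sides: the left reads `Version 3.1 - March 29th, 2010` and the right `Version 2.4 (proposed) - April 7th, 2010`, while the CHANGELOG entries further down the file for those same versions are dated 2011 (April 5th, 2011 and April 7th, 2011); set both headers to 2011 so header and changelog agree. Separately, the right side renumbers the file from 3.1 down to 2.4 (proposed), so anyone comparing an installed copy by its version string will take this revision for an older one; if the lower number is intentional, state that in the changelog.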
(...skipping 23 matching lines...)
38 ## 38 ##
39 ## Learn more: http://www.akeebabackup.com/software/admin-tools.html 39 ## Learn more: http://www.akeebabackup.com/software/admin-tools.html
40 ## ---------------------------------------------------------------------- 40 ## ----------------------------------------------------------------------
41 ## 41 ##
42 ## Have fun, stay safe. 42 ## Have fun, stay safe.
43 ## 43 ##
44 ## Nicholas K. Dionysopoulos 44 ## Nicholas K. Dionysopoulos
45 ## Lead Developer, AkeebaBackup.com 45 ## Lead Developer, AkeebaBackup.com
46 ## 46 ##
47 ## CHANGELOG: 47 ## CHANGELOG:
48 ## Version 3.1 (April 5th, 2011) 48 ## Version 2.4 (proposed) (April 7th, 2011)
49 ## - Expiration time of static resources adjusted to 1 month instead of 1 year 49 ## - Dozens of speed optimisations and many logic and syntax corrections.
50 ## - GET variables not passed along in the index.php to site root redirection
51 ## - Fixed typos
52 ## - Alternative for HTTP to HTTPS redirection
53 ## - Common exploits protection: Minor changes in comments, combined base64_enco de/base64_decode rule
54 ## - Bug in query string protection rule
55 ## - Back-end & front-end protection optimization
56 ## - Fixed the UNION SELECT SQLi rule to actually work against real attacks
57 ## - Added comments to Joomla! core SEF section
58 ## Version 3.0 (March 28th, 2011)
59 ## - Massive rewrite
60 ## Version 2.3 (November 18th, 2010) 50 ## Version 2.3 (November 18th, 2010)
61 ## - Added .ico to the pass-through rules, for favicons to load 51 ## - Added .ico to the pass-through rules, for favicons to load
62 ## Version 2.2 (October 25th, 2010) 52 ## Version 2.2 (October 25th, 2010)
63 ## - Bug in the tmpl=component rule 53 ## - Bug in the tmpl=component rule
64 ## Version 2.1 (October 19th, 2010) 54 ## Version 2.1 (October 19th, 2010)
65 ## - index.php to root redirection would kill some AJAX requests 55 ## - index.php to root redirection would kill some AJAX requests
66 ## - Referer filtering was screwed up 56 ## - Referer filtering was screwed up
67 ## - Simplified and more thorough PHP Easter Egg code (thanks Jon!) 57 ## - Simplified and more thorough PHP Easter Egg code (thanks Jon!)
68 ## - The tp/template/tmpl filter was not thorough and killed some components 58 ## - The tp/template/tmpl filter was not thorough and killed some components
69 ## - Optimized Joomla! core SEF section 59 ## - Optimized Joomla! core SEF section
70 ## - Bot filters and GZip optimization would never run for dynamic content 60 ## - Bot filters and GZip optimization would never run for dynamic content
71 ## - Content expiration optimization got more optimized 61 ## - Content expiration optimization got more optimized
72 ## - Added ETag rule 62 ## - Added ETag rule
73 ## 63 ##
74 ############################################################################### 64 ###############################################################################
75 65
76 ########## Begin - RewriteEngine enabled 66 ########## Begin - RewriteEngine enabled
77 RewriteEngine On 67 RewriteEngine On
78 ########## End - RewriteEngine enabled 68 ########## End - RewriteEngine enabled
79 69
80 ########## Begin - RewriteBase 70 ########## Begin - RewriteBase
81 # Uncomment following line if your webserver's URL 71 # Uncomment following line if your webserver's URL
82 # is not directly related to physical file paths. 72 # is not directly related to physical file paths.
83 # Update Your Joomla! Directory (just / for root) 73 # Update Your Joomla! Directory (just / for root)
84 74
85 # RewriteBase / 75 # RewriteBase /
86 ########## End - RewriteBase 76 ########## End - RewriteBase
87 77
88 ########## Begin - No directory listings 78 ########## Begin - No directory listings
89 ## Note: +FollowSymlinks may cause problems and you might have to remove it 79 ## Note: +FollowSymlinks may cause problems and you might have to remove it
90 IndexIgnore * 80 IndexIgnore *
91 Options +FollowSymLinks All -Indexes 81 Options +FollowSymLinks All -Indexes
92 ########## End - No directory listings 82 ########## End - No directory listings
93 83
94 ########## Begin - File execution order, by Komra.de 84 ########## Begin - File execution order, by Komra.de
95 DirectoryIndex index.php index.html 85 DirectoryIndex index.php index.html
96 ########## End - File execution order 86 ########## End - File execution order
97 87
98 ########## Begin - ETag Optimization 88 ########## Begin - ETag Optimization
99 ## This rule will create an ETag for files based only on the modification 89 ## This rule will create an ETag for files based only on the modification
100 ## timestamp and their size. This works wonders if you are using rsync'ed 90 ## timestamp and their size. This works wonders if you are using rsync'ed
101 ## servers, where the inode number of identical files differs. 91 ## servers, where the inode number of identical files differs.
102 ## Note: It may cause problems on your server and you may need to remove it 92 ## Note: It may cause problems on your server and you may need to remove it
103 FileETag MTime Size 93 FileETag MTime Size
104 ########## End - ETag Optimization 94 ########## End - ETag Optimization
105 95
106 ########## Begin - Optimal default expiration time 96 ########## Begin - Optimal default expiration time
107 ## Note: this might cause problems and you might have to comment it out by 97 ## Note: this might cause problems and you might have to comment it out by
108 ## placing a hash in front of this section's lines 98 ## placing a hash in front of this section's lines
109 ## Note: Some people prefer using "now plus 1 month" instead of "now plus 1 year ".
110 ## Suit to taste.
g1smd 2011/04/10 08:44:34 No longer needed.
111 <IfModule mod_expires.c> 99 <IfModule mod_expires.c>
112 # Enable expiration control 100 # Enable expiration control
113 ExpiresActive On 101 ExpiresActive On
114 102
115 # Default expiration: 1 hour after request 103 # Default expiration: 1 hour after request
116 ExpiresDefault "now plus 1 hour" 104 ExpiresDefault "now plus 1 hour"
117 105
118 # CSS and JS expiration: 1 week after request 106 # CSS and JS expiration: 1 week after request
119 ExpiresByType text/css "now plus 1 week" 107 ExpiresByType text/css "now plus 1 week"
120 ExpiresByType application/javascript "now plus 1 week" 108 ExpiresByType application/javascript "now plus 1 week"
121 ExpiresByType application/x-javascript "now plus 1 week" 109 ExpiresByType application/x-javascript "now plus 1 week"
122 110
123 # Image files expiration: 1 month after request 111 # Image files expiration: 1 month after request
124 ExpiresByType image/bmp "now plus 1 month" 112 ExpiresByType image/bmp "now plus 1 month"
125 ExpiresByType image/gif "now plus 1 month" 113 ExpiresByType image/gif "now plus 1 month"
126 ExpiresByType image/jpeg "now plus 1 month" 114 ExpiresByType image/jpeg "now plus 1 month"
127 ExpiresByType image/jp2 "now plus 1 month" 115 ExpiresByType image/jp2 "now plus 1 month"
128 ExpiresByType image/pipeg "now plus 1 month" 116 ExpiresByType image/pipeg "now plus 1 month"
129 ExpiresByType image/png "now plus 1 month" 117 ExpiresByType image/png "now plus 1 month"
130 ExpiresByType image/svg+xml "now plus 1 month" 118 ExpiresByType image/svg+xml "now plus 1 month"
131 ExpiresByType image/tiff "now plus 1 month" 119 ExpiresByType image/tiff "now plus 1 month"
132 ExpiresByType image/vnd.microsoft.icon "now plus 1 month" 120 ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
133 ExpiresByType image/x-icon "now plus 1 month" 121 ExpiresByType image/x-icon "now plus 1 month"
134 ExpiresByType image/ico "now plus 1 month" 122 ExpiresByType image/ico "now plus 1 month"
135 ExpiresByType image/icon "now plus 1 month" 123 ExpiresByType image/icon "now plus 1 month"
136 ExpiresByType text/ico "now plus 1 month" 124 ExpiresByType text/ico "now plus 1 month"
137 ExpiresByType application/ico "now plus 1 month" 125 ExpiresByType application/ico "now plus 1 month"
138 ExpiresByType image/vnd.wap.wbmp "now plus 1 month" 126 ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
139 ExpiresByType application/vnd.wap.wbxml "now plus 1 month" 127 ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
140 ExpiresByType application/smil "now plus 1 month" 128 ExpiresByType application/smil "now plus 1 month"
141 129
142 # Audio files expiration: 1 month after request 130 # Audio files expiration: 1 month after request
143 ExpiresByType audio/basic "now plus 1 month" 131 ExpiresByType audio/basic "now plus 1 month"
144 ExpiresByType audio/mid "now plus 1 month" 132 ExpiresByType audio/mid "now plus 1 month"
145 ExpiresByType audio/midi "now plus 1 month" 133 ExpiresByType audio/midi "now plus 1 month"
146 ExpiresByType audio/mpeg "now plus 1 month" 134 ExpiresByType audio/mpeg "now plus 1 month"
147 ExpiresByType audio/x-aiff "now plus 1 month" 135 ExpiresByType audio/x-aiff "now plus 1 month"
148 ExpiresByType audio/x-mpegurl "now plus 1 month" 136 ExpiresByType audio/x-mpegurl "now plus 1 month"
149 ExpiresByType audio/x-pn-realaudio "now plus 1 month" 137 ExpiresByType audio/x-pn-realaudio "now plus 1 month"
150 ExpiresByType audio/x-wav "now plus 1 month" 138 ExpiresByType audio/x-wav "now plus 1 month"
151 139
152 # Movie files expiration: 1 month after request 140 # Movie files expiration: 1 month after request
153 ExpiresByType application/x-shockwave-flash "now plus 1 month" 141 ExpiresByType application/x-shockwave-flash "now plus 1 month"
154 ExpiresByType x-world/x-vrml "now plus 1 month" 142 ExpiresByType x-world/x-vrml "now plus 1 month"
155 ExpiresByType video/x-msvideo "now plus 1 month" 143 ExpiresByType video/x-msvideo "now plus 1 month"
156 ExpiresByType video/mpeg "now plus 1 month" 144 ExpiresByType video/mpeg "now plus 1 month"
157 ExpiresByType video/mp4 "now plus 1 month" 145 ExpiresByType video/mp4 "now plus 1 month"
158 ExpiresByType video/quicktime "now plus 1 month" 146 ExpiresByType video/quicktime "now plus 1 month"
159 ExpiresByType video/x-la-asf "now plus 1 month" 147 ExpiresByType video/x-la-asf "now plus 1 month"
160 ExpiresByType video/x-ms-asf "now plus 1 month" 148 ExpiresByType video/x-ms-asf "now plus 1 month"
161 </IfModule> 149 </IfModule>
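Review bot: line 81 (right; line 91 left), `Options +FollowSymLinks All -Indexes`, mixes `+`/`-` prefixed options with the unprefixed `All`, which is not valid Options syntax (Apache 2.4 rejects it as a configuration error and the 2.2 documentation warns it gives unexpected results), and `All` also switches on every option except MultiViews, including ExecCGI and Includes, which is the opposite of what a hardening template should do; `Options +FollowSymLinks -Indexes` gives the intended effect (FollowSymLinks stays because per-directory RewriteEngine requires it, which is also why the note on the line above warns about it). On the documentation side, the right-hand CHANGELOG replaces the 3.0 and 3.1 entries with the single line `Dozens of speed optimisations and many logic and syntax corrections.`, dropping the record of the security rule changes (the UNION SELECT SQLi rule fix, the query string protection bug, the combined base64 rule); keep those items so operators can tell which protections changed behaviour.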
(...skipping 23 matching lines...)
185 # Compress text, html, javascript, css, xml, kudos to Komra.de 173 # Compress text, html, javascript, css, xml, kudos to Komra.de
186 # May kill access to your site for old versions of Internet Explorer 174 # May kill access to your site for old versions of Internet Explorer
187 # The server needs to be compiled with mod_deflate otherwise it will send HTTP 5 00 Error. 175 # The server needs to be compiled with mod_deflate otherwise it will send HTTP 5 00 Error.
188 # mod_deflate is not available on Apache 1.x series. Can only be used with Apach e 2.x server. 176 # mod_deflate is not available on Apache 1.x series. Can only be used with Apach e 2.x server.
189 # AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the futur e. 177 # AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the futur e.
190 AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application /xml application/xhtml+xml application/rss+xml application/javascript applicatio n/x-javascript 178 AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application /xml application/xhtml+xml application/rss+xml application/javascript applicatio n/x-javascript
191 ########## End - Automatic compression of resources 179 ########## End - Automatic compression of resources
192 180
193 ########## Begin - Google Apps redirection, by Komra.de 181 ########## Begin - Google Apps redirection, by Komra.de
194 ## Uncomment the following line to enable: 182 ## Uncomment the following line to enable:
195 # Redirect 301 /mail http://mail.google.com/a/example.com 183 # RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
196 ## If the above doesn't work on your server, try this:
197 ## RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
198 ########## End - Google Apps redirection 184 ########## End - Google Apps redirection
199 185
200 ########## Begin - Redirect index.php to / 186 ########## Begin - Redirect index.php to /
201 ## Note: Change example.com to reflect your own domain 187 ## Note: Change example.com to reflect your own domain name
202 RewriteCond %{THE_REQUEST} !^POST 188 RewriteCond %{THE_REQUEST} !^POST
203 RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/ 189 RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
204 RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$ 190 RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
205 RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L] 191 RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L]
206 # If the above line throws a 500 error, try this instead: 192 # If the above line throws a 500 error, change [R=301,L] to [R,L]
207 # RewriteRule ^index\.php$ http%2://www.example.com/$1 [R,L]
208 ########## End - Redirect index.php to / 193 ########## End - Redirect index.php to /
209 194
210 ########## Begin - Redirect non-www to www 195 ########## Begin - Redirect non-www to www
211 RewriteCond %{HTTP_HOST} !^www\. [NC] 196 RewriteCond %{HTTP_HOST} !^www\. [NC]
212 RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L] 197 RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
213 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] 198 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
214 ########## End - Redirect non-www to www 199 ########## End - Redirect non-www to www
215 200
216 ########## Begin - Redirect www to non-www 201 ########## Begin - Redirect www to non-www
217 ## WARNING: Comment out the non-www to www rule if you choose to use this 202 ## WARNING: Comment out the non-www to www rule if you choose to use this
218 # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] 203 # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
219 # RewriteRule ^(.*)$ http://%1/$1 [R=301,L] 204 # RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
220 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] 205 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
221 ########## End - Redirect non-www to www 206 ########## End - Redirect non-www to www
222 207
223 ########## Begin - Redirect (www.)olddomain.com to www.example.com 208 ########## Begin - Redirect (www.)olddomain.com to www.example.com
224 ## Note: olddomain.com is your old domain name, you want to redirect FROM, 209 ## Note: olddomain.com is your old domain name, you want to redirect FROM,
225 ## whereas www.example.com is the new domain name you want to redirect TO. 210 ## whereas www.example.com is the new domain name you want to redirect TO.
226 ## Change those names to reflect your current configuration. Remember, this 211 ## Change those names to reflect your current configuration. Remember, this
227 ## part of the file is supposed to be placed in www.example.com! 212 ## small part of the file is supposed to be placed in olddomain.com!
228 ## Note: Replace [L=301,R] with [L,R] if you get error 500. 213 ## Note: Replace [R=301,L] with [R,L] if you get error 500.
g1smd 2011/04/10 00:00:18 [L=301,R] -> [R=301,L]
229 ## Uncomment the following lines to enable: 214 ## Uncomment the following lines to enable:
230 # RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC] 215 # RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
g1smd 2011/04/10 00:00:18 Trailing space.
231 # RewriteRule (.*) http://www.example.com/$1 [R=301,L] 216 # RewriteRule (.*) http://www.example.com/$1 [R=301,L]
232 ########## End - Redirect olddomain.com to www.domain.com 217 ## Note: The above section is only required if you are changing your domain name .
218 ########## End - Redirect (www.)olddomain.com to www.example.com
233 219
234 ########## Begin - Force HTTPS for certain pages 220 ########## Begin - Force HTTPS for certain pages
235 # Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says. 221 # Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
236 # This is a sample redirection for foobar.html. Do note that you have to change 222 # This is a sample redirection for foobar.html. Do note that you have to change
237 # www.example.com to reflect your own domain. Remember to escape the dots using 223 # www.example.com to reflect your own domain. Remember to escape the dots using
238 # \. in the left hand side of each rule. You need BOTH LINES PER URL for the rul e 224 # \. in the left hand side of each rule. You need BOTH LINES PER URL for the rul e
239 # to work. 225 # to work.
240 RewriteCond %{SERVER_PORT} !^443$ 226 RewriteCond %{SERVER_PORT} !^443$
241 ## Alternatively, comment the above line and uncomment the following line: 227 ## Alternatively, comment the above line and uncomment the following line:
242 # RewriteCond %{HTTPS} ^off$ [NC] 228 # RewriteCond %{HTTPS} ^off$ [NC]
243 RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L] 229 RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L]
244 ## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L] 230 ## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L]
245 # Add more rules below this line 231 # Add more rules below this line as required
246 ########## End - Force HTTPS for certain pages 232 ########## End - Force HTTPS for certain pages
247 233
248 ########## Begin - Rewrite rules to block out some common exploits 234 ########## Begin - Rewrite rules to block out some common exploits
249 ## If you experience problems on your site block out the operations listed below 235 ## If you experience problems on your site block out the operations listed below
250 ## This attempts to block the most common type of exploit `attempts` to Joomla! 236 ## This attempts to block the most common type of exploit `attempts` to Joomla!
251 # 237 #
252 # If the request query string contains /proc/self/environ (by SigSiu.net) 238 # If the request query string contains /proc/self/environ (by SigSiu.net)
253 RewriteCond %{QUERY_STRING} proc/self/environ [OR] 239 RewriteCond %{QUERY_STRING} proc/self/environ [OR]
254 # Legacy variable injection (these attacks wouldn't work w/out Joomla! 1.5's Leg acy Mode plugin) 240 # Block out any script trying to set a mosConfig value through the URL
241 # (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
255 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] 242 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
256 # Block out any script trying to base64_encode/base64_decode stuff to send via U RL 243 # Block out any script trying to base64_encode or base64_decode data within the URL
257 RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR] 244 RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
258 ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines: 245 ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
259 # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR] 246 # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
260 # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR] 247 # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
261 # Block out any script that includes a <script> tag in URL 248 # Block out any script that includes a <script> tag in URL
262 RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] 249 RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
263 # Block out any script trying to set a PHP GLOBALS variable via URL 250 # Block out any script trying to set a PHP GLOBALS variable via URL
264 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] 251 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
265 # Block out any script trying to modify a _REQUEST variable via URL 252 # Block out any script trying to modify a _REQUEST variable via URL
266 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) 253 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
267 # Return a 403 Forbidden 254 # Return 403 Forbidden header and show the content of the root homepage
268 RewriteRule .* index.php [F] 255 RewriteRule .* index.php [F]
269 # 256 #
270 ########## End - Rewrite rules to block out some common exploits 257 ########## End - Rewrite rules to block out some common exploits
271 258
272 ########## Begin - File injection protection, by SigSiu.net 259 ########## Begin - File injection protection, by SigSiu.net
273 RewriteCond %{REQUEST_METHOD} GET 260 RewriteCond %{REQUEST_METHOD} GET
274 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] 261 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
275 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.\/{1,2}){1,} [OR] 262 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
g1smd 2011/04/10 00:00:18 //? is one or two slashes
276 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]/{1,2}){1,} [NC] 263 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
g1smd 2011/04/10 00:00:18 //? is one or two slashes
277 RewriteRule .* - [F] 264 RewriteRule .* - [F]
278 ########## End - File injection protection 265 ########## End - File injection protection
279 266
280 ########## Begin - Advanced server protection rules exceptions #### 267 ########## Begin - Advanced server protection rules exceptions ####
281 ## 268 ##
282 ## These are sample exceptions to the Advanced Server Protection 3.0 269 ## These are sample exceptions to the Advanced Server Protection 3.0
283 ## rule set further down this file. 270 ## rule set further down this file.
284 ## 271 ##
285 ## Allow UddeIM CAPTCHA 272 ## Allow UddeIM CAPTCHA
286 RewriteRule ^components/com_uddeim/captcha15\.php$ - [L] 273 RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]
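Review bot: the canonical-host redirects on lines 196-197 and 203-204 (right numbering) always redirect to `http://`, so a visitor who arrived over HTTPS at the non-canonical host is bounced onto plain HTTP, and the olddomain rule on line 216 has the same problem; the index.php rule on lines 190-191 already shows the scheme-preserving pattern (`RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$` followed by `http%2://...`), so reuse it in these three sections. Two smaller points: the new comment on line 254, `Return 403 Forbidden header and show the content of the root homepage`, is inaccurate because the `[F]` flag makes mod_rewrite return the 403 immediately and the substitution is never used, so `index.php` is not served and the line should read `RewriteRule .* - [F]` with the left side's comment; and the section on lines 201-206 opens with `Begin - Redirect www to non-www` but closes with `End - Redirect non-www to www`.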
(...skipping 22 matching lines...)
309 #RewriteRule ^tmp/ - [L] 296 #RewriteRule ^tmp/ - [L]
310 297
311 # Add more full access rules here 298 # Add more full access rules here
312 299
313 ########## End - Advanced server protection rules exceptions #### 300 ########## End - Advanced server protection rules exceptions ####
314 301
315 ########## Begin - Advanced server protection 302 ########## Begin - Advanced server protection
316 # Advanced server protection, version 2.0 - August 2010 303 # Advanced server protection, version 2.0 - August 2010
317 # by Nicholas K. Dionysopoulos 304 # by Nicholas K. Dionysopoulos
318 305
319 ## Referrer filtering for common media files. Replace with your own domain. 306 ## Referrer filtering for common media files. Replace with your own domain name.
320 ## This blocks most common fingerprinting attacks ;) 307 ## This blocks most common fingerprinting attacks ;)
321 ## Note: Change www\.example\.com with your own domain name, substituting the do ts with 308 ## Note: Change www\.example\.com with your own domain name, substituting
322 ## \., i.e.: www\.example\.com for www.example.com 309 ## the dots with \. i.e. use www\.example\.com for www.example.com
323 RewriteRule ^images/stories/([^.]+)\.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|ico|htm l?)$ - [L] 310 RewriteRule ^images/stories/[^.]+\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico|html?) $ - [L]
324 RewriteCond %{HTTP_REFERER} . 311 RewriteCond %{HTTP_REFERER} .
325 RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC] 312 RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
326 RewriteRule \.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [F] 313 RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [F]
327 314
328 ## Disallow visual fingerprinting of Joomla! sites (module position dump) 315 ## Disallow visual fingerprinting of Joomla! sites (module position dump)
329 ## Initial idea by Brian Teeman and Ken Crowder, see: 316 ## Initial idea by Brian Teeman and Ken Crowder, see:
330 ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets 317 ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
331 ## Improved by @nikosdion to work more efficiently and handle template 318 ## Improved by @nikosdion to work more efficiently and handle template
332 ## and tmpl query parameters 319 ## and tmpl query parameters
333 RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC] 320 RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
334 RewriteRule .* - [L] 321 RewriteRule .* - [L]
335 RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC] 322 RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
336 RewriteRule .* - [F] 323 RewriteRule .* - [F]
337 324
338 ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine 325 ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
339 ## your PHP version). See http://www.0php.com/php_easter_egg.php and 326 ## your PHP version). See http://www.0php.com/php_easter_egg.php and
340 ## http://osvdb.org/12184 for more information 327 ## http://osvdb.org/12184 for more information
341 RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4} -[a-f0-9]{12} [NC] 328 RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4} -[0-9a-f]{12} [NC]
342 RewriteRule .* - [F] 329 RewriteRule .* - [F]
343 330
344 ## Back-end protection 331 ## Back-end protection
345 ## This also blocks fingerprinting attacks browsing for XML and INI files 332 ## This also blocks fingerprinting attacks browsing for XML and INI files
346 RewriteRule ^administrator/?$ - [L] 333 RewriteRule ^administrator/?$ - [L]
347 RewriteRule ^administrator/index\.(php|html?)$ - [L] 334 RewriteRule ^administrator/index\.(php|html?)$ - [L]
348 RewriteRule ^administrator/index[23]\.php$ - [L] 335 RewriteRule ^administrator/index[23]\.php$ - [L]
349 RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^.]+) \.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og(g|v)|xlsx?|d ocx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] 336 RewriteRule ^administrator/(components|modules|templates|images|plugins)/[^.]+\. (jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx? |pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
350 RewriteRule ^administrator/ - [F] 337 RewriteRule ^administrator/ - [F]
351 338
352 ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ d irectory 339 ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ d irectory
353 RewriteRule ^xmlrpc/(index\.php)?$ - [L] 340 RewriteRule ^xmlrpc/(index\.php)?$ - [L]
354 RewriteRule ^xmlrpc/ - [F] 341 RewriteRule ^xmlrpc/ - [F]
355 342
356 ## Disallow front-end access for certain Joomla! system directories 343 ## Disallow front-end access for certain Joomla! system directories
357 RewriteRule ^includes/js/ - [L] 344 RewriteRule ^includes/js/ - [L]
358 RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F] 345 RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]
359 346
360 ## Allow limited access for certain Joomla! system directories with client-acces sible content 347 ## Allow limited access for certain Joomla! system directories with client-acces sible content
361 RewriteRule ^(components|modules|plugins|templates)/([^.]+)\.(jp(eg|g|2)?|png|gi f|bmp|css|js|swf|html?|mp(e|eg|3|4)|avi|wav|og(g|v)|xlsx?|docx?|pptx?|zip|rar|pd f|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] 348 RewriteRule ^(components|modules|plugins|templates)/[^.]+\.(jp(e?g|2)?|png|gif|b mp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xp s|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
362 ## Uncomment this line if you have extensions which require direct access to the ir own 349 ## Uncomment this line if you have extensions which require direct access to the ir own
363 ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed 350 ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
364 ## for being so lame, lazy and security unconscious. 351 ## for being so lame, lazy and security unconscious.
365 # RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)? - [ F] 352 # RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
g1smd 2011/04/10 00:00:18 [F] should be [L] I think.
g1smd 2011/04/10 00:00:18 Add $.
366 ## Uncomment the following line if your template requires direct access to PHP f iles 353 ## Uncomment the following line if your template requires direct access to PHP f iles
367 ## inside its directory, e.g. GZip compressed copies of its CSS files 354 ## inside its directory, e.g. GZip compressed copies of its CSS files
368 # RewriteRule ^templates/([^.]+)\.php$ - [L] 355 # RewriteRule ^templates/[^.]+\.php$ - [L]
g1smd 2011/05/14 16:32:31 The backreference is not required.
369 RewriteRule ^(components|modules|plugins|templates)/ - [F] 356 RewriteRule ^(components|modules|plugins|templates)/ - [F]
370 357
371 ## Disallow rogue scripts in your site's root 358 ## Disallow rogue scripts in your site's root
372 # Exception: Allow Joomla!'s index.php and index2.php files 359 # Exception: Allow Joomla!'s index.php and index2.php files
373 RewriteRule ^index2?\.php$ - [L] 360 RewriteRule ^index2?\.php$ - [L]
374 RewriteRule ^[^/]+\.php$ - [F] 361 RewriteRule ^[^.]+\.php$ - [F]
g1smd 2011/04/10 00:00:18 / should be .
g1smd 2011/04/10 16:52:50 [^/]+ may well accidentally "consume" the ".php" p
g1smd 2011/04/10 08:44:34 Alternatively: RewriteRule ^([^/]+/)*[^.]+\.php$ -
g1smd 2011/04/10 16:52:50 Is this meant to be "root only" or what? Perhaps:
375 362
376 ## Disallow access to htaccess.txt and configuration.php-dist 363 ## Disallow access to htaccess.txt, configuration.php, configuration.php-dist an d php.ini
g1smd 2011/05/14 16:32:31 ... and php.ini
377 RewriteRule ^(htaccess\.txt|configuration\.php-dist)$ - [F] 364 RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]
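Review bot: The right side's ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ matches only the exact names, so stray copies of the credentials file such as configuration.php~ or configuration.php.bak, which are not handled by PHP and would be served as text, are not covered. Consider configuration\.php.* (or a second rule for the usual backup suffixes) so those are refused as well; [F] remains the right flag, and blocking configuration.php itself is a sound defense-in-depth addition even though PHP would execute rather than display it.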
g1smd 2011/04/10 00:00:18 Matches several extra filenames to block.
378 365
379 ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @ 366 ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
380 ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html 367 ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
381 ## May cause problems on legitimate requests 368 ## May cause problems on legitimate requests
382 RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] 369 RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
383 RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] 370 RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
384 RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC] 371 RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
385 RewriteRule .* - [F] 372 RewriteRule .* - [F]
386 373
387 ########## End - Advanced server protection 374 ########## End - Advanced server protection
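Review bot: The three %{QUERY_STRING} conditions in the SQLi block match the raw query string, which mod_rewrite does not percent-decode, so they catch only the literal spellings of concat( and union ... select while still rejecting legitimate parameters that happen to contain those words (keep the "May cause problems" comment). The "first line of defense" wording should stay, ideally with a sentence that this does not substitute for parameterized queries in extensions. RewriteRule .* - [F] is correct as written; [F] implies [L], so no extra flag is needed.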
388 375
389 ########## Begin - Basic antispam Filter, by SigSiu.net 376 ########## Begin - Basic antispam Filter, by SigSiu.net
390 ## I removed some common words, tweak to your liking 377 ## I removed some common words, tweak to your liking
391 ## This code uses PCRE and works only with Apache 2.x. 378 ## This code uses PCRE and works only with Apache 2.x.
392 ## This code will NOT work with Apache 1.x servers. 379 ## This code will NOT work with Apache 1.x servers.
393 RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erec tile)\b [NC,OR] 380 RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erec tile)\b [NC,OR]
394 RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitr a|libido)\b [NC,OR] 381 RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitr a|libido)\b [NC,OR]
395 RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|t royhamby)\b [NC,OR] 382 RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|t royhamby)\b [NC,OR]
383 RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxai eo)\b [NC]
396 ## Note: The final RewriteCond must NOT use the [OR] flag. 384 ## Note: The final RewriteCond must NOT use the [OR] flag.
397 RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxai eo)\b [NC]
398 RewriteRule .* - [F] 385 RewriteRule .* - [F]
399 ## Note: The previous lines are a "compressed" version 386 ## Note: The previous lines are a "compressed" version
400 ## of the filters. You can add your own filters as: 387 ## of the filters. You can add your own filters as:
401 ## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR] 388 ## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
402 ## where "badword" is the word you want to exclude 389 ## where "badword" is the word you want to exclude.
403 ########## End - Basic antispam Filter, by SigSiu.net 390 ########## End - Basic antispam Filter, by SigSiu.net
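Review bot: blue\spill in the first antispam condition can only match a literal whitespace character in the query string, which clients normally send as + or %20, so that entry is effectively dead; use blue[\s+]pill or blue(\s|\+|%20)pill if it is meant to fire. Moving the [NC]-only condition above the "final RewriteCond must NOT use the [OR] flag" note on the right side is an improvement, but the note now sits directly above the RewriteRule and reads as if it refers to that line; reword it to "The RewriteCond immediately above must NOT use the [OR] flag" or place it just before that condition.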
404 391
405 ########## Begin - Joomla! core SEF Section 392 ########## Begin - Joomla! core SEF Section
406 # 393 #
407 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] 394 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
395 #
408 # If the requested path and file is not /index.php and the request 396 # If the requested path and file is not /index.php and the request
409 # has not already been internally rewritten to the index.php script 397 # has not already been internally rewritten to the index.php script
410 RewriteCond %{REQUEST_URI} !^/index.php 398 RewriteCond %{REQUEST_URI} !^/index\.php
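Review bot: Escaping the period in !^/index\.php is right, but the condition is still loose in two ways: it has no terminator, so it also excludes any path that merely begins with /index.php (e.g. /index.phpx), and %{REQUEST_URI} carries the install path, so for a Joomla site in a subdirectory (/site/index.php) it never matches and the rewrite loop is stopped only by the !-f check further down. !^/index\.php(/|$) states the intent more precisely; the -f guard must stay regardless, since it is what actually prevents re-rewriting once the request has become index.php.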
g1smd 2011/04/10 00:00:18 . -> \.
g1smd 2011/04/10 08:44:34 Escape the literal period.
411 # and the request is for the site root, or for an extensionless URL, 399 # and the request is for the site root, or for an extensionless URL,
412 # or the requested URL ends with one of the listed extensions 400 # or the requested URL ends with one of the listed extensions
413 RewriteCond %{REQUEST_URI} (/[^.]*|\.(php|html?|feed|pdf|raw|ini|zip|json|file)) $ [NC] 401 RewriteCond %{REQUEST_URI} (/[^.]*|\.(php|html?|feed|pdf|raw|ini|zip|json|file)) $ [NC]
414 # and the requested path and file doesn't directly match a physical file 402 # and the requested path and file doesn't directly match a physical file
415 RewriteCond %{REQUEST_FILENAME} !-f 403 RewriteCond %{REQUEST_FILENAME} !-f
416 # and the requested path and file doesn't match a physical folder 404 # and the requested path doesn't directly match a physical folder
g1smd 2011/04/10 00:00:18 Folder doesn't match a file.
417 RewriteCond %{REQUEST_FILENAME} !-d 405 RewriteCond %{REQUEST_FILENAME} !-d
418 # internally rewrite the request to the index.php script 406 # internally rewrite the request to the index.php script
419 RewriteRule .* index.php [L] 407 RewriteRule .* index.php [L]
420 # 408 #
421 ########## End - Joomla! core SEF Section 409 ########## End - Joomla! core SEF Section