Rietveld Code Review Tool

Unified Diff: joomla-master-htaccess.txt

Issue 4370051: Joomla master .htaccess - differences 2.4.4 - 3.1.l (r) Base URL: http://joomla-master-htaccess.googlecode.com/svn/trunk/
Patch Set: Joomla master .htaccess - differences 3.1.12 - 2.4.4 Created 12 years, 11 months ago
Index: joomla-master-htaccess.txt
===================================================================
--- joomla-master-htaccess.txt (revision 19)
+++ joomla-master-htaccess.txt (working copy)
@@ -1,7 +1,7 @@
###############################################################################
## The Master .htaccess
##
-## Version 3.1 - March 29th, 2010
g1smd 2011/04/10 00:00:18 2011.
+## Version 2.4 (proposed) - April 7th, 2010
g1smd 2011/04/10 00:00:18 2011.
##
## ----------
## This file is designed to be the template .htaccess file to put on your new
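Review bot: the new header line dates Version 2.4 (proposed) as "April 7th, 2010", but the CHANGELOG entry for the same version (next hunk) says "April 7th, 2011", and the replaced 3.1 header has the same 2010-versus-2011 mismatch against its own changelog entry; make the header read "April 7th, 2011" so the two agree (g1smd's "2011." comments point at the same thing).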
@@ -45,18 +45,8 @@
## Lead Developer, AkeebaBackup.com
##
## CHANGELOG:
-## Version 3.1 (April 5th, 2011)
-## - Expiration time of static resources adjusted to 1 month instead of 1 year
-## - GET variables not passed along in the index.php to site root redirection
-## - Fixed typos
-## - Alternative for HTTP to HTTPS redirection
-## - Common exploits protection: Minor changes in comments, combined base64_encode/base64_decode rule
-## - Bug in query string protection rule
-## - Back-end & front-end protection optimization
-## - Fixed the UNION SELECT SQLi rule to actually work against real attacks
-## - Added comments to Joomla! core SEF section
-## Version 3.0 (March 28th, 2011)
-## - Massive rewrite
+## Version 2.4 (proposed) (April 7th, 2011)
+## - Dozens of speed optimisations and many logic and syntax corrections.
## Version 2.3 (November 18th, 2010)
## - Added .ico to the pass-through rules, for favicons to load
## Version 2.2 (October 25th, 2010)
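Review bot: the single new changelog line "Dozens of speed optimisations and many logic and syntax corrections" records none of the behavioural changes this patch makes (the [F] to [L] change on the extension index.php exception, the root-PHP pattern change from [^/]+ to [^.]+, the new configuration.php and php.ini block, the reworded 403 comment), and dropping the 3.0 and 3.1 entries also removes the record that the UNION SELECT SQLi rule was fixed; keep those entries and list the rule changes individually so a site owner can tell what changed between versions.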
@@ -78,9 +68,9 @@
########## End - RewriteEngine enabled
########## Begin - RewriteBase
-# Uncomment following line if your webserver's URL
-# is not directly related to physical file paths.
-# Update Your Joomla! Directory (just / for root)
+# Uncomment following line if your webserver's URL
+# is not directly related to physical file paths.
+# Update Your Joomla! Directory (just / for root)
# RewriteBase /
########## End - RewriteBase
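Review bot: the three RewriteBase comment lines are removed and re-added with identical text, so this hunk is a whitespace-only change (trailing space, judging by g1smd's later "Trailing space." comment); harmless, but say so in the commit message so reviewers do not hunt for a content difference.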
@@ -106,20 +96,18 @@
########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
-## Note: Some people prefer using "now plus 1 month" instead of "now plus 1 year".
-## Suit to taste.
g1smd 2011/04/10 08:44:34 No longer needed.
<IfModule mod_expires.c>
# Enable expiration control
ExpiresActive On
# Default expiration: 1 hour after request
ExpiresDefault "now plus 1 hour"
-
+
# CSS and JS expiration: 1 week after request
ExpiresByType text/css "now plus 1 week"
ExpiresByType application/javascript "now plus 1 week"
ExpiresByType application/x-javascript "now plus 1 week"
-
+
# Image files expiration: 1 month after request
ExpiresByType image/bmp "now plus 1 month"
ExpiresByType image/gif "now plus 1 month"
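Review bot: removing the "1 month instead of 1 year" note is right now that every ExpiresByType line uses "now plus 1 month", but ExpiresDefault "now plus 1 hour" still applies to every type not listed, including the text/html pages Joomla generates unless the script emits its own Expires header; back-end and logged-in pages should not be cacheable by intermediaries for an hour, so add an explicit ExpiresByType text/html line (for example "access plus 0 seconds") or spell out this risk next to the existing "this might cause problems" note. The remaining changes in this hunk are blank-line whitespace only.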
@@ -138,7 +126,7 @@
ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
ExpiresByType application/smil "now plus 1 month"
-
+
# Audio files expiration: 1 month after request
ExpiresByType audio/basic "now plus 1 month"
ExpiresByType audio/mid "now plus 1 month"
@@ -148,7 +136,7 @@
ExpiresByType audio/x-mpegurl "now plus 1 month"
ExpiresByType audio/x-pn-realaudio "now plus 1 month"
ExpiresByType audio/x-wav "now plus 1 month"
-
+
# Movie files expiration: 1 month after request
ExpiresByType application/x-shockwave-flash "now plus 1 month"
ExpiresByType x-world/x-vrml "now plus 1 month"
@@ -192,19 +180,16 @@
########## Begin - Google Apps redirection, by Komra.de
## Uncomment the following line to enable:
-# Redirect 301 /mail http://mail.google.com/a/example.com
-## If the above doesn't work on your server, try this:
-## RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
+# RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
########## End - Google Apps redirection
########## Begin - Redirect index.php to /
-## Note: Change example.com to reflect your own domain
+## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L]
-# If the above line throws a 500 error, try this instead:
-# RewriteRule ^index\.php$ http%2://www.example.com/$1 [R,L]
+# If the above line throws a 500 error, change [R=301,L] to [R,L]
########## End - Redirect index.php to /
########## Begin - Redirect non-www to www
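Review bot: the rewrite target http%2://www.example.com/$1 uses $1, but the pattern ^index\.php$ has no capture group, so $1 always expands to an empty string; drop it (the target is simply http%2://www.example.com/) so readers do not look for a backreference that does not exist. The %2 backreference to the (s) group of the SERVER_PORT condition is correct, and the "change [R=301,L] to [R,L]" wording is clearer than the old duplicated rule.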
@@ -224,12 +209,13 @@
## Note: olddomain.com is your old domain name, you want to redirect FROM,
## whereas www.example.com is the new domain name you want to redirect TO.
## Change those names to reflect your current configuration. Remember, this
-## part of the file is supposed to be placed in www.example.com!
-## Note: Replace [L=301,R] with [L,R] if you get error 500.
g1smd 2011/04/10 00:00:18 [L=301,R] -> [R=301,L]
+## small part of the file is supposed to be placed in olddomain.com!
+## Note: Replace [R=301,L] with [R,L] if you get error 500.
## Uncomment the following lines to enable:
-# RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
g1smd 2011/04/10 00:00:18 Trailing space.
+# RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
# RewriteRule (.*) http://www.example.com/$1 [R=301,L]
-########## End - Redirect olddomain.com to www.domain.com
+## Note: The above section is only required if you are changing your domain name.
+########## End - Redirect (www.)olddomain.com to www.example.com
########## Begin - Force HTTPS for certain pages
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
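Review bot: the corrected note ("placed in olddomain.com") is right, since the RewriteCond tests HTTP_HOST against olddomain.com; but the target http://www.example.com/$1 hard-codes plain HTTP, so a request that reached olddomain.com over HTTPS is downgraded by the redirect, and ^(www\.)?olddomain\.com is not anchored at the end, so any host name that merely begins with olddomain.com is redirected as well. Suggest anchoring the host with $ and, if www.example.com serves HTTPS, redirecting to https:// (or reusing the SERVER_PORT>s trick from the index.php section above).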
@@ -242,7 +228,7 @@
# RewriteCond %{HTTPS} ^off$ [NC]
RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L]
## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L]
-# Add more rules below this line
+# Add more rules below this line as required
########## End - Force HTTPS for certain pages
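Review bot: the only scheme check visible in this hunk, "# RewriteCond %{HTTPS} ^off$ [NC]", is commented out, so unless a preceding condition outside the hunk tests the scheme or port, the RewriteRule for foobar.html also fires for requests that already arrive over HTTPS and produces a redirect loop; confirm the guard is active, and extend the "Add more rules below this line as required" comment to say that each added RewriteRule needs its own RewriteCond, because conditions apply only to the rule that immediately follows them.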
########## Begin - Rewrite rules to block out some common exploits
@@ -251,10 +237,11 @@
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
-# Legacy variable injection (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
+# Block out any script trying to set a mosConfig value through the URL
+# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
-# Block out any script trying to base64_encode/base64_decode stuff to send via URL
-RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR]
+# Block out any script trying to base64_encode or base64_decode data within the URL
+RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
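Review bot: the new pattern base64_(en|de)code[^(]*\([^)]*\) is fine, but the fallback in the IMPORTANT comment two lines below still uses the old form base64_encode\(.*\) and base64_decode\(.*\); update those two commented lines to the same [^(]*\([^)]*\) shape so that "replace it with these 2 lines" yields equivalent matching rather than silently reverting to the old behaviour.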
@@ -264,7 +251,7 @@
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
-# Return a 403 Forbidden
+# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits
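Review bot: the new comment "Return 403 Forbidden header and show the content of the root homepage" is inaccurate: with the [F] flag mod_rewrite ignores the substitution (index.php here) and returns Apache's own 403 response, so the homepage is not served. Either revert to "Return a 403 Forbidden" and write the rule as "RewriteRule .* - [F]" like the other blocks in this file, or, if a custom forbidden page is wanted, configure it with an ErrorDocument 403 directive.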
@@ -272,8 +259,8 @@
########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
-RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.\/{1,2}){1,} [OR]
-RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]/{1,2}){1,} [NC]
+RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
g1smd 2011/04/10 00:00:18 //? is one or two slashes
+RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
g1smd 2011/04/10 00:00:18 //? is one or two slashes
RewriteRule .* - [F]
########## End - File injection protection
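Review bot: the rewrite to (\.\.//?)+ is equivalent to the old (\.\.\/{1,2}){1,}, as g1smd notes, but in the second condition the directory segment is still matched by a single [a-z0-9_.] character with no quantifier (carried over from the original /([a-z0-9_.]/{1,2}){1,}), so only one-character directory names ever match; if whole path segments were intended, the class needs a + ([a-z0-9_.]+//?). Worth fixing in the same pass since the line is being touched anyway.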
@@ -316,14 +303,14 @@
# Advanced server protection, version 2.0 - August 2010
# by Nicholas K. Dionysopoulos
-## Referrer filtering for common media files. Replace with your own domain.
+## Referrer filtering for common media files. Replace with your own domain name.
## This blocks most common fingerprinting attacks ;)
-## Note: Change www\.example\.com with your own domain name, substituting the dots with
-## \., i.e.: www\.example\.com for www.example.com
-RewriteRule ^images/stories/([^.]+)\.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [L]
+## Note: Change www\.example\.com with your own domain name, substituting
+## the dots with \. i.e. use www\.example\.com for www.example.com
+RewriteRule ^images/stories/[^.]+\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [L]
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
-RewriteRule \.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [F]
+RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [F]
## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
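Review bot: the reworded Note still tells the administrator to put www\.example\.com into the rule, but the RewriteCond actually reads !^https?://(www\.)?example\.com [NC], so the instructions and the pattern disagree; reword the note to name the condition to edit and to say the optional (www\.)? prefix should be kept. Consider also anchoring the host with (/|$) so that only example.com itself, and not any referrer host that begins with it, is treated as a permitted referrer.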
@@ -338,7 +325,7 @@
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
-RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC]
+RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
## Back-end protection
@@ -346,7 +333,7 @@
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
-RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^.]+)\.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og(g|v)|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
+RewriteRule ^administrator/(components|modules|templates|images|plugins)/[^.]+\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
RewriteRule ^administrator/ - [F]
## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
@@ -358,23 +345,23 @@
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]
## Allow limited access for certain Joomla! system directories with client-accessible content
-RewriteRule ^(components|modules|plugins|templates)/([^.]+)\.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|html?|mp(e|eg|3|4)|avi|wav|og(g|v)|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
+RewriteRule ^(components|modules|plugins|templates)/[^.]+\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
## Uncomment this line if you have extensions which require direct access to their own
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
## for being so lame, lazy and security unconscious.
-# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)? - [F]
g1smd 2011/04/10 00:00:18 [F] should be [L] I think.
+# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
g1smd 2011/04/10 00:00:18 Add $.
## Uncomment the following line if your template requires direct access to PHP files
## inside its directory, e.g. GZip compressed copies of its CSS files
-# RewriteRule ^templates/([^.]+)\.php$ - [L]
g1smd 2011/05/14 16:32:31 The backreference is not required.
+# RewriteRule ^templates/[^.]+\.php$ - [L]
RewriteRule ^(components|modules|plugins|templates)/ - [F]
## Disallow rogue scripts in your site's root
# Exception: Allow Joomla!'s index.php and index2.php files
RewriteRule ^index2?\.php$ - [L]
-RewriteRule ^[^/]+\.php$ - [F]
g1smd 2011/04/10 00:00:18 / should be .
g1smd 2011/04/10 16:52:50 [^/]+ may well accidentally "consume" the ".php" p
+RewriteRule ^[^.]+\.php$ - [F]
g1smd 2011/04/10 08:44:34 Alternatively: RewriteRule ^([^/]+/)*[^.]+\.php$ -
g1smd 2011/04/10 16:52:50 Is this meant to be "root only" or what? Perhaps:
-## Disallow access to htaccess.txt and configuration.php-dist
-RewriteRule ^(htaccess\.txt|configuration\.php-dist)$ - [F]
+## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
g1smd 2011/05/14 16:32:31 ... and php.ini
+RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]
g1smd 2011/04/10 00:00:18 Matches several extra filenames to block.
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
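Review bot: changing the root-PHP block from ^[^/]+\.php$ to ^[^.]+\.php$ alters what is blocked rather than fixing a bug: the regex engine backtracks, so [^/]+ does not "consume" the .php in ^[^/]+\.php$ (test.php still matches), whereas [^.]+ stops at the first dot, so a root file such as foo.bar.php is no longer matched while paths containing slashes now are. If the rule is meant to be root-only, keep ^[^/]+\.php$; if it is meant to cover any depth, use ^([^/]+/)*[^/]+\.php$. The [F] to [L] change on the extension index.php exception and the added $ are right, and extending the block to configuration.php and php.ini is a good addition.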
@@ -393,27 +380,28 @@
RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]
-## Note: The final RewriteCond must NOT use the [OR] flag.
RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC]
+## Note: The final RewriteCond must NOT use the [OR] flag.
RewriteRule .* - [F]
## Note: The previous lines are a "compressed" version
## of the filters. You can add your own filters as:
## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
-## where "badword" is the word you want to exclude
+## where "badword" is the word you want to exclude.
########## End - Basic antispam Filter, by SigSiu.net
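Review bot: moving the "final RewriteCond must NOT use the [OR] flag" note below the condition it refers to makes it read as a comment on the RewriteRule; keep it immediately above the last RewriteCond, which is the line a user extending the word list is most likely to copy and paste.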
########## Begin - Joomla! core SEF Section
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
-RewriteCond %{REQUEST_URI} !^/index.php
g1smd 2011/04/10 00:00:18 . -> \.
+RewriteCond %{REQUEST_URI} !^/index\.php
g1smd 2011/04/10 08:44:34 Escape the literal period.
# and the request is for the site root, or for an extensionless URL,
# or the requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} (/[^.]*|\.(php|html?|feed|pdf|raw|ini|zip|json|file))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
-# and the requested path and file doesn't match a physical folder
g1smd 2011/04/10 00:00:18 Folder doesn't match a file.
+# and the requested path doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
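Review bot: escaping the dot in !^/index\.php is correct, but the comment should say that the condition assumes a root install: REQUEST_URI is the full path from the server root, so when Joomla lives in a sub-directory (RewriteBase /subdir/) the /index.php prefix never matches and the exclusion is silently inactive. The request is still caught by the !-f check because index.php exists as a file, so nothing breaks, but anyone editing this block should know which condition is actually doing the work.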