Index: joomla-master-htaccess.txt |
=================================================================== |
--- joomla-master-htaccess.txt (revision 19) |
+++ joomla-master-htaccess.txt (working copy) |
@@ -1,7 +1,7 @@ |
############################################################################### |
## The Master .htaccess |
## |
-## Version 3.1 - March 29th, 2010 |
g1smd
2011/04/10 00:00:18
2011.
|
+## Version 2.4 (proposed) - April 7th, 2010 |
g1smd
2011/04/10 00:00:18
2011.
|
## |
## ---------- |
## This file is designed to be the template .htaccess file to put on your new |
@@ -45,18 +45,8 @@ |
## Lead Developer, AkeebaBackup.com |
## |
## CHANGELOG: |
-## Version 3.1 (April 5th, 2011) |
-## - Expiration time of static resources adjusted to 1 month instead of 1 year |
-## - GET variables not passed along in the index.php to site root redirection |
-## - Fixed typos |
-## - Alternative for HTTP to HTTPS redirection |
-## - Common exploits protection: Minor changes in comments, combined base64_encode/base64_decode rule |
-## - Bug in query string protection rule |
-## - Back-end & front-end protection optimization |
-## - Fixed the UNION SELECT SQLi rule to actually work against real attacks |
-## - Added comments to Joomla! core SEF section |
-## Version 3.0 (March 28th, 2011) |
-## - Massive rewrite |
+## Version 2.4 (proposed) (April 7th, 2011) |
+## - Dozens of speed optimisations and many logic and syntax corrections. |
## Version 2.3 (November 18th, 2010) |
## - Added .ico to the pass-through rules, for favicons to load |
## Version 2.2 (October 25th, 2010) |
@@ -78,9 +68,9 @@ |
########## End - RewriteEngine enabled |
########## Begin - RewriteBase |
-# Uncomment following line if your webserver's URL |
-# is not directly related to physical file paths. |
-# Update Your Joomla! Directory (just / for root) |
+# Uncomment following line if your webserver's URL |
+# is not directly related to physical file paths. |
+# Update Your Joomla! Directory (just / for root) |
# RewriteBase / |
########## End - RewriteBase |
@@ -106,20 +96,18 @@ |
########## Begin - Optimal default expiration time |
## Note: this might cause problems and you might have to comment it out by |
## placing a hash in front of this section's lines |
-## Note: Some people prefer using "now plus 1 month" instead of "now plus 1 year". |
-## Suit to taste. |
g1smd
2011/04/10 08:44:34
No longer needed.
|
<IfModule mod_expires.c> |
# Enable expiration control |
ExpiresActive On |
# Default expiration: 1 hour after request |
ExpiresDefault "now plus 1 hour" |
- |
+ |
# CSS and JS expiration: 1 week after request |
ExpiresByType text/css "now plus 1 week" |
ExpiresByType application/javascript "now plus 1 week" |
ExpiresByType application/x-javascript "now plus 1 week" |
- |
+ |
# Image files expiration: 1 month after request |
ExpiresByType image/bmp "now plus 1 month" |
ExpiresByType image/gif "now plus 1 month" |
@@ -138,7 +126,7 @@ |
ExpiresByType image/vnd.wap.wbmp "now plus 1 month" |
ExpiresByType application/vnd.wap.wbxml "now plus 1 month" |
ExpiresByType application/smil "now plus 1 month" |
- |
+ |
# Audio files expiration: 1 month after request |
ExpiresByType audio/basic "now plus 1 month" |
ExpiresByType audio/mid "now plus 1 month" |
@@ -148,7 +136,7 @@ |
ExpiresByType audio/x-mpegurl "now plus 1 month" |
ExpiresByType audio/x-pn-realaudio "now plus 1 month" |
ExpiresByType audio/x-wav "now plus 1 month" |
- |
+ |
# Movie files expiration: 1 month after request |
ExpiresByType application/x-shockwave-flash "now plus 1 month" |
ExpiresByType x-world/x-vrml "now plus 1 month" |
@@ -192,19 +180,16 @@ |
########## Begin - Google Apps redirection, by Komra.de |
## Uncomment the following line to enable: |
-# Redirect 301 /mail http://mail.google.com/a/example.com |
-## If the above doesn't work on your server, try this: |
-## RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L] |
+# RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L] |
########## End - Google Apps redirection |
########## Begin - Redirect index.php to / |
-## Note: Change example.com to reflect your own domain |
+## Note: Change example.com to reflect your own domain name |
RewriteCond %{THE_REQUEST} !^POST |
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/ |
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$ |
RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L] |
-# If the above line throws a 500 error, try this instead: |
-# RewriteRule ^index\.php$ http%2://www.example.com/$1 [R,L] |
+# If the above line throws a 500 error, change [R=301,L] to [R,L] |
########## End - Redirect index.php to / |
########## Begin - Redirect non-www to www |
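Review bot: The Google Apps rule kept on the new side, `RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]`, is anchored only at the start, so once uncommented any path that merely begins with "mail" (mailing-list, mail-archive/…) is redirected off-site; with the `Redirect 301 /mail` alternative now removed there is nothing narrower left to fall back on. `RewriteRule ^mail/?$ http://mail.google.com/a/example.com [R=301,L]` limits it to /mail and /mail/. In the index.php redirect below it, `$1` is intentionally empty because `^index\.php$` captures nothing; a short comment saying so (`# $1 is empty here: the target is the site root`) would spare the next reader a search for a missing group.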
@@ -224,12 +209,13 @@ |
## Note: olddomain.com is your old domain name, you want to redirect FROM, |
## whereas www.example.com is the new domain name you want to redirect TO. |
## Change those names to reflect your current configuration. Remember, this |
-## part of the file is supposed to be placed in www.example.com! |
-## Note: Replace [L=301,R] with [L,R] if you get error 500. |
g1smd
2011/04/10 00:00:18
[L=301,R] -> [R=301,L]
|
+## small part of the file is supposed to be placed in olddomain.com! |
+## Note: Replace [R=301,L] with [R,L] if you get error 500. |
## Uncomment the following lines to enable: |
-# RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC] |
g1smd
2011/04/10 00:00:18
Trailing space.
|
+# RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC] |
# RewriteRule (.*) http://www.example.com/$1 [R=301,L] |
-########## End - Redirect olddomain.com to www.domain.com |
+## Note: The above section is only required if you are changing your domain name. |
+########## End - Redirect (www.)olddomain.com to www.example.com |
########## Begin - Force HTTPS for certain pages |
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says. |
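Review bot: The re-indented condition `RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]` has no end anchor, so it also fires for any host that starts with olddomain.com (olddomain.community, olddomain.com.example.net) if such a name ever lands on this vhost, and it never matches when the client sends an explicit port (olddomain.com:8080). `RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com(:[0-9]+)?$ [NC]` matches exactly the two hosts the comment describes. Separately, the new comment `## small part of the file is supposed to be placed in olddomain.com!` reads like a typo for "this part of the file", and since it replaced a line naming www.example.com, the wording should state unambiguously which deployment the block belongs in.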
@@ -242,7 +228,7 @@ |
# RewriteCond %{HTTPS} ^off$ [NC] |
RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L] |
## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L] |
-# Add more rules below this line |
+# Add more rules below this line as required |
########## End - Force HTTPS for certain pages |
########## Begin - Rewrite rules to block out some common exploits |
@@ -251,10 +237,11 @@ |
# |
# If the request query string contains /proc/self/environ (by SigSiu.net) |
RewriteCond %{QUERY_STRING} proc/self/environ [OR] |
-# Legacy variable injection (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin) |
+# Block out any script trying to set a mosConfig value through the URL |
+# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin) |
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] |
-# Block out any script trying to base64_encode/base64_decode stuff to send via URL |
-RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR] |
+# Block out any script trying to base64_encode or base64_decode data within the URL |
+RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR] |
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines: |
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR] |
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR] |
@@ -264,7 +251,7 @@ |
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] |
# Block out any script trying to modify a _REQUEST variable via URL |
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) |
-# Return a 403 Forbidden |
+# Return 403 Forbidden header and show the content of the root homepage |
RewriteRule .* index.php [F] |
# |
########## End - Rewrite rules to block out some common exploits |
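Review bot: The new comment `# Return 403 Forbidden header and show the content of the root homepage` above `RewriteRule .* index.php [F]` describes something mod_rewrite does not do: with the F flag the substitution is ignored and Apache serves its 403 error document, so the homepage is never rendered. Either restore the previous wording or, better, match the other blocking rules in this file with `RewriteRule .* - [F]` and `# Return a 403 Forbidden`. Note also that the rewritten pattern `base64_(en|de)code[^(]*\([^)]*\)` still requires literal parentheses while `%{QUERY_STRING}` is matched undecoded, so `base64_decode%28...%29` passes; the mosConfig rule two lines up already accepts `(=|\%3D)`, and the same `(\(|%28)` treatment would close that gap.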
@@ -272,8 +259,8 @@ |
########## Begin - File injection protection, by SigSiu.net |
RewriteCond %{REQUEST_METHOD} GET |
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] |
-RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.\/{1,2}){1,} [OR] |
-RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]/{1,2}){1,} [NC] |
+RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] |
g1smd
2011/04/10 00:00:18
//? is one or two slashes
|
+RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC] |
g1smd
2011/04/10 00:00:18
//? is one or two slashes
|
RewriteRule .* - [F] |
########## End - File injection protection |
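Review bot: The first condition of this block, `RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]`, is left unchanged while the two path patterns below it are rewritten, so a remote-include attempt using `=https://` is still not caught. `RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https?:// [OR]` covers both schemes at no cost. As with the other query-string rules in this file, `%{QUERY_STRING}` is matched undecoded, so `%2E%2E%2F` traversal sequences slip past `(\.\.//?)+`; a comment stating that this is a first line of defence rather than a filter would set the right expectation.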
@@ -316,14 +303,14 @@ |
# Advanced server protection, version 2.0 - August 2010 |
# by Nicholas K. Dionysopoulos |
-## Referrer filtering for common media files. Replace with your own domain. |
+## Referrer filtering for common media files. Replace with your own domain name. |
## This blocks most common fingerprinting attacks ;) |
-## Note: Change www\.example\.com with your own domain name, substituting the dots with |
-## \., i.e.: www\.example\.com for www.example.com |
-RewriteRule ^images/stories/([^.]+)\.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [L] |
+## Note: Change www\.example\.com with your own domain name, substituting |
+## the dots with \. i.e. use www\.example\.com for www.example.com |
+RewriteRule ^images/stories/[^.]+\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [L] |
RewriteCond %{HTTP_REFERER} . |
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC] |
-RewriteRule \.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [F] |
+RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico|html?)$ - [F] |
## Disallow visual fingerprinting of Joomla! sites (module position dump) |
## Initial idea by Brian Teeman and Ken Crowder, see: |
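Review bot: `RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]` is a prefix test, so a referer of http://www.example.com.attacker.example/ or http://example.community/ satisfies it and the [F] rule below never fires; `!^https?://(www\.)?example\.com(/|:|$)` pins the host. More importantly, the comment `## This blocks most common fingerprinting attacks ;)` overstates the control: Referer is supplied by the client, so any scanner that sets it to the site's own URL walks straight through, and the preceding `RewriteCond %{HTTP_REFERER} .` deliberately lets empty-referer requests through as well. A caveat such as `## Referer is client-controlled: this deters hotlinking and naive scanners, not a deliberate attacker` belongs next to it.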
@@ -338,7 +325,7 @@ |
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine |
## your PHP version). See http://www.0php.com/php_easter_egg.php and |
## http://osvdb.org/12184 for more information |
-RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC] |
+RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC] |
RewriteRule .* - [F] |
## Back-end protection |
@@ -346,7 +333,7 @@ |
RewriteRule ^administrator/?$ - [L] |
RewriteRule ^administrator/index\.(php|html?)$ - [L] |
RewriteRule ^administrator/index[23]\.php$ - [L] |
-RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^.]+)\.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og(g|v)|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] |
+RewriteRule ^administrator/(components|modules|templates|images|plugins)/[^.]+\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] |
RewriteRule ^administrator/ - [F] |
## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory |
@@ -358,23 +345,23 @@ |
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F] |
## Allow limited access for certain Joomla! system directories with client-accessible content |
-RewriteRule ^(components|modules|plugins|templates)/([^.]+)\.(jp(eg|g|2)?|png|gif|bmp|css|js|swf|html?|mp(e|eg|3|4)|avi|wav|og(g|v)|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] |
+RewriteRule ^(components|modules|plugins|templates)/[^.]+\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] |
## Uncomment this line if you have extensions which require direct access to their own |
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed |
## for being so lame, lazy and security unconscious. |
-# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)? - [F] |
g1smd
2011/04/10 00:00:18
[F] should be [L] I think.
|
+# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L] |
g1smd
2011/04/10 00:00:18
Add $.
|
## Uncomment the following line if your template requires direct access to PHP files |
## inside its directory, e.g. GZip compressed copies of its CSS files |
-# RewriteRule ^templates/([^.]+)\.php$ - [L] |
g1smd
2011/05/14 16:32:31
The backreference is not required.
|
+# RewriteRule ^templates/[^.]+\.php$ - [L] |
RewriteRule ^(components|modules|plugins|templates)/ - [F] |
## Disallow rogue scripts in your site's root |
# Exception: Allow Joomla!'s index.php and index2.php files |
RewriteRule ^index2?\.php$ - [L] |
-RewriteRule ^[^/]+\.php$ - [F] |
g1smd
2011/04/10 00:00:18
/ should be .
g1smd
2011/04/10 16:52:50
[^/]+ may well accidentally "consume" the ".php" p
|
+RewriteRule ^[^.]+\.php$ - [F] |
g1smd
2011/04/10 08:44:34
Alternatively:
RewriteRule ^([^/]+/)*[^.]+\.php$ -
g1smd
2011/04/10 16:52:50
Is this meant to be "root only" or what? Perhaps:
|
-## Disallow access to htaccess.txt and configuration.php-dist |
-RewriteRule ^(htaccess\.txt|configuration\.php-dist)$ - [F] |
+## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini |
g1smd
2011/05/14 16:32:31
... and php.ini
|
+RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F] |
g1smd
2011/04/10 00:00:18
Matches several extra filenames to block.
|
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @ |
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html |
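Review bot: The new deny list `RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]` is anchored with `$`, so editor and backup copies of the credentials file (configuration.php~, configuration.php.bak, configuration.php.old) are not matched, and because they do not end in .php the `^[^.]+\.php$` rule just above does not catch them either, so the server hands them out as plain text. `RewriteRule ^(htaccess\.txt|configuration\.php([.-][^/]*|~)?|php\.ini)$ - [F]` covers every suffix variant. The opt-in line `# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]` makes index.php optional, so once enabled it also lets bare directory requests such as components/com_foo/ past the [F] rule that follows; unless that is intended, drop the `?` or pair it with `Options -Indexes`.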
@@ -393,27 +380,28 @@ |
RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR] |
RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR] |
RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR] |
-## Note: The final RewriteCond must NOT use the [OR] flag. |
RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC] |
+## Note: The final RewriteCond must NOT use the [OR] flag. |
RewriteRule .* - [F] |
## Note: The previous lines are a "compressed" version |
## of the filters. You can add your own filters as: |
## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR] |
-## where "badword" is the word you want to exclude |
+## where "badword" is the word you want to exclude. |
########## End - Basic antispam Filter, by SigSiu.net |
########## Begin - Joomla! core SEF Section |
# |
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] |
+# |
# If the requested path and file is not /index.php and the request |
# has not already been internally rewritten to the index.php script |
-RewriteCond %{REQUEST_URI} !^/index.php |
g1smd
2011/04/10 00:00:18
. -> \.
|
+RewriteCond %{REQUEST_URI} !^/index\.php |
g1smd
2011/04/10 08:44:34
Escape the literal period.
|
# and the request is for the site root, or for an extensionless URL, |
# or the requested URL ends with one of the listed extensions |
RewriteCond %{REQUEST_URI} (/[^.]*|\.(php|html?|feed|pdf|raw|ini|zip|json|file))$ [NC] |
# and the requested path and file doesn't directly match a physical file |
RewriteCond %{REQUEST_FILENAME} !-f |
-# and the requested path and file doesn't match a physical folder |
g1smd
2011/04/10 00:00:18
Folder doesn't match a file.
|
+# and the requested path doesn't directly match a physical folder |
RewriteCond %{REQUEST_FILENAME} !-d |
# internally rewrite the request to the index.php script |
RewriteRule .* index.php [L] |
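Review bot: `RewriteCond %{REQUEST_URI} !^/index\.php` (now with the escaped dot) compares against the full request path, so it only recognises a root install; on a site where the RewriteBase note at the top has been followed and Joomla lives in a subdirectory, the condition never excludes that directory's index.php and the rule relies solely on the `!-f` check to avoid rewriting the real script. That still works, but the comment `# If the requested path and file is not /index.php` should say so, e.g. `# (assumes a root install; in a subdirectory the !-f test below does the work)`. Also, the unterminated prefix `^/index\.php` excludes any name that starts that way, such as /index.php2, from the SEF rewrite; `!^/index\.php(/|$)` would keep the exclusion to the script and its PATH_INFO.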