### SILVERSTRIPE START ###
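# Deny web access to SilverStripe templates (*.ss); only the IPv4 loopback
# address 127.0.0.1 is exempt (::1 is not listed).
# NOTE(review): when Apache runs behind a reverse proxy or load balancer on the
# same host, requests may arrive with source address 127.0.0.1 unless the real
# client address is restored, and the exemption would then cover every client.
# Remove the loopback exemption in such a deployment.
<Files *.ss>
    # Apache 2.4+: native authorization. Order/Deny/Allow exist there only when
    # mod_access_compat is loaded. Require in .htaccess needs AllowOverride AuthConfig.
    <IfModule mod_authz_core.c>
        Require ip 127.0.0.1
    </IfModule>
    # Apache 2.2: legacy host-based access control (needs AllowOverride Limit).
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </IfModule>
</Files>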
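# Deny all web access to the IIS configuration file (web.config).
<Files web.config>
    # Apache 2.4+: native authorization. Order/Deny exist there only when
    # mod_access_compat is loaded. Require in .htaccess needs AllowOverride AuthConfig.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy host-based access control (needs AllowOverride Limit).
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>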
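# Deny all web access to YAML configuration files (*.yml, *.yaml), which might
# include sensitive information.
<Files ~ "\.ya?ml$">
    # Apache 2.4+: native authorization. Order/Deny exist there only when
    # mod_access_compat is loaded. Require in .htaccess needs AllowOverride AuthConfig.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy host-based access control (needs AllowOverride Limit).
    # "Order allow,deny" rejects any request that no Allow directive matches.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>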
# Serve the static error pages that SilverStripe generates automatically
# under /assets for 404 and 500 responses.
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html
<IfModule mod_env.c>
    # Let X-Forwarded-Host determine the request hostname only when the request
    # comes from a server IP listed in SS_TRUSTED_PROXY_IPS (defined in your
    # _ss_environment.php).
    # Note that in a future release this setting will always be on.
    # NOTE(review): the variable is exported only when mod_env is loaded; confirm
    # how the application treats X-Forwarded-Host when it is absent.
    SetEnv BlockUntrustedIPs true
</IfModule>
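<IfModule mod_rewrite.c>

    # Turn off index.php handling of requests to the homepage; fixes an issue in Apache >= 2.4
    <IfModule mod_dir.c>
        DirectoryIndex disabled
        DirectorySlash Off
    </IfModule>

    SetEnv HTTP_MOD_REWRITE On
    RewriteEngine On

    # HTTP Basic authentication workaround for PHP running in CGI mode: copy the
    # Authorization request header into the HTTP_AUTHORIZATION environment variable.
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Deny access to potentially sensitive files and folders (403, case-insensitive).
    # This is a deny-list: only the paths matched here are blocked. The .env and
    # vendor patterns are anchored to the start of the path, so they cover those
    # names only at the top level of this directory.
    RewriteRule ^\.env - [F,L,NC]
    RewriteRule ^vendor(/|$) - [F,L,NC]
    RewriteRule silverstripe-cache(/|$) - [F,L,NC]
    RewriteRule composer\.(json|lock) - [F,L,NC]

    # Process through SilverStripe if no file with the requested name exists.
    # Pass through the original path as a query parameter, and retain the existing parameters.
    # Because of the !-f condition, a request for an existing file is not rewritten
    # here, so a file not matched by the deny rules or <Files> blocks of this
    # .htaccess is left for Apache to handle directly.
    RewriteCond %{REQUEST_URI} ^(.*)$
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule .* framework/main.php?url=%1 [QSA]

    # If framework isn't in a subdirectory, redirect to the installer.
    # The dot in "main\.php" is escaped so it matches a literal dot only.
    RewriteCond %{REQUEST_URI} ^(.*)/framework/main\.php$
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule . %1/install.php? [R,L]

</IfModule>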
### SILVERSTRIPE END ###