silverstripe-installer/.htaccess

### SILVERSTRIPE START ###

# Deny access to templates (but allow from localhost)
<Files *.ss>
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
</Files>

# Deny access to IIS configuration
<Files web.config>
	Order deny,allow
	Deny from all
</Files>

# Deny access to YAML configuration files which might include sensitive information
<Files ~ "\.ya?ml$">
	Order allow,deny
	Deny from all
</Files>

# Route errors to static pages automatically generated by SilverStripe
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html

<IfModule mod_env.c>
	# Ensure that X-Forwarded-Host is only allowed to determine the request
	# hostname for servers ips defined by SS_TRUSTED_PROXY_IPS in your _ss_environment.php
	# Note that in a future release this setting will be always on.
	SetEnv BlockUntrustedIPs true
</IfModule>

<IfModule mod_rewrite.c>

	# Turn off index.php handling requests to the homepage fixes issue in apache >=2.4
	<IfModule mod_dir.c>
		DirectoryIndex disabled
	</IfModule>

	SetEnv HTTP_MOD_REWRITE On
	RewriteEngine On

	# Enable HTTP Basic authentication workaround for PHP running in CGI mode
	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
	
	# Deny access to potentially sensitive files and folders
	RewriteRule ^vendor(/|$) - [F,L,NC]
	RewriteRule silverstripe-cache(/|$) - [F,L,NC]
	RewriteRule composer\.(json|lock) - [F,L,NC]
	
	# Process through SilverStripe if no file with the requested name exists.
	# Pass through the original path as a query parameter, and retain the existing parameters.
	RewriteCond %{REQUEST_URI} ^(.*)$
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteRule .* framework/main.php?url=%1 [QSA]
	
	# If framework isn't in a subdirectory, rewrite to installer
	RewriteCond %{REQUEST_URI} ^(.*)/framework/main.php$
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteRule . %1/install.php? [R,L]

</IfModule>
### SILVERSTRIPE END ###
ENHANCEMENT Easier installation for IIS based configurations by providing the web.config file out of the box, an inaccessible file on Apache based web servers (from r93255) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/phpinstaller/trunk@112086 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-13 04:22:49 +02:00			`### SILVERSTRIPE START ###`
Improve .htaccess commenting Done alongside improvements of the execution-pipeline.md docs. Installer comment taken from d5723f7b0e1 2014-11-18 20:31:04 +01:00
			`# Deny access to templates (but allow from localhost)`
ENHANCEMENT Easier installation for IIS based configurations by providing the web.config file out of the box, an inaccessible file on Apache based web servers (from r93255) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/phpinstaller/trunk@112086 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-13 04:22:49 +02:00			`<Files *.ss>`
			`Order deny,allow`
			`Deny from all`
			`Allow from 127.0.0.1`
			`</Files>`

Improve .htaccess commenting Done alongside improvements of the execution-pipeline.md docs. Installer comment taken from d5723f7b0e1 2014-11-18 20:31:04 +01:00			`# Deny access to IIS configuration`
ENHANCEMENT Easier installation for IIS based configurations by providing the web.config file out of the box, an inaccessible file on Apache based web servers (from r93255) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/phpinstaller/trunk@112086 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-13 04:22:49 +02:00			`<Files web.config>`
			`Order deny,allow`
			`Deny from all`
			`</Files>`

Improve .htaccess commenting Done alongside improvements of the execution-pipeline.md docs. Installer comment taken from d5723f7b0e1 2014-11-18 20:31:04 +01:00			`# Deny access to YAML configuration files which might include sensitive information`
Block access to .yaml files as well as .yml 2013-07-01 02:59:31 +02:00			`<Files ~ "\.ya?ml$">`
API Block all yaml files by default, to reduce the change of information leakage 2012-12-12 21:02:56 +01:00			`Order allow,deny`
			`Deny from all`
			`</Files>`

Improve .htaccess commenting Done alongside improvements of the execution-pipeline.md docs. Installer comment taken from d5723f7b0e1 2014-11-18 20:31:04 +01:00			`# Route errors to static pages automatically generated by SilverStripe`
ENHANCEMENT ErrorDocument in default .htaccess so Apache serves default 404 and 500 server error pages (from r108663) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/phpinstaller/trunk@112415 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-15 03:18:46 +02:00			`ErrorDocument 404 /assets/error-404.html`
			`ErrorDocument 500 /assets/error-500.html`

Enforce trusted proxy servers 2015-05-25 04:28:27 +02:00			`<IfModule mod_env.c>`
			`# Ensure that X-Forwarded-Host is only allowed to determine the request`
			`# hostname for servers ips defined by SS_TRUSTED_PROXY_IPS in your _ss_environment.php`
			`# Note that in a future release this setting will be always on.`
Ensure BlockUntrustedProxyHeaders is enabled by default 2015-05-29 01:46:47 +02:00			`SetEnv BlockUntrustedIPs true`
Enforce trusted proxy servers 2015-05-25 04:28:27 +02:00			`</IfModule>`

BUGFIX If mod_rewrite isn't enabled on Apache, a 500 server error won't be generated which prevents the installer from opening and telling you there's no rewrite support (from r98887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/phpinstaller/trunk@112108 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-13 04:53:34 +02:00			`<IfModule mod_rewrite.c>`
FIX Requests to root dir circumvent index.php fixes #58 2015-02-16 17:36:23 +01:00
			`# Turn off index.php handling requests to the homepage fixes issue in apache >=2.4`
			`<IfModule mod_dir.c>`
			`DirectoryIndex disabled`
			`</IfModule>`

MINOR Merged r112269 through r113912 from phpinstaller/branches/2.4 git-svn-id: svn://svn.silverstripe.com/silverstripe/open/phpinstaller/trunk@113914 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-11-18 06:08:12 +01:00			`SetEnv HTTP_MOD_REWRITE On`
Improve .htaccess commenting Done alongside improvements of the execution-pipeline.md docs. Installer comment taken from d5723f7b0e1 2014-11-18 20:31:04 +01:00			`RewriteEngine On`
Add rewrite rule to enable Basic auithentication workaround for PHP running in CGI mode See https://github.com/silverstripe/silverstripe-framework/pull/3689 2014-12-08 19:36:46 +01:00
Fix #80 2015-01-20 01:28:05 +01:00			`# Enable HTTP Basic authentication workaround for PHP running in CGI mode`
			`RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`

Improve .htaccess commenting Done alongside improvements of the execution-pipeline.md docs. Installer comment taken from d5723f7b0e1 2014-11-18 20:31:04 +01:00			`# Deny access to potentially sensitive files and folders`
BUGFIX #34 Only block root vendor folder Use RewriteRule instead to take in account any subfolder via RewriteBase. Deny ss-cache and composer via RewriteRule too. Move to RewriteRules 2013-04-20 09:31:47 +02:00			`RewriteRule ^vendor(/\|$) - [F,L,NC]`
			`RewriteRule silverstripe-cache(/\|$) - [F,L,NC]`
			`RewriteRule composer\.(json\|lock) - [F,L,NC]`
Improve .htaccess commenting Done alongside improvements of the execution-pipeline.md docs. Installer comment taken from d5723f7b0e1 2014-11-18 20:31:04 +01:00
			`# Process through SilverStripe if no file with the requested name exists.`
			`# Pass through the original path as a query parameter, and retain the existing parameters.`
BUGFIX If mod_rewrite isn't enabled on Apache, a 500 server error won't be generated which prevents the installer from opening and telling you there's no rewrite support (from r98887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/phpinstaller/trunk@112108 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-13 04:53:34 +02:00			`RewriteCond %{REQUEST_URI} ^(.*)$`
			`RewriteCond %{REQUEST_FILENAME} !-f`
Reverted junk-commits from "Removed .mergesources.yml, not used since the dark SVN days" This partially reverts commit 744605d21a8e58966611a4c774b489657f8097ac. 2012-11-08 21:59:14 +01:00			`RewriteRule .* framework/main.php?url=%1 [QSA]`
Improve .htaccess commenting Done alongside improvements of the execution-pipeline.md docs. Installer comment taken from d5723f7b0e1 2014-11-18 20:31:04 +01:00
			`# If framework isn't in a subdirectory, rewrite to installer`
Reverted junk-commits from "Removed .mergesources.yml, not used since the dark SVN days" This partially reverts commit 744605d21a8e58966611a4c774b489657f8097ac. 2012-11-08 21:59:14 +01:00			`RewriteCond %{REQUEST_URI} ^(.*)/framework/main.php$`
			`RewriteCond %{REQUEST_FILENAME} !-f`
			`RewriteRule . %1/install.php? [R,L]`

BUGFIX If mod_rewrite isn't enabled on Apache, a 500 server error won't be generated which prevents the installer from opening and telling you there's no rewrite support (from r98887) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/phpinstaller/trunk@112108 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-13 04:53:34 +02:00			`</IfModule>`
			`### SILVERSTRIPE END ###`