167 lines
6.5 KiB
Plaintext
167 lines
6.5 KiB
Plaintext
RewriteEngine On
|
|
|
|
# Redirect to no-WWW
|
|
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
|
|
RewriteRule ^(.*)$ http://%1%{REQUEST_URI} [R=301,QSA,NC,L]
|
|
|
|
# Redirect to WWW
|
|
#RewriteCond %{HTTP_HOST} !^www\. [NC]
|
|
#RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
|
|
|
|
# Redirect to HTTPS
|
|
RewriteCond %{HTTP:X-Forwarded-Proto} =http
|
|
RewriteCond %{HTTPS} off
|
|
#RewriteCond %{SERVER_PORT} 80
|
|
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
|
|
|
|
# SPDY protocol
|
|
#Header add Alternate-Protocol "443:npn-spdy/3"
|
|
|
|
# Secure cookies
|
|
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
|
|
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict
|
|
# Apache < 2.2.4
|
|
# Header set Set-Cookie HttpOnly;Secure
|
|
|
|
# Submit domain to https://hstspreload.org/
|
|
Header add Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
|
|
|
|
# XSS-protection
|
|
#Header add X-Frame-Options "SAMEORIGIN"
|
|
#Header add X-Content-Type-Options "nosniff"
|
|
#Header add X-XSS-Protection "1; mode=block"
|
|
#Header add Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.getclicky.com *.placehold.it *.ytimg.com *.googlevideo.com *.youtube.com *.youtu.be *.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com yastatic.net *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com *.windguru.cz; child-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.ytimg.com *.googlevideo.com *.youtu.be *.youtube.com assets.zendesk.com tautt.zendesk.com *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com; object-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.googlevideo.com *.youtube.com *.youtu.be *.cloudflare.com *.ytimg.com *.ggpht.com *.doubleclick.net *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com"
|
|
|
|
|
|
# Hide software headers
|
|
Header unset x-powered-by
|
|
ServerSignature Off
|
|
#ServerTokens Prod
|
|
|
|
<IfModule php5_module>
|
|
php_flag expose_php Off
|
|
</IfModule>
|
|
|
|
<IfModule lsapi_module>
|
|
php_flag expose_php Off
|
|
</IfModule>
|
|
|
|
# Enable Compression
|
|
<IfModule mod_deflate.c>
|
|
AddOutputFilterByType DEFLATE application/javascript
|
|
AddOutputFilterByType DEFLATE application/rss+xml
|
|
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
|
|
AddOutputFilterByType DEFLATE application/x-font
|
|
AddOutputFilterByType DEFLATE application/x-font-opentype
|
|
AddOutputFilterByType DEFLATE application/x-font-otf
|
|
AddOutputFilterByType DEFLATE application/x-font-truetype
|
|
AddOutputFilterByType DEFLATE application/x-font-ttf
|
|
AddOutputFilterByType DEFLATE application/x-javascript
|
|
AddOutputFilterByType DEFLATE application/xhtml+xml
|
|
AddOutputFilterByType DEFLATE application/xml
|
|
AddOutputFilterByType DEFLATE font/opentype
|
|
AddOutputFilterByType DEFLATE font/otf
|
|
AddOutputFilterByType DEFLATE font/ttf
|
|
AddOutputFilterByType DEFLATE image/svg+xml
|
|
AddOutputFilterByType DEFLATE image/x-icon
|
|
AddOutputFilterByType DEFLATE text/css
|
|
AddOutputFilterByType DEFLATE text/html
|
|
AddOutputFilterByType DEFLATE text/javascript
|
|
AddOutputFilterByType DEFLATE text/plain
|
|
</IfModule>
|
|
<IfModule mod_gzip.c>
|
|
mod_gzip_on Yes
|
|
mod_gzip_dechunk Yes
|
|
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
|
|
mod_gzip_item_include handler ^cgi-script$
|
|
mod_gzip_item_include mime ^text/.*
|
|
mod_gzip_item_include mime ^application/x-javascript.*
|
|
mod_gzip_item_exclude mime ^image/.*
|
|
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
|
|
</IfModule>
|
|
|
|
# Leverage Browser Caching
|
|
<IfModule mod_expires.c>
|
|
ExpiresActive On
|
|
ExpiresByType image/jpg "access 1 year"
|
|
ExpiresByType image/jpeg "access 1 year"
|
|
ExpiresByType image/gif "access 1 year"
|
|
ExpiresByType image/png "access 1 year"
|
|
ExpiresByType text/css "access 1 month"
|
|
ExpiresByType text/html "access 1 month"
|
|
ExpiresByType application/pdf "access 1 month"
|
|
ExpiresByType text/x-javascript "access 1 month"
|
|
ExpiresByType application/x-shockwave-flash "access 1 month"
|
|
ExpiresByType image/x-icon "access 1 year"
|
|
ExpiresDefault "access 1 month"
|
|
</IfModule>
|
|
<IfModule mod_headers.c>
|
|
<filesmatch "\.(ico|flv|jpg|jpeg|png|gif|css|swf)$">
|
|
Header set Cache-Control "max-age=2678400, public"
|
|
</filesmatch>
|
|
<filesmatch "\.(html|htm)$">
|
|
Header set Cache-Control "max-age=7200, private, must-revalidate"
|
|
</filesmatch>
|
|
<filesmatch "\.(pdf)$">
|
|
Header set Cache-Control "max-age=86400, public"
|
|
</filesmatch>
|
|
<filesmatch "\.(js)$">
|
|
Header set Cache-Control "max-age=2678400, private"
|
|
</filesmatch>
|
|
</IfModule>
|
|
|
|
### SILVERSTRIPE START ###
|
|
|
|
# Deny access to templates (but allow from localhost)
|
|
<Files *.ss>
|
|
Order deny,allow
|
|
Deny from all
|
|
Allow from 127.0.0.1
|
|
</Files>
|
|
|
|
# Deny access to IIS configuration
|
|
<Files web.config>
|
|
Order deny,allow
|
|
Deny from all
|
|
</Files>
|
|
|
|
# Deny access to YAML configuration files which might include sensitive information
|
|
<Files ~ "\.ya?ml$">
|
|
Order allow,deny
|
|
Deny from all
|
|
</Files>
|
|
|
|
# Route errors to static pages automatically generated by SilverStripe
|
|
ErrorDocument 404 /assets/error-404.html
|
|
ErrorDocument 500 /assets/error-500.html
|
|
|
|
<IfModule mod_rewrite.c>
|
|
|
|
# Turn off index.php handling requests to the homepage fixes issue in apache >=2.4
|
|
<IfModule mod_dir.c>
|
|
DirectoryIndex disabled
|
|
DirectorySlash On
|
|
</IfModule>
|
|
|
|
SetEnv HTTP_MOD_REWRITE On
|
|
RewriteEngine On
|
|
|
|
# Enable HTTP Basic authentication workaround for PHP running in CGI mode
|
|
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
|
|
|
|
# Deny access to potentially sensitive files and folders
|
|
RewriteRule ^vendor(/|$) - [F,L,NC]
|
|
RewriteRule ^\.env - [F,L,NC]
|
|
RewriteRule silverstripe-cache(/|$) - [F,L,NC]
|
|
RewriteRule composer\.(json|lock) - [F,L,NC]
|
|
RewriteRule (error|silverstripe|debug)\.log - [F,L,NC]
|
|
|
|
# Process through SilverStripe if no file with the requested name exists.
|
|
# Pass through the original path as a query parameter, and retain the existing parameters.
|
|
# Try finding framework in the vendor folder first
|
|
RewriteCond %{REQUEST_URI} ^(.*)$
|
|
RewriteCond %{REQUEST_FILENAME} !-f
|
|
RewriteRule .* index.php
|
|
</IfModule>
|
|
### SILVERSTRIPE END ###
|