silverstripe-webpack/public/htaccess-dist
2020-02-08 02:51:42 +07:00

160 lines
6.3 KiB
Plaintext

# Redirect to HTTPS
#RewriteEngine On
#RewriteCond %{HTTPS} off
#RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Redirect to WWW
#RewriteCond %{HTTP_HOST} !^www\. [NC]
#RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# SPDY protocol
#Header add Alternate-Protocol "443:npn-spdy/3"
# Secure cookies
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict
# Apache < 2.2.4
# Header set Set-Cookie HttpOnly;Secure
# Submit domain to https://hstspreload.org/
#Header add Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# XSS-protection
#Header add X-Frame-Options "SAMEORIGIN"
#Header add X-Content-Type-Options "nosniff"
#Header add X-XSS-Protection "1; mode=block"
#Header add Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.getclicky.com *.placehold.it *.ytimg.com *.googlevideo.com *.youtube.com *.youtu.be *.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com yastatic.net *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com *.windguru.cz; child-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.ytimg.com *.googlevideo.com *.youtu.be *.youtube.com assets.zendesk.com tautt.zendesk.com *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com; object-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.googlevideo.com *.youtube.com *.youtu.be *.cloudflare.com *.ytimg.com *.ggpht.com *.doubleclick.net *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com"
# Hide software headers
Header unset x-powered-by
ServerSignature Off
#ServerTokens Prod
<IfModule php5_module>
php_flag expose_php Off
</IfModule>
<IfModule lsapi_module>
php_flag expose_php Off
</IfModule>
# Enable Compression
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
</IfModule>
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
# Leverage Browser Caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>
<IfModule mod_headers.c>
<filesmatch "\.(ico|flv|jpg|jpeg|png|gif|css|swf)$">
Header set Cache-Control "max-age=2678400, public"
</filesmatch>
<filesmatch "\.(html|htm)$">
Header set Cache-Control "max-age=7200, private, must-revalidate"
</filesmatch>
<filesmatch "\.(pdf)$">
Header set Cache-Control "max-age=86400, public"
</filesmatch>
<filesmatch "\.(js)$">
Header set Cache-Control "max-age=2678400, private"
</filesmatch>
</IfModule>
### SILVERSTRIPE START ###
# Deny access to templates (but allow from localhost)
<Files *.ss>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>
# Deny access to IIS configuration
<Files web.config>
Order deny,allow
Deny from all
</Files>
# Deny access to YAML configuration files which might include sensitive information
<Files ~ "\.ya?ml$">
Order allow,deny
Deny from all
</Files>
# Route errors to static pages automatically generated by SilverStripe
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html
<IfModule mod_rewrite.c>
# Turn off index.php handling requests to the homepage fixes issue in apache >=2.4
<IfModule mod_dir.c>
DirectoryIndex disabled
DirectorySlash On
</IfModule>
SetEnv HTTP_MOD_REWRITE On
RewriteEngine On
# Enable HTTP Basic authentication workaround for PHP running in CGI mode
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Deny access to potentially sensitive files and folders
RewriteRule ^vendor(/|$) - [F,L,NC]
RewriteRule ^\.env - [F,L,NC]
RewriteRule silverstripe-cache(/|$) - [F,L,NC]
RewriteRule composer\.(json|lock) - [F,L,NC]
RewriteRule (error|silverstripe|debug)\.log - [F,L,NC]
# Process through SilverStripe if no file with the requested name exists.
# Pass through the original path as a query parameter, and retain the existing parameters.
# Try finding framework in the vendor folder first
RewriteCond %{REQUEST_URI} ^(.*)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php
</IfModule>
### SILVERSTRIPE END ###