Created

Embed URL

HTTPS clone URL

SSH clone URL

You can clone with HTTPS or SSH.

Download Gist

My custom configurations for apache 2.2

View 404.html
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Page Not Found</title>
<style type="text/css" media="screen">
body {
background: #f0f0f0;
font: normal 18px sans-serif;
width: 400px;
margin: 50px auto;
}
h1 {
font-size: 120%;
}
.more-info {
font-size: 80%;
background: white;
padding: 10px 20px;
}
</style>
</head>
<body>
<h1>Are you lost?</h1>
<p>The page you were looking for is somewhere else, or perhaps it does not exist at all.</p>
<p>Try <a href="/">the home page</a> and see if you can get back on track.</p>
<div class="more-info">
<h1>Did you know?</h1>
<p>This is what we in the business call a <b>404 error</b>. Web servers have their own
codes – kinda like police. Your browser usually knows what to do with these codes. <b>404</b> is the http code for "page not found."</p>
<p>There are tons of codes. Most of the time, you get a <b>200</b>, which is not an error. <b>200</b> is the code for "OK."
Anything in the 200 range is usually pretty good.</p>
<p>The <b>300's</b> are when you get redirected to another page automatically.</p>
<p>The <b>400's</b> mean you did something wrong like <b>404 Not Found</b> or <b>401 Unauthorized</b>. <b>418</b> means you reached a <b>teapot</b> instead
of a web server. That's always embarrasing.</p>
<p>Finally, the <b>500's</b> mean the server did something wrong. Those are usually out of your control.</p>
<p><a href="http://en.wikipedia.org/wiki/List_of_HTTP_status_codes">See Wikipedia for more info.</a></p>
</div>
</body>
</html>
View 404.html
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923
ServerName www.example.com
ServerAdmin webmaster@example.com
 
# Uncomment the NameVirtualHost stuff if it's not in your ports.conf
#
# NameVirtualHost *:80
#
# <IfModule mod_ssl.c>
# NameVirtualHost *:443
# </IfModule>
 
 
# # ScriptAlias: This controls which directories contain server scripts.
# # ScriptAliases are essentially the same as Aliases, except that
# # documents in the realname directory are treated as applications and
# # run by the server when requested rather than as documents sent to the client.
# # The same rules about trailing "/" apply to ScriptAlias directives as to
# # Alias.
# #
# ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#
# #
# # "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# # CGI directory exists, if you have that configured.
# #
# <Directory "/var/www/cgi-bin">
# AllowOverride None
# Options None
# Order allow,deny
# Allow from all
# </Directory>
 
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 60
 
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
 
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 200
 
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 3
 
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
StartServers 3
MinSpareServers 2
MaxSpareServers 3
MaxClients 50
MaxRequestsPerChild 0
</IfModule>
 
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod
 
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" iocombined
 
# Protect svn directories
<DirectoryMatch "^/.*/(\.svn|CVS)/">
Order deny,allow
Deny from all
</DirectoryMatch>
 
# For server-wide error pages
Alias /error/ /var/www/errors/
 
<Directory "/var/www/sites">
ErrorDocument 404 /error/404.html
</Directory>
<Directory "/var/www/errors">
AllowOverride All
Options SymLinksIfOwnerMatch
Order allow,deny
Allow from all
AcceptPathInfo On
</Directory>
 
Alias /maintenance "/var/www/maintenance"
 
# AliasMatch (?i)^/(cms|wp-admin|director/index\.php)(.*) /var/www/maintenance/index.html
 
<Directory "/var/www/sites">
 
# ===================================================== #
# The following config settings are taken from #
# the HTML5 Boilerplate template at #
# http://html5boilerplate.com/ #
# ===================================================== #
 
 
# Apache Server Configs v2.8.0 | MIT License
# https://github.com/h5bp/server-configs-apache
 
# (!) Using `.htaccess` files slows down Apache, therefore, if you have access
# to the main server config file (usually called `httpd.conf`), you should add
# this logic there: http://httpd.apache.org/docs/current/howto/htaccess.html.
 
# ##############################################################################
# # CROSS-ORIGIN RESOURCE SHARING (CORS) #
# ##############################################################################
 
# ------------------------------------------------------------------------------
# | Cross-origin requests |
# ------------------------------------------------------------------------------
 
# Allow cross-origin requests.
 
# http://enable-cors.org/
# http://www.w3.org/TR/cors/
# https://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
 
# <IfModule mod_headers.c>
# Header set Access-Control-Allow-Origin "*"
# </IfModule>
 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
# By default allow cross-origin access to web fonts.
 
<IfModule mod_headers.c>
<FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
 
# ------------------------------------------------------------------------------
# | Cross-origin resource timing |
# ------------------------------------------------------------------------------
 
# Allow cross-origin access to the timing information for all resources.
 
# If a resource isn't served with a `Timing-Allow-Origin` header that would
# allow its timing information to be shared with the current document, some of
# the attributes of the `PerformanceResourceTiming` object will be set to zero.
 
# http://www.w3.org/TR/resource-timing/
 
# <IfModule mod_headers.c>
# Header set Timing-Allow-Origin: "*"
# </IfModule>
 
# ------------------------------------------------------------------------------
# | CORS-enabled images |
# ------------------------------------------------------------------------------
 
# Send the CORS header for images when browsers request it.
 
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
# http://hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
 
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
<FilesMatch "\.(cur|gif|ico|jpe?g|png|svgz?|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
 
 
# ##############################################################################
# # ERRORS #
# ##############################################################################
 
# ------------------------------------------------------------------------------
# | 404 error prevention |
# ------------------------------------------------------------------------------
 
# Disable the pattern matching based on filenames.
 
# This setting prevents Apache from returning a 404 error as the result
# of a rewrite when the directory with the same name does not exist.
 
# http://httpd.apache.org/docs/current/content-negotiation.html#multiviews
# http://www.webmasterworld.com/apache/3808792.htm
 
Options -MultiViews
 
# ------------------------------------------------------------------------------
# | Custom error messages / pages |
# ------------------------------------------------------------------------------
 
# Customize what Apache returns to the client in case of an error.
# http://httpd.apache.org/docs/current/mod/core.html#errordocument
 
ErrorDocument 404 /404.html
 
 
# ##############################################################################
# # INTERNET EXPLORER #
# ##############################################################################
 
# ------------------------------------------------------------------------------
# | Better website experience |
# ------------------------------------------------------------------------------
 
# Force Internet Explorer to render pages in the highest available
# mode in the various cases when it may not.
# https://hsivonen.fi/doctype/#ie8
 
<IfModule mod_headers.c>
Header set X-UA-Compatible "IE=edge"
# `mod_headers` cannot match based on the content-type, however, this header
# should be send only for HTML documents and not for the other resources
<FilesMatch "\.(appcache|atom|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcf|vtt|webapp|web[mp]|woff2?|xml|xpi)$">
Header unset X-UA-Compatible
</FilesMatch>
</IfModule>
 
# ------------------------------------------------------------------------------
# | Cookie setting from iframes |
# ------------------------------------------------------------------------------
 
# Allow cookies to be set from iframes in Internet Explorer.
 
# http://msdn.microsoft.com/en-us/library/ms537343.aspx
# http://www.w3.org/TR/2000/CR-P3P-20001215/
 
# <IfModule mod_headers.c>
# Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
# </IfModule>
 
 
# ##############################################################################
# # MEDIA TYPES AND CHARACTER ENCODINGS #
# ##############################################################################
 
# ------------------------------------------------------------------------------
# | Media types |
# ------------------------------------------------------------------------------
 
# Serve resources with the proper media types (formerly known as MIME types).
# http://www.iana.org/assignments/media-types/media-types.xhtml
 
<IfModule mod_mime.c>
 
# Audio
AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
 
# Data interchange
AddType application/json json map topojson
AddType application/ld+json jsonld
AddType application/vnd.geo+json geojson
 
# JavaScript
# Normalize to standard type.
# http://tools.ietf.org/html/rfc4329#section-7.2
AddType application/javascript js
 
# Manifest files
 
# If you are providing a web application manifest file (see the
# specification: http://w3c.github.io/manifest/), it is recommended
# that you serve it with the `application/manifest+json` media type.
#
# Because the web application manifest file doesn't have its own
# unique file extension, you can set its media type either by matching:
#
# 1) the exact location of the file (this can be done using a directive
# such as `<Location>`, but it will NOT work in the `.htaccess` file,
# so you will have to do it in the main server configuration file or
# inside of a `<VirtualHost>` container)
#
# e.g.:
#
# <Location "/.well-known/manifest.json">
# AddType application/manifest+json json
# </Location>
#
# 2) the filename (this can be problematic as you will need to ensure
# that you don't have any other file with the same name as the one
# you gave to your web application manifest file)
#
# e.g.:
#
# <Files "manifest.json">
# AddType application/manifest+json json
# </Files>
 
AddType application/x-web-app-manifest+json webapp
AddType text/cache-manifest appcache manifest
 
# Video
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
 
# Web fonts
AddType application/font-woff woff
AddType application/font-woff2 woff2
AddType application/vnd.ms-fontobject eot
 
# Browsers usually ignore the font media types and simply sniff
# the bytes to figure out the font type.
# http://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
 
# Chrome however, shows a warning if any other media types are used
# for the following two font types.
 
AddType application/x-font-ttf ttc ttf
AddType font/opentype otf
 
AddType image/svg+xml svg svgz
 
# Other
AddType application/octet-stream safariextz
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-xpinstall xpi
AddType application/xml atom rdf rss xml
AddType image/webp webp
AddType image/x-icon cur ico
AddType text/vtt vtt
AddType text/x-component htc
AddType text/x-vcard vcf
 
</IfModule>
 
# ------------------------------------------------------------------------------
# | Character encodings |
# ------------------------------------------------------------------------------
 
# Set `UTF-8` as the character encoding for all resources served with
# the media type of `text/html` or `text/plain`.
AddDefaultCharset utf-8
 
# Set `UTF-8` as the character encoding for other certain resources.
<IfModule mod_mime.c>
AddCharset utf-8 .atom \
.css \
.geojson \
.js \
.json \
.jsonld \
.rdf \
.rss \
.topojson \
.vtt \
.webapp \
.xml
</IfModule>
 
 
# ##############################################################################
# # URL REWRITES #
# ##############################################################################
 
# ------------------------------------------------------------------------------
# | Rewrite engine |
# ------------------------------------------------------------------------------
 
# (1) Turn on the rewrite engine
# (this is necessary in order for the `RewriteRule` directives to work).
# http://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine
#
# (2) Enable the `FollowSymLinks` option if it isn't already.
# http://httpd.apache.org/docs/current/mod/core.html#options
#
# (3) If your web host doesn't allow the `FollowSymlinks` option, you may
# need to comment it out and use `Options +SymLinksIfOwnerMatch`, but
# be aware of the performance impact.
# http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
#
# (4) Some cloud hosting services will also require `RewriteBase` to be set.
# http://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
#
# (5) Depending on how your server is set up, you may need to use the
# `RewriteOptions` directive to enable some options for the rewrite engine.
# http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions
 
<IfModule mod_rewrite.c>
 
# (1)
RewriteEngine On
 
# (2)
Options +FollowSymlinks
 
# (3)
# Options +SymLinksIfOwnerMatch
 
# (4)
# RewriteBase /
 
# (5)
# RewriteOptions <options>
 
</IfModule>
 
# ------------------------------------------------------------------------------
# | Suppressing / Forcing the `www.` at the beginning of URLs |
# ------------------------------------------------------------------------------
 
# The same content should never be available under two different URLs,
# especially not with and without `www.` at the beginning. This can cause
# SEO problems (duplicate content), and therefore, you should choose one
# of the alternatives and redirect the other one.
 
# By default `Option 1` (no `www.`) is activated.
# http://no-www.org/faq.php?q=class_b
 
# If you would prefer to use `Option 2`, just comment out all the lines
# from `Option 1` and uncomment the ones from `Option 2`.
 
# IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
# Option 1: rewrite www.example.com → example.com
 
# <IfModule mod_rewrite.c>
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
# </IfModule>
 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
# Option 2: rewrite example.com → www.example.com
 
# Be aware that the following might not be a good idea if you use "real"
# subdomains for certain parts of your website.
 
# <IfModule mod_rewrite.c>
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteCond %{SERVER_ADDR} !=127.0.0.1
# RewriteCond %{SERVER_ADDR} !=::1
# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# </IfModule>
 
 
# ##############################################################################
# # SECURITY #
# ##############################################################################
 
# ------------------------------------------------------------------------------
# | Clickjacking |
# ------------------------------------------------------------------------------
 
# Protect website against clickjacking.
 
# The example below sends the `X-Frame-Options` response header with the value
# `DENY`, informing browsers not to display the web page content in any frame.
 
# This might not be the best setting for everyone. You should read about the
# other two possible values for `X-Frame-Options`: `SAMEORIGIN` & `ALLOW-FROM`.
# http://tools.ietf.org/html/rfc7034#section-2.1
 
# Keep in mind that while you could send the `X-Frame-Options` header for all
# of your site’s pages, this has the potential downside that it forbids even
# non-malicious framing of your content (e.g.: when users visit your site using
# a Google Image Search results page).
 
# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
# all pages that allow a user to make a state changing operation (e.g: pages
# that contain one-click purchase links, checkout or bank-transfer confirmation
# pages, pages that make permanent configuration changes, etc.).
 
# Sending the `X-Frame-Options` header can also protect your website against
# more than just clickjacking attacks: https://cure53.de/xfo-clickjacking.pdf.
 
# http://tools.ietf.org/html/rfc7034
# http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
# https://www.owasp.org/index.php/Clickjacking
 
# <IfModule mod_headers.c>
# Header set X-Frame-Options "DENY"
# <FilesMatch "\.(appcache|atom|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcf|vtt|webapp|web[mp]|woff2?|xml|xpi)$">
# Header unset X-Frame-Options
# </FilesMatch>
# </IfModule>
 
# ------------------------------------------------------------------------------
# | Content Security Policy (CSP) |
# ------------------------------------------------------------------------------
 
# Mitigate the risk of cross-site scripting and other content-injection attacks.
 
# This can be done by setting a `Content Security Policy` which whitelists
# trusted sources of content for your website.
 
# The example header below allows ONLY scripts that are loaded from the current
# site's origin (no inline scripts, no CDN, etc). This almost certainly won't
# work as-is for your site!
 
# For more details on how to craft a reasonable policy for your site, read:
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/ (or
# the specification: http://www.w3.org/TR/CSP11/). Also, to make things easier,
# you can use an online CSP header generator such as: http://cspisawesome.com/.
 
# <IfModule mod_headers.c>
# Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
# <FilesMatch "\.(appcache|atom|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcf|vtt|webapp|web[mp]|woff2?|xml|xpi)$">
# Header unset Content-Security-Policy
# </FilesMatch>
# </IfModule>
 
# ------------------------------------------------------------------------------
# | File access |
# ------------------------------------------------------------------------------
 
# Block access to directories without a default document.
 
# You should leave the following uncommented, as you shouldn't allow anyone to
# surf through every directory on your server (which may includes rather private
# places such as the CMS's directories).
 
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
# Block access to all hidden files and directories with the exception of the
# visible content from within the `/.well-known/` hidden directory.
 
# These types of files usually contain user preferences or the preserved state
# of an utility, and can include rather private places like, for example, the
# `.git` or `.svn` directories.
 
# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible content
# should not be blocked.
 
# https://www.mnot.net/blog/2010/04/07/well-known
# http://tools.ietf.org/html/rfc5785
 
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule>
 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
# Block access to files that can expose sensitive information.
 
# By default, block access to backup and source files that may be left by some
# text editors and can pose a security risk when anyone has access to them.
# http://feross.org/cmsploit/
 
# IMPORTANT: Update the `<FilesMatch>` regular expression from below to include
# any files that might end up on your production server and can expose sensitive
# information about your website. These files may include: configuration files,
# files that contain metadata about the project (e.g.: project dependencies),
# build scripts, etc..
 
<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">
 
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
 
# Apache ≥ 2.3
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
 
</FilesMatch>
 
# ------------------------------------------------------------------------------
# | Reducing MIME type security risks |
# ------------------------------------------------------------------------------
 
# Prevent some browsers from MIME-sniffing the response.
 
# This reduces exposure to drive-by download attacks and cross-origin data
# leaks, and should be left uncommented, especially if the web server is
# serving user-uploaded content or content that could potentially be treated
# as executable by the browser.
 
# http://www.slideshare.net/hasegawayosuke/owasp-hasegawa
# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
# http://mimesniff.spec.whatwg.org/
 
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
 
# ------------------------------------------------------------------------------
# | Reflected Cross-Site Scripting (XSS) attacks |
# ------------------------------------------------------------------------------
 
# (1) Try to re-enable the Cross-Site Scripting (XSS) filter built into the
# most recent web browsers.
#
# The filter is usually enabled by default, but in some cases it may be
# disabled by the user. However, in Internet Explorer for example, it can
# be re-enabled just by sending the `X-XSS-Protection` header with the
# value of `1`.
#
# (2) Prevent web browsers from rendering the web page if a potential reflected
# (a.k.a non-persistent) XSS attack is detected by the filter.
#
# By default, if the filter is enabled and browsers detect a reflected
# XSS attack, they will attempt to block the attack by making the smallest
# possible modifications to the returned web page.
#
# Unfortunately, in some browsers (e.g.: Internet Explorer), this default
# behavior may allow the XSS filter to be exploited, thereby, it's better
# to tell browsers to prevent the rendering of the page altogether, instead
# of attempting to modify it.
#
# http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
#
# IMPORTANT: Do not rely on the XSS filter to prevent XSS attacks! Ensure that
# you are taking all possible measures to prevent XSS attacks, the most obvious
# being: validating and sanitizing your site's inputs.
#
# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
# http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
 
# <IfModule mod_headers.c>
# # (1) (2)
# Header set X-XSS-Protection "1; mode=block"
# <FilesMatch "\.(appcache|atom|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcf|vtt|webapp|web[mp]|woff2?|xml|xpi)$">
# Header unset X-XSS-Protection
# </FilesMatch>
# </IfModule>
 
# ------------------------------------------------------------------------------
# | Secure Sockets Layer (SSL) |
# ------------------------------------------------------------------------------
 
# Rewrite secure requests properly in order to prevent SSL certificate warnings.
# E.g.: prevent `https://www.example.com` when your certificate only allows
# `https://secure.example.com`.
 
# <IfModule mod_rewrite.c>
# RewriteCond %{SERVER_PORT} !^443
# RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
# </IfModule>
 
# ------------------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS) |
# ------------------------------------------------------------------------------
 
# Force client-side SSL redirection.
 
# If a user types `example.com` in his browser, the above rule will redirect
# him to the secure version of the site. That still leaves a window of
# opportunity (the initial HTTP connection) for an attacker to downgrade or
# redirect the request.
 
# The following header ensures that browser will ONLY connect to your server
# via HTTPS, regardless of what the users type in the address bar.
 
# IMPORTANT: Remove the `includeSubDomains` optional directive if the subdomains
# are not using HTTPS.
 
# http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1
# http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# http://blogs.msdn.com/b/ieinternals/archive/2014/08/18/hsts-strict-transport-security-attacks-mitigations-deployment-https.aspx
 
# <IfModule mod_headers.c>
# Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
# </IfModule>
 
# ------------------------------------------------------------------------------
# | Server software information |
# ------------------------------------------------------------------------------
 
# Avoid displaying the exact Apache version number, the description of the
# generic OS-type and the information about Apache's compiled-in modules.
 
# IMPORTANT: The `ServerTokens` directive will not work in the `.htaccess` file,
# so you will need to add the following in the main server configuration file.
 
# ServerTokens Prod
 
 
# ##############################################################################
# # WEB PERFORMANCE #
# ##############################################################################
 
# ------------------------------------------------------------------------------
# | Compression |
# ------------------------------------------------------------------------------
 
<IfModule mod_deflate.c>
 
# Force compression for mangled headers.
# https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
 
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
# Map certain file types to the specified encoding type in order to
# make Apache serve them with the appropriate `Content-Encoding` HTTP
# response header (this will NOT make Apache compress them!).
 
# If the following file types wouldn't be served without the appropriate
# `Content-Enable` HTTP response header, client applications (e.g.:
# browsers) wouldn't know that they first need to uncompress the response,
# and thus, wouldn't be able to understand the content.
 
# http://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
 
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
 
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
# Compress all output labeled with one of the following media types.
 
# IMPORTANT: For Apache versions below 2.3.7 you don't need to enable
# `mod_filter` and can remove the `<IfModule mod_filter.c>` & `</IfModule>`
# lines as `AddOutputFilterByType` is still in the core directives.
 
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/opentype" \
"image/svg+xml" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vtt" \
"text/x-component" \
"text/xml"
</IfModule>
 
</IfModule>
 
# ------------------------------------------------------------------------------
# | Content transformation |
# ------------------------------------------------------------------------------
 
# Prevent mobile network providers from modifying the website's content.
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5.
 
# <IfModule mod_headers.c>
# Header merge Cache-Control "no-transform"
# </IfModule>
 
# ------------------------------------------------------------------------------
# | ETags |
# ------------------------------------------------------------------------------
 
# Remove `ETags` as resources are sent with far-future expires headers.
# https://developer.yahoo.com/performance/rules.html#etags
 
# `FileETag None` doesn't work in all cases.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
 
FileETag None
 
# ------------------------------------------------------------------------------
# | Expires headers |
# ------------------------------------------------------------------------------
 
# Serve resources with far-future expires headers.
 
# IMPORTANT: If you don't control versioning with filename-based cache
# busting, consider lowering the cache times to something like one week.
 
<IfModule mod_expires.c>
 
ExpiresActive on
ExpiresDefault "access plus 1 month"
 
# CSS
ExpiresByType text/css "access plus 1 year"
 
# Data interchange
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/ld+json "access plus 0 seconds"
ExpiresByType application/schema+json "access plus 0 seconds"
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
 
# Favicon (cannot be renamed!) and cursor images
ExpiresByType image/x-icon "access plus 1 week"
 
# HTML components (HTCs)
ExpiresByType text/x-component "access plus 1 month"
 
# HTML
ExpiresByType text/html "access plus 0 seconds"
 
# JavaScript
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
 
# Manifest files
ExpiresByType application/manifest+json "access plus 1 year"
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
 
# Media
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
 
# Web feeds
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
 
# Web fonts
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
 
</IfModule>
 
# ------------------------------------------------------------------------------
# | Filename-based cache busting |
# ------------------------------------------------------------------------------
 
# If you're not using a build process to manage your filename version revving,
# you might want to consider enabling the following directives to route all
# requests such as `/css/style.12345.css` to `/css/style.css`.
 
# To understand why this is important and a better idea than `*.css?v231`, read:
# http://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
 
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.+)\.(\d{14})\.(js|css|png|jpe?g|gif|swf|ico|cur|svgz?|webp)$ $1.$3 [L]
</IfModule>
 
# ------------------------------------------------------------------------------
# | File concatenation |
# ------------------------------------------------------------------------------
 
# Allow concatenation from within specific files.
 
# e.g.:
#
# If you have the following lines in a file called, for example,
# `main.combined.js`:
#
# <!--#include file="js/jquery.js" -->
# <!--#include file="js/jquery.timer.js" -->
#
# Apache will replace those lines with the content of the specified files.
 
# <IfModule mod_include.c>
#
# <FilesMatch "\.combined\.js$">
# Options +Includes
# AddOutputFilterByType INCLUDES application/javascript text/javascript
# SetOutputFilter INCLUDES
# </FilesMatch>
#
# <FilesMatch "\.combined\.css$">
# Options +Includes
# AddOutputFilterByType INCLUDES text/css
# SetOutputFilter INCLUDES
# </FilesMatch>
#
# </IfModule>
 
</Directory>
View 404.html
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Site down for maintenance.</title>
<style type="text/css" media="screen">
body {
background: #f0f0f0;
font: normal 18px sans-serif;
width: 400px;
margin: 50px auto;
}
h1 {
font-size: 120%;
}
.more-info {
font-size: 80%;
background: white;
padding: 10px 20px;
}
</style>
</head>
<body>
<h1>We are sorry. This site is currently down for maintenance.</h1>
<p>Please check back soon.</p>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.