Last active
August 10, 2018 03:37
-
-
Save reillo/9030038e854ffa49d83e423415c7acf4 to your computer and use it in GitHub Desktop.
.htaccess (Magento)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################ | |
| ## uncomment these lines for CGI mode | |
| ## make sure to specify the correct cgi php binary file name | |
| ## it might be /cgi-bin/php-cgi | |
| # Action php5-cgi /cgi-bin/php5-cgi | |
| # AddHandler php5-cgi .php | |
| ############################################ | |
| ## GoDaddy specific options | |
| # Options -MultiViews | |
| ## you might also need to add this line to php.ini | |
| ## cgi.fix_pathinfo = 1 | |
| ## if it still doesn't work, rename php.ini to php5.ini | |
| ############################################ | |
| ## this line is specific for 1and1 hosting | |
| #AddType x-mapp-php5 .php | |
| #AddHandler x-mapp-php5 .php | |
| ############################################ | |
| ## default index file | |
| DirectoryIndex index.php | |
| <IfModule mod_php5.c> | |
| ############################################ | |
| ## adjust memory limit | |
| php_value memory_limit 512M | |
| php_value max_execution_time 18000 | |
| ############################################ | |
| ## disable magic quotes for php request vars | |
| php_flag magic_quotes_gpc off | |
| ############################################ | |
| ## disable automatic session start | |
| ## before autoload was initialized | |
| php_flag session.auto_start off | |
| ############################################ | |
| ## enable resulting html compression | |
| #php_flag zlib.output_compression on | |
| ########################################### | |
| # disable user agent verification to not break multiple image upload | |
| php_flag suhosin.session.cryptua off | |
| ########################################### | |
| # turn off compatibility with PHP4 when dealing with objects | |
| php_flag zend.ze1_compatibility_mode Off | |
| </IfModule> | |
| <IfModule mod_security.c> | |
| ########################################### | |
| # disable POST processing to not break multiple image upload | |
| SecFilterEngine Off | |
| SecFilterScanPOST Off | |
| </IfModule> | |
| <IfModule mod_deflate.c> | |
| ############################################ | |
| ## enable apache served files compression | |
| ## http://developer.yahoo.com/performance/rules.html#gzip | |
| # Insert filter on all content | |
| ###SetOutputFilter DEFLATE | |
| # Insert filter on selected content types only | |
| #AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript | |
| # Netscape 4.x has some problems... | |
| #BrowserMatch ^Mozilla/4 gzip-only-text/html | |
| # Netscape 4.06-4.08 have some more problems | |
| #BrowserMatch ^Mozilla/4\.0[678] no-gzip | |
| # MSIE masquerades as Netscape, but it is fine | |
| #BrowserMatch \bMSIE !no-gzip !gzip-only-text/html | |
| # Don't compress images | |
| #SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary | |
| # Make sure proxies don't deliver the wrong content | |
| #Header append Vary User-Agent env=!dont-vary | |
| </IfModule> | |
| <IfModule mod_ssl.c> | |
| ############################################ | |
| ## make HTTPS env vars available for CGI mode | |
| SSLOptions StdEnvVars | |
| </IfModule> | |
| <IfModule mod_rewrite.c> | |
| ############################################ | |
| ## enable rewrites | |
| Options +FollowSymLinks | |
| RewriteEngine on | |
| ############################################ | |
| ## you can put here your magento root folder | |
| ## path relative to web root | |
| #RewriteBase /magento/ | |
| ############################################ | |
| ## workaround for HTTP authorization | |
| ## in CGI environment | |
| RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] | |
| ############################################ | |
| ## always send 404 on missing files in these folders | |
| RewriteCond %{REQUEST_URI} !^/(media|skin|js)/ | |
| ############################################ | |
| ## never rewrite for existing files, directories and links | |
| RewriteCond %{REQUEST_FILENAME} !-f | |
| RewriteCond %{REQUEST_FILENAME} !-d | |
| RewriteCond %{REQUEST_FILENAME} !-l | |
| ############################################ | |
| ## rewrite everything else to index.php | |
| RewriteRule .* index.php [L] | |
| </IfModule> | |
| ############################################ | |
| ## Prevent character encoding issues from server overrides | |
| ## If you still have problems, use the second line instead | |
| AddDefaultCharset Off | |
| #AddDefaultCharset UTF-8 | |
| <IfModule mod_expires.c> | |
| ############################################ | |
| ## Add default Expires header | |
| ## http://developer.yahoo.com/performance/rules.html#expires | |
| ExpiresDefault "access plus 1 year" | |
| </IfModule> | |
| ############################################ | |
| ## By default allow all access | |
| Order allow,deny | |
| Allow from all | |
| ############################################ | |
| ## If running in cluster environment, uncomment this | |
| ## http://developer.yahoo.com/performance/rules.html#etags | |
| #FileETag none | |
| ########################################### | |
| ## Deny access to cron.php | |
| <Files cron.php> | |
| ############################################ | |
| ## uncomment next lines to enable cron access with base HTTP authorization | |
| ## http://httpd.apache.org/docs/2.2/howto/auth.html | |
| ## | |
| ## Warning: .htpasswd file should be placed somewhere not accessible from the web. | |
| ## This is so that folks cannot download the password file. | |
| ## For example, if your documents are served out of /usr/local/apache/htdocs | |
| ## you might want to put the password file(s) in /usr/local/apache/. | |
| #AuthName "Cron auth" | |
| #AuthUserFile ../.htpasswd | |
| #AuthType basic | |
| #Require valid-user | |
| ############################################ | |
| Order allow,deny | |
| Deny from all | |
| </Files> | |
| # ###################################################################### | |
| # # REWRITES # | |
| # ###################################################################### | |
| # ---------------------------------------------------------------------- | |
| # | Rewrite engine | | |
| # ---------------------------------------------------------------------- | |
| # (1) Turn on the rewrite engine (this is necessary in order for | |
| # the `RewriteRule` directives to work). | |
| # | |
| # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine | |
| # | |
| # (2) Enable the `FollowSymLinks` option if it isn't already. | |
| # | |
| # https://httpd.apache.org/docs/current/mod/core.html#options | |
| # | |
| # (3) If your web host doesn't allow the `FollowSymlinks` option, | |
| # you need to comment it out or remove it, and then uncomment | |
| # the `Options +SymLinksIfOwnerMatch` line (4), but be aware | |
| # of the performance impact. | |
| # | |
| # https://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks | |
| # | |
| # (4) Some cloud hosting services will require you set `RewriteBase`. | |
| # | |
| # https://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site | |
| # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase | |
| # | |
| # (5) Depending on how your server is set up, you may also need to | |
| # use the `RewriteOptions` directive to enable some options for | |
| # the rewrite engine. | |
| # | |
| # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions | |
| # | |
| # (6) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the | |
| # appropriate schema automatically (http or https). | |
| <IfModule mod_rewrite.c> | |
| # (1) | |
| RewriteEngine On | |
| # (2) | |
| Options +FollowSymlinks | |
| # (3) | |
| # Options +SymLinksIfOwnerMatch | |
| # (4) | |
| # RewriteBase / | |
| # (5) | |
| # RewriteOptions <options> | |
| # (6) | |
| RewriteCond %{HTTPS} =on | |
| RewriteRule ^ - [env=proto:https] | |
| RewriteCond %{HTTPS} !=on | |
| RewriteRule ^ - [env=proto:http] | |
| </IfModule> | |
| # ---------------------------------------------------------------------- | |
| # | Suppressing / Forcing the `www.` at the beginning of URLs | | |
| # ---------------------------------------------------------------------- | |
| # The same content should never be available under two different | |
| # URLs, especially not with and without `www.` at the beginning. | |
| # This can cause SEO problems (duplicate content), and therefore, | |
| # you should choose one of the alternatives and redirect the other | |
| # one. | |
| # | |
| # By default `Option 1` (no `www.`) is activated. | |
| # http://no-www.org/faq.php?q=class_b | |
| # | |
| # If you would prefer to use `Option 2`, just comment out all the | |
| # lines from `Option 1` and uncomment the ones from `Option 2`. | |
| # | |
| # (!) NEVER USE BOTH RULES AT THE SAME TIME! | |
| # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| # Option 1: rewrite www.example.com → example.com | |
| # <IfModule mod_rewrite.c> | |
| # RewriteEngine On | |
| # RewriteCond %{HTTPS} !=on | |
| # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] | |
| # RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L] | |
| # </IfModule> | |
| # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| # Option 2: rewrite example.com → www.example.com | |
| # | |
| # Be aware that the following might not be a good idea if you use "real" | |
| # subdomains for certain parts of your website. | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteCond %{HTTP_HOST} !^www\. [NC] | |
| RewriteCond %{SERVER_ADDR} !=127.0.0.1 | |
| RewriteCond %{SERVER_ADDR} !=::1 | |
| RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=302,L] | |
| </IfModule> | |
| # ---------------------------------------------------------------------- | |
| # | Forcing `https://` | | |
| # ---------------------------------------------------------------------- | |
| # Redirect from the `http://` to the `https://` version of the URL. | |
| # https://wiki.apache.org/httpd/RewriteHTTPToHTTPS | |
| # Note, if you're testing, I recommend to use 302 instead of 301 | |
| #<IfModule mod_rewrite.c> | |
| # RewriteEngine On | |
| # RewriteCond %{HTTPS} !=on | |
| # RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC] | |
| # RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=302,L] | |
| #</IfModule> | |
| # ###################################################################### | |
| # # WEB PERFORMANCE # | |
| # ###################################################################### | |
| # ---------------------------------------------------------------------- | |
| # | Compression | | |
| # ---------------------------------------------------------------------- | |
| <IfModule mod_deflate.c> | |
| # Force compression for mangled `Accept-Encoding` request headers | |
| # https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html | |
| <IfModule mod_setenvif.c> | |
| <IfModule mod_headers.c> | |
| SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding | |
| RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding | |
| </IfModule> | |
| </IfModule> | |
| # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| # Compress all output labeled with one of the following media types. | |
| # | |
| # (!) For Apache versions below version 2.3.7 you don't need to | |
| # enable `mod_filter` and can remove the `<IfModule mod_filter.c>` | |
| # and `</IfModule>` lines as `AddOutputFilterByType` is still in | |
| # the core directives. | |
| # | |
| # https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype | |
| <IfModule mod_filter.c> | |
| AddOutputFilterByType DEFLATE "application/atom+xml" \ | |
| "application/javascript" \ | |
| "application/json" \ | |
| "application/ld+json" \ | |
| "application/manifest+json" \ | |
| "application/rdf+xml" \ | |
| "application/rss+xml" \ | |
| "application/schema+json" \ | |
| "application/vnd.geo+json" \ | |
| "application/vnd.ms-fontobject" \ | |
| "application/x-font-ttf" \ | |
| "application/x-javascript" \ | |
| "application/x-web-app-manifest+json" \ | |
| "application/xhtml+xml" \ | |
| "application/xml" \ | |
| "font/eot" \ | |
| "font/opentype" \ | |
| "image/bmp" \ | |
| "image/svg+xml" \ | |
| "image/vnd.microsoft.icon" \ | |
| "image/x-icon" \ | |
| "text/cache-manifest" \ | |
| "text/css" \ | |
| "text/html" \ | |
| "text/javascript" \ | |
| "text/plain" \ | |
| "text/vcard" \ | |
| "text/vnd.rim.location.xloc" \ | |
| "text/vtt" \ | |
| "text/x-component" \ | |
| "text/x-cross-domain-policy" \ | |
| "text/xml" | |
| </IfModule> | |
| # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| # Map the following filename extensions to the specified | |
| # encoding type in order to make Apache serve the file types | |
| # with the appropriate `Content-Encoding` response header | |
| # (do note that this will NOT make Apache compress them!). | |
| # | |
| # If these files types would be served without an appropriate | |
| # `Content-Enable` response header, client applications (e.g.: | |
| # browsers) wouldn't know that they first need to uncompress | |
| # the response, and thus, wouldn't be able to understand the | |
| # content. | |
| # | |
| # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding | |
| <IfModule mod_mime.c> | |
| AddEncoding gzip svgz | |
| </IfModule> | |
| </IfModule> | |
| # ############################################################################## | |
| # # SECURITY # | |
| # ############################################################################## | |
| # ------------------------------------------------------------------------------ | |
| # | Content Security Policy (CSP) | | |
| # ------------------------------------------------------------------------------ | |
| # You can mitigate the risk of cross-site scripting and other content-injection | |
| # attacks by setting a Content Security Policy which whitelists trusted sources | |
| # of content for your site. | |
| # The example header below allows ONLY scripts that are loaded from the current | |
| # site's origin (no inline scripts, no CDN, etc). This almost certainly won't | |
| # work as-is for your site! | |
| # To get all the details you'll need to craft a reasonable policy for your site, | |
| # read: http://html5rocks.com/en/tutorials/security/content-security-policy (or | |
| # see the specification: http://w3.org/TR/CSP). | |
| # <IfModule mod_headers.c> | |
| # Header set Content-Security-Policy "script-src 'self'; object-src 'self'" | |
| # <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$"> | |
| # Header unset Content-Security-Policy | |
| # </FilesMatch> | |
| # </IfModule> | |
| # ------------------------------------------------------------------------------ | |
| # | File access | | |
| # ------------------------------------------------------------------------------ | |
| # Block access to directories without a default document. | |
| # Usually you should leave this uncommented because you shouldn't allow anyone | |
| # to surf through every directory on your server (which may includes rather | |
| # private places like the CMS's directories). | |
| <IfModule mod_autoindex.c> | |
| Options -Indexes | |
| </IfModule> | |
| # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| # Block access to hidden files and directories. | |
| # This includes directories used by version control systems such as Git and SVN. | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{SCRIPT_FILENAME} -d [OR] | |
| RewriteCond %{SCRIPT_FILENAME} -f | |
| RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge | |
| RewriteRule "(^|/)\." - [F] | |
| </IfModule> | |
| # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| # Block access to backup and source files. | |
| # These files may be left by some text editors and can pose a great security | |
| # danger when anyone has access to them. | |
| <FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|phar|sql|sw[op])|~)$"> | |
| Order allow,deny | |
| Deny from all | |
| Satisfy All | |
| </FilesMatch> | |
| # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| # Block access to Release and md files. phar | |
| <FilesMatch "(^.*\.(md)|^.*\.example|^.*\.sample|^.*\.phar|^LICENSE.*)$"> | |
| Order allow,deny | |
| Deny from all | |
| Satisfy All | |
| </FilesMatch> | |
| # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| # We don't use downloader, block access to downloader | |
| RedirectMatch 403 ^.*/downloader/*$ | |
| # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| # We don't use rss login bruteforce attacked | |
| RedirectMatch 403 ^.*rss/(catalog|order)/(new|review|notifystock).*$ | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Updates, never block .acme-challenge hidden files as it requires auto renewal of free certificates like lets encrypt