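# BEGIN Better WP Security
# NOTE: everything between the BEGIN/END markers is generated by the
# Better WP Security plugin and may be rewritten by it on its next save.
# Directory listings off (repeated further down this file as well).
Options -Indexes
# Allow is evaluated first, Deny last: every client is allowed unless one
# of the SetEnvIf rules below set the DenyAccess environment variable.
Order Allow,Deny
Deny from env=DenyAccess
Allow from all
# Banned client addresses.
# REMOTE_ADDR is the peer address Apache saw on the socket and cannot be
# forged by the client. X-Forwarded-For and X-Cluster-Client-IP are plain
# request headers that the client (or an upstream proxy) supplies; they
# only add real coverage when this server sits behind a trusted proxy and
# must never be the sole basis of a ban.
# The header variants are matched as entries of a comma-separated list
# instead of a bare ^ip$ anchor, so a banned address is still caught when
# the header carries a multi-hop chain ("client, proxy1, proxy2"); the
# original anchored form silently missed that case.
SetEnvIF REMOTE_ADDR "^(168\.96\.255\.98|186\.128\.145\.50|186\.128\.159\.161|190\.14\.159\.10|190\.196\.178\.150|216\.241\.9\.99|46\.4\.94\.230|64\.39\.111\.93|64\.39\.111\.94|46\.4\.85\.14)$" DenyAccess
SetEnvIF X-FORWARDED-FOR "(^|,\s*)(168\.96\.255\.98|186\.128\.145\.50|186\.128\.159\.161|190\.14\.159\.10|190\.196\.178\.150|216\.241\.9\.99|46\.4\.94\.230|64\.39\.111\.93|64\.39\.111\.94|46\.4\.85\.14)(\s*,|$)" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "(^|,\s*)(168\.96\.255\.98|186\.128\.145\.50|186\.128\.159\.161|190\.14\.159\.10|190\.196\.178\.150|216\.241\.9\.99|46\.4\.94\.230|64\.39\.111\.93|64\.39\.111\.94|46\.4\.85\.14)(\s*,|$)" DenyAccess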
# Files that must never be served from any directory under this tree:
# the access rules themselves, the WordPress readme files (they disclose
# the installed version), the installer, and wp-config.php (DB credentials
# and auth salts). One anchored regex replaces the original one-file-per-
# section form; <Files name> is an exact-name match, so ^...$ keeps the
# same semantics.
<FilesMatch "^(\.htaccess|readme\.(html|txt)|install\.php|wp-config\.php)$">
  Order allow,deny
  Deny from all
</FilesMatch>
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Optional host canonicalisation, left disabled. If it is ever enabled,
  # key it on %{HTTP_HOST} rather than %{HTTP:X-Forwarded-Host}: the latter
  # is a request header any client can set, so it is not a trustworthy
  # input for a redirect decision unless a trusted proxy in front of this
  # server always overwrites it. The unescaped "." in the pattern also
  # matches any character, not only a literal dot.
  #RewriteCond %{HTTP:X-Forwarded-Host} !^miwebnueva.cl [NC]
  #RewriteRule ^(.*) https://miwebnueva.cl/$1 [R=301,L]
</IfModule>
# END Better WP Security
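# Custom error pages.
# Later ErrorDocument lines in this file override the 401/403/404/500
# mappings below (the last directive for a status code in the same context
# wins); only the 402 mapping is set exclusively here.
# 403 -> the 404 page deliberately hides whether a forbidden path exists.
ErrorDocument 401 /error.php
ErrorDocument 402 /404.php
ErrorDocument 403 /404.php
ErrorDocument 404 /404.php
ErrorDocument 500 /404.php
# Cache policy for dynamic content: never cache, neither in the browser nor
# in shared proxies. Both parts are guarded with <IfModule>, because an
# unrecognised directive in .htaccess makes Apache answer 500 for the whole
# tree when the module is not loaded.
# The original `ExpiresByType text/css "access plus 2 seconds"` was removed:
# it had no effect without ExpiresActive On, and the block below switches
# ExpiresActive Off for .css anyway.
<IfModule mod_expires.c>
  <FilesMatch "\.(php|cgi|pl|htm|html|css)$">
    ExpiresActive Off
  </FilesMatch>
</IfModule>
<IfModule mod_headers.c>
  <FilesMatch "\.(php|cgi|pl|htm|html|css)$">
    Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
    Header set Pragma "no-cache"
  </FilesMatch>
</IfModule>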
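# Optional: serve the site from a sub-folder while keeping root URLs.
# Left disabled. If enabled, escape the dots in the host pattern
# (^(www\.)?miwebsite\.com$); unescaped, "." matches any character.
#RewriteCond %{HTTP_HOST} ^(www.)?miwebsite.com$
#RewriteCond %{REQUEST_URI} !^/carpeta/
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^(.*)$ /carpeta/$1
#RewriteCond %{HTTP_HOST} ^(www.)?miwebsite.com$
#RewriteRule ^(/)?$ carpeta/ [L]
# Disable directory listings.
# The original `Options All -Indexes` turned on every option except
# MultiViews, i.e. it also enabled Includes (server-side includes) and
# ExecCGI for this tree. Nothing else in this file needs them and they
# widen what a file dropped into this tree can do, so they are no longer
# switched on. FollowSymLinks is kept explicitly because per-directory
# RewriteRules need FollowSymLinks (or SymLinksIfOwnerMatch) to be active.
# If the host does not grant "AllowOverride Options", any Options line in
# .htaccess produces a 500 and has to be removed.
Options -Indexes +FollowSymLinks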
# Reject SQL-injection-looking query strings. Left disabled on purpose:
# the patterns are far broader than the comment suggests. `\.[a-z0-9]`
# rejects any query containing a dot followed by a letter or digit (file
# names, decimals, host names); the last condition rejects any query with
# `<`, `>` or an apostrophe (%27), which a search for "don't" already
# triggers; and the curly quotes in the first pattern are multi-byte
# characters that will not match the ASCII quotes an attacker actually
# sends. Enable only after testing against real traffic; prepared
# statements in the application, not this list, are the real control.
#RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
#RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
#RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
#RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
#RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]
#RewriteRule .* - [F]
# Reject command-line and scanner user agents. Also left disabled: the
# User-Agent header is chosen by the client, so this only stops tools that
# do not bother to change it, while refusing an empty agent or curl/wget
# also breaks uptime monitors and legitimate scripted fetches.
#RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
#RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]
#RewriteRule .* - [F]
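# Remote-file-inclusion filter: refuse GET query parameters whose value is
# an absolute URL or a "../" traversal. Extended from http:// to https://
# (case-insensitively), since a remote include over TLS is the same attack.
# Only the literal, unencoded form is seen (WordPress normally URL-encodes
# its redirect_to parameter, so it is unaffected). This is defence in
# depth, not a substitute for allow_url_include=Off in php.ini.
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https?:// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
# NOTE(review): as written this pattern only matches paths made of
# one-character segments (=/a/b/), so it is nearly inert. Kept unchanged
# because a broader version would also reject legitimate ?path=/dir/ values.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]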
# Plain-text error messages. These override the /404.php mappings set
# earlier in this file for the same status codes (the last ErrorDocument
# for a code wins). Ordered by status code; message text unchanged.
ErrorDocument 400 "Ups! Se ha producido un error 400"
ErrorDocument 401 "Ups! Se ha producido un error 401"
ErrorDocument 403 "Ups! Se ha producido un error 403"
ErrorDocument 404 "Ups! Se ha producido un error 404"
ErrorDocument 406 "Ups! Se ha producido un error 406"
ErrorDocument 412 "Ups! Se ha producido un error 412"
ErrorDocument 416 "Ups! Se ha producido un error 416"
ErrorDocument 500 "Ups! Se ha producido un error 500"
ErrorDocument 501 "Ups! Se ha producido un error 501"
#ErrorDocument 404 /404.php
# Do not append the Apache version/host footer to server-generated pages.
# (The Server response header itself is governed by ServerTokens, which is
# not permitted in .htaccess and must be set in the main configuration.)
ServerSignature Off
# Cap request bodies at roughly 10 MB (10240000 bytes); disabled. Enabling
# it limits upload-based abuse but also caps legitimate media uploads, so
# size it to the largest upload the site must accept.
#LimitRequestBody 10240000
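# Explicitly allow static .js/.css. The original comment called this
# "protecting the plugins", but the section does the opposite: it opens
# these files. Because a <Files> section carries its own Order/Allow/Deny
# set, the original form appears to override the directory-level env-based
# ban at the top of this file and would serve scripts and stylesheets to
# the banned addresses; the Deny below re-applies that ban for these files.
# If no parent configuration denies .js/.css, this whole section can go.
<Files ~ "\.(js|css)$">
  order allow,deny
  allow from all
  deny from env=DenyAccess
</Files>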
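# Generic query-string attack signatures. The conditions are OR-ed; the
# last one carries no [OR] and closes the chain. [F] answers 403 and
# ignores the substitution target, so index.php is never reached (the
# original comment about "sending blocked requests to the home page" was
# inaccurate).
# Attempts to read the process environment (LFI via /proc/self/environ).
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Joomla-style mosConfig_* setting injection through the URL.
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# base64_encode(...) payloads. The parentheses are now escaped: unescaped,
# "(.*)" was just an empty-capable regex group and the pattern degenerated
# to a bare "base64_encode".
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# <script ...> tags in the query string (reflected-XSS probes).
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Attempts to set PHP $GLOBALS / $_REQUEST through the URL. "\[" is now
# escaped: the original bare "[" opened a character class, which let the
# group match the empty string so the rule fired on the plain words
# GLOBALS / _REQUEST anywhere in the query.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]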
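# Never serve Apache's own per-directory control files.
# The original regex only covered names containing ".hta" (.htaccess) and
# had a separate, redundant <files .htaccess> section; this one also covers
# .htpasswd (password hashes), .htgroup and .htdigest. The explicit letter
# class is used instead of "\.ht" so that .htm/.html pages are not caught.
<Files ~ "\.[Hh][Tt][AaPpGgDd]">
  order allow,deny
  deny from all
  # Host-based and auth-based checks must both pass, so no Require/Auth
  # rule elsewhere can reopen these files.
  satisfy all
</Files>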
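# //////////// IMPROVEMENTS ////////////
# Compress text responses. Everything now sits inside <IfModule
# mod_deflate.c>: the original had one AddOutputFilterByType outside the
# guard, which makes Apache return 500 for every request when mod_deflate
# is not loaded.
# Caveat: compressing dynamic HTML that mixes secrets (CSRF tokens, session
# identifiers) with attacker-influenced text lets a network attacker
# recover those secrets over TLS (BREACH-class attacks). Per-request token
# masking, or excluding such pages from DEFLATE, is the mitigation.
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript
  <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
      # Appears to repair Accept-Encoding headers mangled by some
      # proxies/filters (Accept-EncodXng, X-cept-Encoding, runs of X/~/-)
      # so those clients still receive compressed content.
      SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
      RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    </IfModule>
  </IfModule>
  <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE application/atom+xml \
                                  application/javascript \
                                  application/json \
                                  application/rss+xml \
                                  application/vnd.ms-fontobject \
                                  application/x-font-ttf \
                                  application/x-web-app-manifest+json \
                                  application/xhtml+xml \
                                  application/xml \
                                  font/opentype \
                                  image/svg+xml \
                                  image/x-icon \
                                  text/css \
                                  text/html \
                                  text/plain \
                                  text/x-component \
                                  text/xml
  </IfModule>
</IfModule>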
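# Default charset (left disabled).
# AddDefaultCharset utf-8
# AddCharset utf-8 .atom .css .js .json .rss .vtt .xml
# Caching. Every directive is module-guarded so that a missing module does
# not turn into a site-wide 500.
# NOTE(review): SetOutputFilter DEFLATE compresses *every* response,
# including already-compressed images, on top of the type-based filters
# above; kept for behaviour, but it is a candidate for removal.
<IfModule mod_deflate.c>
  SetOutputFilter DEFLATE
</IfModule>
<IfModule mod_headers.c>
  Header unset ETag
  # Long-lived static assets. The original set a fixed
  # "Expires: Thu, 15 Apr 2020 20:00:00 GMT", which has since passed, so
  # every such asset was being treated as already stale; a relative
  # max-age (one year) is used instead and does not rot.
  <FilesMatch "\.(js|ico|pdf|jpg|jpeg|png|gif)$">
    Header set Cache-Control "public, max-age=31536000"
    Header unset Last-Modified
  </FilesMatch>
  # The no-cache policy for php/cgi/pl/htm/html/css is declared once,
  # earlier in this file; the verbatim duplicate that stood here was removed.
</IfModule>
FileETag None
# Block files by extension: backups, editor swap files, config/include
# files, logs, SQL dumps, shell scripts and dotenv files that leak
# credentials or source, plus emacs-style "name~" backups. .old/.orig added
# (common leftovers from manual edits and patches).
<FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp|env|old|orig)|~)$">
  Order allow,deny
  Deny from all
  Satisfy All
</FilesMatch>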