1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Ideal htaccess file for xenforo

Discussion in 'General XenForo Discussion and Feedback' started by Shakir, Mar 7, 2013.

  1. Shakir

    Shakir Member

    Hi,
    Wonder if senior xenian (or xenforoian :) ) members already discussed and developed an ideal htaccess file to be used for xenforo installation? A properly commented, thoroughly discussed ultimate htaccess file can really help speed up and secure the forums out there.

    For a long time, I am using the ideal htaccess file for my joomla websites and am sharing herewith for general sample and discussion purposes. Remember this is a work of Joomla community and we expect something better out of xenian community :)

    Code:
    ## The Master .htaccess
    # Begin - RewriteEngine enabled
    RewriteEngine On
    # End - RewriteEngine enabled
     
    # Begin - RewriteBase
    # Uncomment following line if your webserver's URL
    # is not directly related to physical file paths.
    # Update Your Joomla! Directory (just / for root)
     
    # RewriteBase /
    ########## End - RewriteBase
     
    # Begin - No directory listings
    ## Note: +FollowSymlinks may cause problems and you might have to remove it
    IndexIgnore *
    Options +FollowSymLinks All -Indexes
    # End - No directory listings
     
    ########## Begin - File execution order, by Komra.de
    DirectoryIndex index.php index.html
    ########## End - File execution order
     
    ########## Begin - ETag Optimization
    ## This rule will create an ETag for files based only on the modification
    ## timestamp and their size. This works wonders if you are using rsync'ed
    ## servers, where the inode number of identical files differs.
    ## Note: It may cause problems on your server and you may need to remove it
    FileETag MTime Size
    ########## End - ETag Optimization
     
    ########## Begin - Common hacking tools and bandwidth hoggers block
    ## By SigSiu.net and @nikosdion.
    # This line also disables Akeeba Remote Control 2.5 and earlier
    SetEnvIf user-agent "Indy Library" stayout=1
    # WARNING: Disabling wget will also block the most common method for
    # running CRON jobs. Remove if you have issues with CRON jobs.
    SetEnvIf user-agent "Wget" stayout=1
    # The following rules are for bandwidth-hogging download tools
    SetEnvIf user-agent "libwww-perl" stayout=1
    SetEnvIf user-agent "Download Demon" stayout=1
    SetEnvIf user-agent "GetRight" stayout=1
    SetEnvIf user-agent "GetWeb!" stayout=1
    SetEnvIf user-agent "Go!Zilla" stayout=1
    SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
    SetEnvIf user-agent "GrabNet" stayout=1
    SetEnvIf user-agent "TurnitinBot" stayout=1
    # This line denies access to all of the above tools
    deny from env=stayout
    ########## End - Common hacking tools and bandwidth hoggers block
     
    ########## Begin - Automatic compression of resources
    # Compress text, html, javascript, css, xml, kudos to Komra.de
    # May kill access to your site for old versions of Internet Explorer
    # The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
    # mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server.
    # AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
    ########## End - Automatic compression of resources
     
    ########## Begin - Add optional bad user agent or IP blocking code
    #
    # If you need to block certain user agents or IP addresses and
    # other signatures, place that code here. Ensure the rules use
    # the correct RewriteRule syntax and the [F] flag.
    #
    ########## End - Add optional bad user agent or IP blocking code
     
    ########## Begin - Rewrite rules to block out some common exploits
    ## If you experience problems on your site block out the operations listed below
    ## This attempts to block the most common type of exploit `attempts` to Joomla!
    #
    # If the request query string contains /proc/self/environ (by SigSiu.net)
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    # Block out any script trying to set a mosConfig value through the URL
    # (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    # Block out any script trying to base64_encode or base64_decode data within the URL
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
    ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
    # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
    # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
    # Block out any script that includes a <script> tag in URL
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Return 403 Forbidden header and show the content of the root homepage
    RewriteRule .* index.php [F]
    #
    ########## End - Rewrite rules to block out some common exploits
     
    ########## Begin - File injection protection, by SigSiu.net
    RewriteCond %{REQUEST_METHOD} GET
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
    RewriteRule .* - [F]
    ########## End - File injection protection
     
    ########## Begin - Basic antispam Filter, by SigSiu.net
    ## I removed some common words, tweak to your liking
    ## This code uses PCRE and works only with Apache 2.x.
    ## This code will NOT work with Apache 1.x servers.
    RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR]
    RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR]
    RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]
    RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC]
    ## Note: The final RewriteCond must NOT use the [OR] flag.
    RewriteRule .* - [F]
    ## Note: The previous lines are a "compressed" version
    ## of the filters. You can add your own filters as:
    ## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
    ## where "badword" is the word you want to exclude.
    ########## End - Basic antispam Filter, by SigSiu.net
     
    ########## Begin - Advanced server protection - query strings, referrer and config
    # Advanced server protection, version 3.2 - May 2011
    # by Nicholas K. Dionysopoulos
     
    ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
    ## your PHP version). See http://www.0php.com/php_easter_egg.php and
    ## http://osvdb.org/12184 for more information
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
    RewriteRule .* - [F]
     
    ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
    ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
    ## May cause problems on legitimate requests
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
    RewriteRule .* - [F]
     
    ## Referrer filtering for common media files. Replace with your own domain name.
    ## This blocks most common fingerprinting attacks ;)
    ## Note: Change www\.example\.com with your own domain name, substituting the
    ## dots with \.  i.e. use www\.example\.com for www.example.com
    RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
    RewriteCond %{HTTP_REFERER} .
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
     
    ## Disallow visual fingerprinting of Joomla! sites (module position dump)
    ## Initial idea by Brian Teeman and Ken Crowder, see:
    ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
    ## Improved by @nikosdion to work more efficiently and handle template
    ## and tmpl query parameters
    RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
    RewriteRule .* - [L]
    RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
    RewriteRule .* - [F]
     
    ## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
    RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]
     
    ########## End - Advanced server protection - query strings, referrer and config
     
    ########## Begin - Advanced server protection rules exceptions ####
    ##
    ## These are sample exceptions to the Advanced Server Protection 3.1
    ## rule set further down this file.
    ##
    ## Allow UddeIM CAPTCHA
    RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]
    ## Allow Phil Taylor's Turbo Gears
    RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L]
    ## Allow JoomlaWorks AllVideos
    RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L]
    ## Allow Admin Tools Joomla! updater to run
    RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L]
    ## Allow Akeeba Backup Professional's integrated restoration script to run
    RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L]
    ## Allow Akeeba Kickstart
    RewriteRule ^kickstart\.php$ - [L]
    
     
  2. Shakir

    Shakir Member

    To be continued.... due to limit in number of characters. seriously :cautious:

    Code:
    # Add more rules to single PHP files here
     
    ## Allow Agora attachments, but not PHP files in that directory!
    RewriteCond %{REQUEST_FILENAME} !(\.php)$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule ^components/com_agora/img/members/ - [L]
     
    # Add more rules for allowing full access (except PHP files) on more directories here
     
    ## Uncomment to allow full access to the cache directory (strongly not recommended!)
    #RewriteRule ^cache/ - [L]
    ## Uncomment to allow full access to the tmp directory (strongly not recommended!)
    #RewriteRule ^tmp/ - [L]
     
    # Add more full access rules here
     
    ########## End - Advanced server protection rules exceptions ####
     
    ########## Begin - Advanced server protection - paths and files
    # Advanced server protection, version 3.2 - May 2011
    # by Nicholas K. Dionysopoulos
     
    ## Back-end protection
    ## This also blocks fingerprinting attacks browsing for XML and INI files
    RewriteRule ^administrator/?$ - [L]
    RewriteRule ^administrator/index\.(php|html?)$ - [L]
    RewriteRule ^administrator/index[23]\.php$ - [L]
    RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
    RewriteRule ^administrator/ - [F]
     
    ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
    RewriteRule ^xmlrpc/(index\.php)?$ - [L]
    RewriteRule ^xmlrpc/ - [F]
     
    ## Disallow front-end access for certain Joomla! system directories
    RewriteRule ^includes/js/ - [L]
    RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]
     
    ## Allow limited access for certain Joomla! system directories with client-accessible content
    RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
    ## Uncomment this line if you have extensions which require direct access to their own
    ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
    ## for being so lame, lazy and security unconscious.
    # RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
    ## Uncomment the following line if your template requires direct access to PHP files
    ## inside its directory, e.g. GZip compressed copies of its CSS files
    # RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
    RewriteRule ^(components|modules|plugins|templates)/ - [F]
     
    ## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
    RewriteCond %{REQUEST_FILENAME} \.php$
    RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
    ## The next line is to explicitly allow the forum post assistant(fpa-xx)script to run
    RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]
     
    ########## End - Advanced server protection - paths and files
     
    ########## Begin - Google Apps redirection, by Komra.de
    ## Uncomment the following line to enable:
    # RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
    ## If the above doesn't work on your server, try this:
    ## RewriteRule ^mail http://mail.google.com/a/example.com [R,L]
    ########## End - Google Apps redirection
     
    ########## Begin - Custom redirects
    #
    # If you need to redirect some pages, place that code here. Ensure those
    # redirects use the correct RewriteRule syntax and the [R=301,L] flags.
    #
    ########## End - Custom redirects
     
    ########## Begin - Redirect (www.)olddomain.com to www.example.com
    ## Note: olddomain.com is your old domain name, you want to redirect FROM,
    ## whereas www.example.com is the new domain name you want to redirect TO.
    ## Change those names to reflect your current configuration. Remember, this
    ## small part of the file is supposed to be placed in www.olddomain.com!
    ## Note: Replace [R=301,L] with [R,L] if you get error 500.
    ## Uncomment the following lines to enable:
    # RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
    # RewriteRule (.*) http://www.example.com/$1 [R=301,L]
    ## Note: The above section is only required if you are changing your domain name.
    ########## End - Redirect (www.)olddomain.com to www.example.com
     
    ########## Begin - Force HTTPS for certain pages
    # Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
    # This is a sample redirection for foobar.html. Do note that you have to change
    # www.example.com to reflect your own domain. Remember to escape the dots using
    # \. in the left hand side of each rule. You need BOTH LINES PER URL for the rule
    # to work.
    RewriteCond %{SERVER_PORT} !^443$
    ## Alternatively, comment the above line and uncomment the following line:
    # RewriteCond %{HTTPS} ^off$ [NC]
    RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L]
    ## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L]
    # Add more rules below this line as required
    ########## End - Force HTTPS for certain pages
     
    ########## Begin - Redirect index.php to /
    ## Note: Change example.com to reflect your own domain name
    RewriteCond %{THE_REQUEST} !^POST
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
    RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
    RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L]
    ## If the above line throws a 500 error, change [R=301,L] to [R,L]
    ########## End - Redirect index.php to /
     
    ########## Begin - Redirect non-www to www
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
    ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
    ########## End - Redirect non-www to www
     
    ########## Begin - Redirect www to non-www
    ## WARNING: Comment out the non-www to www rule if you choose to use this
    # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    # RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
    ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
    ########## End - Redirect non-www to www
     
    ########## Begin - Custom internal rewrites
    #
    # If you need to internally rewrite some specific URL requests,
    # place that code here. Ensure those internal rewrites use the
    # correct RewriteRule syntax without domain name and with [L] flag.
    #
    ########## End - Custom internal rewrites
     
    ########## Begin - Joomla! core SEF Section
    #
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    #
    # If the requested path and file is not /index.php and the request
    # has not already been internally rewritten to the index.php script
    RewriteCond %{REQUEST_URI} !^/index\.php
    # and the request is for the site root, or for an extensionless URL,
    # or the requested URL ends with one of the listed extensions
    RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw|ini|zip|json|file))$ [NC]
    # and the requested path and file doesn't directly match a physical file
    RewriteCond %{REQUEST_FILENAME} !-f
    # and the requested path doesn't directly match a physical folder
    RewriteCond %{REQUEST_FILENAME} !-d
    # internally rewrite the request to the index.php script
    RewriteRule .* index.php [L]
    #
    ########## End - Joomla! core SEF Section
     
    ########## Begin - Optimal default expiration time
    ## Note: this might cause problems and you might have to comment it out by
    ## placing a hash in front of this section's lines
    <IfModule mod_expires.c>
            # Enable expiration control
            ExpiresActive On
     
            # Default expiration: 1 hour after request
            ExpiresDefault "now plus 1 hour"
     
            # CSS and JS expiration: 1 week after request
            ExpiresByType text/css "now plus 1 week"
            ExpiresByType application/javascript "now plus 1 week"
            ExpiresByType application/x-javascript "now plus 1 week"
     
            # Image files expiration: 1 month after request
            ExpiresByType image/bmp "now plus 1 month"
            ExpiresByType image/gif "now plus 1 month"
            ExpiresByType image/jpeg "now plus 1 month"
            ExpiresByType image/jp2 "now plus 1 month"
            ExpiresByType image/pipeg "now plus 1 month"
            ExpiresByType image/png "now plus 1 month"
            ExpiresByType image/svg+xml "now plus 1 month"
            ExpiresByType image/tiff "now plus 1 month"
            ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
            ExpiresByType image/x-icon "now plus 1 month"
            ExpiresByType image/ico "now plus 1 month"
            ExpiresByType image/icon "now plus 1 month"
            ExpiresByType text/ico "now plus 1 month"
            ExpiresByType application/ico "now plus 1 month"
            ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
            ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
            ExpiresByType application/smil "now plus 1 month"
     
            # Audio files expiration: 1 month after request
            ExpiresByType audio/basic "now plus 1 month"
            ExpiresByType audio/mid "now plus 1 month"
            ExpiresByType audio/midi "now plus 1 month"
            ExpiresByType audio/mpeg "now plus 1 month"
            ExpiresByType audio/x-aiff "now plus 1 month"
            ExpiresByType audio/x-mpegurl "now plus 1 month"
            ExpiresByType audio/x-pn-realaudio "now plus 1 month"
            ExpiresByType audio/x-wav "now plus 1 month"
     
            # Movie files expiration: 1 month after request
            ExpiresByType application/x-shockwave-flash "now plus 1 month"
            ExpiresByType x-world/x-vrml "now plus 1 month"
            ExpiresByType video/x-msvideo "now plus 1 month"
            ExpiresByType video/mpeg "now plus 1 month"
            ExpiresByType video/mp4 "now plus 1 month"
            ExpiresByType video/quicktime "now plus 1 month"
            ExpiresByType video/x-la-asf "now plus 1 month"
            ExpiresByType video/x-ms-asf "now plus 1 month"
    </IfModule>
    ########## End - Optimal expiration time
     
  3. Sheldon

    Sheldon Well-Known Member

  4. Shakir

    Shakir Member

    Thanks stewart. Purpose of the question was not personal to me :) , thought if this has already been done, somebody will share or else other users might share their htaccess files and we can combine and develop some kind of "Ideal" file which will help the community in general.
     
    adwade likes this.

Share This Page