vB5 .htaccess

    ven0m

    Administrator
    Staff member
    Administrator
    Moderator
    Platinum
    xenForo 2.x.x
    xenForo 1.x.x
    Contributor
    vBulletin All Access Pass
    The Chest
    Verified
    Ultra Platinum VIP
    Platinum VIP
    Gold VIP
    Silver VIP
    Premium
    Member
    Jul 17, 2005
    20,482
    7,721
    321
    localhost
    Heisenberg submitted a new resource:

    - .htaccess

    vB Version: 5.x.x

    This subject really doesn't have a proper place on this forum so I'm jamming it into here.
    One of the most overlooked aspects of security, especially with vBulletin and hosting on your own servers, is the .htaccess file.
    This only applies for those running an Apache based server.
    I am not going to go into details about what it is. For that there are plenty of

     

    ven0m
    Part 1 of 2

    Code:
    # START Deny attempts to view the .htaccess file.
    # Note: Order/Deny/Allow are Apache 2.2 directives; on Apache 2.4 they need
    # mod_access_compat (the 2.4-native form is "Require all denied").
    <Files .htaccess>
    Order allow,deny
    Deny from all
    </Files>
    # END Deny attempts to view the .htaccess file.

    # Start Deny attempts to view the config file.
    # <Files> matches only the last path component, so "includes/config.php"
    # never matches anything. "config.php" covers core/includes/config.php too.
    <Files config.php>
    Order allow,deny
    Deny from all
    </Files>
    # End Deny attempts to view the config file.

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # Replace MYWEBSITE.ORG with your own domain.
        # Send the www host to the bare domain over HTTPS.
        RewriteCond %{HTTP_HOST} ^www\.MYWEBSITE\.ORG$ [NC]
        RewriteRule (.*) https://MYWEBSITE.ORG/$1 [R=301,L,QSA]

        # Force HTTPS for every other request.
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

        #In some cases where you have other mod_rewrite rules, you may need to comment out the following line
        #and change it to match your folder name. This resets the other mod_rewrite rules for just this directory
        #If your site was www.example.com/forum, the setting would be /forum/
        #RewriteBase /

        # Send css calls directly to the correct file VBV-7807
        RewriteRule ^css.php$ core/css.php [NC,L]

        # Redirect old install path to core.
        RewriteRule ^install/ core/install/ [NC,L]

        # Main Redirect
        RewriteCond %{REQUEST_URI} !\.(bmp|swf|gif|jpg|jpeg|png|css)$
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ index.php?routestring=$1 [L,QSA]

        # Because admincp is an actual directory.
        RewriteRule ^(admincp/)$ index.php?routestring=$1 [L,QSA]

    </IfModule>
    
    <IfModule mod_deflate.c>

        # Force compression for mangled headers.
        # http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping
        <IfModule mod_setenvif.c>
            <IfModule mod_headers.c>
                SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
                RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
            </IfModule>
        </IfModule>

        # Work around old browser bugs. The \b in \bMSIE and the escaped dot in
        # 4\.0 are required; without them the patterns match the wrong agents.
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        # Compress all output labeled with one of the following MIME-types
        # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
        #  and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines
        #  as `AddOutputFilterByType` is still in the core directives).
        <IfModule mod_filter.c>
            AddOutputFilterByType DEFLATE application/atom+xml \
                                          application/javascript \
                                          application/json \
                                          application/rdf+xml \
                                          application/rss+xml \
                                          application/vnd.ms-fontobject \
                                          application/x-font-otf \
                                          application/x-font-ttf \
                                          application/x-javascript \
                                          application/x-web-app-manifest+json \
                                          application/xhtml+xml \
                                          application/xml \
                                          font/opentype \
                                          font/truetype \
                                          image/svg+xml \
                                          image/x-icon \
                                          text/css \
                                          text/html \
                                          text/javascript \
                                          text/plain \
                                          text/x-component \
                                          text/xml
        </IfModule>

    </IfModule>
    
    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresByType application/ico A2592000
        ExpiresByType application/java A2628000
        ExpiresByType application/javascript A2628000
        ExpiresByType application/msword A2628000
        ExpiresByType application/pdf A2628000
        ExpiresByType application/vnd.ms-access A2628000
        ExpiresByType application/vnd.ms-excel A2628000
        ExpiresByType application/vnd.ms-fontobject A2592000
        ExpiresByType application/vnd.ms-powerpoint A2628000
        ExpiresByType application/vnd.ms-project A2628000
        ExpiresByType application/vnd.ms-write A2628000
        ExpiresByType application/vnd.oasis.opendocument.chart A2628000
        ExpiresByType application/vnd.oasis.opendocument.database A2628000
        ExpiresByType application/vnd.oasis.opendocument.formula A2628000
        ExpiresByType application/vnd.oasis.opendocument.graphics A2628000
        ExpiresByType application/vnd.oasis.opendocument.presentation A2628000
        ExpiresByType application/vnd.oasis.opendocument.spreadsheet A2628000
        ExpiresByType application/vnd.oasis.opendocument.text A2628000
        ExpiresByType application/x-font-woff A2592000
        ExpiresByType application/x-gzip A2628000
        ExpiresByType application/x-ico A2592000
        ExpiresByType application/x-javascript A2628000
        ExpiresByType application/x-msdownload A2628000
        ExpiresByType application/x-shockwave-flash A2628000
        ExpiresByType application/x-tar A2628000
        ExpiresByType application/zip A2628000
        ExpiresByType audio/midi A2628000
        ExpiresByType audio/mpeg A2628000
        ExpiresByType audio/ogg A2628000
        ExpiresByType audio/wav A2628000
        ExpiresByType audio/wma A2628000
        ExpiresByType audio/x-realaudio A2628000
        ExpiresByType font/opentype A2592000
        ExpiresByType font/otf A2592000
        ExpiresByType font/truetype A2592000
        ExpiresByType font/ttf A2592000
        ExpiresByType font/x-woff A2592000
        ExpiresByType image/bmp A2628000
        ExpiresByType image/gif A2628000
        ExpiresByType image/icon A2592000
        ExpiresByType image/jpeg A2628000
        ExpiresByType image/jpg A1209600
        ExpiresByType image/png A2628000
        ExpiresByType image/svg+xml A2592000
        ExpiresByType image/tiff A2628000
        ExpiresByType image/x-icon A2628000
        ExpiresByType text/css A31536000
        ExpiresByType text/javascript A1209600
        ExpiresByType text/plain A3600
        ExpiresByType text/richtext A3600
        ExpiresByType text/xsd A3600
        ExpiresByType text/xsl A3600
        ExpiresByType video/asf A2628000
        ExpiresByType video/avi A2628000
        ExpiresByType video/divx A2628000
        ExpiresByType video/mp4 A2628000
        ExpiresByType video/mpeg A2628000
        ExpiresByType video/quicktime A2628000
    </IfModule>
    
    <IfModule mod_headers.c>
        Header set Connection keep-alive
        <FilesMatch "\.(ico|flv|gif|swf|eot|woff|otf|ttf|svg)$">
            Header set Cache-Control "max-age=2592000, public"
        </FilesMatch>
        <FilesMatch "\.(jpg|jpeg|png)$">
            Header set Cache-Control "max-age=1209600, public"
        </FilesMatch>
        # css and js should use private for proxy caching https://developers.google.com/speed/docs/best-practices/caching#LeverageProxyCaching
        <FilesMatch "\.(css)$">
            Header set Cache-Control "max-age=31536000, private"
        </FilesMatch>
        <FilesMatch "\.(js)$">
            Header set Cache-Control "max-age=1209600, private"
        </FilesMatch>
    </IfModule>
     

    ven0m
    Part 2 of 2

    Code:
    # deny requests for config files (the dot must be escaped or it matches any character)
    <FilesMatch "\.(ini|conf)$">
        Order allow,deny
        Deny from all
    </FilesMatch>

    # Disable ETags (FileETag is a core directive and does not need mod_headers)
    FileETag none
    <IfModule mod_headers.c>
        Header unset ETag
    </IfModule>
    
    # Default expires header if none specified (stay in browser cache for 7 days)
    <IfModule mod_expires.c>
    
        ExpiresActive on
        ExpiresDefault                                      "access plus 1 week"
    
      # CSS
        ExpiresByType text/css                              "access plus 1 year"
    
      # Data interchange
        ExpiresByType application/json                      "access plus 0 seconds"
        ExpiresByType application/xml                       "access plus 0 seconds"
        ExpiresByType text/xml                              "access plus 0 seconds"
    
      # Favicon (cannot be renamed!)
        ExpiresByType image/x-icon                          "access plus 1 week"
    
      # HTML components (HTCs)
        ExpiresByType text/x-component                      "access plus 1 month"
    
      # HTML
        ExpiresByType text/html                             "access plus 0 seconds"
    
      # JavaScript
        ExpiresByType application/javascript                "access plus 1 year"
    
      # Manifest files
        ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
        ExpiresByType text/cache-manifest                   "access plus 0 seconds"
    
      # Media
        ExpiresByType audio/ogg                             "access plus 1 month"
        ExpiresByType image/gif                             "access plus 1 month"
        ExpiresByType image/jpeg                            "access plus 1 month"
        ExpiresByType image/png                             "access plus 1 month"
        ExpiresByType video/mp4                             "access plus 1 month"
        ExpiresByType video/swf                             "access plus 1 month"
        ExpiresByType video/ogg                             "access plus 1 month"
        ExpiresByType video/webm                            "access plus 1 month"
    
      # Web feeds
        ExpiresByType application/atom+xml                  "access plus 1 hour"
        ExpiresByType application/rss+xml                   "access plus 1 hour"
    
      # Web fonts
        ExpiresByType application/font-woff                 "access plus 1 month"
        ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
        ExpiresByType application/x-font-ttf                "access plus 1 month"
        ExpiresByType font/opentype                         "access plus 1 month"
        ExpiresByType image/svg+xml                         "access plus 1 month"
    
    </IfModule>
    
    
    # add font types for chromium/chrome
    AddType application/font-woff woff
    
    # Hotlink protection: media is served only when the Referer is one of our own
    # hosts, is empty, or the request comes from localhost. The alternatives are
    # grouped so the ^ anchor applies to every one of them, not just the first.
    # Replace MYWEBSITE.ORG and MYWEBSITE-ALT.ORG with your own hosts.
    SetEnvIfNoCase Referer "^https://MYWEBSITE\.ORG/" locally_linked=1
    SetEnvIfNoCase Referer "^(https?://MYWEBSITE-ALT\.ORG/|https?://localhost/|https?://127\.0\.0\.1/)" locally_linked=1
    SetEnvIf Referer "^$" locally_linked=1
    <FilesMatch "\.(ico|gif|png|swf|jpe?g|zip|rar|ace|mp3|mp4|avi|ogg|ogv|webm|css)$">
      Order Allow,Deny
      Allow from env=locally_linked
      Allow from localhost
    </FilesMatch>
    
    # BEGIN W3TC Browser Cache
    <IfModule mod_mime.c>
    AddType application/ace .ace
    AddType application/java .class
    AddType application/javascript .js
    AddType application/msword .doc .docx
    AddType application/pdf .pdf
    AddType application/rar .rar
    AddType application/vnd.ms-access .mdb
    AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
    AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
    AddType application/vnd.ms-project .mpp
    AddType application/vnd.ms-write .wri
    AddType application/vnd.oasis.opendocument.chart .odc
    AddType application/vnd.oasis.opendocument.database .odb
    AddType application/vnd.oasis.opendocument.formula .odf
    AddType application/vnd.oasis.opendocument.graphics .odg
    AddType application/vnd.oasis.opendocument.presentation .odp
    AddType application/vnd.oasis.opendocument.spreadsheet .ods
    AddType application/vnd.oasis.opendocument.text .odt
    AddType application/x-gzip .gz .gzip
    AddType application/x-javascript .js
    AddType application/x-msdownload .exe
    AddType application/x-shockwave-flash .swf
    AddType application/x-tar .tar
    AddType application/zip .zip
    AddType audio/midi .mid .midi
    AddType audio/mpeg .mp3 .m4a
    AddType audio/ogg .ogg
    AddType audio/wav .wav
    AddType audio/wma .wma
    AddType audio/x-realaudio .ra .ram
    AddType image/bmp .bmp
    AddType image/gif .gif
    AddType image/jpeg .jpg .jpeg .jpe
    AddType image/png .png
    AddType image/svg+xml .svg .svgz
    AddType image/tiff .tif .tiff
    AddType image/x-icon .ico
    AddType text/css .css
    AddType text/html .html .htm
    AddType text/plain .txt
    AddType text/richtext .rtf .rtx
    AddType text/xml .xml
    AddType text/xsd .xsd
    AddType text/xsl .xsl
    AddType video/asf .asf .asx .wax .wmv .wmx
    AddType video/avi .avi
    AddType video/divx .divx
    AddType video/mp4 .mp4 .m4v
    AddType video/mpeg .mpeg .mpg .mpe
    AddType video/quicktime .mov .qt
    </IfModule>
    # END W3TC Browser Cache
    
    # Block User-agent Libwww-perl
    RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
    RewriteRule .* - [F,L]

    # proc/self/environ? no way!
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    # Block out any script trying to set a mosConfig value through the URL
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
    # Block out any script trying to base64_encode crap to send via URL
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    # Block out any script that includes a <script> tag in URL
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
    # A RewriteCond chain only takes effect through the RewriteRule that follows it.
    RewriteRule .* - [F,L]

    ##
    ##  Commented version of Rewrite rules attributed to Ronald van den Heetkamp
    ##  Comments by http://bodvoc.com
    #
    # Prevent use of specified methods in HTTP Request
    # (HEAD is a normal method used by monitors and link checkers; remove it from the list if you need those)
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
    # Block out use of illegal or unsafe characters in the HTTP Request
    # (the backslashes matter: "(r|n|" would match the letters r and n in any request line)
    RewriteCond %{THE_REQUEST} ^.*(\r|\n|%0A|%0D).* [NC,OR]
    # Block out use of illegal or unsafe characters in the Referer Variable of the HTTP Request
    RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    # Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request
    RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    # Block out use of illegal characters in URI or use of malformed URI
    RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\.\.).{0,9999}.* [NC,OR]
    # NOTE - disable this rule if your site is integrated with Payment Gateways such as PayPal
    # Block out use of empty User Agent Strings
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    # Block out use of User Agent Strings beginning with java, curl or wget
    RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
    # Block out use of User Agent Strings containing specific robot (crawler) identifiers
    RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
    # Block out use of User Agent Strings containing references to specific crawler libraries
    RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
    # Block out use of illegal or unsafe characters in the User Agent variable
    RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    # Measures to block out SQL injection attacks
    # (plain words such as "set", "cast" and "select" also occur in legitimate
    #  query strings, so expect some false positives from this rule)
    RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
    # Block out reference to localhost/loopback/127.0.0.1 in the Query String
    RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
    # Block out use of illegal or unsafe characters in the Query String variable
    RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
    # Forbid anything that matched one of the conditions above.
    RewriteRule .* - [F,L]
    #
    ## End of commented Rewrite directives
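As an added check that is not part of the posted .htaccess: the Python below runs the Part 2 filter regexes (with the backslashes that the forum extraction dropped restored) over a few constructed requests, and shows how losing one backslash in the CR/LF rule turns it into a rule that refuses almost every request. Python's re stands in for Apache's PCRE here; for these patterns they behave the same, and the sample requests are made up for the test.

```python
import re

# Filter regexes from the posted Part 2 .htaccess, backslashes restored.
THE_REQUEST_CRLF = re.compile(r"^.*(\r|\n|%0A|%0D).*", re.I)
# The same rule as it reads when the backslashes are lost: "r" and "n" are
# now literal letters, so nearly every request line matches.
THE_REQUEST_CRLF_GARBLED = re.compile(r"^.*(r|n|%0A|%0D).*", re.I)

QUERY_RULES = [
    ("proc/self/environ", re.compile(r"proc/self/environ")),
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.I)),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("unsafe chars + SQL keyword", re.compile(
        r"^.*(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
        r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*",
        re.I)),
]
UA_RULES = [
    ("empty User-Agent", re.compile(r"^$")),
    ("scripted client UA", re.compile(r"^(java|curl|wget).*", re.I)),
]


def block_reason(request_line, query_string, user_agent,
                 crlf_rule=THE_REQUEST_CRLF):
    """Name of the first rule that would answer 403, or None if the request
    passes. Mirrors RewriteCond semantics: an unanchored regex match
    (re.search) against the raw, still URL-encoded values Apache sees."""
    if crlf_rule.search(request_line):
        return "CR/LF in request line"
    for name, rule in QUERY_RULES:
        if rule.search(query_string):
            return name
    for name, rule in UA_RULES:
        if rule.search(user_agent):
            return name
    return None


# Constructed sample requests (request line, QUERY_STRING, User-Agent).
SAMPLES = [
    ("GET /forum/?page=2 HTTP/1.1", "page=2", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("GET /forum/ HTTP/1.1", "", ""),                      # empty UA
    ("GET /index.php?x=proc/self/environ HTTP/1.1", "x=proc/self/environ", "Mozilla/5.0"),
    # Legitimate search text: %27 plus the "set" inside "reset" trips the SQL rule.
    ("GET /search?q=don%27t+reset+it HTTP/1.1", "q=don%27t+reset+it", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for line, qs, ua in SAMPLES:
        print(f"{line!r:48} -> {block_reason(line, qs, ua) or 'allowed'}")
    # The same ordinary browser request, judged by the garbled CR/LF rule:
    print("garbled rule:", block_reason(*SAMPLES[0], crlf_rule=THE_REQUEST_CRLF_GARBLED))
```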