Difference between revisions of "Htaccess examples (security)"


m (Tagging version. Needs careful proof-reading and further testing, but is close to being finished.)
 
Line 1: Line 1:
__TOC__
 
''Credit for part of this .htaccess file goes to Ronald van den Heetkamp''
 
  
For this to work you need mod_rewrite ON:
+
{{DISPLAYTITLE:htaccess examples (security)}}__TOC__
 +
''Credit for this .htaccess file goes to Ronald van den Heetkamp, Nicholas Dionysopoulos, g1smd, and others where listed''
  
<source lang="apache">
+
== Suggested Master htaccess file ==
#  mod_rewrite in use
 
RewriteEngine On
 
</source>
 
 
 
== Rewrite rules to block out some common exploits ==
 
<source lang="apache">
 
########## Begin - Rewrite rules to block out some common exploits
 
## If you experience problems on your site block out the operations listed below
 
## This attempts to block the most common type of exploit `attempts` to Joomla!
 
## Block out any script trying to set a mosConfig value through the URL
 
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
 
# Block out any script trying to base64_encode data within the URL
 
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
 
# Block out any script that includes a <script> tag in URL
 
RewriteCond %{QUERY_STRING} (\<|%3C)([^s]*s)+cript.*(\>|%3E) [NC,OR]
 
# Block out any script trying to set a PHP GLOBALS variable via URL
 
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
 
# Block out any script trying to modify a _REQUEST variable via URL
 
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
 
# Send all blocked request to homepage with 403 Forbidden error!
 
RewriteRule .* index.php [F]
 
########### End - Rewrite rules to block out some common exploits
 
</source>
 
 
 
==  Block bad user agents ==
 
<source lang="apache">
 
########## Block bad user agents
 
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
 
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
 
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
 
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^Zeus
 
RewriteRule .* - [F]
 
</source>
 
 
 
== Other useful settings ==
 
<source lang="apache">
 
ServerSignature Off
 
RewriteCond %{REQUEST_METHOD}  ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
 
RewriteCond %{THE_REQUEST}    (\\r|\\n|%0A|%0D) [NC,OR]
 
 
 
RewriteCond %{HTTP_REFERER}    (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 
RewriteCond %{HTTP_COOKIE}    (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 
RewriteCond %{REQUEST_URI}    ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999} [NC,OR]
 
 
 
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
 
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
 
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
 
RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 
 
#Block mySQL injects
 
RewriteCond %{QUERY_STRING}    (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
 
 
 
RewriteCond %{QUERY_STRING}    (localhost|loopback|127\.0\.0\.1) [NC,OR]
 
RewriteCond %{QUERY_STRING}    \.[a-z0-9] [NC,OR]
 
RewriteCond %{QUERY_STRING}    (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]
 
</source>
 
 
 
'''NOTE''': Rewrite conditions need to be followed by a rewrite rule, such as:
 
<source lang="apache">
 
# Return 403 Forbidden header and show the content of the root homepage.
 
RewriteRule .* index.php [F]
 
</source>
 
  
 +
This can be discussed in [http://forum.joomla.org/viewtopic.php?f=432&t=549841&start=330#p2555002 this forum topic]
  
 +
'''Warning: Read the hashed areas! Incorrect settings on some servers may cause 500 page errors. The only way to figure out which rule(s) or section(s) are causing the errors is by trial and error.'''
  
== Suggested Master htaccess file ==
+
This .htaccess file is not meant to be just dropped in your site. You should go through all sections and modify the file to match your site. Most notably, all instances of example.com and example\.com should be replaced with your real domain name. Some sections may cause problems with legitimate requests.
  
This can be discussed in [http://forum.joomla.org/viewtopic.php?f=432&t=549841 this topic]
+
{{Joomla version|version=2.5|status=eos|comment=Experimental}}
  
'''Warning: note the hashed areas. Incorrect settings on some servers may cause 500 page errors'''
+
You are ultimately responsible for disabling sections or writing exception rules for legitimate requests that fail. Most notably, the advanced server protection section will cause issues with several minifiers, eXtplorer, VirtueMart and other extensions which use non-standard scripts as their entry points. You must add exceptions manually to the proper area of the file.
  
 
<source lang="apache">
 
<source lang="apache">
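Review bot: The new introduction drops the one prerequisite the old opening line stated — that mod_rewrite must be enabled — even though every blocking section that follows is a RewriteCond/RewriteRule, so a reader who only follows the "replace example.com" advice on a host without mod_rewrite (or without .htaccess overrides permitted) gets exactly the 500 errors the warning paragraph predicts, with no hint as to why. Add a sentence to the paragraph beginning "This .htaccess file is not meant to be just dropped in your site": `It also requires mod_rewrite to be loaded and .htaccess overrides to be permitted by the server; without them the RewriteCond/RewriteRule sections below will fail.` The warning's claim that trial and error is "the only way" to find a bad rule is also too strong: Apache writes the name of a directive it cannot parse to its error log, so the paragraph should tell readers to check the error log first and bisect the file only if that does not identify the section.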
Line 152: Line 19:
 
## The Master .htaccess
 
## The Master .htaccess
 
##
 
##
## Version 2.4 (proposed) - March 8th, 2011
+
## Version 2.5 (proposed) - May 16th, 2011
 
##
 
##
 
## ----------
 
## ----------
Line 176: Line 43:
 
## the creation of this file. Special thanks to Jon Brown for sharing his
 
## the creation of this file. Special thanks to Jon Brown for sharing his
 
## research and helping me improve this file.
 
## research and helping me improve this file.
 +
##
 +
## Additional thank-yous to John for his remarks and g1smd for taking the
 +
## time to optimize the speed of the file.
 +
##
 +
## It is usually prudent to remove the comments from the file when using it
 +
## on a live host to minimize the parsing time.
 
##
 
##
 
## ----------------------------------------------------------------------
 
## ----------------------------------------------------------------------
Line 190: Line 63:
 
##
 
##
 
## CHANGELOG:
 
## CHANGELOG:
## Version 2.4 (proposed) (March 8th, 2011)
+
## Version 2.5 (proposed) (May 16th, 2011)
 +
## - Placeholders for custom code. Correction of ruleset ordering.
 +
## Version 2.4 (April 18th, 2011)
 
## - Dozens of speed optimisations and many logic and syntax corrections.
 
## - Dozens of speed optimisations and many logic and syntax corrections.
 
## Version 2.3 (November 18th, 2010)
 
## Version 2.3 (November 18th, 2010)
Line 213: Line 88:
  
 
########## Begin - RewriteBase
 
########## Begin - RewriteBase
# Uncomment following line if your webserver's URL
+
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
+
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)
+
# Update Your Joomla! Directory (just / for root)
  
 
# RewriteBase /
 
# RewriteBase /
 
########## End - RewriteBase
 
########## End - RewriteBase
 
########## Begin - File execution order, by Komra.de
 
DirectoryIndex index.php index.html
 
########## End - File execution order
 
  
 
########## Begin - No directory listings
 
########## Begin - No directory listings
Line 229: Line 100:
 
Options +FollowSymLinks All -Indexes
 
Options +FollowSymLinks All -Indexes
 
########## End - No directory listings
 
########## End - No directory listings
 +
 +
########## Begin - File execution order, by Komra.de
 +
DirectoryIndex index.php index.html
 +
########## End - File execution order
  
 
########## Begin - ETag Optimization
 
########## Begin - ETag Optimization
Line 237: Line 112:
 
FileETag MTime Size
 
FileETag MTime Size
 
########## End - ETag Optimization
 
########## End - ETag Optimization
 
########## Begin - Optimal default expiration time
 
## Note: this might cause problems and you might have to comment it out by
 
## placing a hash in front of this section's lines
 
<IfModule mod_expires.c>
 
  # Enable expiration control
 
  ExpiresActive On
 
 
  # Default expiration: 1 hour after request
 
  ExpiresDefault "now plus 1 hour"
 
 
 
  # CSS and JS expiration: 1 week after request
 
  ExpiresByType text/css "now plus 1 week"
 
  ExpiresByType application/javascript "now plus 1 week"
 
  ExpiresByType application/x-javascript "now plus 1 week"
 
 
 
  # Image files expiration: 1 year after request
 
  ExpiresByType image/bmp "now plus 1 year"
 
  ExpiresByType image/gif "now plus 1 year"
 
  ExpiresByType image/jpeg "now plus 1 year"
 
  ExpiresByType image/jp2 "now plus 1 year"
 
  ExpiresByType image/pipeg "now plus 1 year"
 
  ExpiresByType image/png "now plus 1 year"
 
  ExpiresByType image/svg+xml "now plus 1 year"
 
  ExpiresByType image/tiff "now plus 1 year"
 
  ExpiresByType image/vnd.microsoft.icon "now plus 1 year"
 
  ExpiresByType image/x-icon "now plus 1 year"
 
  ExpiresByType image/ico "now plus 1 year"
 
  ExpiresByType image/icon "now plus 1 year"
 
  ExpiresByType text/ico "now plus 1 year"
 
  ExpiresByType application/ico "now plus 1 year"
 
  ExpiresByType image/vnd.wap.wbmp "now plus 1 year"
 
  ExpiresByType application/vnd.wap.wbxml "now plus 1 year"
 
  ExpiresByType application/smil "now plus 1 year"
 
 
 
  # Audio files expiration: 1 year after request
 
  ExpiresByType audio/basic "now plus 1 year"
 
  ExpiresByType audio/mid "now plus 1 year"
 
  ExpiresByType audio/midi "now plus 1 year"
 
  ExpiresByType audio/mpeg "now plus 1 year"
 
  ExpiresByType audio/x-aiff "now plus 1 year"
 
  ExpiresByType audio/x-mpegurl "now plus 1 year"
 
  ExpiresByType audio/x-pn-realaudio "now plus 1 year"
 
  ExpiresByType audio/x-wav "now plus 1 year"
 
 
 
  # Movie files expiration: 1 year after request
 
  ExpiresByType application/x-shockwave-flash "now plus 1 year"
 
  ExpiresByType x-world/x-vrml "now plus 1 year"
 
  ExpiresByType video/x-msvideo "now plus 1 year"
 
  ExpiresByType video/mpeg "now plus 1 year"
 
  ExpiresByType video/mp4 "now plus 1 year"
 
  ExpiresByType video/quicktime "now plus 1 year"
 
  ExpiresByType video/x-la-asf "now plus 1 year"
 
  ExpiresByType video/x-ms-asf "now plus 1 year"
 
</IfModule>
 
########## End - Optimal expiration time
 
  
 
########## Begin - Common hacking tools and bandwidth hoggers block
 
########## Begin - Common hacking tools and bandwidth hoggers block
 
## By SigSiu.net and @nikosdion.
 
## By SigSiu.net and @nikosdion.
## WARNING: This will also block old versions of JoomlaPack Remote
+
# This line also disables Akeeba Remote Control 2.5 and earlier
## and will disallow running CRON jobs using wget.
 
# The following rules are for common hacking tools:
 
 
SetEnvIf user-agent "Indy Library" stayout=1
 
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
+
# WARNING: Disabling wget will also block the most common method for
 +
# running CRON jobs. Remove if you have issues with CRON jobs.
 
SetEnvIf user-agent "Wget" stayout=1
 
SetEnvIf user-agent "Wget" stayout=1
 
# The following rules are for bandwidth-hogging download tools
 
# The following rules are for bandwidth-hogging download tools
 +
SetEnvIf user-agent "libwww-perl" stayout=1
 
SetEnvIf user-agent "Download Demon" stayout=1
 
SetEnvIf user-agent "Download Demon" stayout=1
 
SetEnvIf user-agent "GetRight" stayout=1
 
SetEnvIf user-agent "GetRight" stayout=1
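Review bot: The new warning on the Wget line tells the reader to remove the rule if CRON jobs break, which discards the block for everyone when the job could simply send a non-default User-Agent (wget's `--user-agent` option) — and the whole SetEnvIf/deny-from-env section only matches a self-reported header that any client can change, so it deters unmodified scanners and download tools rather than acting as a security boundary. Suggest rewording the two new comment lines to `# WARNING: This also blocks wget-based CRON jobs. Rather than removing the rule, run the CRON job's wget with a custom --user-agent so it does not match.` and adding one line at the top of the section: `## NOTE: User-Agent is client-supplied and trivially forged; these rules only stop tools that do not bother to change it.` The Akeeba Remote Control note that was added is useful; it would read better directly above the line it refers to, since the section currently lists three UA strings before the reader can tell which one it means.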
Line 312: Line 131:
 
# This line denies access to all of the above tools
 
# This line denies access to all of the above tools
 
deny from env=stayout
 
deny from env=stayout
########## End - Common hacking tools and bandwidth higgers block
+
########## End - Common hacking tools and bandwidth hoggers block
  
 
########## Begin - Automatic compression of resources
 
########## Begin - Automatic compression of resources
 
# Compress text, html, javascript, css, xml, kudos to Komra.de
 
# Compress text, html, javascript, css, xml, kudos to Komra.de
 
# May kill access to your site for old versions of Internet Explorer
 
# May kill access to your site for old versions of Internet Explorer
 +
# The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
 +
# mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server.
 +
# AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.
 
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
 
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
 
########## End - Automatic compression of resources
 
########## End - Automatic compression of resources
  
########## Begin - Google Apps redirection, by Komra.de
+
########## Begin - Add optional bad user agent or IP blocking code
RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
+
#
########## End - Google Apps redirection
+
# If you need to block certain user agents or IP addresses and
 
+
# other signatures, place that code here. Ensure the rules use
########## Begin - Redirect index.php to /
+
# the correct RewriteRule syntax and the [F] flag.
## Note: Change example.com to reflect your own domain name
+
#
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
+
########## End - Add optional bad user agent or IP blocking code
RewriteRule ^(([^/]+/)*)index\.php$ http://www.example.com/$1 [R=301,L]
 
########## End - Redirect index.php to /
 
 
 
########## Begin - Redirect non-www to www
 
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
 
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
 
########## End - Redirect non-www to www
 
 
 
########## Begin - Redirect www to non-www
 
## WARNING: Comment out the non-www to www rule if you choose to use this
 
#RewriteCond %{HTTP_HOST} !^(example\.com)?$
 
#RewriteRule (.*) http://example.com/$1 [R=301,L]
 
########## End - Redirect non-www to www
 
 
 
########## Begin - Redirect olddomain.com to www.example.com
 
## Note: olddomain.com is your old domain name, you want to redirect FROM,
 
## whereas www.example.com is the new domain name you want to redirect TO.
 
## Change those names to reflect your current configuration. Remember, this
 
## small part of the file is supposed to be placed in olddomain.com!
 
RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
 
RewriteRule ^(([^/]+/)*)index\.(php|html?) http://www.example.com/$1 [R=301,L]
 
RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
 
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
 
########## End - Redirect olddomain.com to www.example.com
 
 
 
########## Begin - Force HTTPS for certain pages
 
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
 
# This line is required for this rule to work properly
 
RewriteCond %{HTTPS} ^off$ [NC]
 
# This is a sample redirection for foobar.html. Do note that you have to change
 
# www.example.com to reflect your own domain. Remember to escape the dots using
 
# \. in the left hand side of each rule.
 
RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L]
 
# Add mode rules below this line
 
########## End - Force HTTPS for certain pages
 
  
 
########## Begin - Rewrite rules to block out some common exploits
 
########## Begin - Rewrite rules to block out some common exploits
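Review bot: The new comment above AddOutputFilterByType states the server will send an HTTP 500 if mod_deflate is not compiled in, yet the directive itself is left unconditional, so the file still takes the whole site down on exactly the hosts the comment warns about; wrapping it as `<IfModule mod_deflate.c>` / `AddOutputFilterByType DEFLATE …` / `</IfModule>` degrades to "no compression" instead, which matters because this 500-on-missing-module failure is what the page's top-level warning spends a paragraph on. The new "optional bad user agent or IP blocking" placeholder instructs readers to use RewriteRule with [F]; for IP addresses the relevant form is a `RewriteCond %{REMOTE_ADDR}` test, or a plain `deny from` line like the section above already uses, and naming that in the placeholder would stop people trying to match an address against the URL. The Expires block removed in this hunk was optional caching, not security, so no objection to its removal.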
Line 367: Line 154:
 
## This attempts to block the most common type of exploit `attempts` to Joomla!
 
## This attempts to block the most common type of exploit `attempts` to Joomla!
 
#
 
#
# If the request contains /proc/self/environ (by SigSiu.net)
+
# If the request query string contains /proc/self/environ (by SigSiu.net)
 
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
 
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Legacy configuration variable injection
+
# Block out any script trying to set a mosConfig value through the URL
 +
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
 
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
 
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base_decode stuff to send via URL
+
# Block out any script trying to base64_encode or base64_decode data within the URL
 
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
 
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
 +
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
 +
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
 +
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
 
# Block out any script that includes a <script> tag in URL
 
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C)([^s]*s)+cript.*(\>|%3E) [NC,OR]
+
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
 
# Block out any script trying to set a PHP GLOBALS variable via URL
 
# Block out any script trying to set a PHP GLOBALS variable via URL
 
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
 
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
 
# Block out any script trying to modify a _REQUEST variable via URL
 
# Block out any script trying to modify a _REQUEST variable via URL
 
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
 
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return a 403 Forbidden
+
# Return 403 Forbidden header and show the content of the root homepage
 
RewriteRule .* index.php [F]
 
RewriteRule .* index.php [F]
 
#
 
#
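Review bot: The rewritten comment on the final rule, "Return 403 Forbidden header and show the content of the root homepage", describes behaviour the rule does not have: with the [F] flag mod_rewrite answers 403 immediately and ignores the substitution, so `index.php` is never served — the other blocking rules in this file already use `RewriteRule .* - [F]` for that reason, and this one should match: `RewriteRule .* - [F]` with the comment `# Return a 403 Forbidden (the substitution target is ignored when [F] is set)`. Two caveats belong in the section header, since the comment "attempts to block the most common type of exploit attempts" reads as if this were a complete defence: %{QUERY_STRING} is matched as sent, before URL-decoding, so a request that percent-encodes part of `base64_encode` or `GLOBALS` (for example `%62ase64_encode`) is not caught, and only the query string is inspected, so the same payloads in a POST body pass straight through. These patterns cut noise from mass scanners; they do not replace patching the extension that has the hole, and the comment should say so.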
Line 386: Line 177:
 
########## Begin - File injection protection, by SigSiu.net
 
########## Begin - File injection protection, by SigSiu.net
 
RewriteCond %{REQUEST_METHOD} GET
 
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-z0-9_]=http:// [NC]
+
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
 +
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
 +
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
 
RewriteRule .* - [F]
 
RewriteRule .* - [F]
 
########## End - File injection protection
 
########## End - File injection protection
 +
 +
########## Begin - Basic antispam Filter, by SigSiu.net
 +
## I removed some common words, tweak to your liking
 +
## This code uses PCRE and works only with Apache 2.x.
 +
## This code will NOT work with Apache 1.x servers.
 +
RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR]
 +
RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR]
 +
RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]
 +
RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC]
 +
## Note: The final RewriteCond must NOT use the [OR] flag.
 +
RewriteRule .* - [F]
 +
## Note: The previous lines are a "compressed" version
 +
## of the filters. You can add your own filters as:
 +
## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
 +
## where "badword" is the word you want to exclude.
 +
########## End - Basic antispam Filter, by SigSiu.net
 +
 +
########## Begin - Advanced server protection - query strings, referrer and config
 +
# Advanced server protection, version 3.2 - May 2011
 +
# by Nicholas K. Dionysopoulos
 +
 +
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
 +
## your PHP version). See http://www.0php.com/php_easter_egg.php and
 +
## http://osvdb.org/12184 for more information
 +
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
 +
RewriteRule .* - [F]
 +
 +
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
 +
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
 +
## May cause problems on legitimate requests
 +
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
 +
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
 +
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
 +
RewriteRule .* - [F]
 +
 +
## Referrer filtering for common media files. Replace with your own domain name.
 +
## This blocks most common fingerprinting attacks ;)
 +
## Note: Change www\.example\.com with your own domain name, substituting the
 +
## dots with \.  i.e. use www\.example\.com for www.example.com
 +
RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
 +
RewriteCond %{HTTP_REFERER} .
 +
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
 +
RewriteCond %{REQUEST_FILENAME} -f
 +
RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
 +
 +
## Disallow visual fingerprinting of Joomla! sites (module position dump)
 +
## Initial idea by Brian Teeman and Ken Crowder, see:
 +
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
 +
## Improved by @nikosdion to work more efficiently and handle template
 +
## and tmpl query parameters
 +
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
 +
RewriteRule .* - [L]
 +
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
 +
RewriteRule .* - [F]
 +
 +
## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
 +
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]
 +
 +
########## End - Advanced server protection - query strings, referrer and config
  
 
########## Begin - Advanced server protection rules exceptions ####
 
########## Begin - Advanced server protection rules exceptions ####
 
##
 
##
## These are sample exceptions to the Advanced Server Protection 2.0
+
## These are sample exceptions to the Advanced Server Protection 3.1
 
## rule set further down this file.
 
## rule set further down this file.
 
##
 
##
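Review bot: The rewritten remote-include condition on the `=http://` line lost the [NC] flag the old line carried, so `=HTTP://` or `=Http://` now passes, and it still names only `http://` although PHP stream wrappers for `https://` and `ftp://` include just as readily; restore case-insensitivity and widen the scheme: `RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(https?|ftp):// [NC,OR]`. The two new traversal conditions are a worthwhile addition, but all three match the query string as sent — mod_rewrite does not URL-decode %{QUERY_STRING} — so `..%2F` or `%68ttp://` evade them, which the section comment should state so nobody treats the block as complete. In the new referrer-filtering block the Referer header is attacker-controlled and is also stripped by many privacy tools and by HTTPS-to-HTTP navigation, so this is a hotlinking/fingerprinting nuisance filter rather than access control; the `RewriteCond %{HTTP_REFERER} .` line that lets empty referers through is correct but looks like a typo, and deserves a one-line comment such as `## Skip the check when no Referer is sent (privacy tools, bookmarks, direct links)`.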
Line 398: Line 250:
 
RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]
 
RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]
 
## Allow Phil Taylor's Turbo Gears
 
## Allow Phil Taylor's Turbo Gears
RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php - [L]
+
RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L]
 
## Allow JoomlaWorks AllVideos
 
## Allow JoomlaWorks AllVideos
RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php - [L]
+
RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L]
 
## Allow Admin Tools Joomla! updater to run
 
## Allow Admin Tools Joomla! updater to run
RewriteRule ^administrator/components/com_admintools/restore\.php - [L]
+
RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L]
 
## Allow Akeeba Backup Professional's integrated restoration script to run
 
## Allow Akeeba Backup Professional's integrated restoration script to run
RewriteRule ^administrator/components/com_akeeba/restore\.php - [L]
+
RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L]
 +
## Allow Akeeba Kickstart
 +
RewriteRule ^kickstart\.php$ - [L]
  
 
# Add more rules to single PHP files here
 
# Add more rules to single PHP files here
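Review bot: The new unconditional exception for `kickstart.php` in the web root leaves a restore/extraction script permanently reachable on every site that copies this file — if it is the Akeeba Kickstart archive extractor (the name and the neighbouring Akeeba entries suggest so; confirm), anyone who finds a forgotten copy can unpack an archive over the live site, and the rest of this block exists precisely to keep stray PHP entry points unreachable. Ship the line commented out with instructions: `## Uncomment ONLY while restoring a backup, then re-comment it and delete kickstart.php` / `# RewriteRule ^kickstart\.php$ - [L]`. Separately, the header now calls these exceptions to "Advanced Server Protection 3.1" while both rule-set blocks in this revision are labelled 3.2; align the number so readers do not assume the exceptions were written for a different rule set.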
Line 424: Line 278:
 
########## End - Advanced server protection rules exceptions ####
 
########## End - Advanced server protection rules exceptions ####
  
########## Begin - Advanced server protection
+
########## Begin - Advanced server protection - paths and files
# Advanced server protection, version 2.0 - August 2010
+
# Advanced server protection, version 3.2 - May 2011
 
# by Nicholas K. Dionysopoulos
 
# by Nicholas K. Dionysopoulos
 
## Referrer filtering for common media files. Replace with your own domain.
 
## This blocks most common fingerprinting attacks ;)
 
## Note: Change www\.example\.com with your own domain name, substituting
 
## the dots with \.  i.e. use www\.example\.com for www.example.com
 
RewriteRule ^images/stories/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?) - [L]
 
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com [NC]
 
RewriteCond %{REQUEST_FILENAME} -f
 
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [F]
 
 
## Disallow visual fingerprinting of Joomla! sites (module position dump)
 
## Initial idea by Brian Teeman and Ken Crowder, see:
 
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
 
## Improved by @nikosdion to work more efficiently and handle template
 
## and tmpl query parameters
 
RewriteCond %{QUERY_STRING} (^|&)tmpl=component [NC]
 
RewriteRule .* - [L]
 
RewriteCond %{QUERY_STRING} (^|&)tp= [NC,OR]
 
RewriteCond %{QUERY_STRING} (^|&)template= [NC,OR]
 
RewriteCond %{QUERY_STRING} (^|&)tmpl= [NC]
 
RewriteRule .* - [F]
 
 
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
 
## your PHP version). See http://www.0php.com/php_easter_egg.php and
 
## http://osvdb.org/12184 for more information
 
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
 
RewriteRule .* - [F]
 
  
 
## Back-end protection
 
## Back-end protection
 
## This also blocks fingerprinting attacks browsing for XML and INI files
 
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^administrator/?$ administrator/index.php [L]
+
RewriteRule ^administrator/?$ - [L]
 
RewriteRule ^administrator/index\.(php|html?)$ - [L]
 
RewriteRule ^administrator/index\.(php|html?)$ - [L]
 
RewriteRule ^administrator/index[23]\.php$ - [L]
 
RewriteRule ^administrator/index[23]\.php$ - [L]
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|html?)$ - [L]
+
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
 
RewriteRule ^administrator/ - [F]
 
RewriteRule ^administrator/ - [F]
  
 
## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
 
## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^xmlrpc/index\.php$ - [L]
+
RewriteRule ^xmlrpc/(index\.php)?$ - [L]
 
RewriteRule ^xmlrpc/ - [F]
 
RewriteRule ^xmlrpc/ - [F]
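Review bot: The broadened allow-list on the `administrator/(components|modules|templates|images|plugins)` rule now publicly serves archive and document types — zip, rar, 7z, pdf, txt and the Office formats — from beneath administrator/, while the block's own header says its purpose is to stop fingerprinting via files that should not be browsable; package archives and README/CHANGELOG .txt files left in extension directories can hand a scanner the same version strings the XML/INI block was meant to hide. Unless a specific back-end extension needs them, trim the new list to what the admin UI actually fetches (css, js, images, swf) and note the reason: `## Only static assets the back-end UI loads; do NOT add archives or text files here (version disclosure).` If the wider list is deliberate, say which extension requires it in the comment so the next maintainer does not narrow it again. The change of `^administrator/?$` from an internal rewrite to a pass-through is fine, but it now relies on the DirectoryIndex line earlier in the file to reach index.php, which is worth a short comment since the two directives sit far apart.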
  
Line 472: Line 299:
  
 
## Allow limited access for certain Joomla! system directories with client-accessible content
 
## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^(components|modules|plugins|templates)/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [L]
+
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*index\.php - [L]
+
## Uncomment this line if you have extensions which require direct access to their own
RewriteRule ^templates/([^.]+)\.php$ - [L]
+
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
 +
## for being so lame, lazy and security unconscious.
 +
# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
 +
## Uncomment the following line if your template requires direct access to PHP files
 +
## inside its directory, e.g. GZip compressed copies of its CSS files
 +
# RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
 
RewriteRule ^(components|modules|plugins|templates)/ - [F]
 
RewriteRule ^(components|modules|plugins|templates)/ - [F]
  
## Disallow access to htaccess.txt and configuration.php-dist
+
## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
RewriteRule ^(htaccess\.txt|configuration\.php-dist)$ - [F]
+
RewriteCond %{REQUEST_FILENAME} \.php$
 +
RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
 +
## The next line is to explicitly allow the forum post assistant(fpa-xx)script to run
 +
RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php
 +
RewriteCond %{REQUEST_FILENAME} -f
 +
RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]
 +
 
 +
########## End - Advanced server protection - paths and files
 +
 
 +
########## Begin - Google Apps redirection, by Komra.de
 +
## Uncomment the following line to enable:
 +
# RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
 +
## If the above doesn't work on your server, try this:
 +
## RewriteRule ^mail http://mail.google.com/a/example.com [R,L]
 +
########## End - Google Apps redirection
 +
 
 +
########## Begin - Custom redirects
 +
#
 +
# If you need to redirect some pages, place that code here. Ensure those
 +
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
 +
#
 +
########## End - Custom redirects
  
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
+
########## Begin - Redirect (www.)olddomain.com to www.example.com
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
+
## Note: olddomain.com is your old domain name, you want to redirect FROM,
## May cause problems on legitimate requests
+
## whereas www.example.com is the new domain name you want to redirect TO.
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
+
## Change those names to reflect your current configuration. Remember, this
RewriteCond %{QUERY_STRING} union([^s]*s)+elect[^\(]*\( [NC,OR]
+
## small part of the file is supposed to be placed in www.olddomain.com!
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
+
## Note: Replace [R=301,L] with [R,L] if you get error 500.
RewriteRule .* - [F]
+
## Uncomment the following lines to enable:
 +
# RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
 +
# RewriteRule (.*) http://www.example.com/$1 [R=301,L]
 +
## Note: The above section is only required if you are changing your domain name.
 +
########## End - Redirect (www.)olddomain.com to www.example.com
 +
 
 +
########## Begin - Force HTTPS for certain pages
 +
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
 +
# This is a sample redirection for foobar.html. Do note that you have to change
 +
# www.example.com to reflect your own domain. Remember to escape the dots using
 +
# \. in the left hand side of each rule. You need BOTH LINES PER URL for the rule
 +
# to work.
 +
RewriteCond %{SERVER_PORT} !^443$
 +
## Alternatively, comment the above line and uncomment the following line:
 +
# RewriteCond %{HTTPS} ^off$ [NC]
 +
RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L]
 +
## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L]
 +
# Add more rules below this line as required
 +
########## End - Force HTTPS for certain pages
 +
 
 +
########## Begin - Redirect index.php to /
 +
## Note: Change example.com to reflect your own domain name
 +
RewriteCond %{THE_REQUEST} !^POST
 +
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
 +
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
 +
RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L]
 +
## If the above line throws a 500 error, change [R=301,L] to [R,L]
 +
########## End - Redirect index.php to /
  
########## End - Advanced server protection
+
########## Begin - Redirect non-www to www
 +
RewriteCond %{HTTP_HOST} !^www\. [NC]
 +
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
 +
## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
 +
########## End - Redirect non-www to www
  
########## Begin - Basic antispam Filter, by SigSiu.net
+
########## Begin - Redirect www to non-www
## I removed some common words, tweak to your liking
+
## WARNING: Comment out the non-www to www rule if you choose to use this
RewriteCond %{QUERY_STRING} \bviagra\b [NC,OR]
+
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteCond %{QUERY_STRING} \bambien\b [NC,OR]
+
# RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
RewriteCond %{QUERY_STRING} \bblue\spill\b [NC,OR]
+
## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
RewriteCond %{QUERY_STRING} \bcialis\b [NC,OR]
+
########## End - Redirect non-www to www
RewriteCond %{QUERY_STRING} \bcocaine\b [NC,OR]
+
 
RewriteCond %{QUERY_STRING} \bejaculation\b [NC,OR]
+
########## Begin - Custom internal rewrites
RewriteCond %{QUERY_STRING} \berectile\b [NC,OR]
+
#
RewriteCond %{QUERY_STRING} \berections\b [NC,OR]
+
# If you need to internally rewrite some specific URL requests,
RewriteCond %{QUERY_STRING} \bhoodia\b [NC,OR]
+
# place that code here. Ensure those internal rewrites use the
RewriteCond %{QUERY_STRING} \bhuronriveracres\b [NC,OR]
+
# correct RewriteRule syntax without domain name and with [L] flag.
RewriteCond %{QUERY_STRING} \bimpotence\b [NC,OR]
+
#
RewriteCond %{QUERY_STRING} \blevitra\b [NC,OR]
+
########## End - Custom internal rewrites
RewriteCond %{QUERY_STRING} \blibido\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \blipitor\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bphentermin\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bprosac\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bsandyauer\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \btramadol\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \btroyhamby\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bultram\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bunicauca\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bvalium\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bviagra\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bvicodin\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bxanax\b [NC,OR]
 
RewriteCond %{QUERY_STRING} \bypxaieo\b [NC]
 
RewriteRule .* - [F]
 
########## End - Basic antispam Filter, by SigSiu.net
 
  
 
########## Begin - Joomla! core SEF Section
 
########## Begin - Joomla! core SEF Section
 
#
 
#
 
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_URI} !^/index.php
+
#
RewriteCond %{REQUEST_URI} (/[^.]*|\.(php|html?|feed|pdf|raw|ini|zip|json))$ [NC]
+
# If the requested path and file is not /index.php and the request
 +
# has not already been internally rewritten to the index.php script
 +
RewriteCond %{REQUEST_URI} !^/index\.php
 +
# and the request is for the site root, or for an extensionless URL,
 +
# or the requested URL ends with one of the listed extensions
 +
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw|ini|zip|json|file))$ [NC]
 +
# and the requested path and file doesn't directly match a physical file
 
RewriteCond %{REQUEST_FILENAME} !-f
 
RewriteCond %{REQUEST_FILENAME} !-f
 +
# and the requested path doesn't directly match a physical folder
 
RewriteCond %{REQUEST_FILENAME} !-d
 
RewriteCond %{REQUEST_FILENAME} !-d
 +
# internally rewrite the request to the index.php script
 
RewriteRule .* index.php [L]
 
RewriteRule .* index.php [L]
 
#
 
#
 
########## End - Joomla! core SEF Section
 
########## End - Joomla! core SEF Section
 +
 +
########## Begin - Optimal default expiration time
 +
## Note: this might cause problems and you might have to comment it out by
 +
## placing a hash in front of this section's lines
 +
<IfModule mod_expires.c>
 +
# Enable expiration control
 +
ExpiresActive On
 +
 +
# Default expiration: 1 hour after request
 +
ExpiresDefault "now plus 1 hour"
 +
 +
# CSS and JS expiration: 1 week after request
 +
ExpiresByType text/css "now plus 1 week"
 +
ExpiresByType application/javascript "now plus 1 week"
 +
ExpiresByType application/x-javascript "now plus 1 week"
 +
 +
# Image files expiration: 1 month after request
 +
ExpiresByType image/bmp "now plus 1 month"
 +
ExpiresByType image/gif "now plus 1 month"
 +
ExpiresByType image/jpeg "now plus 1 month"
 +
ExpiresByType image/jp2 "now plus 1 month"
 +
ExpiresByType image/pipeg "now plus 1 month"
 +
ExpiresByType image/png "now plus 1 month"
 +
ExpiresByType image/svg+xml "now plus 1 month"
 +
ExpiresByType image/tiff "now plus 1 month"
 +
ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
 +
ExpiresByType image/x-icon "now plus 1 month"
 +
ExpiresByType image/ico "now plus 1 month"
 +
ExpiresByType image/icon "now plus 1 month"
 +
ExpiresByType text/ico "now plus 1 month"
 +
ExpiresByType application/ico "now plus 1 month"
 +
ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
 +
ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
 +
ExpiresByType application/smil "now plus 1 month"
 +
 +
# Audio files expiration: 1 month after request
 +
ExpiresByType audio/basic "now plus 1 month"
 +
ExpiresByType audio/mid "now plus 1 month"
 +
ExpiresByType audio/midi "now plus 1 month"
 +
ExpiresByType audio/mpeg "now plus 1 month"
 +
ExpiresByType audio/x-aiff "now plus 1 month"
 +
ExpiresByType audio/x-mpegurl "now plus 1 month"
 +
ExpiresByType audio/x-pn-realaudio "now plus 1 month"
 +
ExpiresByType audio/x-wav "now plus 1 month"
 +
 +
# Movie files expiration: 1 month after request
 +
ExpiresByType application/x-shockwave-flash "now plus 1 month"
 +
ExpiresByType x-world/x-vrml "now plus 1 month"
 +
ExpiresByType video/x-msvideo "now plus 1 month"
 +
ExpiresByType video/mpeg "now plus 1 month"
 +
ExpiresByType video/mp4 "now plus 1 month"
 +
ExpiresByType video/quicktime "now plus 1 month"
 +
ExpiresByType video/x-la-asf "now plus 1 month"
 +
ExpiresByType video/x-ms-asf "now plus 1 month"
 +
</IfModule>
 +
########## End - Optimal expiration time
 +
</source>
 +
 +
If not using the suggested master htaccess file, the following suggestions will need RewriteEngine set to On, and will likely also need Options +FollowSymLinks too:
 +
 +
<source lang="apache">
 +
# mod_rewrite in use
 +
RewriteEngine On
 +
Options +FollowSymLinks
 +
</source>
 +
 +
== Other useful settings ==
 +
<source lang="apache">
 +
ServerSignature Off
 +
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
 +
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
 +
 +
RewriteCond %{HTTP_REFERER} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 +
RewriteCond %{HTTP_COOKIE} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 +
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999} [NC,OR]
 +
 +
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
 +
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
 +
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
 +
RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 +
 +
#Block mySQL injects
 +
RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
 +
 +
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
 +
 +
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
 +
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
 +
RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]
 +
# Note: The final RewriteCond must NOT use the [OR] flag.
 +
 +
# Return 403 Forbidden error.
 +
RewriteRule .* index.php [F]
 +
</source>
 +
 +
== Block bad user agents ==
 +
<source lang="apache">
 +
########## Block bad user agents
 +
## The following list may include bots that no longer exist or are not a problem
 +
## for your site. The list will always be incomplete and it is therefore wise to
 +
## follow discussions on one of the many "security" mailing lists or on a forum
 +
## such as http://www.webmasterworld.com/search_engine_spiders/
 +
## It is also unwise to rely on this list as your ONLY security mechanism.
 +
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
 +
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
 +
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
 +
RewriteCond %{HTTP_USER_AGENT} ^Zeus
 +
## Note: The final RewriteCond must NOT use the [OR] flag.
 +
 +
## Return 403 Forbidden error.
 +
RewriteRule .* - [F]
 
</source>
 
</source>
  
Line 536: Line 595:
 
[http://perishablepress.com/press/tag/htaccess/ .htaccess tag archive @ perishablepress.com]
 
[http://perishablepress.com/press/tag/htaccess/ .htaccess tag archive @ perishablepress.com]
  
[http://snipt.net/nikosdion/the-master-htaccess. proposed "master htaccess" (updated by Nicholas on November 18th 2010) DO read the intro by Nichols!]
+
https://github.com/nikosdion/master-htaccess Proposed "master htaccess" (by Nicholas v3.3) DO read the intro by Nicholas!]
 +
 
 
[[Category:Security]]
 
[[Category:Security]]
 +
 +
The original file contained a number of syntax errors, several rules that would never work, and a number of expressions that could be more efficiently coded.
 +
 +
Primary discussion of bugs and enhancements discussed at: http://forum.joomla.org/viewtopic.php?f=432&t=549841
 +
 +
Secondary discussion was also at: http://snipt.net/g1smd/joomla-patch/
 +
 +
The new proposed file: http://code.google.com/p/joomla-master-htaccess/source/list and at: https://github.com/nikosdion/master-htaccess
 +
 +
The changes explained, line by line:
 +
 +
http://codereview.appspot.com/4312049/diff/1/joomla-master-htaccess.txt
 +
 +
http://codereview.appspot.com/4290071/diff/1/joomla-master-htaccess.txt
 +
 +
http://codereview.appspot.com/4290071/diff/8001/joomla-master-htaccess.txt
 +
 +
http://codereview.appspot.com/4370051/diff/3/joomla-master-htaccess.txt
 +
 +
http://codereview.appspot.com/4314051/diff/1001/joomla-master-htaccess.txt
 +
 +
http://codereview.appspot.com/4430062/diff/1/joomla-master-htaccess.txt
 +
 +
http://codereview.appspot.com/4528051/diff/1/joomla-master-htaccess.txt

Latest revision as of 09:11, 19 December 2014

Credit for this .htaccess file goes to Ronald van den Heetkamp, Nicholas Dionysopoulos, g1smd, and others where listed

Suggested Master htaccess file

This can be discussed in this forum topic

Warning: Read the commented-out (#) areas! Incorrect settings on some servers may cause HTTP 500 errors. The only way to find out which rule(s) or section(s) cause the errors is trial and error: disable one section at a time and re-test.

This .htaccess file is not meant to be just dropped in your site. You should go through all sections and modify the file to match your site. Most notably, all instances of example.com and example\.com should be replaced with your real domain name. Some sections may cause problems with legitimate requests.

Applies to: Joomla! 2.5 (Experimental)

You are ultimately responsible for disabling sections or writing exception rules for legitimate requests that fail. Most notably, the advanced server protection section will cause issues with several minifiers, eXtplorer, VirtueMart and other extensions which use non-standard scripts as their entry points. You must add exceptions manually to the proper area of the file.

###############################################################################
## The Master .htaccess
##
## Version 2.5 (proposed) - May 16th, 2011
##
## ----------
## This file is designed to be the template .htaccess file to put on your new
## sites, increasing your site's security and performance. It is not meant to
## be just dropped in your site, though. You should go through all of its
## sections and modify it to match your site. Most notably, all instances of
## example.com and example\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
##
## Big thank you's to Brian Teeman, Ken Crowder, Radek Suski and Fotis
## Evangelou for sharing their .htaccess rules with the world and inspiring
## the creation of this file. Special thanks to Jon Brown for sharing his
## research and helping me improve this file.
##
## Additional thank-yous to John for his remarks and g1smd for taking the
## time to optimize the speed of the file.
##
## It is usually prudent to remove the comments from the file when using it
## on a live host to minimize the parsing time.
##
## ----------------------------------------------------------------------
## Do you want to customize this .htaccess file with a few clicks?
## Admin Tools Professional by AkeebaBackup.com does this and much more.
##
## Learn more: http://www.akeebabackup.com/software/admin-tools.html
## ----------------------------------------------------------------------
##
## Have fun, stay safe.
##
## Nicholas K. Dionysopoulos
## Lead Developer, AkeebaBackup.com
##
## CHANGELOG:
## Version 2.5 (proposed) (May 16th, 2011)
## - Placeholders for custom code. Correction of ruleset ordering.
## Version 2.4 (April 18th, 2011)
## - Dozens of speed optimisations and many logic and syntax corrections.
## Version 2.3 (November 18th, 2010)
## - Added .ico to the pass-through rules, for favicons to load
## Version 2.2 (October 25th, 2010)
## - Bug in the tmpl=component rule
## Version 2.1 (October 19th, 2010)
## - index.php to root redirection would kill some AJAX requests
## - Referer filtering was screwed up
## - Simplified and more thorough PHP Easter Egg code (thanks Jon!)
## - The tp/template/tmpl filter was not thorough and killed some components
## - Optimized Joomla! core SEF section
## - Bot filters and GZip optimization would never run for dynamic content
## - Content expiration optimization got more optimized
## - Added ETag rule
##
###############################################################################

########## Begin - RewriteEngine enabled
# Every RewriteCond/RewriteRule in this file is ignored unless the engine is on.
RewriteEngine On
########## End - RewriteEngine enabled

########## Begin - RewriteBase
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)
# Example: a site installed under /joomla/ would use "RewriteBase /joomla/".

# RewriteBase /
########## End - RewriteBase

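########## Begin - No directory listings
## Note: +FollowSymLinks may cause problems and you might have to remove it.
## mod_rewrite in a .htaccess file needs either FollowSymLinks or
## SymLinksIfOwnerMatch, so if you must drop +FollowSymLinks replace it with
## +SymLinksIfOwnerMatch instead of removing it outright, or every rewrite
## rule below stops working.
## The earlier form "+FollowSymLinks All -Indexes" mixed relative (+/-) and
## absolute ("All") options, which is invalid Options syntax (Apache 2.4
## rejects it, producing a 500 error from .htaccess), and "All" would also
## have switched on Includes and ExecCGI, which this section never intended.
IndexIgnore *
Options +FollowSymLinks -Indexes
########## End - No directory listings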

########## Begin - File execution order, by Komra.de
# When a directory is requested, serve index.php before falling back to index.html.
DirectoryIndex index.php index.html
########## End - File execution order

########## Begin - ETag Optimization
## This rule will create an ETag for files based only on the modification
## timestamp and their size. This works wonders if you are using rsync'ed
## servers, where the inode number of identical files differs.
## Note: It may cause problems on your server and you may need to remove it
## (FileETag is only honoured in .htaccess when AllowOverride includes FileInfo).
FileETag MTime Size
########## End - ETag Optimization

########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
## Each SetEnvIf pattern is a case-sensitive regular expression matched anywhere
## in the User-Agent header; "deny from env=" then refuses every request that
## carried one of them. The User-Agent string is chosen by the client, so this
## only keeps out tools that identify themselves honestly - treat it as a
## nuisance filter, not as an access control.
## "deny from" is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat or the
## equivalent Require directives.
# This line also disables Akeeba Remote Control 2.5 and earlier
SetEnvIf user-agent "Indy Library" stayout=1
# WARNING: Disabling wget will also block the most common method for
# running CRON jobs. Remove if you have issues with CRON jobs.
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth hoggers block

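########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
# The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
# mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server.
# AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.
# The <IfModule> guard turns the directive into a no-op when mod_deflate is not
# loaded, so the whole site does not fail with the 500 error described above;
# compression is then simply not applied.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
</IfModule>
########## End - Automatic compression of resources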

########## Begin - Add optional bad user agent or IP blocking code
#
# If you need to block certain user agents or IP addresses and
# other signatures, place that code here. Ensure the rules use
# the correct RewriteRule syntax and the [F] flag.
#
########## End - Add optional bad user agent or IP blocking code

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
## All patterns are tested against the raw, still URL-encoded query string, so
## each one only catches the spellings it lists (e.g. both "<" and "%3C" are
## written out). Treat this as a coarse first filter, not as a substitute for
## keeping Joomla! and its extensions patched.
## The conditions are chained with [OR]; the last one must not carry the flag.
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden. With [F] the "index.php" substitution is ignored, so the
# client receives the server's standard 403 page (or your ErrorDocument 403),
# not the content of the homepage.
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
## Refuses GET requests whose query string assigns a parameter an absolute
## http:// URL, a "../" sequence or an absolute filesystem-style path - the
## shapes a file inclusion attempt usually takes.
## The first condition has no [OR], so it is ANDed with the [OR]-chained group
## that follows it; requests using other methods (e.g. POST) are not inspected.
## NOTE(review): only "http://" is listed; parameters carrying "https://" or
## "ftp://" values pass this filter. Extend the first pattern to
## "(https?|ftp)://" if your site has no legitimate parameters that carry such
## URLs (e.g. return or share links).
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
########## End - File injection protection

########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
## This code uses PCRE and works only with Apache 2.x.
## This code will NOT work with Apache 1.x servers.
## Any request whose query string contains one of these words as a whole word
## (case-insensitive) is refused - including legitimate site searches for them,
## so review the list against your own content before enabling it.
RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC]
## Note: The final RewriteCond must NOT use the [OR] flag.
RewriteRule .* - [F]
## Note: The previous lines are a "compressed" version
## of the filters. You can add your own filters as:
## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
## where "badword" is the word you want to exclude.
## (insert such lines ABOVE the final RewriteCond so that the last one keeps
## no [OR] flag)
########## End - Basic antispam Filter, by SigSiu.net

########## Begin - Advanced server protection - query strings, referrer and config
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
## Matches the "=PHP<uuid>" query parameter shape of the easter-egg requests
## and refuses it with 403. Disabling expose_php in php.ini achieves the same
## at the PHP level and is the more reliable fix where you control php.ini.
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
## Refuses query strings containing "concat(" or a "union ... select" /
## "union all select" sequence (case-insensitive). The raw, still URL-encoded
## query string is inspected, so only these literal spellings are caught; this
## is a coarse filter, not a replacement for parameterised queries in the code.
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]

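## Referrer filtering for common media files. Replace with your own domain name.
## Hotlink protection: media files that physically exist are refused when the
## request carries a Referer from another site. Requests with no Referer at all
## are always allowed (the first RewriteCond requires a non-empty header), and
## the header is supplied by the client, so this limits casual embedding and
## scripted fingerprinting from pages hosted elsewhere; it is not a security
## boundary on its own.
## Note: Change www\.example\.com with your own domain name, substituting the
## dots with \.  i.e. use www\.example\.com for www.example.com
## The host test ends in (:[0-9]+)?(/|$) so that only example.com itself (with
## an optional port) is accepted; the earlier prefix-only pattern also accepted
## any other hostname that merely started with those characters.
# Files under images/stories are served regardless of Referer
RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(:[0-9]+)?(/|$) [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]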

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
## tmpl=component and tmpl=system are legitimate Joomla! values (modal windows
## and system pages) and are passed through first; any other tp=, template= or
## tmpl= parameter is then refused with 403.
## NOTE(review): the [L] pass-through ends this rewrite pass with the URL
## unchanged, so a SEF (non-index.php) path that carries tmpl=component may
## never reach the core SEF rewrite further down in this file. Confirm that
## such URLs still resolve on your server; if they return 404, a [S=1] skip
## over the following [F] rule instead of [L] avoids the problem.
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]

## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
## These live in the site root and hold credentials or server settings; the
## rule refuses direct requests for them with 403. It does not cover copies or
## backups under other names (e.g. configuration.php.bak), which the generic
## PHP-file block later in the file also leaves to the server's handler config.
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]

########## End - Advanced server protection - query strings, referrer and config

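########## Begin - Advanced server protection rules exceptions ####
##
## These are sample exceptions to the Advanced Server Protection 3.1
## rule set further down this file.
##
## Each [L] rule below ends the rewrite pass for a matching path, so the
## blanket [F] rules that follow never see it. Keep this list as short as your
## extensions really need: every line re-exposes one script to direct requests.
##
## Allow UddeIM CAPTCHA
RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]
## Allow Phil Taylor's Turbo Gears
RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L]
## Allow JoomlaWorks AllVideos
RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L]
## Allow Admin Tools Joomla! updater to run
RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L]
## Allow Akeeba Backup Professional's integrated restoration script to run
RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L]
## Allow Akeeba Kickstart
RewriteRule ^kickstart\.php$ - [L]

# Add more rules to single PHP files here

## Allow Agora attachments, but not PHP files in that directory!
## The extension test carries [NC] because Apache's AddHandler/AddType match
## file extensions case-insensitively: on such hosts an uploaded "*.PHP" file is
## still executed as PHP, but a case-sensitive "\.php$" test would have let it
## through this exception. Add any other PHP-handled extensions your host
## configures (e.g. .phtml) to the pattern as well.
RewriteCond %{REQUEST_FILENAME} !\.php$ [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^components/com_agora/img/members/ - [L]

# Add more rules for allowing full access (except PHP files) on more directories here

## Uncomment to allow full access to the cache directory (strongly not recommended!)
#RewriteRule ^cache/ - [L]
## Uncomment to allow full access to the tmp directory (strongly not recommended!)
#RewriteRule ^tmp/ - [L]

# Add more full access rules here

########## End - Advanced server protection rules exceptions ####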

########## Begin - Advanced server protection - paths and files
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
## Rule order matters: the [L] rules name what is allowed under
## administrator/, and the final [F] rule refuses everything else.
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
## Static assets only, selected by an allow-list of file extensions;
## .php, .xml and .ini are deliberately absent from the list
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
RewriteRule ^administrator/ - [F]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^xmlrpc/(index\.php)?$ - [L]
RewriteRule ^xmlrpc/ - [F]

## Disallow front-end access for certain Joomla! system directories
## includes/js/ must be allowed before the blanket refusal of includes/
RewriteRule ^includes/js/ - [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]

## Allow limited access for certain Joomla! system directories with client-accessible content
## Same extension allow-list as the back-end rule above
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
## Uncomment this line if you have extensions which require direct access to their own
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
## for being so lame, lazy and security unconscious.
# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
## Uncomment the following line if your template requires direct access to PHP files
## inside its directory, e.g. GZip compressed copies of its CSS files
# RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
RewriteRule ^(components|modules|plugins|templates)/ - [F]

## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
## REQUEST_FILENAME is the resolved filesystem path, so these conditions are
## not limited to the site root: a file named index.php, index2.php or
## index3.php in ANY directory passes the second condition. Only existing
## files (-f) are refused; requests for non-existent .php paths fall through
## to the SEF rules further down.
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
## The next line is to explicitly allow the forum post assistant(fpa-xx)script to run
RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]

########## End - Advanced server protection - paths and files

########## Begin - Google Apps redirection, by Komra.de
## Uncomment the following line to enable:
# RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
## If the above doesn't work on your server, try this:
## RewriteRule ^mail http://mail.google.com/a/example.com [R,L]
########## End - Google Apps redirection

########## Begin - Custom redirects
#
# If you need to redirect some pages, place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
########## End - Custom redirects

########## Begin - Redirect (www.)olddomain.com to www.example.com
## Note: olddomain.com is your old domain name, you want to redirect FROM,
## whereas www.example.com is the new domain name you want to redirect TO.
## Change those names to reflect your current configuration. Remember, this
## small part of the file is supposed to be placed in www.olddomain.com!
## Note: Replace [R=301,L] with [R,L] if you get error 500.
## Uncomment the following lines to enable:
# RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
# RewriteRule (.*) http://www.example.com/$1 [R=301,L]
## Note: The above section is only required if you are changing your domain name.
########## End - Redirect (www.)olddomain.com to www.example.com

########## Begin - Force HTTPS for certain pages
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
# This is a sample redirection for foobar.html. Do note that you have to change
# www.example.com to reflect your own domain. Remember to escape the dots using
# \. in the left hand side of each rule. You need BOTH LINES PER URL for the rule
# to work.
## SERVER_PORT is the port Apache itself accepted the connection on. Behind a
## TLS-terminating proxy or load balancer it may never be 443, in which case
## this rule redirects in a loop; such setups need a condition on a header
## set by the proxy instead - confirm for your hosting.
RewriteCond %{SERVER_PORT} !^443$
## Alternatively, comment the above line and uncomment the following line:
# RewriteCond %{HTTPS} ^off$ [NC]
RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L]
## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L]
# Add more rules below this line as required
########## End - Force HTTPS for certain pages

########## Begin - Redirect index.php to /
## Note: Change example.com to reflect your own domain name
## Skip POST requests: a redirect would discard the request body
RewriteCond %{THE_REQUEST} !^POST
## Match only a request line for exactly /index.php, as the client sent it
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
## Scheme detection trick: ">s" is appended to the port. On port 443 the
## inner "(s)" group captures an "s"; on any other port the second group
## stays empty.
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
## %2 is that second group, so the target becomes https:// or http://.
## The rule pattern has no capture group, so $1 should expand to nothing and
## the redirect lands on the site root.
RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L]
## If the above line throws a 500 error, change [R=301,L] to [R,L]
########## End - Redirect index.php to /

########## Begin - Redirect non-www to www
## Note: the redirect target is built from the Host request header. If this
## site also answers as the server's default virtual host, a request with an
## arbitrary Host header is redirected to that arbitrary host; where that
## matters, hard-code the domain as the index.php redirect above does.
## Note: the target scheme is always http://, so an https:// request for the
## bare domain is downgraded to plain HTTP; adapt if the site is served over TLS.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
########## End - Redirect non-www to www

########## Begin - Redirect www to non-www
## WARNING: Comment out the non-www to www rule if you choose to use this
## %1 is the host name captured by the RewriteCond (everything after "www."),
## and the target scheme is fixed to http://, as in the rule above.
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
########## End - Redirect www to non-www

########## Begin - Custom internal rewrites
#
# If you need to internally rewrite some specific URL requests,
# place that code here. Ensure those internal rewrites use the
# correct RewriteRule syntax without domain name and with [L] flag.
#
########## End - Custom internal rewrites

########## Begin - Joomla! core SEF Section
#
## Copy the Authorization request header into the HTTP_AUTHORIZATION
## environment variable. This is typically needed where PHP runs as CGI or
## FastCGI and would otherwise not see the header - confirm for your setup.
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for the site root, or for an extensionless URL,
# or the requested URL ends with one of the listed extensions
# (a path containing /component/ also qualifies; the match is case-insensitive)
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw|ini|zip|json|file))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
########## End - Joomla! core SEF Section

########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
## The whole section is skipped silently when mod_expires is not loaded.
<IfModule mod_expires.c>
# Enable expiration control
ExpiresActive On

# Default expiration: 1 hour after request
## Applies to every response type not listed below, including dynamically
## generated pages unless the application sends its own caching headers -
## confirm against Joomla!'s behaviour before relying on it.
ExpiresDefault "now plus 1 hour"

# CSS and JS expiration: 1 week after request
## ExpiresByType keys on the MIME type Apache actually sends; a type that is
## not configured for the server (e.g. via AddType) never matches here.
ExpiresByType text/css "now plus 1 week"
ExpiresByType application/javascript "now plus 1 week"
ExpiresByType application/x-javascript "now plus 1 week"

# Image files expiration: 1 month after request
ExpiresByType image/bmp "now plus 1 month"
ExpiresByType image/gif "now plus 1 month"
ExpiresByType image/jpeg "now plus 1 month"
ExpiresByType image/jp2 "now plus 1 month"
ExpiresByType image/pipeg "now plus 1 month"
ExpiresByType image/png "now plus 1 month"
ExpiresByType image/svg+xml "now plus 1 month"
ExpiresByType image/tiff "now plus 1 month"
ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
ExpiresByType image/x-icon "now plus 1 month"
ExpiresByType image/ico "now plus 1 month"
ExpiresByType image/icon "now plus 1 month"
ExpiresByType text/ico "now plus 1 month"
ExpiresByType application/ico "now plus 1 month"
ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
ExpiresByType application/smil "now plus 1 month"

# Audio files expiration: 1 month after request
ExpiresByType audio/basic "now plus 1 month"
ExpiresByType audio/mid "now plus 1 month"
ExpiresByType audio/midi "now plus 1 month"
ExpiresByType audio/mpeg "now plus 1 month"
ExpiresByType audio/x-aiff "now plus 1 month"
ExpiresByType audio/x-mpegurl "now plus 1 month"
ExpiresByType audio/x-pn-realaudio "now plus 1 month"
ExpiresByType audio/x-wav "now plus 1 month"

# Movie files expiration: 1 month after request
ExpiresByType application/x-shockwave-flash "now plus 1 month"
ExpiresByType x-world/x-vrml "now plus 1 month"
ExpiresByType video/x-msvideo "now plus 1 month"
ExpiresByType video/mpeg "now plus 1 month"
ExpiresByType video/mp4 "now plus 1 month"
ExpiresByType video/quicktime "now plus 1 month"
ExpiresByType video/x-la-asf "now plus 1 month"
ExpiresByType video/x-ms-asf "now plus 1 month"
</IfModule>
########## End - Optimal expiration time

If you are not using the suggested master htaccess file, the following snippets need RewriteEngine set to On, and will most likely also need Options +FollowSymLinks:

 # mod_rewrite in use
 ## In per-directory (.htaccess) context mod_rewrite requires FollowSymLinks
 ## (or SymLinksIfOwnerMatch) to be enabled for the directory
 RewriteEngine On
 Options +FollowSymLinks

Other useful settings

 ServerSignature Off
 ## All RewriteCond lines below are OR-ed together and feed the single
 ## RewriteRule at the end; any one match returns 403 Forbidden.
 ## Note: HEAD is a legitimate method used by many clients and monitoring
 ## tools; refusing it here may break them.
 RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
 RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]

 ## Note: the quote characters in the next three patterns are typographic
 ## (’ and ”), not the ASCII ' and " they appear to stand for; the ASCII
 ## quotes themselves are not matched by these characters - confirm intent.
 RewriteCond %{HTTP_REFERER} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 RewriteCond %{HTTP_COOKIE} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999} [NC,OR]

 ## Note: these User-Agent rules also refuse legitimate clients (curl, wget,
 ## Python libraries, an empty UA string) and a client can present any UA
 ## string it likes; treat them as noise reduction, not as protection.
 RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 
 #Block mySQL injects
 ## Same typographic-quote caveat as above; the listed SQL keywords are only
 ## refused when preceded by one of the characters in the first group.
 RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]

 RewriteCond %{QUERY_STRING} \.\./\.\. [OR]

 RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
 ## Note: this refuses ANY query string containing a dot followed by a letter
 ## or digit (a file name, a decimal number, a host name), which is very
 ## likely to break legitimate requests; review carefully before enabling.
 RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
 RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]
 # Note: The final RewriteCond must NOT use the [OR] flag.

 # Return 403 Forbidden error.
 ## With [F] the substitution ("index.php") is ignored; "-" would say the same thing more clearly.
 RewriteRule .* index.php [F]

Block bad user agents

 ########## Block bad user agents
 ## The following list may include bots that no longer exist or are not a problem
 ## for your site. The list will always be incomplete and it is therefore wise to
 ## follow discussions on one of the many "security" mailing lists or on a forum
 ## such as http://www.webmasterworld.com/search_engine_spiders/
 ## It is also unwise to rely on this list as your ONLY security mechanism.
 ## Most patterns below are anchored (^) and case-sensitive; only the HTTrack
 ## and Indy Library lines use [NC]. The conditions are OR-ed together and
 ## feed the single RewriteRule at the end of the section.
 RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
 RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
 RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
 RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
 RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
 RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
 RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
 RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
 RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
 RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
 RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
 RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
 RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
 RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
 RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
 RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Zeus
 ## Note: The final RewriteCond must NOT use the [OR] flag.

 ## Return 403 Forbidden error.
 RewriteRule .* - [F]

External links

.htaccess tag archive @ perishablepress.com

https://github.com/nikosdion/master-htaccess — Proposed "master htaccess" (by Nicholas, v3.3). DO read the intro by Nicholas!

The original file contained a number of syntax errors, several rules that would never work, and a number of expressions that could be more efficiently coded.

Primary discussion of bugs and enhancements is at: http://forum.joomla.org/viewtopic.php?f=432&t=549841

Secondary discussion was also at: http://snipt.net/g1smd/joomla-patch/

The new proposed file: http://code.google.com/p/joomla-master-htaccess/source/list and at: https://github.com/nikosdion/master-htaccess

The changes explained, line by line:

http://codereview.appspot.com/4312049/diff/1/joomla-master-htaccess.txt

http://codereview.appspot.com/4290071/diff/1/joomla-master-htaccess.txt

http://codereview.appspot.com/4290071/diff/8001/joomla-master-htaccess.txt

http://codereview.appspot.com/4370051/diff/3/joomla-master-htaccess.txt

http://codereview.appspot.com/4314051/diff/1001/joomla-master-htaccess.txt

http://codereview.appspot.com/4430062/diff/1/joomla-master-htaccess.txt

http://codereview.appspot.com/4528051/diff/1/joomla-master-htaccess.txt