Actions

Difference between revisions of "Preconfigured htaccess"

From Joomla! Documentation

m (Hutchy68 moved page Preconfigured .htaccess to Preconfigured htaccess: fixing page not accessible)
(Marked this version for translation)
 
(11 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{review}}
+
<noinclude><languages /></noinclude>
 +
<translate>
 +
<!--T:1-->
 +
An Apache webserver uses an htaccess file in the site main directory for site specific configuration. A preconfigured htaccess file (<tt>htaccess.txt</tt>) is delivered with Joomla. It contains instructions to avoid common exploits and implements SEF urls. In addition it provides some settings that needs to be checked for your environment:
 +
</translate>
 +
<ul>
 +
<li>IndexIgnore *</li>
 +
<li>Options +FollowSymLinks</li>
 +
<li>Options -Indexes</li>
 +
<li>RewriteBase /<li>
 +
</ul>
  
##
+
<translate><!--T:2-->
# @version $Id: htaccess.txt 10492 2008-07-02 06:38:28Z ircmaxell $
+
Activating <tt>htaccess.txt</tt> means merging an existing .htaccess file with htaccess.txt and decide on the settings mentioned above.</translate>
# @package Joomla
+
 
# @copyright Copyright (C) 2005 - 2008 Open Source Matters. All rights reserved.
+
<strong><translate><!--T:3-->
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
+
Note:</translate></strong>
# Joomla! is Free Software
+
 
##
+
<translate><!--T:4-->
 +
The active file is set in one of the httpd.conf files with:</translate>
 +
<pre>AccessFileName .htaccess</pre>
 +
<translate><!--T:5-->
 +
It defaults to .htaccess (which makes it hidden on a Unix-like filesystems). No need to change that.</translate>
 
   
 
   
+
<translate><!--T:6-->
#####################################################
+
On the Windows platform you might change it to:</translate>
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
+
<pre>AccessFileName htaccess.ini</pre>
#
+
<translate><!--T:7-->
# The line just below this section: 'Options +FollowSymLinks' may cause problems
+
so you can edit it more easily.</translate>
# with some server configurations.  It is required for use of mod_rewrite, but may already
+
 
# be set by your server administrator in a way that dissallows changing it in
+
<translate><!--T:8-->
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
+
Don't use <tt>htaccess.txt</tt> here because when updating Joomla, it will be overwritten and changes will be lost.</translate>
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
+
 
# it has been set by your server administrator and you do not need it set here.
+
<translate><!--T:9-->
#
+
Content of <tt>htaccess.txt</tt>:</translate>
#####################################################
+
 
+
<pre>
## Can be commented out if causes errors, see notes above.
+
##
Options +FollowSymLinks
+
# @package    Joomla
+
# @copyright  Copyright (C) 2005 - 2015 Open Source Matters. All rights reserved.
#
+
# @license    GNU General Public License version 2 or later; see LICENSE.txt
# mod_rewrite in use
+
##
+
 
RewriteEngine On
+
##
+
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
########## Begin - Rewrite rules to block out some common exploits
+
#
## If you experience problems on your site block out the operations listed below
+
# The line just below this section: 'Options +FollowSymLinks' may cause problems
## This attempts to block the most common type of exploit `attempts` to Joomla!
+
# with some server configurations.  It is required for use of mod_rewrite, but may already
#
+
# be set by your server administrator in a way that disallows changing it in
# Block out any script trying to set a mosConfig value through the URL
+
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
+
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# Block out any script trying to base64_encode crap to send via URL
+
# it has been set by your server administrator and you do not need it set here.
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
+
##
# Block out any script that includes a <script> tag in URL
+
 
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
+
## No directory listings
# Block out any script trying to set a PHP GLOBALS variable via URL
+
IndexIgnore *
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
+
 
# Block out any script trying to modify a _REQUEST variable via URL
+
## Can be commented out if causes errors, see notes above.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
+
Options +FollowSymlinks
# Send all blocked request to homepage with 403 Forbidden error!
+
Options -Indexes
RewriteRule ^(.*)$ index.php [F,L]
+
 
#
+
## Mod_rewrite in use.
########## End - Rewrite rules to block out some common exploits
+
 
+
RewriteEngine On
# Uncomment following line if your webserver's URL
+
 
# is not directly related to physical file paths.
+
## Begin - Rewrite rules to block out some common exploits.
# Update Your Joomla! Directory (just / for root)
+
# If you experience problems on your site block out the operations listed below
+
# This attempts to block the most common type of exploit `attempts` to Joomla!
# RewriteBase /
+
#
+
# Block out any script trying to base64_encode data within the URL.
+
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
########## Begin - Joomla! core SEF Section
+
# Block out any script that includes a <script> tag in URL.
#
+
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{REQUEST_FILENAME} !-f
+
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{REQUEST_FILENAME} !-d
+
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{REQUEST_URI} !^/index.php
+
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
+
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule (.*) index.php
+
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
+
RewriteRule .* index.php [F]
#
+
#
########## End - Joomla! core SEF Section
+
## End - Rewrite rules to block out some common exploits.
 +
 
 +
## Begin - Custom redirects
 +
#
 +
# If you need to redirect some pages, or set a canonical non-www to
 +
# www redirect (or vice versa), place that code here. Ensure those
 +
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
 +
#
 +
## End - Custom redirects
 +
 
 +
##
 +
# Uncomment following line if your webserver's URL
 +
# is not directly related to physical file paths.
 +
# Update Your Joomla! Directory (just / for root).
 +
##
 +
 
 +
# RewriteBase /
 +
 
 +
## Begin - Joomla! core SEF Section.
 +
#
 +
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 +
#
 +
# If the requested path and file is not /index.php and the request
 +
# has not already been internally rewritten to the index.php script
 +
RewriteCond %{REQUEST_URI} !^/index\.php
 +
# and the requested path and file doesn't directly match a physical file
 +
RewriteCond %{REQUEST_FILENAME} !-f
 +
# and the requested path and file doesn't directly match a physical folder
 +
RewriteCond %{REQUEST_FILENAME} !-d
 +
# internally rewrite the request to the index.php script
 +
RewriteRule .* index.php [L]
 +
#
 +
## End - Joomla! core SEF Section.
 +
 
 +
</pre>
 +
 
 +
<noinclude>
 +
<translate>
 +
<!--T:10-->
 +
[[Category:Joomla! Website Management]]
 +
[[Category:Installation]]
 +
</translate>
 +
</noinclude>

Latest revision as of 11:55, 6 September 2015

Other languages:
English • ‎español • ‎français • ‎Nederlands • ‎português do Brasil

An Apache webserver uses an htaccess file in the site main directory for site specific configuration. A preconfigured htaccess file (htaccess.txt) is delivered with Joomla. It contains instructions to avoid common exploits and implements SEF urls. In addition it provides some settings that needs to be checked for your environment:

  • IndexIgnore *
  • Options +FollowSymLinks
  • Options -Indexes
  • RewriteBase /

Activating htaccess.txt means merging an existing .htaccess file with htaccess.txt and decide on the settings mentioned above.

Note:

The active file is set in one of the httpd.conf files with:

AccessFileName .htaccess

It defaults to .htaccess (which makes it hidden on a Unix-like filesystems). No need to change that.

On the Windows platform you might change it to:

AccessFileName htaccess.ini

so you can edit it more easily.

Don't use htaccess.txt here because when updating Joomla, it will be overwritten and changes will be lost.

Content of htaccess.txt:

##
# @package    Joomla
# @copyright  Copyright (C) 2005 - 2015 Open Source Matters. All rights reserved.
# @license    GNU General Public License version 2 or later; see LICENSE.txt
##

##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
##

## No directory listings
IndexIgnore *

## Can be commented out if causes errors, see notes above.
Options +FollowSymlinks
Options -Indexes

## Mod_rewrite in use.

RewriteEngine On

## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site block out the operations listed below
# This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.

## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
## End - Custom redirects

##
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root).
##

# RewriteBase /

## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.