Suggested Master .htaccess file

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Sat Mar 19, 2011 6:38 pm

reivaj wrote:If you log to the backend through https this block will redirect you again to http.

Code:

 ########## Begin - Redirect index.php to / for root and /path/ for folders
## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
RewriteRule ^(([^/]+/)*)index\.php$ http://www.example.com/$1 [R=301,L]
########## End - Redirect index.php to / for root and /path/ for folders
Try this:

Code:

 ########## Begin - Redirect index.php to / for root and /path/ for folders
## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
RewriteRule ^(([^/]+/)*)index\.php$ http%2://www.example.com/$1 [R=301,L]
########## End - Redirect index.php to / for root and /path/ for folders
Another https-related issue is secure forms. I have one to collect customer details, and I need to add "s?" right after "!^http" for it to work properly, in the following block:

Code:

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting
## the dots with \.  i.e. use www\.example\.com for www.example.com
RewriteRule ^images/stories/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?) - [L]
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [F]
Yes. Added this new code. Thanks.

See: http://docs.joomla.org/Htaccess_example ... ldid=38027
Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Sat Mar 19, 2011 10:30 pm

reivaj wrote:Hi

Thanks to everyone for this beautiful post.
If you log to the backend through https this block will redirect you again to http.

Code:

########## Begin - Redirect index.php to / for root and /path/ for folders
## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
RewriteRule ^(([^/]+/)*)index\.php$ http://www.example.com/$1 [R=301,L]
########## End - Redirect index.php to / for root and /path/ for folders
I'm sorry, but I don't have enough knowledge to fix it. A temporary solution is to use this line suggested before.

Code:

RewriteCond %{REQUEST_URI} !/([^/]+/)*administrator
Another https-related issue is secure forms. I have one to collect customer details, and I need to add "s?" right after "!^http" for it to work properly, in the following block:

Code:

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting
## the dots with \.  i.e. use www\.example\.com for www.example.com
RewriteRule ^images/stories/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?) - [L]
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [F]

Best Regards, and thanks again.
You don't need "RewriteCond %{REQUEST_URI} !/([^/]+/)*administrator" anymore when you include "RewriteCond %{THE_REQUEST} !^POST"
Best wishes and God bless.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Sat Mar 19, 2011 10:33 pm

PhilD wrote:
sog2012 wrote:
g1smd wrote:It's quite simple. Where the file has "." use ".", and where it has "\." use "\." each time...
I am confused... why do I need to use "." and "\." when it's already in the .htaccess file? I don't need to change it or use it because it's already being used, right? :eek:

The only thing I have done in the entire .htaccess file is change the word "example" to my domain name, and changed the ".com" to ".org".

That's all I have done and it seems to be working.
What is meant is this:
If I want to use the code block below I need to make it work with my site. I do this like this:
Say my site name is http://www.mysite.org
I change this line: RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
to look like this:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.org [NC]

And I think (too early in the morning), before you ask, if my domain is just mysite.org and I don't use the www. part, the line remains the same. That is:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.org [NC]

This is because the question mark indicates there is zero or one of the preceding element, which in this case is what is contained (grouped) within the parentheses: (www\.)

Code:

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting
## the dots with \.  i.e. use www\.example\.com for www.example.com
RewriteRule ^images/stories/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?) - [L]
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [F]
Well that was my point, all I did was replace "example" with my real webname and I then replaced ".com" with ".org". That is all I did in the entire .htaccess file.
Best wishes and God bless.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Sat Mar 19, 2011 11:03 pm

What would you replace example\.com with if your site was www.store.example.co.uk here?
Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Sun Mar 20, 2011 12:37 am

Is there a command we can include in .htaccess that stops from getting keylogged?
Best wishes and God bless.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Sun Mar 20, 2011 12:39 am

g1smd wrote:What would you replace example\.com with if your site was www.store.example.co.uk here?
Well the website I created for my friend would be: biblejesus\.org

But if his website would be www.store.example.co.uk, then I would make it look like this:

store.example\.co.uk
Best wishes and God bless.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Sun Mar 20, 2011 4:34 am

Working good, no problems to report.
Best wishes and God bless.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Sun Mar 20, 2011 7:52 am

sog2012 wrote:
g1smd wrote:What would you replace example\.com with if your site was www.store.example.co.uk here?
Well the website I created for my friend would be: biblejesus\.org

But if his website would be www.store.example.co.uk, then I would make it look like this:
store.example\.co.uk
That would be incorrect.

It should be: store\.example\.co\.uk with all of the literal periods in the RegEx patterns escaped.
Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Sun Mar 20, 2011 7:58 am

g1smd wrote:
sog2012 wrote:
g1smd wrote:What would you replace example\.com with if your site was http://www.store.example.co.uk here?
Well the website I created for my friend would be: biblejesus\.org

But if his website would be http://www.store.example.co.uk, then I would make it look like this:
store.example\.co.uk
That would be incorrect.

It should be: store\.example\.co\.uk with all of the literal periods in the RegEx patterns escaped.
so there is an \. between any words?

So the best way to think about it is that we add a \ before any full stop?

So is biblejesus\.org correct? Or am I really confused? :-[
Best wishes and God bless.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Sun Mar 20, 2011 8:31 am

Where the example has "." use "." for all of the periods.

Where the example has "\." use "\." for all of the periods.

So where the example code says www.example.com you would use www.store.example.co.uk and where the code says www\.example\.com you would use www\.store\.example\.co\.uk
Online since 1995.
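
Since the escaping question came up several times in this thread, here is an added Python check (not code from the thread or from Joomla) that builds the referer CondPattern from a bare domain by escaping every literal dot, exactly as described above, and emulates the referer-filter block so you can see what an unescaped dot lets through. The domain names and Referer values are constructed for the demonstration; the `%{REQUEST_FILENAME} -f` condition is a filesystem test and is assumed to be true.

```python
import re

# Extension list copied from the two RewriteRules in the referer-filter block.
MEDIA_EXT = r"\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)"


def referer_pattern(domain: str) -> str:
    """Build the CondPattern for
        RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?example\\.com [NC]
    from a bare domain, escaping every literal dot
    (store.example.co.uk -> store\\.example\\.co\\.uk)."""
    escaped = r"\.".join(domain.split("."))
    return rf"^https?://(www\.)?{escaped}"


def hotlink_blocked(referer: str, path: str, domain: str,
                    escape_dots: bool = True) -> bool:
    """Emulate the referer-filter block for one request and return True when
    the final 'RewriteRule ... - [F]' would answer 403.
    path is the per-directory request path (no leading slash).
    escape_dots=False reproduces the mistake of leaving the dots unescaped.
    The '%{REQUEST_FILENAME} -f' condition is assumed to be true."""
    # 1. RewriteRule ^images/stories/([^.]+)\.(...) - [L]: these files are
    #    always served, and [L] stops processing before the filter runs.
    if re.match(rf"^images/stories/[^.]+{MEDIA_EXT}", path):
        return False
    # 2. The filter's own RewriteRule only applies to the listed extensions.
    if not re.search(MEDIA_EXT + r"$", path):
        return False
    # 3. RewriteCond %{HTTP_REFERER} .  -> an empty Referer is let through
    #    (direct visits, privacy settings, most bots).
    if referer == "":
        return False
    # 4. RewriteCond %{HTTP_REFERER} !^https?://(www\.)?<domain> [NC]
    #    Negated condition: a Referer from our own site passes.
    if escape_dots:
        own_site = referer_pattern(domain)
    else:
        own_site = rf"^https?://(www\.)?{domain}"   # an unescaped '.' matches ANY character
    if re.match(own_site, referer, re.IGNORECASE):  # [NC]
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a Referer that is one character off the real site.
    odd = "https://storeXexample.co.uk/page"
    print("unescaped dots, odd referer blocked:",
          hotlink_blocked(odd, "logo.png", "store.example.co.uk", escape_dots=False))
    print("escaped dots,   odd referer blocked:",
          hotlink_blocked(odd, "logo.png", "store.example.co.uk"))
```

Two properties of the original pattern carry over into the emulation and are worth keeping in mind: the match is a prefix match (there is nothing after the domain in the pattern), so any Referer that merely starts with the site name is accepted, and the Referer header is supplied by the client. The block therefore cuts down casual hotlinking and fingerprinting noise; it is not an access control.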

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Sun Mar 20, 2011 9:32 am

g1smd wrote:Where the example has "." use "." for all of the periods.

Where the example has "\." use "\." for all of the periods.

So where the example code says www.example.com you would use www.store.example.co.uk and where the code says www\.example\.com you would use www\.store\.example\.co\.uk
That makes sense ;D

Good we covered this for the benefit for everyone as there may have been some confusion about that important part.
Best wishes and God bless.

reivaj
Joomla! Apprentice
Posts: 6
Joined: Tue Oct 27, 2009 9:57 pm

Re: Suggested Master .htaccess file

Post by reivaj » Sun Mar 20, 2011 6:04 pm

Cheers g1smd,

It works indeed. To be honest, it took me almost 2 hours of searching and thinking to understand the logic in the 3rd condition.
It seems that you are using what the mod_rewrite docs refer to as 'lexicographically follows'. You add an s after {SERVER_PORT}, and to each of the regexes separated by the pipe, 443>(s) and [0-9]+>s.
The s after 443 is between brackets because that is the port you want to match, so you can save the s in a variable and use it later on in the following line, here http%2.
Try this:
Code:
########## Begin - Redirect index.php to / for root and /path/ for folders
## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
RewriteRule ^(([^/]+/)*)index\.php$ http%2://www.example.com/$1 [R=301,L]
########## End - Redirect index.php to / for root and /path/ for folders
You are a genius Sir. Thanks again

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Sun Mar 20, 2011 6:11 pm

Yes. It boggles the mind the first time you see it.

Code:

RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
Indeed it works as you have described. It "saves" the "s" if the port is 443 and then later it adds it to the http to make https. The ">" is a character that means nothing and is there merely to aid pattern matching and readability.

The key to understanding mod_rewrite is to be clear that it works with URL requests. Once you are sure what the browser asked for, you can decide how you want the server to deal with that request: externally redirect to another URL, internally rewrite to a non-default filepath and/or filename, or do nothing and let the default Apache handlers deal with the request.
Online since 1995.
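
To make the capture-and-reuse trick concrete, here is a small Python emulation of the three-line block above. It is an added example, not code from the thread or from Joomla: it builds the same TestString mod_rewrite does from SERVER_PORT, applies the same CondPattern, and shows that %2 holds "s" only when the port is 443. The host name www.example.com and the request paths are placeholders, and the POST and THE_REQUEST conditions of the block are not modelled.

```python
import re
from typing import Optional

# CondPattern copied from the RewriteCond in the thread:
#   RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
# Apache expands the TestString "%{SERVER_PORT}>s" to e.g. "443>s" or "80>s".
# The ">" has no regex meaning here; it is a plain separator so that the
# digits of the port cannot run into the trailing "s".
COND_PATTERN = re.compile(r"^(443>(s)|[0-9]+>s)$")

# RewriteRule pattern from the same block (per-directory context, so the
# tested path has no leading slash).
RULE_PATTERN = re.compile(r"^(([^/]+/)*)index\.php$")


def scheme_for_port(server_port: str) -> Optional[str]:
    """Return the scheme the RewriteRule would emit for this SERVER_PORT,
    or None when the RewriteCond fails and the rule is therefore skipped."""
    test_string = f"{server_port}>s"        # what %{SERVER_PORT}>s expands to
    m = COND_PATTERN.match(test_string)
    if m is None:
        return None
    # %2 is the second capture group of the last RewriteCond that matched.
    # Only the "443>(s)" alternative contains group 2, so it holds "s" on
    # port 443 and is unset (expanded to "") on any other port.
    captured_s = m.group(2) or ""
    return f"http{captured_s}"


def redirect_target(server_port: str, request_path: str,
                    host: str = "www.example.com") -> Optional[str]:
    """Emulate 'RewriteRule ^(([^/]+/)*)index\\.php$ http%2://host/$1 [R=301,L]'.
    Returns the Location the 301 would carry, or None if no redirect fires."""
    scheme = scheme_for_port(server_port)
    if scheme is None:
        return None
    rule = RULE_PATTERN.match(request_path)
    if rule is None:
        return None
    return f"{scheme}://{host}/{rule.group(1)}"   # $1 = folder prefix, possibly empty


if __name__ == "__main__":
    for port, path in (("80", "index.php"), ("443", "administrator/index.php")):
        print(port, path, "->", redirect_target(port, path))
```

One deployment caveat: SERVER_PORT is the port Apache itself accepted the connection on. Behind a TLS-terminating proxy or load balancer that forwards to Apache on port 80, this condition will see 80 for every request and redirect to http://, so in that setup the scheme has to be taken from whatever the proxy passes along instead.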

reivaj
Joomla! Apprentice
Posts: 6
Joined: Tue Oct 27, 2009 9:57 pm

Re: Suggested Master .htaccess file

Post by reivaj » Sun Mar 20, 2011 7:26 pm

Sure.

Those '>' were freaking me out as I have never seen those in regexes nor in rewrites.
But I found a clue here http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html

Code:

'>CondPattern' (lexicographically follows)
Treats the CondPattern as a plain string and compares it lexicographically to TestString. True if TestString lexicographically follows CondPattern.
There is something else I wasn't aware of: I didn't know that it's allowed to append a string to server variables. I'm happy to learn something new.

By the way, I've learnt a lot about mod_rewrite reading the webmasterworld forum.
Many posts from yourself or jdMorgan in there are almost master classes, and one of the best sources for examples and explanations.

Thank you again

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Sun Mar 20, 2011 7:34 pm

We try very hard, but there are only two of us and millions of websites with inefficient and buggy code to fix. The quickest route seems to be to pass the knowledge on to the developers of the major blog, forum, cart and CMS packages and hope the ideas are passed on from there.
Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Mon Mar 21, 2011 12:03 am

reivaj wrote:...You are a genius Sir. Thanks again
He is definitely a genius to be able to understand all that funny looking coding :laugh: Must have a good mind.
Best wishes and God bless.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Mon Mar 21, 2011 9:51 pm

My hosting company installed awstats for me. But it doesn't work with the current .htaccess file. They told me there are some rewrite rules in the .htaccess file that stops awstats from working.

Is there a solution to this please?
Best wishes and God bless.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Mon Mar 21, 2011 10:23 pm

For the rules that interfere, add a preceding RewriteCond that excludes the URL paths used by the stats software, to stop those rules interfering with them. This works in much the same way that POST requests were excluded from some rules earlier on.

Those conditions will be specific to your site, and cannot be added to the code in this thread nor the documentation wiki. In general they will take the form RewriteCond %{REQUEST_URI} ^/path-to-the-stats or similar.
Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Mon Mar 21, 2011 10:43 pm

g1smd wrote:For the rules that interfere, add a preceding RewriteCond that excludes the URL paths used by the stats software, to stop those rules interfering with them. This works in much the same way that POST requests were excluded from some rules earlier on.

Those conditions will be specific to your site, and cannot be added to the code in this thread nor the documentation wiki. In general they will take the form RewriteCond %{REQUEST_URI} ^/path-to-the-stats or similar.
Ok thank you.

By the way, .htaccess must be working well, it even stops things from running that someone else installs :D
Best wishes and God bless.

Joe Crawford
Joomla! Apprentice
Posts: 17
Joined: Tue Mar 08, 2011 8:56 pm

Re: Suggested Master .htaccess file

Post by Joe Crawford » Tue Mar 22, 2011 10:27 pm

I assume the "Htaccess examples (security)" page @ http://docs.joomla.org/index.php?title= ... ldid=38010 is going to be the final place where the recommended file is documented. Before closing down the task of upgrading the file, I think it would be nice (and save newbies like me a lot of trouble) if someone made a couple of minor changes to that page.

1) The first two sections on the page are already included in the code of the "Suggested Master htaccess file": the first section after the TOC ("For this to work you need RewriteEngine set to On, and will likely also need Options +FollowSymLinks too :"), and the "Rewrite rules to block out some common exploits". Why not just delete them and update the comments in the code of the suggested file.

2) The "Other useful settings" section has 17 lines of code with only three comments, two of which describe how to add the final RewriteRule statement. It sure would be nice if someone would add comments that describe each line (rewrite condition) and its purpose. Most of the code in the recommended file is fairly well documented/commented.

3) It might also read better, and be simpler to understand if the "Block bad user agents" section, along with any new and suggested additions (not already included in the file) were placed after the suggested file.

Going a bit further and considering the importance placed on the htaccess file for website security, at least on those sites that can use it, I think detailed documentation is a necessity if Joomla! is going to be considered anything other than a toy. While maintaining proper backup is a requirement for any & all commercial systems, requiring that Joomla users just install this file without a detailed description of the purpose of each line of code, and requiring the user to just comment out (by trial and error) any lines/sections that crash his/her site is bordering on the ridiculous. In fact, unless/until the entire Joomla development and support group accepts security and data integrity as primary requirements (as opposed to loose objectives) of any and all main line code and extensions, it will never be considered anything other than a pseudo-academic "proof of concept", still missing the main functions (e.g., usability, reliability, security, data integrity, etc.) that are required to make it a commercial-use product.
Anyway, I would like to thank everyone again for their time spent on this thread in trying to at least make the current recommended htaccess file execute properly and perform the stated functions correctly. It is a major step in the right direction.

Joe

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Tue Mar 22, 2011 10:49 pm

This file will never be cut and paste. This is server configuration code and will need to be tailored to fit however the rest of your server is configured. It's a selection of code blocks you can use in part or in full, no more, no less.

Wholesale changing the order of the rules isn't going to happen just yet as the originator of part of the code needs to get in sync with what we've done here first. There's a few other tweaks to work through too.

The common exploits block in the master file section is slightly different to the one at the top of the page which matches the one in the Joomla production file (or it will be when the patches waiting for more than 6 months finally get committed).

The RewriteEngine directive MUST be the first directive in the file. That's why it appears at the top of the page. The internal rewrite code must be last in the file, and it would be dangerous to put the bad user agents code after it as in a real site it must not be in that part of the file. I agree the current order is non-optimum, but it does at least work in the presented order.

I'll take a look at the comments and other stuff over the next few days, but there's some usable ideas in there. Be aware of the history. The first part of the file was the original page with various "suggestions". The "master file" was developed elsewhere and pasted in more recently. The page really has two separate parts to it.
Online since 1995.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Suggested Master .htaccess file

Post by PhilD » Wed Mar 23, 2011 12:05 am

Joe Crawford wrote:...requiring that Joomla users just install this file without a detailed description of the purpose of each line of code, and requiring the user to just comment out (by trial and error) any lines/sections that crash his/her site is bordering on the ridiculous.

Let's get one thing straight. This Is Not an Official Release of htaccess Code By Joomla Developers and will not be included in any versions of Joomla. There is no requirement that anyone use Any of the Code provided in the Suggested Master htaccess file. The file is not and never will be cut and paste.

I do not suggest anyone use anything other than the official htaccess included with the full download of Joomla. The code was originally posted by leolam as a suggestion, just as others have posted examples of how to move the configuration.php file outside of publicly accessible (public_html) directory areas; it is just a suggestion. There is no requirement that one does this either, it is merely a suggestion. If a forum or wiki doc reader wishes to use the file then it is up to the user to understand Fully just what the code does in the htaccess file and how it will affect that individual's site.
Joe Crawford wrote:I assume the "Htaccess examples (security)" page @ http://docs.joomla.org/index.php?title= ... ldid=38010 is going to be the final place where the recommended file is documented.

That is correct. Any posts of code snippets within the forum are to be considered for discussion only, as they may be wrong or works in progress.
Joe Crawford wrote:Before closing down the task of upgrading the file I think it would be nice (and save newbie’s like me a lot of trouble) if someone made a couple of minor changes to that page.

I agree that the page could be reordered to be less confusing and certain sections could be better documented, and any duplication could be removed.
Joe Crawford wrote:In fact, unless/until the entire Joomla development and support group accepts security and data integrity as primary requirements (as opposed to loose objectives) of any and all main line code and extensions, it will never be considered anything other than an pseudo-academic "proof of concept", still missing the main functions (e.g., usability, reliability, security, data integrity, etc.) that are required to make it a commercial-use product.


I have to take exception to what is stated, as it is not true. The Joomla! Project takes security vulnerabilities very seriously. As a member of oCert we follow some specific procedures when dealing with security issues. More information may be found here:
http://developer.joomla.org/security.html

Joomla is not a toy, "proof of concept" etc, and meets the goals set forth for the intended target audience and user experience level. http://www.joomla.org/about-joomla/the- ... alues.html

It is also used very successfully commercially. http://www.joomla.org/about-joomla.html

If you feel strongly about a certain area(s), then why not join the effort to improve the area(s) instead of waiting for someone else to do it?

If you (or anyone else) does not feel that Joomla meets the specific requirements required, or required by your clients, or you prefer programming your own functionality into a CMS framework, then may I suggest you use Drupal instead. No one is binding you to use Joomla

PhilD

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Wed Mar 23, 2011 2:25 am

PhilD, that was a bit harsh on poor Joe I feel, maybe a bit more tact would be better? :P

In any case, thank you PhilD for making that very clear for us. It has been understood crystal clearly.
Last edited by sog2012 on Wed Mar 23, 2011 2:47 am, edited 2 times in total.
Best wishes and God bless.

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: Suggested Master .htaccess file

Post by Webdongle » Wed Mar 23, 2011 2:31 am

PhilD +1
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

kurchania
Joomla! Hero
Posts: 2070
Joined: Mon Sep 21, 2009 6:56 am
Location: indore,india

Re: Suggested Master .htaccess file

Post by kurchania » Wed Mar 23, 2011 3:41 am

PhilD+1
@g1smd
easter egg code is still working

Code:

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
## Back-end protection
You can also try this URL.
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
abhijeet kurchania
The future depends on what you do today

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Wed Mar 23, 2011 8:14 am

Does this small change fix it?

Code:

RewriteCond %{QUERY_STRING} PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
OR

Code:

RewriteCond %{QUERY_STRING} (^|&)=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
Online since 1995.
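
Why the original condition never fired, and why both variants above do, comes down to how mod_rewrite reads the first character of a CondPattern: a leading "=", "<" or ">" (the same family as the ">CondPattern" form quoted from the Apache docs earlier in this thread) switches the comparison to a plain string, so "=PHP[0-9a-f]{8}-..." was being compared for literal equality and never matched. The following Python emulation is an added example, not code from the thread or from Joomla. rewrite_cond models only the subset of RewriteCond semantics the thread uses ("!" negation, the "=", "<", ">" string comparisons, otherwise a regex, plus [NC]); the three CondPatterns are copied from the posts above, and the sample query strings are constructed, the first one being the easter-egg URL kurchania posted.

```python
import re


def rewrite_cond(test_string: str, cond_pattern: str, flags: str = "") -> bool:
    """Evaluate one 'RewriteCond TestString CondPattern [flags]' the way
    mod_rewrite does, for the forms used in this thread.

    mod_rewrite looks at the first character of CondPattern before anything
    else: a leading '!' negates the result, and a leading '=', '<' or '>'
    means "treat the rest as a plain string and compare it lexicographically
    with TestString" (no regex at all). Only when none of these prefixes is
    present is CondPattern compiled as a regular expression. [NC] makes the
    comparison case-insensitive in both cases. File tests such as -f, the
    special ="" form and the 2.4 'expr' form are not modelled."""
    negate = cond_pattern.startswith("!")
    if negate:
        cond_pattern = cond_pattern[1:]
    nocase = "NC" in flags.upper()

    if cond_pattern[:1] in ("=", "<", ">"):
        op, literal = cond_pattern[0], cond_pattern[1:]
        a, b = (test_string.lower(), literal.lower()) if nocase else (test_string, literal)
        result = {"=": a == b, "<": a < b, ">": a > b}[op]
    else:
        result = re.search(cond_pattern, test_string,
                           re.IGNORECASE if nocase else 0) is not None
    return result != negate


# The PHP easter-egg id pattern used throughout the thread.
EASTER_EGG_ID = r"PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

ORIGINAL = "=" + EASTER_EGG_ID        # leading '=' turns this into an equality test
FIX_A = EASTER_EGG_ID                 # regex, matched anywhere in the query string
FIX_B = "(^|&)=" + EASTER_EGG_ID      # regex, '=PHP...' only as a whole parameter


def easter_egg_blocked(query_string: str, cond_pattern: str) -> bool:
    """True when 'RewriteCond %{QUERY_STRING} <cond_pattern> [NC]' followed by
    'RewriteRule .* - [F]' would answer 403 for this query string."""
    return rewrite_cond(query_string, cond_pattern, "NC")


if __name__ == "__main__":
    # Constructed from the URL posted in the thread: "?=PHPB8B5F2A0-...".
    qs = "=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"
    for name, pattern in (("original", ORIGINAL), ("fix A", FIX_A), ("fix B", FIX_B)):
        print(f"{name:8s} blocks easter egg: {easter_egg_blocked(qs, pattern)}")
```

The general lesson for any RewriteCond: a pattern that is meant to match a literal "=" at the start of the query string cannot begin with "=", because that character is an operator; write it as "^=" or "(^|&)=" instead. The same "(^|&)" anchoring is also what makes a parameter-name match exact rather than a substring match, which matters for exclusion rules like the one for a payment return URL later in this thread.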

kurchania
Joomla! Hero
Posts: 2070
Joined: Mon Sep 21, 2009 6:56 am
Location: indore,india

Re: Suggested Master .htaccess file

Post by kurchania » Wed Mar 23, 2011 9:14 am

@g1smd

Code:

RewriteCond %{QUERY_STRING} PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
Yup, that code will do the trick. Please update this code also.
I integrated the master htaccess on my live site. I'll check a few more issues and will report more if I find something.
My PayPal return URL of the cbpaid subscription gives me a forbidden access error.

Code:

index.php?option=com_comprofiler&task=pluginclass&user=242&plugin=cbpaidsubscriptions&cbpgacctno=1&cbppdtback=a61f8054c1e02088656d3086469e6dce&cbpbasket=311&result=success&cbpid=cbp4d89b9277f06b407321671&tx=34G04140CL9905221&st=Completed&amt=32.30&cc=USD&cm=311&item_number=S306-242-4
abhijeet kurchania
The future depends on what you do today

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Wed Mar 23, 2011 7:52 pm

That "return" URL is insane. How many parameters? Is all that stuff really necessary? I can't offer support on individual URLs, suffice to say you'll likely need to add an extra RewriteCond exclusion somewhere.


Having spent a fair amount of time on this stuff over the last three weeks, I want to wrap this up shortly. Get your comments in before I get on with some real work.
Online since 1995.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Thu Mar 24, 2011 1:37 am

Online since 1995.

kurchania
Joomla! Hero
Posts: 2070
Joined: Mon Sep 21, 2009 6:56 am
Location: indore,india

Re: Suggested Master .htaccess file

Post by kurchania » Thu Mar 24, 2011 3:20 am

g1smd wrote:That "return" URL is insane. How many parameters? Is all that stuff really necessary? I can't offer support on individual URLs, suffice to say you'll likely need to add an extra RewriteCond exclusion somewhere.
Having spent a fair amount of time on this stuff over the last three weeks, I want to wrap this up shortly. Get your comments in before I get on with some real work.
@g1smd,
Great work g1smd. It's working fine.

Code:

index.php?option=com_comprofiler&task=pluginclass&user=242&plugin=cbpaidsubscriptions&cbpgacctno=1&cbppdtback=a61f8054c1e02088656d3086469e6dce&cbpbasket=311&result=success&cbpid=cbp4d89b9277f06b407321671&tx=34G04140CL9905221&st=Completed&amt=32.30&cc=USD&cm=311&item_number=S306-242-4
I handle this URL by creating a rewrite rule. Do you think it's OK?

Code:

RewriteCond %{QUERY_STRING} (^|&)plugin=cbpaidsubscriptions [NC]
RewriteRule .* - [L]
abhijeet kurchania
The future depends on what you do today

