Suggested Master .htaccess file

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Suggested Master .htaccess file

Post by PhilD » Wed Mar 16, 2011 10:17 pm

g1smd wrote:OK. The final question with that part is simply whether this line for ADMIN functions is needed any more:

Code:

RewriteCond %{REQUEST_URI} !/([^/]+/)*administrator
It may be the POST fix code (already confirmed as fixing search and virtuemart) also fixes the earlier ADMIN problems too.
I can confirm that the code block works ok without that line.
PhilD

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Wed Mar 16, 2011 10:24 pm

sog2012 wrote:I still need to comment out this following section because it gives me a server error 500.

Code:

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
# The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
# AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources
Is that section really needed? Can I live without it? Cause I don't know how to compile with mod_deflate.
Your web host will need to install it. Otherwise just comment it out.
PhilD wrote:

Code:

RewriteCond %{REQUEST_URI} !/([^/]+/)*administrator
I can confirm that the code block works OK without that line.
That's good to know. Having one exclusion makes the code easier to maintain.
Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Wed Mar 16, 2011 10:32 pm

g1smd wrote:
sog2012 wrote:I still need to comment out this following section because it gives me a server error 500.

Code:

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
# The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
# AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources
Is that section really needed? Can I live without it? Cause I don't know how to compile with mod_deflate.
Your web host will need to install it. Otherwise just comment it out.
PhilD wrote:

Code:

RewriteCond %{REQUEST_URI} !/([^/]+/)*administrator
I can confirm that the code block works OK without that line.
That's good to know. Having one exclusion makes the code easier to maintain.
I am changing hosts soon anyway, changing from ixwebhosting to either Rochen, CloudAccess.net or iRedHost.com, so hopefully they will help me fix that.

But I did just raise a new ticket with my current host and I requested that they install mod_deflate for me.

All right, here is my final feedback... THANK YOU :D , everything works perfect. Well DONE! :)
Last edited by sog2012 on Wed Mar 16, 2011 11:08 pm, edited 1 time in total.
Best wishes and God bless.

Joe Crawford
Joomla! Apprentice
Posts: 17
Joined: Tue Mar 08, 2011 8:56 pm

Re: Suggested Master .htaccess file

Post by Joe Crawford » Wed Mar 16, 2011 10:55 pm

@g1smd,
The W3C Markup Validation Service at w3.org gets a 403 Forbidden error when trying to validate the CSS files. If I enter the same URL (e.g., http://www.mysite.com/templates/FrontPa ... mplate.css) into my browser (Firefox 3.6.15) the CSS file prints out on my screen. I don't know if this impacts security or not but thought I'd mention it.

Other than the above, the other htaccess functions I could test seem to work fine on my limited function website.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Wed Mar 16, 2011 11:04 pm

Is the W3 validator user agent one of those listed in the UA block list?

Maybe it is the lack of referrer data that gets it the whack?

Is this effect happening with or without this change? http://docs.joomla.org/Htaccess_example ... ldid=38010
Online since 1995.

Joe Crawford
Joomla! Apprentice
Posts: 17
Joined: Tue Mar 08, 2011 8:56 pm

Re: Suggested Master .htaccess file

Post by Joe Crawford » Wed Mar 16, 2011 11:27 pm

It's happening without that last change... I try it with..

Joe Crawford
Joomla! Apprentice
Posts: 17
Joined: Tue Mar 08, 2011 8:56 pm

Re: Suggested Master .htaccess file

Post by Joe Crawford » Wed Mar 16, 2011 11:36 pm

@g1smd,
Thanks... the w3c Validator now works correctly after changing the HTTP_REFERER line to:

Code:

RewriteCond %{HTTP_REFERER} .

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Wed Mar 16, 2011 11:39 pm

Be sure that was not "changing" a line, but "adding" a line.
Online since 1995.

Joe Crawford
Joomla! Apprentice
Posts: 17
Joined: Tue Mar 08, 2011 8:56 pm

Re: Suggested Master .htaccess file

Post by Joe Crawford » Wed Mar 16, 2011 11:52 pm

@g1smd,
You caught me on that one, I changed the line. It (w3c) worked fine but standard access to the website couldn't read the CSS file. I'll try it the other way tomorrow... the YL is hollering at me to come to supper (and get off this xxxx computer!).

Thanks again for your time on this...
Joe

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Thu Mar 17, 2011 12:32 am

With .htaccess every little detail is important. This is server configuration code.

There have been times when a single typo has destroyed site indexing and traffic, and quite literally put people out of business.
Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Thu Mar 17, 2011 3:15 am

g1smd wrote:With .htaccess every little detail is important. This is server configuration code.

There have been times when a single typo has destroyed site indexing and traffic, and quite literally put people out of business.
g1smd, do you have a Hotmail or Gmail email you could post here so I can send you an email? For some reason I am unable to send you a PM or email through this forum.

BTW, this was the reply from ixwebhosting:

"Thank you for contacting our technical support team. Mod_deflate is an Apache 2.0 module and cannot be installed on the Apache 1.3 version we provide, unfortunately."
Best wishes and God bless.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Suggested Master .htaccess file

Post by mandville » Thu Mar 17, 2011 3:38 am

tell your host to update or change your host
http://httpd.apache.org/
Apache httpd 1.3.42 is the final stable version of the 1.3 series, which was released and declared end of life on February 2nd, 2010. No further development or maintenance will occur for the 1.3 series.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Thu Mar 17, 2011 3:44 am

mandville wrote:tell your host to update or change your host
http://httpd.apache.org/
Apache httpd 1.3.42 is the final stable version of the 1.3 series, which was released and declared end of life on February 2nd, 2010. No further development or maintenance will occur for the 1.3 series.
I did as you suggested, and they said no way they can do it, and they then tried to sell me a VPS upgrade plan, and I said in return, "No way I cannot do it" hehe :laugh:

That's OK, I am changing hosting companies soon, and in the meantime, I just edited out that one section that needs Apache 2.0 and the rest of the .htaccess file is working great :)

Thank you to g1smd and everyone else who helped out.
Best wishes and God bless.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Suggested Master .htaccess file

Post by leolam » Thu Mar 17, 2011 5:09 am

sog2012 wrote:That's OK, I am changing hosting companies soon
Better change today and move your site over since you are in grave danger of being whacked/smacked/hacked

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

Joe Crawford
Joomla! Apprentice
Posts: 17
Joined: Tue Mar 08, 2011 8:56 pm

Re: Suggested Master .htaccess file

Post by Joe Crawford » Thu Mar 17, 2011 10:42 pm

@g1smd,
I corrected my screw-up above and am now running the Suggested Master htaccess file, Revision as of 07:57, 17 March 2011 by G1smd (without the Other useful settings section & the Block bad user agents). It all seems to be working OK for my (limited) usage.

In trying to access different directories and files on my site (as a non-logged in user) I can get 3 or 4 different errors and sometimes just a blank screen (e.g., /templates/index.php). It appears from just these (different) errors a determined user could figure out more information about the site than might be either necessary or optimum from a security standpoint. But, I don't think it's worth pursuing further.

Again, thanks for your time in straightening out the htaccess file. I'm in a lot better shape now than when I started...
Joe

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Thu Mar 17, 2011 10:56 pm

There are a few more things that could be changed, but for very minor gain.

Sometimes there's utility in returning 404 or 410 for some requests instead of 403.

However, as you note, we're well into the "diminishing returns" arena now.
Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Fri Mar 18, 2011 1:36 am

leolam wrote:
sog2012 wrote:That's OK, I am changing hosting companies soon
Better change today and move your site over since you are in grave danger of being whacked/smacked/hacked

Leo 8)
Not a chance, I am using the incredible Master .htaccess file :laugh:

Very happy with it. :)
Best wishes and God bless.

ilox
Joomla! Explorer
Posts: 444
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia
Contact:

Re: Suggested Master .htaccess file

Post by ilox » Fri Mar 18, 2011 1:54 am

g1smd, Phil, sog, leo, Joe and everybody else that has been playing in this pool, a huge thank you for all you have been contributing. It has been a challenge to read through all of this and see the changes that have been put forward and either accepted or again modified. This stuff is very technical and yet something that is essential for every site.

Just a little question and I think it is related to what has been done so far. Most of my sites are in Joomla but one is old HTML and some others in concrete5. Can I use this across the board or only for my Joomla sites?

@mandville and mods:
If it is applicable across the board, should I be referring others (non-Joomla) to this thread or the wiki post, or is there going to be a repository that I can point others to, to get their own .htaccess file?
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Suggested Master .htaccess file

Post by mandville » Fri Mar 18, 2011 1:59 am

welcome back ilox, g1smd is finishing up the edits and will no doubt announce the final suggested version.

sog2012 I think you better read this before relying solely on the htaccess
http://[no tiny url]/13isdangerous
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Fri Mar 18, 2011 2:13 am

ilox wrote: It has been a challenge to read through all of this and see the changes that have been put forward and either accepted or again modified.
The complete list of changes: http://docs.joomla.org/Htaccess_example ... ldid=35925
The list of comments for changes: http://docs.joomla.org/Htaccess_example ... on=history
Don't try to follow every turn of this thread, because some people issued incorrect or incomplete advice, and various code combinations were tried and found to not work.
ilox wrote: Just a little question and I think it is related to what has been done so far. Most of my sites are in Joomla but one is old HTML and some others in concrete5. Can I use this across the board or only for my Joomla sites?
Some of the code is useful for any site. Some is useful for dynamic/scripted sites in general. Some is specific to Joomla paths and filenames.
ilox wrote: If it is applicable across the board should I be referring others (non-Joomla) to this thread, the wiki post or is there going to be a repository that I can point others to to get their own .htaccess file?
Refer people to the Wiki page. Do note that one size does NOT fit all.
Last edited by g1smd on Sat Mar 19, 2011 1:50 am, edited 1 time in total.
Online since 1995.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Fri Mar 18, 2011 3:05 am

A few notes about the recently revised .htaccess file.

The recent changes fix syntax errors in several rules, and improve efficiency in many others. Little or no extra functionality is implemented, except to bring into use rules which previously failed to operate due to coding errors. Several extra notes and/or additions to existing notes have been added to clarify and codify the various rules and their functionality.

The new file likely does not protect sites from all possible or probable risks. YOU are responsible for the security of YOUR site. Read the instructions within the file very carefully. At least twice. Evaluate every section of the file individually as to whether it applies to your site and your server configuration. Note that some sections of code do not work with Apache 1.x servers, and must be commented out when used in that scenario. Long term you should consider upgrading to Apache 2.x as soon as possible.

The .htaccess file is a collection of works. It is not a complete and definitive file to simply cut and paste for any site. Make sure that example.com and www.example.com are replaced with your own domain name in every place within the file (and escape literal periods where required too). The file is provided "as is" and you use the new file at your own risk.

In addition, note the latest versions of Joomla are currently 1.5.22 and 1.6.1, with several recent versions implementing a number of internal security upgrades. If you are using a previous version of Joomla you should upgrade to the latest version as soon as possible. There is no point in sealing the back door by using these .htaccess rules, whilst leaving a side door wide open by using an old version of Joomla.

Likewise, whenever you upgrade your Joomla site in the future, you must re-evaluate the entire .htaccess file to identify parts which no longer apply, parts which need to be edited or upgraded in some way, and identify new risks for which new .htaccess code will need to be created.

Finally, read the comments within the .htaccess file in full, and then again several more times. YOU are responsible for the security of YOUR site.
Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Fri Mar 18, 2011 4:41 am

g1smd wrote:...(and escape literal periods where required too). ..
What do you mean by "and escape literal periods where required too"?
Best wishes and God bless.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Fri Mar 18, 2011 8:04 am

A Regular Expression pattern such as ^www.example.com$ would match wwwXexample9com or www2exampleNcom or www_example_com. Within a RegEx pattern the "." means "any character".

Since the one and only character you want to match is a literal period "." you must escape the period in the pattern by using ^www\.example\.com$ instead.

There are many places within the file where this syntax is used and it is important to get it right.
Online since 1995.
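As an added example (not code from the thread or from the wiki .htaccess file), here is a small Python check of the point above, with Python's re standing in for Apache's regex engine on these simple patterns; the probe host names and the domain mysite.org are constructed:

```python
import re

# Constructed host names that probe the two patterns from the post above.
PROBES = ["www.example.com", "wwwXexample9com", "www2exampleNcom", "www_example_com"]

UNESCAPED = r"^www.example.com$"    # "." matches any single character
ESCAPED = r"^www\.example\.com$"    # "\." matches only a literal period


def cond_matches(pattern: str, value: str) -> bool:
    """Model a RewriteCond regex test with the [NC] flag (case-insensitive search)."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def classify(pattern: str) -> dict:
    """Which of the probe hosts does the pattern accept?"""
    return {host: cond_matches(pattern, host) for host in PROBES}


def host_pattern(domain: str, optional_www: bool = True) -> str:
    r"""Build a correctly escaped host pattern for your own domain, e.g. ^(www\.)?mysite\.org$

    re.escape() backslash-escapes every period (and any other regex metacharacter), which is
    the same edit the file's comments ask you to make by hand when replacing example.com.
    """
    literal = re.escape(domain)
    prefix = r"(www\.)?" if optional_www else ""
    return rf"^{prefix}{literal}$"


if __name__ == "__main__":
    for name, pattern in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(name, pattern, classify(pattern))
    print(host_pattern("mysite.org"))
```

The unescaped pattern accepts every probe, the escaped one accepts only the real host name.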

User avatar
sog2012
Joomla! Explorer
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Fri Mar 18, 2011 8:51 pm

g1smd wrote:A Regular Expression pattern such as ^www.example.com$ would match wwwXexample9com or www2exampleNcom or www_example_com. Within a RegEx pattern the "." means "any character".

Since the one and only character you want to match is a literal period "." you must escape the period in the pattern by using ^www\.example\.com$ instead.

There are many places within the file where this syntax is used and it is important to get it right.
I for one didn't understand a word you said. So I wonder how many others could be affected with a lack of understanding regarding this part.

All I did with the .htaccess file was replace all the words "example" with my domain name, and I replaced the word ".com" with ".org".
Best wishes and God bless.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Fri Mar 18, 2011 8:56 pm

Online since 1995.

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Fri Mar 18, 2011 9:21 pm

There is no way I am going to read those lengthy pages and be able to understand what it says. I am just a dumb blonde girl who changes example to my domain name and uses the .htaccess, that's as far as my ability goes :)

But you have made me realise that it's not just as simple as changing example to our domain name and changing .com to our own extension, so I may have to remove the .htaccess before it may do some damage to my website.
Best wishes and God bless.

g1smd
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Fri Mar 18, 2011 10:30 pm

It's quite simple. Where the file has "." use ".", and where it has "\." use "\." each time.

The "\" is the escaping, and is needed in several very specific places.
Online since 1995.

User avatar
sog2012
Joomla! Explorer
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Sat Mar 19, 2011 12:45 am

g1smd wrote:It's quite simple. Where the file has "." use ".", and where it has "\." use "\." each time...
I am confused... why do I need to use "." and "\." when it's already in the .htaccess file? I don't need to change it or use it because it's already being used, right? :eek:

The only thing I have done in the entire .htaccess file is change the word "example" to my domain name, and changed the ".com" to ".org".

That's all I have done and it seems to be working.
Best wishes and God bless.

reivaj
Joomla! Apprentice
Posts: 6
Joined: Tue Oct 27, 2009 9:57 pm

Re: Suggested Master .htaccess file

Post by reivaj » Sat Mar 19, 2011 4:17 am

Hi

Thanks to everyone for this beautiful post.
If you log in to the backend through https this block will redirect you again to http.

Code:

########## Begin - Redirect index.php to / for root and /path/ for folders
## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
RewriteRule ^(([^/]+/)*)index\.php$ http://www.example.com/$1 [R=301,L]
########## End - Redirect index.php to / for root and /path/ for folders
I'm sorry, but I don't have enough knowledge to fix it. A temporary solution is to use this line suggested before.

Code:

RewriteCond %{REQUEST_URI} !/([^/]+/)*administrator
Another https-related issue is secure forms. I have one to collect customer details, and I need to add "s?" right after "!^http" for it to work properly, in the following block:

Code:

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting
## the dots with \.  i.e. use www\.example\.com for www.example.com
RewriteRule ^images/stories/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?) - [L]
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [F]

Best Regards, and thanks again.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Suggested Master .htaccess file

Post by PhilD » Sat Mar 19, 2011 2:37 pm

sog2012 wrote:
g1smd wrote:It's quite simple. Where the file has "." use ".", and where it has "\." use "\." each time...
I am confused... why do I need to use "." and "\." when it's already in the .htaccess file? I don't need to change it or use it because it's already being used, right? :eek:

The only thing I have done in the entire .htaccess file is change the word "example" to my domain name, and changed the ".com" to ".org".

That's all I have done and it seems to be working.
What is meant is this:
If I want to use the code block below I need to make it work with my site. I do this like this:
Say my site name is http://www.mysite.org
I change this line: RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
to look like this:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.org [NC]

And I think (too early in the morning) before you ask, if my domain is just mysite.org and I don't use the www. part the line remains the same. That is:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.org [NC]

This is because the question mark matches or indicates there is zero or one of the preceding element, which in this case would be what is contained (grouped) within the parentheses (www\.)

Code:

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting
## the dots with \.  i.e. use www\.example\.com for www.example.com
RewriteRule ^images/stories/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?) - [L]
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [F]
PhilD
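As an added example (not code from the thread or from the wiki .htaccess file), here is a Python model of the referer-filter block that PhilD and reivaj discuss above, with Python's re standing in for Apache's regex engine. The domain mysite.org, the list of existing files and the referers are all constructed; the cases cover the empty referer that lets the W3C validator through thanks to the HTTP_REFERER line, the optional (www\.) group, and the https form referer that needed reivaj's "s?":

```python
import re

# Constructed sample site: files that exist on disk (models RewriteCond %{REQUEST_FILENAME} -f).
EXISTING_FILES = {
    "templates/frontpage/template.css",
    "images/stories/logo.png",
    "images/banner.jpg",
}

# Patterns copied from the block above. In a per-directory .htaccess the RewriteRule pattern is
# tested against the path with its leading slash removed, hence no "^/" in them.
STORIES_RE = re.compile(r"^images/stories/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)")
MEDIA_RE = re.compile(r"\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$")

# The own-site referer condition, substituted for the constructed domain mysite.org.
HTTP_ONLY = r"^http://(www\.)?mysite\.org"        # the line as posted above
HTTP_OR_HTTPS = r"^https?://(www\.)?mysite\.org"  # with reivaj's "s?" added


def is_forbidden(path: str, referer: str, own_site_pattern: str) -> bool:
    """Return True when the referer-filter block would answer 403 Forbidden for this request."""
    # RewriteRule ^images/stories/... - [L]: stories media is served regardless of referer.
    if STORIES_RE.search(path):
        return False
    # RewriteCond %{HTTP_REFERER} . : an empty referer never trips the filter,
    # which is why the W3C validator (it sends no referer) can fetch the CSS.
    if referer == "":
        return False
    # RewriteCond %{HTTP_REFERER} !^http... [NC]: our own pages may embed our files.
    if re.search(own_site_pattern, referer, re.IGNORECASE):
        return False
    # RewriteCond %{REQUEST_FILENAME} -f: only requests for real files are filtered.
    if path not in EXISTING_FILES:
        return False
    # RewriteRule \.(jpe[g2]?|...)$ - [F]: a media extension with a foreign referer -> 403.
    return MEDIA_RE.search(path) is not None


def check_cases(own_site_pattern: str) -> dict:
    """Evaluate a few constructed requests against a given own-site pattern."""
    other = "http://other-site.example/page.html"  # constructed foreign referer
    return {
        "validator_no_referer": is_forbidden("templates/frontpage/template.css", "", own_site_pattern),
        "hotlink_from_other_site": is_forbidden("images/banner.jpg", other, own_site_pattern),
        "own_https_form": is_forbidden("images/banner.jpg", "https://www.mysite.org/secure-form", own_site_pattern),
        "own_http_no_www": is_forbidden("images/banner.jpg", "http://mysite.org/", own_site_pattern),
        "stories_image": is_forbidden("images/stories/logo.png", other, own_site_pattern),
        "nonexistent_file": is_forbidden("images/missing.jpg", other, own_site_pattern),
    }


if __name__ == "__main__":
    print("http only   :", check_cases(HTTP_ONLY))
    print("http/https  :", check_cases(HTTP_OR_HTTPS))
```

With HTTP_ONLY the request embedded by the site's own https form page is refused; with HTTP_OR_HTTPS it is served, while the foreign hotlink is still refused.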

