###############################################################################
## The Master .htaccess
## ----------
## This file is designed to be the template .htaccess file to put on your new
## sites, increasing your site's security and performance. It is not meant to
## be just dropped in your site, though. You should go through all of its
## sections and modify it to match your site. Most notably, all instances of
## domain.com and domain\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
##
## Big thank you's to Brian Teeman, Ken Crowder, Radek Suski and Fotis
## Evangelou for sharing their .htaccess rules with the world and inspiring
## the creation of this file.
##
## Have fun, stay safe.
##
## Nicholas K. Dionysopoulos
## Lead Developer, AkeebaBackup.com
###############################################################################
########## Begin - File exection order, by Komra.de
DirectoryIndex index.php index.html
########## End - File exection order
########## Begin - No directory listings
IndexIgnore *
Options +FollowSymLinks All -Indexes
########## End - No directory listings
########## Begin - Optimal default expiration time
ExpiresDefault "now plus 1 hour"
########## End - Optimal expiration time
########## Begin - RewriteEngine enabled
RewriteEngine On
########## End - RewriteEngine enabled
########## Begin - Google Apps redirection, by Komra.de
Redirect 301 /mail
http://mail.google.com/a/domain.com
########## End - Google Apps redirection
########## Begin - Redirect index.php to /, by Komra.de
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /index\.php(/[^\ ]*)?\ HTTP/
RewriteRule ^index\.php(/(.*))?$ /$2 [R=301,L]
########## End - Redirect index.php to /
########## Begin - Redirect non-www to www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
########## End - Redirect non-www to www
########## Begin - Redirect www to non-www
## WARNING: Comment out the non-www to www rule if you choose to use this
#RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
#RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
########## End - Redirect non-www to www
########## Begin - Redirect olddomain.com to
http://www.domain.com
RewriteCond %{HTTP_HOST} ^olddomain.net [NC]
RewriteRule ^(.*)$
http://www.domain.com/$1 [L,R=301]
########## End - Redirect olddomain.com to
http://www.domain.com
########## Begin - Force HTTPS for certain pages
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
RewriteCond %{HTTPS} ^off$ [NC]
RewriteRule ^foobar\.html$
https://www.domain.com/foobar.html [L,R=301]
########## End - Force HTTPS for certain pages
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
# Legacy configuration variable injection
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script trying to base64_decode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_decode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Instead of using 403, we'd better use 404 (Not Found) to confuse hackers
RewriteRule ^(.*)$ index.php [R=404,L]
#
########## End - Rewrite rules to block out some common exploits
########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]\=http:\/\/(.*)
RewriteRule ^(.*)$ - [R=404,L]
########## End - File injection protection
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)
# RewriteBase /
########## Begin - Advanced server protection rules exceptions ####
##
## These are sample exceptions to the Advanced Server Protection 2.0
## rule set further down this file.
##
## Allow UddeIM CAPTCHA
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(components/com_uddeim/captcha15\.php)$ $1 [L]
## Allow Phil Taylor's Turbo Gears
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(plugins/system/GoogleGears/gears-manifest\.php) $1 [L]
## Allow Agora attachments, but not PHP files in that directory!
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteRule ^(components/com_agora/img/members/.*) $1 [L]
## Allow JoomlaWorks AllVideos
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php) $1 [L]
## Uncomment to allow full access to the cache directory (strongly not recommended!)
#RewriteRule ^(cache/.*)$ $1 [L]
## Uncomment to allow full access to the tmp directory (strongly not recommended!)
#RewriteRule ^(tmp/.*)$ $1 [L]
## Add your own exceptions here...
########## End - Advanced server protection rules exceptions ####
########## Begin - Advanced server protection
# Advanced server protection, version 2.0 - August 2010
# by Nicholas K. Dionysopoulos
## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks
RewriteRule ^(images/stories/*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?domain\.com [NC]
RewriteRule \.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?)$ - [R=404,L]
## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
##
http://www.slideshare.net/brianteeman/h ... la-secrets
## Improved by @nikosdion to work more efficientyl and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (&|%3F){1,1}tp= [OR]
RewriteCond %{QUERY_STRING} (&|%3F){1,1}template= [OR]
RewriteCond %{QUERY_STRING} (&|%3F){1,1}tmpl= [NC]
RewriteRule ^(.*)$ - [R=404,L]
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See
http://www.0php.com/php_easter_egg.php and
##
http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 [OR]
RewriteRule ^(.*)$ - [R=404,L]
## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^(administrator[/]?)$ administrator/index.php [L]
RewriteRule ^(administrator/index.htm[l]?)$ $1 [L]
RewriteRule ^(administrator/index.php)$ $1 [L]
RewriteRule ^(administrator/index[2,3].php)$ $1 [L]
RewriteRule ^(administrator/(components|modules|templates|images|plugins)/.*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteRule ^administrator/(.*)$ - [R=404,L]
## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^(xmlrpc/index\.php)$ $1 [L]
RewriteRule ^xmlrpc/(.*)$ - [R=404,L]
## Disallow front-end access for certain Joomla! system directories
RewriteRule ^(includes/js/.*)$ $1 [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/.*$ - [R=404,L]
## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^((components|modules|plugins|templates)/.*\.(jp[g,2,eg]?|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteRule ^((components|modules|plugins|templates)/.*index\.php(.*))$ $1 [L]
RewriteRule ^(templates/.*\.php)$ $1 [L]
RewriteRule ^(components|modules|plugins|templates)/.*$ - [R=404,L]
## Disallow access to htaccess.txt and configuration.php-dist
RewriteRule ^(htaccess\.txt|configuration\.php-dist)$ - [R=404,L]
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
##
http://www.sigsiu.net/presentations/for ... bsite.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*all.*select.* [NC]
RewriteRule ^(.*)$ - [R=404,L]
########## End - Advanced server protection
########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
RewriteCond %{query_string} \bviagra\b [NC,OR]
RewriteCond %{query_string} \bambien\b [NC,OR]
RewriteCond %{query_string} \bblue\spill\b [NC,OR]
RewriteCond %{query_string} \bcialis\b [NC,OR]
RewriteCond %{query_string} \bcocaine\b [NC,OR]
RewriteCond %{query_string} \bejaculation\b [NC,OR]
RewriteCond %{query_string} \berectile\b [NC,OR]
RewriteCond %{query_string} \berections\b [NC,OR]
RewriteCond %{query_string} \bhoodia\b [NC,OR]
RewriteCond %{query_string} \bhuronriveracres\b [NC,OR]
RewriteCond %{query_string} \bimpotence\b [NC,OR]
RewriteCond %{query_string} \blevitra\b [NC,OR]
RewriteCond %{query_string} \blibido\b [NC,OR]
RewriteCond %{query_string} \blipitor\b [NC,OR]
RewriteCond %{query_string} \bphentermin\b [NC,OR]
RewriteCond %{query_string} \bprosac\b [NC,OR]
RewriteCond %{query_string} \bsandyauer\b [NC,OR]
RewriteCond %{query_string} \btramadol\b [NC,OR]
RewriteCond %{query_string} \btroyhamby\b [NC,OR]
RewriteCond %{query_string} \bultram\b [NC,OR]
RewriteCond %{query_string} \bunicauca\b [NC,OR]
RewriteCond %{query_string} \bvalium\b [NC,OR]
RewriteCond %{query_string} \bviagra\b [NC,OR]
RewriteCond %{query_string} \bvicodin\b [NC,OR]
RewriteCond %{query_string} \bxanax\b [NC,OR]
RewriteCond %{query_string} \bypxaieo\b [NC]
RewriteRule ^(.*)$ - [R=404,L]
########## End - Basic antispam Filter, by SigSiu.net
########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section
########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
## WARNING: This will also block old versions of JoomlaPack Remote
## and will disallow running CRON jobs using wget.
# The following rules are for common hacking tools:
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth higgers block
########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources