-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy path.htaccess
343 lines (278 loc) · 13.4 KB
/
.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
###### Version 2.23.4
##### GLOBAL ===========
#### NIE LÖSCHEN
RewriteEngine On
#### BESUCHER SPERREN
## SET! nach TLD
#RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.(br|by|in|kz|no|ru|pk|ro|tr|ua)/? [NC]
#RewriteRule .* - [F,L]
## leerer User-Agent
RewriteCond %{HTTP_USER_AGENT} ^$ [NC]
RewriteRule .* - [F]
## nach Referer
RewriteCond %{HTTP_REFERER} (1-free-share-buttons|aviav|offbyone|semalt|todaperfeita|trikaladay|trainersuchmaschine|vebidoo|wp-login.php) [NC,OR]
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC]
RewriteRule .* - [F,L]
## nach Request-Methoden
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
RewriteRule .* - [F,L]
## nach User-Agent
SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
SetEnvIfNoCase User-Agent (\{) bad_bot
SetEnvIfNoCase User-Agent (backlinkcrawler|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|domainappender|dotbot|extract|feedfinder|flicky|garlikcrawler|guzzlehttp|g00g1e|harvest|heritrix|httrack|implisensebot|kraken|kmccrew|linkdexbot|loader|mindupbot|miner|mixrankbot|netestate|nikto|nutch|planetwork|postrank|purebot|pycurl|python|scrapy|scrapyproject|seekerspider|seokicks-robot|seoscanners|shopcrawler|siclab|skygrid|sqlmap|sophora|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
## nach IP-Adressen SET! Quelle: https://perishablepress.com/worst-ips-2016/
<Limit GET POST PUT>
Order Allow,Deny
Allow from All
Deny from 5.9.136.67
Deny from 79.155.74.231
Deny from 195.154.225.19
Deny from 198.27.101.168
</Limit>
## im Honeypot gefangen
<Limit GET HEAD OPTIONS POST PUT>
order deny,allow
allow from all
# TelemaxX
deny from 213.144.5.182
# open-entity
deny from 134.245.254.244
</Limit>
#### KRITISCHE DATEIEN BLOCKIEREN
## (.htaccess, Google-Bestätigung)
<FilesMatch "(^.*\.(htaccess)|(^google[0-9a-zA-Z]+.html$))">
order allow,deny
deny from all
</FilesMatch>
## weitere Dateiendungen
#RewriteCond %{REQUEST_URI} \.(7z|aspx?|bash|bak?|bz2|bzip2|cfg|cgi|dist|dll|exe|fla|git|gz|gzip|hg|ini|jsp|log|mdb|old|out|rar|rdf|sql|sik|sh|svn|swp|tgz|tar|tlp)$ [NC]
#RewriteRule .* - [F,L]
#### ANFRAGEN BLOCKIEREN
## TODO! Nicht unbedingt erforderliche MODx-Verzeichnisse komplett blockieren
#RewriteCond %{REQUEST_URI} ([assets\/](backup|export|flash|import)) [NC]
#RewriteRule .* - [F,L]
## TODO! PHP in typischen MODx-Verzeichnissen blockieren, wo dies nicht erforderlich ist
#RewriteCond %{REQUEST_URI} ([assets\/](\.thumbs|drgalleries|images|galleries|js))*\.php [NC]
#RewriteRule .* - [F,L]
## TODO! Blockade von PHP in zusätzlich eingerichteten Verzeichnissen
#RewriteCond %{REQUEST_URI} ([client\/](css|scripts|grafik|fonts))*\.php [NC]
#RewriteRule .* - [F,L]
RewriteCond %{REQUEST_URI} (oaklayer|phpmyadmin|ranger|raybaner|revslider|test-for-404-page|tel:+) [NC,OR]
## wp-content für Honigtop ev. entfernen
RewriteCond %{REQUEST_URI} (wordpress|([wp-](admin|config|includes|login))|wpcontent) [NC,OR]
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{QUERY_STRING} (https?|ftp|php):/ [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
## SET! Folgende Regel für MODx Evo eventuell auskommentieren, verhindert Öffnen des Verzeichnisbaums
#RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC,OR]
RewriteCond %{QUERY_STRING} (=\\\'|=\\%27|/\\\'/?)\. [NC,OR]
RewriteCond %{QUERY_STRING} (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$ [NC,OR]
RewriteCond %{QUERY_STRING} (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\") [NC,OR]
## SET! Folgende Regel NUR FÜR MODx EVO, in Revo auskommentieren
#RewriteCond %{QUERY_STRING} (?i)(~|`|<|>|:|,|\\|\s|\{|\}|\[|\]) [NC,OR]
## TODO! Vorherige Regel an MODx Revo anpassen
## SET! Kann eventuell den Datei-Manager blockieren
#RewriteCond %{QUERY_STRING} (?i)(%) [NC,OR]
## SET! Kann eventuell den Anforderung eines neuen PW im webloginpe blockieren
#RewriteCond %{QUERY_STRING} (?i)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack) [NC,OR]
RewriteCond %{QUERY_STRING} (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ) [NC]
RewriteRule .* - [F,L]
## PHP-DATEIEN gezielt blockieren
RewriteCond %{REQUEST_URI} (admin-post|content|css-min|dumper|etchk|etpost|etreply|glnoa|green)\.php [NC,OR]
RewriteCond %{REQUEST_URI} (img|license|map|master|mobiquo|minify|phpinfo|red|register|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|ui-elements|up|webshell|xml81|xmlrpc)\.php [NC,OR]
## TXT blockieren
RewriteCond %{REQUEST_URI} (ads)\.txt [NC,OR]
## Phantasie-Endung blockieren
RewriteCond %{REQUEST_URI} \.(nhtm|phpx) [NC]
RewriteRule .* - [F,L]
## Datenbankabfragen
RewriteCond %{QUERY_STRING} (NULL(.*)NULL(.*)NULL|INFORMATION_SCHEMA\.CHARACTER_SETS|SELECT(.*)CASE(.*)WHEN|AND(.*)AND(.*)oNnL|CONVERT(.*)INT(.*)SELECT|SELECT(.*)SLEEP|WAITFOR(.*)DELAY|DBMS_PIPE\.RECEIVE_MESSAGE) [NC]
RewriteRule .* - [F,L]
#### BAD BOTS STOPPEN
## Apache < 2.3
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</IfModule>
## Apache >= 2.3
<IfModule mod_authz_core.c>
<RequireAll>
Require all Granted
Require not env bad_bot
</RequireAll>
</IfModule>
#### CACHE
<IfModule mod_expires.c>
## SET! Die folgende Zeile während der Entwicklung eventuell auskommentieren
ExpiresActive on
ExpiresDefault "access plus 1 month"
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
ExpiresByType text/calendar "access plus 6 hours"
ExpiresByType text/html "access plus 5 minutes"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/manifest+json "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType video/mp4 "access plus 1 year"
ExpiresByType video/ogg "access plus 1 year"
ExpiresByType video/webm "access plus 1 year"
ExpiresByType font/truetype "access plus 1 year"
ExpiresByType application/font-woff "access plus 1 year"
ExpiresByType font/woff2 "access plus 1 year"
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
## alte Browser
#BrowserMatch "MSIE" brokenvary=1
#BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
#BrowserMatch "Opera" !brokenvary
#SetEnvIf brokenvary 1 force-no-vary
</IfModule>
#### MIME-Tpyen
<IfModule mod_mime.c>
AddType application/pdf pdf
AddType text/css css
AddType application/javascript js
AddType application/json json
AddType image/jpeg jpg jpeg
AddType image/png png
AddType image/gif gif
AddType image/x-icon ico
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
AddType font/truetype ttf
AddType application/font-woff woff
AddType font/woff2 woff2
AddType audio/mpeg mp3
AddType audio/mp4 m4a mp4 mpa
AddType audio/ogg ogg oga
AddType video/ogg ogv ogg
AddType video/mp4 mp4
AddType application/x-shockwave-flash swf
AddType text/calendar ics
AddType application/xml rss atom xml rdf
AddType text/vcard vcf
AddType text/vtt vtt
AddType application/vnd.google-earth.kml+xml kml
AddType application/gpx+xml gpx
</IfModule>
#### KOMPRIMIERUNG
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/css text/javascript text/calendar application/javascript application/json application/xml image/x-icon image/svg+xml
</IfModule>
#### HEADER
<IfModule mod_headers.c>
Header unset SERVER
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options "SAMEORIGIN"
Header unset X-Powered-By
Header set X-XSS-Protection "1; mode=block"
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
## SET! Nur bei http verwenden, dann zeile darüber auskommentieren
#Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
<FilesMatch "\.(appcache|css|f4[abpv]|flv|gif|ico|jpe?g|js|json(ld)?|m4[av]|manifest|mp4|og[agv]|pdf|png|rdf|rss|svgz?|swf|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xml|xpi)$">
Header unset Content-Security-Policy
Header unset X-Frame-Options
Header unset X-XSS-Protection
Header unset Referrer-Policy
</FilesMatch>
Header set Connection keep-alive
Header unset ETag
Header set Cache-Control "private, no-transform"
<FilesMatch "\.(gif|jpe?g|png|svg)$">
Header set Cache-Control "public, private, max-age=31536000, immutable"
</FilesMatch>
<FilesMatch "\.(css|js|woff|woff2)$">
Header set Cache-Control "public, private, max-age=31536000, immutable"
</FilesMatch>
</IfModule>
FileETag None
#### SERVER
### COOKIES
php_value session.use_strict_mode 1
php_value session.cookie_SameSite lax
php_value session.cookie_httponly 1
php_value session.use_cookies 1
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
php_value session.hash_function sha512
## SET! Nur bei https verwenden
#php_value session.cookie_secure 1
## TEST! Wirkung bei all-ikl.com fraglich
#php_value session.save_path /tmp/phpfpmsessions/
##### SPEZIAL ===========
#### SERVER
ServerSignature Off
Options -Indexes -FollowSymLinks -Includes
## SET! Die Angabe :/tmp undedingt überprüfen funktionieren Uploads?
#php_value open_basedir /www/htdocs/w00f2f21/web/modx11:/tmp
## SET! Zahl der parallelen Updloads
php_value max_file_uploads 10
## SET! Größe von Upload-Files begrenzen
php_value upload_max_filesize 2M
## Zugriff auf externe Daten
php_value allow_url_fopen Off
php_value allow_url_include Off
AddDefaultCharset UTF-8
## SET!
DefaultLanguage de-DE
## SET! Zeitzone
SetEnv TZ Europe/Berlin
##### DOMAIN ===========
#### HEADER
### UMLEITUNGEN
Options +FollowSymlinks +SymLinksIfOwnerMatch
RewriteBase /
## ACHTUNG! Die nächsten Blöcke bis <--- schleißen sich gegenseitig aus
## Rewrite deine-site.de -> www.your-site.de
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^www\.your-site\.de [NC]
#RewriteRule (.*) http://www.your-site.de/$1 [R=301,L]
#RewriteCond %{HTTPS} !=on
#RewriteCond %{HTTP_HOST} ^www.(.+)$ [NC]
#RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} !=on
#RewriteCond %{HTTP_HOST} !^www..+$ [NC]
#RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
## Rewrite www.deine-site.de -> deine-site.de
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^your-site\.de [NC]
#RewriteRule (.*) http://your-site.de/$1 [R=301,L]
## Rewrite alles auf https://
#RewriteCond %{HTTPS} on
#RewriteCond %{HTTP_HOST} ^www\.(.*)
#RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
## Rewrite alles auf https://www.
#RewriteCond %{HTTP_HOST} ^[^.]+\.[^.]+$
#RewriteCond %{HTTPS}s ^on(s)|
#RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
## <--- ENDE
## Zeitstempel einfügen in Dateien nach dem Schema mein-script.min.js. Muss mit PHP aufgelöst werden
RewriteRule (.+)\.(min|dev)\.(\d+)\.(js|css)$ $1.$2.$4 [L]
## MODx Evo: Exclude /assets and /manager directories and images from rewrite rules
RewriteRule ^(manager|assets|js|css|images|img)/.*$ - [L]
RewriteRule \.(jpg|jpeg|png|gif|ico)$ - [L]
## MODx Evo: Fix Apache internal dummy connections from breaking [(site_url)] cache
RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
RewriteRule .* - [F,L]
## MODx Evo: For Friendly URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]