Lexinek

.htaccess

Mar 12th, 2014
  1. # Apache Server Configs v1.1.0 | MIT License
  2. # https://github.com/h5bp/server-configs-apache
  3.  
  4. # (!) Using `.htaccess` files slows down Apache, therefore, if you have access
  5. # to the main server config file (usually called `httpd.conf`), you should add
  6. # this logic there: http://httpd.apache.org/docs/current/howto/htaccess.html.
  7.  
  8. # ##############################################################################
  9. # # CROSS-ORIGIN RESOURCE SHARING (CORS) #
  10. # ##############################################################################
  11.  
  12. # ------------------------------------------------------------------------------
  13. # | Cross-domain AJAX requests |
  14. # ------------------------------------------------------------------------------
  15.  
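  16. # Enable cross-origin AJAX requests. The wildcard below lets any origin read these responses, so enable it only for content that is meant to be public.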
  17. # http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
  18. # http://enable-cors.org/
  19.  
  20. # <IfModule mod_headers.c>
  21. # Header set Access-Control-Allow-Origin "*"
  22. # </IfModule>
  23.  
  24. # ------------------------------------------------------------------------------
  25. # | CORS-enabled images |
  26. # ------------------------------------------------------------------------------
  27.  
  28. # Send the CORS header for images when browsers request it.
  29. # https://developer.mozilla.org/en/CORS_Enabled_Image
  30. # http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
  31. # http://hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
  32.  
  # CORS for images. Both mod_headers and mod_setenvif must be loaded;
  # if either is missing, this whole section is skipped silently.
  <IfModule mod_headers.c>
      <IfModule mod_setenvif.c>
          <FilesMatch "\.(gif|ico|jpe?g|png|svgz?|webp)$">
              # IS_CORS is set when the Origin request header contains ":"
              # (for example the separator in scheme://host).
              SetEnvIf Origin ":" IS_CORS

              # The wildcard is sent only on flagged requests. It allows any
              # origin to read these image files, so this pattern should not
              # cover images that are served per user or behind a login.
              Header set Access-Control-Allow-Origin "*" env=IS_CORS
          </FilesMatch>
      </IfModule>
  </IfModule>
  41.  
  42. # ------------------------------------------------------------------------------
  43. # | Web fonts access |
  44. # ------------------------------------------------------------------------------
  45.  
  46. # Allow access from all domains for web fonts
  47.  
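  # Web fonts: send a wildcard CORS header so that pages on other origins
  # can load them. Skipped silently when mod_headers is not loaded.
  <IfModule mod_headers.c>
      # The dot in "font\.css" is escaped so that only a literal ".font.css"
      # suffix matches; an unescaped dot would match any character there and
      # widen the set of files that receive the wildcard header.
      <FilesMatch "\.(eot|font\.css|otf|ttc|ttf|woff)$">
          Header set Access-Control-Allow-Origin "*"
      </FilesMatch>
  </IfModule>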
  53.  
  54.  
  55. # ##############################################################################
  56. # # ERRORS #
  57. # ##############################################################################
  58.  
  59. # ------------------------------------------------------------------------------
  60. # | 404 error prevention for non-existing redirected folders |
  61. # ------------------------------------------------------------------------------
  62.  
  63. # Prevent Apache from returning a 404 error for a rewrite if a directory
  64. # with the same name does not exist.
  65. # http://httpd.apache.org/docs/current/content-negotiation.html#multiviews
  66. # http://www.webmasterworld.com/apache/3808792.htm
  67.  
  # Switch off MultiViews content negotiation for this directory tree so that
  # rewritten URLs are not resolved against similarly named files.
  Options -MultiViews
  69.  
  70. # ------------------------------------------------------------------------------
  71. # | Custom error messages / pages |
  72. # ------------------------------------------------------------------------------
  73.  
  74. # You can customize what Apache returns to the client in case of an error (see
  75. # http://httpd.apache.org/docs/current/mod/core.html#errordocument), e.g.:
  76.  
  77. # ErrorDocument 404 /404.html
  78.  
  79.  
  80. # ##############################################################################
  81. # # INTERNET EXPLORER #
  82. # ##############################################################################
  83.  
  84. # ------------------------------------------------------------------------------
  85. # | Better website experience |
  86. # ------------------------------------------------------------------------------
  87.  
  88. # Force IE to render pages in the highest available mode in the various
  89. # cases when it may not: http://hsivonen.iki.fi/doctype/ie-mode.pdf.
  90.  
  <IfModule mod_headers.c>
      # Step 1: attach the header to every response.
      Header set X-UA-Compatible "IE=edge"

      # Step 2: take it off again for non-HTML resources. The selection is by
      # file extension because mod_headers cannot match on the content type.
      <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
          Header unset X-UA-Compatible
      </FilesMatch>
  </IfModule>
  99.  
  100. # ------------------------------------------------------------------------------
  101. # | Cookie setting from iframes |
  102. # ------------------------------------------------------------------------------
  103.  
  104. # Allow cookies to be set from iframes in IE.
  105.  
  106. # <IfModule mod_headers.c>
  107. # Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
  108. # </IfModule>
  109.  
  110. # ------------------------------------------------------------------------------
  111. # | Screen flicker |
  112. # ------------------------------------------------------------------------------
  113.  
  114. # Stop screen flicker in IE on CSS rollovers (this only works in
  115. # combination with the `ExpiresByType` directives for images from below).
  116.  
  117. # BrowserMatch "MSIE" brokenvary=1
  118. # BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
  119. # BrowserMatch "Opera" !brokenvary
  120. # SetEnvIf brokenvary 1 force-no-vary
  121.  
  122.  
  123. # ##############################################################################
  124. # # MIME TYPES AND ENCODING #
  125. # ##############################################################################
  126.  
  127. # ------------------------------------------------------------------------------
  128. # | Proper MIME types for all files |
  129. # ------------------------------------------------------------------------------
  130.  
  # Extension-to-MIME-type map. Each AddType line binds the listed file
  # extensions to one media type; nothing here applies without mod_mime.
  <IfModule mod_mime.c>

      # --- Audio ---
      AddType audio/mp4                               m4a f4a f4b
      AddType audio/ogg                               oga ogg

      # --- JavaScript and JSON ---
      # Normalized to the standard type (IE sniffs it anyway):
      # http://tools.ietf.org/html/rfc4329#section-7.2
      AddType application/javascript                  js
      AddType application/json                        json

      # --- Video ---
      AddType video/mp4                               mp4 m4v f4v f4p
      AddType video/ogg                               ogv
      AddType video/webm                              webm
      AddType video/x-flv                             flv

      # --- Web fonts ---
      AddType application/font-woff                   woff
      AddType application/vnd.ms-fontobject           eot

      # Browsers usually sniff font content and ignore the declared type,
      # but Chrome warns when the fonts below are served as anything else.
      AddType application/x-font-ttf                  ttc ttf
      AddType font/opentype                           otf

      # SVGZ fonts on iPad need both the type and the gzip encoding:
      # https://twitter.com/FontSquirrel/status/14855840545
      AddType     image/svg+xml                       svg svgz
      AddEncoding gzip                                svgz

      # --- Everything else ---
      AddType application/octet-stream                safariextz
      AddType application/x-chrome-extension          crx
      AddType application/x-opera-extension           oex
      AddType application/x-shockwave-flash           swf
      AddType application/x-web-app-manifest+json     webapp
      AddType application/x-xpinstall                 xpi
      AddType application/xml                         atom rdf rss xml
      AddType image/webp                              webp
      AddType image/x-icon                            ico
      AddType text/cache-manifest                     appcache manifest
      AddType text/vtt                                vtt
      AddType text/x-component                        htc
      AddType text/x-vcard                            vcf

  </IfModule>
  180.  
  181. # ------------------------------------------------------------------------------
  182. # | UTF-8 encoding |
  183. # ------------------------------------------------------------------------------
  184.  
  185. # Use UTF-8 encoding for anything served as `text/html` or `text/plain`.
  # Declare UTF-8 on responses served as text/html or text/plain.
  AddDefaultCharset utf-8

  # Declare UTF-8 for these extensions too; needs mod_mime.
  <IfModule mod_mime.c>
      AddCharset utf-8 .atom .css .js .json .rss .vtt .webapp .xml
  </IfModule>
  192.  
  193.  
  194. # ##############################################################################
  195. # # URL REWRITES #
  196. # ##############################################################################
  197.  
  198. # ------------------------------------------------------------------------------
  199. # | Rewrite engine |
  200. # ------------------------------------------------------------------------------
  201.  
  202. # Turning on the rewrite engine and enabling the `FollowSymLinks` option is
  203. # necessary for the following directives to work.
  204.  
  205. # If your web host doesn't allow the `FollowSymlinks` option, you may need to
  206. # comment it out and use `Options +SymLinksIfOwnerMatch`, but be aware of the
  207. # performance impact: http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
  208.  
  209. # Also, some cloud hosting services require `RewriteBase` to be set:
  210. # http://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-mod-rewrite-not-working-on-my-site
  211.  
  <IfModule mod_rewrite.c>
      # mod_rewrite in per-directory context needs symlink following enabled.
      # NOTE(review): FollowSymlinks lets Apache serve whatever a symlink under
      # the document root points at; where other users can create files there,
      # the SymLinksIfOwnerMatch alternative below is the more cautious choice.
      Options +FollowSymlinks
      # Options +SymLinksIfOwnerMatch
      RewriteEngine On
      # RewriteBase /

      # Front controller: a request that is neither an existing directory nor
      # an existing file, and whose path does not end in one of the listed
      # static extensions, is handed to index.php.
      # NOTE(review): index.php therefore sees arbitrary client-chosen paths
      # and has to validate them itself.
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteRule !\.(pdf|js|ico|gif|jpg|png|css|rar|zip|tar\.gz)$ index.php [L]
  </IfModule>
  223.  
  224. # ------------------------------------------------------------------------------
  225. # | Suppressing / Forcing the "www." at the beginning of URLs |
  226. # ------------------------------------------------------------------------------
  227.  
  228. # The same content should never be available under two different URLs especially
  229. # not with and without "www." at the beginning. This can cause SEO problems
  230. # (duplicate content), therefore, you should choose one of the alternatives and
  231. # redirect the other one.
  232.  
  233. # By default option 1 (no "www.") is activated:
  234. # http://no-www.org/faq.php?q=class_b
  235.  
  236. # If you'd prefer to use option 2, just comment out all the lines from option 1
  237. # and uncomment the ones from option 2.
  238.  
  239. # IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
  240.  
  241. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  242.  
  243. # Option 1: rewrite www.example.com → example.com
  244.  
  <IfModule mod_rewrite.c>
      # Applies to plain-HTTP requests only; HTTPS requests are not redirected.
      RewriteCond %{HTTPS} !=on

      # Case-insensitive match on a leading "www."; the rest of the host name
      # is captured as %1.
      RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]

      # Permanent redirect to the captured host with the original request URI.
      # NOTE(review): %1 is taken from the client-supplied Host header, so the
      # redirect target is whatever host the request named; the virtual host
      # should answer only for the site's own names.
      RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
  </IfModule>
  250.  
  251. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  252.  
  253. # Option 2: rewrite example.com → www.example.com
  254.  
  255. # Be aware that the following might not be a good idea if you use "real"
  256. # subdomains for certain parts of your website.
  257.  
  258. # <IfModule mod_rewrite.c>
  259. # RewriteCond %{HTTPS} !=on
  260. # RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
  261. # RewriteCond %{HTTP_HOST} !=localhost [NC]
  262. # RewriteCond %{HTTP_HOST} !=127.0.0.1
  263. # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  264. # </IfModule>
  265.  
  266.  
  267. # ##############################################################################
  268. # # SECURITY #
  269. # ##############################################################################
  270.  
  271. # ------------------------------------------------------------------------------
  272. # | Content Security Policy (CSP) |
  273. # ------------------------------------------------------------------------------
  274.  
  275. # You can mitigate the risk of cross-site scripting and other content-injection
  276. # attacks by setting a Content Security Policy which whitelists trusted sources
  277. # of content for your site.
  278.  
  279. # The example header below allows ONLY scripts that are loaded from the current
  280. # site's origin (no inline scripts, no CDN, etc). This almost certainly won't
  281. # work as-is for your site!
  282.  
  283. # To get all the details you'll need to craft a reasonable policy for your site,
  284. # read: http://html5rocks.com/en/tutorials/security/content-security-policy (or
  285. # see the specification: http://w3.org/TR/CSP).
  286.  
  287. # <IfModule mod_headers.c>
  288. # Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
  289. # <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
  290. # Header unset Content-Security-Policy
  291. # </FilesMatch>
  292. # </IfModule>
  293.  
  294. # ------------------------------------------------------------------------------
  295. # | File access |
  296. # ------------------------------------------------------------------------------
  297.  
  298. # Block access to directories without a default document.
  299. # Usually you should leave this uncommented because you shouldn't allow anyone
  300. # to surf through every directory on your server (which may include rather
  301. # private places like the CMS's directories).
  302.  
  # Directory listings are produced by mod_autoindex; when it is loaded,
  # turn them off so a directory without a default document is not browsable.
  <IfModule mod_autoindex.c>
      Options -Indexes
  </IfModule>
  306.  
  307. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  308.  
  309. # Block access to hidden files and directories.
  310. # This includes directories used by version control systems such as Git and SVN.
  311.  
  # Answer 403 for any existing file or directory whose path has a component
  # starting with a dot (.git, .svn, .htpasswd, ...).
  # NOTE(review): this protection exists only while mod_rewrite is loaded;
  # without it the section is skipped silently and dot-files are served like
  # any other file. The pattern also covers a /.well-known/ directory.
  <IfModule mod_rewrite.c>
      # The rule fires only when the resolved path is a real file or directory.
      RewriteCond %{SCRIPT_FILENAME} -f [OR]
      RewriteCond %{SCRIPT_FILENAME} -d
      # "-" leaves the URL unchanged; [F] returns 403 Forbidden.
      RewriteRule "(^|/)\." - [F]
  </IfModule>
  317.  
  318. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  319.  
  320. # Block access to backup and source files.
  321. # These files may be left by some text editors and can pose a great security
  322. # danger when anyone has access to them.
  323.  
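  # Deny all access to editor backups, swap files, dumps, logs and similar
  # source or configuration files that should never be downloadable.
  # Matches: "#name#", a trailing "~", and the listed extensions.
  <FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">

      # Apache 2.2 and older: classic host-based access control.
      <IfModule !mod_authz_core.c>
          Order allow,deny
          Deny from all
          Satisfy All
      </IfModule>

      # Apache 2.4: Order/Deny/Satisfy exist only in mod_access_compat, and
      # using them without that module makes every request in this directory
      # fail with a 500 error. Use the native directive instead.
      <IfModule mod_authz_core.c>
          Require all denied
      </IfModule>

  </FilesMatch>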
  329.  
  330. # ------------------------------------------------------------------------------
  331. # | Secure Sockets Layer (SSL) |
  332. # ------------------------------------------------------------------------------
  333.  
  334. # Rewrite secure requests properly to prevent SSL certificate warnings, e.g.:
  335. # prevent `https://www.example.com` when your certificate only allows
  336. # `https://secure.example.com`.
  337.  
  338. # <IfModule mod_rewrite.c>
  339. # RewriteCond %{SERVER_PORT} !^443
  340. # RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
  341. # </IfModule>
  342.  
  343. # ------------------------------------------------------------------------------
  344. # | HTTP Strict Transport Security (HSTS) |
  345. # ------------------------------------------------------------------------------
  346.  
  347. # Force client-side SSL redirection.
  348.  
  349. # If a user types "example.com" in his browser, the above rule will redirect
  350. # him to the secure version of the site. That still leaves a window of oppor-
  351. # tunity (the initial HTTP connection) for an attacker to downgrade or redirect
  352. # the request. The following header ensures that the browser will ONLY connect to
  353. # your server via HTTPS, regardless of what the users type in the address bar.
  354. # http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1
  355. # http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
  356.  
  357. # (!) Remove the `includeSubDomains` optional directive if the subdomains are
  358. # not using HTTPS. Browsers honour this header only when it arrives over HTTPS.
  359.  
  360. # <IfModule mod_headers.c>
  361. # Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
  362. # </IfModule>
  363.  
  364. # ------------------------------------------------------------------------------
  365. # | Server software information |
  366. # ------------------------------------------------------------------------------
  367.  
  368. # Avoid displaying the exact Apache version number, the description of the
  369. # generic OS-type and the information about Apache's compiled-in modules.
  370.  
  371. # ADD THIS DIRECTIVE IN THE `httpd.conf` AS IT WILL NOT WORK IN THE `.htaccess`!
  372.  
  373. # ServerTokens Prod
  374.  
  375.  
  376. # ##############################################################################
  377. # # WEB PERFORMANCE #
  378. # ##############################################################################
  379.  
  380. # ------------------------------------------------------------------------------
  381. # | Compression |
  382. # ------------------------------------------------------------------------------
  383.  
  # Response compression. Nothing in this section applies unless mod_deflate
  # is loaded.
  # NOTE(review): text/html is compressed below. Pages served over TLS that
  # mix a secret (such as a CSRF token) with request-controlled content are
  # the known precondition for compression side-channel attacks; confirm that
  # such pages mask their tokens per request or are excluded from DEFLATE.
  <IfModule mod_deflate.c>

      # Some intermediaries mangle the Accept-Encoding request header. When
      # one of the known mangled forms is seen, set HAVE_Accept-Encoding and
      # append a usable Accept-Encoding value to the request.
      # http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping
      <IfModule mod_headers.c>
          <IfModule mod_setenvif.c>
              SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
              RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
          </IfModule>
      </IfModule>

      # Compress responses labelled with any of these MIME types.
      # (Below Apache 2.3.7 `AddOutputFilterByType` is a core directive, so
      # the `<IfModule mod_filter.c>` wrapper can be dropped there.)
      <IfModule mod_filter.c>
          AddOutputFilterByType DEFLATE application/atom+xml \
                                        application/javascript \
                                        application/json \
                                        application/rss+xml \
                                        application/vnd.ms-fontobject \
                                        application/x-font-ttf \
                                        application/x-web-app-manifest+json \
                                        application/xhtml+xml \
                                        application/xml \
                                        font/opentype \
                                        image/svg+xml \
                                        image/x-icon \
                                        text/css \
                                        text/html \
                                        text/plain \
                                        text/x-component \
                                        text/xml
      </IfModule>

  </IfModule>
  420.  
  421. # ------------------------------------------------------------------------------
  422. # | Content transformations |
  423. # ------------------------------------------------------------------------------
  424.  
  425. # Prevent some of the mobile network providers from modifying the content of
  426. # your site: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5.
  427.  
  428. # <IfModule mod_headers.c>
  429. # Header set Cache-Control "no-transform"
  430. # </IfModule>
  431.  
  432. # ------------------------------------------------------------------------------
  433. # | ETag removal |
  434. # ------------------------------------------------------------------------------
  435.  
  436. # Since we're sending far-future expires headers (see below), ETags can
  437. # be removed: http://developer.yahoo.com/performance/rules.html#etags.
  438.  
  439. # `FileETag None` is not enough for every server.
  # Remove the ETag response header where mod_headers is available ...
  <IfModule mod_headers.c>
      Header unset ETag
  </IfModule>

  # ... and stop Apache from generating ETags for files in the first place.
  # The two are combined because `FileETag None` alone is not enough on
  # every server.
  FileETag None
  445.  
  446. # ------------------------------------------------------------------------------
  447. # | Expires headers (for better cache control) |
  448. # ------------------------------------------------------------------------------
  449.  
  450. # The following expires headers are set pretty far in the future. If you don't
  451. # control versioning with filename-based cache busting, consider lowering the
  452. # cache time for resources like CSS and JS to something like 1 week.
  453.  
  # Cache lifetimes per MIME type, measured from the time of access.
  # NOTE(review): ExpiresDefault also applies to every response type that is
  # not listed below; per-user or otherwise sensitive responses of such types
  # should send their own cache headers rather than inherit one month.
  <IfModule mod_expires.c>

      ExpiresActive on
      ExpiresDefault                                    "access plus 1 month"

      # --- Stylesheets ---
      ExpiresByType text/css                            "access plus 1 year"

      # --- Data interchange: never cached ---
      ExpiresByType application/json                    "access plus 0 seconds"
      ExpiresByType application/xml                     "access plus 0 seconds"
      ExpiresByType text/xml                            "access plus 0 seconds"

      # --- Favicon (its name cannot be changed, so keep this short) ---
      ExpiresByType image/x-icon                        "access plus 1 week"

      # --- HTML components (HTCs) ---
      ExpiresByType text/x-component                    "access plus 1 month"

      # --- HTML documents: never cached ---
      ExpiresByType text/html                           "access plus 0 seconds"

      # --- Scripts ---
      ExpiresByType application/javascript              "access plus 1 year"

      # --- Manifest files: never cached ---
      ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
      ExpiresByType text/cache-manifest                 "access plus 0 seconds"

      # --- Audio, images, video ---
      ExpiresByType audio/ogg                           "access plus 1 month"
      ExpiresByType image/gif                           "access plus 1 month"
      ExpiresByType image/jpeg                          "access plus 1 month"
      ExpiresByType image/png                           "access plus 1 month"
      ExpiresByType video/mp4                           "access plus 1 month"
      ExpiresByType video/ogg                           "access plus 1 month"
      ExpiresByType video/webm                          "access plus 1 month"

      # --- Feeds ---
      ExpiresByType application/atom+xml                "access plus 1 hour"
      ExpiresByType application/rss+xml                 "access plus 1 hour"

      # --- Web fonts ---
      ExpiresByType application/font-woff               "access plus 1 month"
      ExpiresByType application/vnd.ms-fontobject       "access plus 1 month"
      ExpiresByType application/x-font-ttf              "access plus 1 month"
      ExpiresByType font/opentype                       "access plus 1 month"
      ExpiresByType image/svg+xml                       "access plus 1 month"

  </IfModule>
  504.  
  505. # ------------------------------------------------------------------------------
  506. # | Filename-based cache busting |
  507. # ------------------------------------------------------------------------------
  508.  
  509. # If you're not using a build process to manage your filename version revving,
  510. # you might want to consider enabling the following directives to route all
  511. # requests such as `/css/style.12345.css` to `/css/style.css`.
  512.  
  513. # To understand why this is important and a better idea than `*.css?v231`, read:
  514. # http://stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring
  515.  
  516. # <IfModule mod_rewrite.c>
  517. # RewriteCond %{REQUEST_FILENAME} !-f
  518. # RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L]
  519. # </IfModule>
  520.  
  521. # ------------------------------------------------------------------------------
  522. # | File concatenation |
  523. # ------------------------------------------------------------------------------
  524.  
  525. # Allow concatenation from within specific CSS and JS files, e.g.:
  526. # Inside of `script.combined.js` you could have
  527. # <!--#include file="libs/jquery.js" -->
  528. # <!--#include file="plugins/jquery.idletimer.js" -->
  529. # and they would be included into this single file.
  530.  
  531. # <IfModule mod_include.c>
  532. # <FilesMatch "\.combined\.js$">
  533. # Options +Includes
  534. # AddOutputFilterByType INCLUDES application/javascript application/json
  535. # SetOutputFilter INCLUDES
  536. # </FilesMatch>
  537. # <FilesMatch "\.combined\.css$">
  538. # Options +Includes
  539. # AddOutputFilterByType INCLUDES text/css
  540. # SetOutputFilter INCLUDES
  541. # </FilesMatch>
  542. # </IfModule>
  543.  
  544. # ------------------------------------------------------------------------------
  545. # | Persistent connections |
  546. # ------------------------------------------------------------------------------
  547.  
  548. # Allow multiple requests to be sent over the same TCP connection:
  549. # http://httpd.apache.org/docs/current/en/mod/core.html#keepalive.
  550.  
  551. # Enable if you serve a lot of static content, but be aware of the
  552. # possible disadvantages!
  553.  
  554. # <IfModule mod_headers.c>
  555. # Header set Connection Keep-Alive
  556. # </IfModule>