mirror of https://github.com/flarum/flarum
- Clean up .htaccess and use best practices from h5bp/server-configs.
- Extract Nginx config from docs into a new .nginx.conf file which can
be included in the server block. Also uses best practices from
h5bp/server-configs.
- Remove "Allow access if Flarum is installed in a subdirectory but
another .htaccess in a higher directory denies access" rule. I'm not
sure why this was in here. Traced it back to
c17588f1cd (diff-8052c42ab3b8aa06a3f5f788a4ddccc2)
but there's no real rationale behind why such an edge case should be
included in the default .htaccess?
pull/59/head
Toby Zerner
6 years ago
parent
3ec2aad36e
commit
b4a09a072f
@ -0,0 +1,63 @@
|
||||
# Pass requests that don't refer directly to files in the filesystem to index.php
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$query_string;
|
||||
}
|
||||
|
||||
# The following directives are based on best practices from H5BP Nginx Server Configs
|
||||
# https://github.com/h5bp/server-configs-nginx
|
||||
|
||||
# Expire rules for static content
|
||||
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
|
||||
add_header Cache-Control "max-age=0";
|
||||
}
|
||||
|
||||
location ~* \.(?:rss|atom)$ {
|
||||
add_header Cache-Control "max-age=3600";
|
||||
}
|
||||
|
||||
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
|
||||
add_header Cache-Control "max-age=2592000";
|
||||
access_log off;
|
||||
}
|
||||
|
||||
location ~* \.(?:css|js)$ {
|
||||
add_header Cache-Control "max-age=31536000";
|
||||
access_log off;
|
||||
}
|
||||
|
||||
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
|
||||
add_header Cache-Control "max-age=2592000";
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Gzip compression
|
||||
gzip on;
|
||||
gzip_comp_level 5;
|
||||
gzip_min_length 256;
|
||||
gzip_proxied any;
|
||||
gzip_vary on;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/ld+json
|
||||
application/manifest+json
|
||||
application/rss+xml
|
||||
application/vnd.geo+json
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/bmp
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/cache-manifest
|
||||
text/css
|
||||
text/plain
|
||||
text/vcard
|
||||
text/vnd.rim.location.xloc
|
||||
text/vtt
|
||||
text/x-component
|
||||
text/x-cross-domain-policy;
|
||||
@ -1,83 +1,129 @@
|
||||
# Allow access if Flarum is installed in a subdirectory,
|
||||
# but another .htaccess in a higher directory denies access.
|
||||
|
||||
<IfModule mod_authz_core.c>
|
||||
Require all granted
|
||||
</IfModule>
|
||||
<IfModule !mod_authz_core.c>
|
||||
Order Allow,Deny
|
||||
Allow from all
|
||||
</IfModule>
|
||||
|
||||
# Fix for https://httpoxy.org vulnerability
|
||||
<IfModule mod_headers.c>
|
||||
RequestHeader unset Proxy
|
||||
</IfModule>
|
||||
<IfModule mod_security.c>
|
||||
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"
|
||||
</IfModule>
|
||||
|
||||
|
||||
<IfModule mod_rewrite.c>
|
||||
RewriteEngine on
|
||||
|
||||
# Ensure the Authorization HTTP header is available to PHP
|
||||
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
|
||||
|
||||
# Uncomment the following lines if you are not using a `public` directory
|
||||
# to prevent sensitive resources from being exposed.
|
||||
# RewriteRule /\.git / [F,L]
|
||||
# RewriteRule ^composer\.(lock|json)$ / [F,L]
|
||||
# RewriteRule ^config.php$ / [F,L]
|
||||
# RewriteRule ^flarum$ / [F,L]
|
||||
# RewriteRule ^storage/(.*)?$ / [F,L]
|
||||
# RewriteRule ^vendor/(.*)?$ / [F,L]
|
||||
|
||||
# Pass requests that don't refer directly to files in the filesystem to index.php
|
||||
RewriteCond %{REQUEST_FILENAME} !-f
|
||||
RewriteCond %{REQUEST_FILENAME} !-d
|
||||
RewriteRule !^assets index.php [QSA,L]
|
||||
RewriteRule ^ index.php [QSA,L]
|
||||
</IfModule>
|
||||
|
||||
# MultiViews can mess up our rewriting scheme
|
||||
Options -MultiViews
|
||||
# Disable directory listings
|
||||
Options -Indexes
|
||||
|
||||
# Autoindex will list all assets files which is not so good
|
||||
Options -Indexes
|
||||
</IfModule>
|
||||
# MultiViews can mess up our rewriting scheme
|
||||
Options -MultiViews
|
||||
|
||||
<IfModule mod_deflate.c>
|
||||
# Compress all output labeled with one of the following MIME-types
|
||||
<IfModule mod_filter.c>
|
||||
AddOutputFilterByType DEFLATE application/atom+xml \
|
||||
application/javascript \
|
||||
application/json \
|
||||
application/vnd.ms-fontobject \
|
||||
application/x-font-ttf \
|
||||
application/x-web-app-manifest+json \
|
||||
application/xhtml+xml \
|
||||
application/xml \
|
||||
font/opentype \
|
||||
image/svg+xml \
|
||||
image/x-icon \
|
||||
text/css \
|
||||
text/html \
|
||||
text/plain \
|
||||
text/xml
|
||||
</IfModule>
|
||||
</IfModule>
|
||||
# The following directives are based on best practices from H5BP Apache Server Configs
|
||||
# https://github.com/h5bp/server-configs-apache
|
||||
|
||||
# Configure cache expiry for different file types
|
||||
# Expire rules for static content
|
||||
<IfModule mod_expires.c>
|
||||
ExpiresActive on
|
||||
ExpiresDefault "access plus 1 second"
|
||||
|
||||
ExpiresDefault "access plus 1 month"
|
||||
ExpiresByType text/css "access plus 1 year"
|
||||
ExpiresByType application/atom+xml "access plus 1 hour"
|
||||
ExpiresByType application/rdf+xml "access plus 1 hour"
|
||||
ExpiresByType application/rss+xml "access plus 1 hour"
|
||||
ExpiresByType application/json "access plus 0 seconds"
|
||||
ExpiresByType application/ld+json "access plus 0 seconds"
|
||||
ExpiresByType application/schema+json "access plus 0 seconds"
|
||||
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
|
||||
ExpiresByType application/xml "access plus 0 seconds"
|
||||
ExpiresByType text/calendar "access plus 0 seconds"
|
||||
ExpiresByType text/xml "access plus 0 seconds"
|
||||
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
|
||||
ExpiresByType image/x-icon "access plus 1 week"
|
||||
ExpiresByType text/html "access plus 0 seconds"
|
||||
ExpiresByType application/javascript "access plus 1 year"
|
||||
ExpiresByType application/x-javascript "access plus 1 year"
|
||||
ExpiresByType text/javascript "access plus 1 year"
|
||||
ExpiresByType application/manifest+json "access plus 1 week"
|
||||
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
|
||||
ExpiresByType text/cache-manifest "access plus 0 seconds"
|
||||
ExpiresByType text/markdown "access plus 0 seconds"
|
||||
ExpiresByType audio/ogg "access plus 1 month"
|
||||
ExpiresByType image/bmp "access plus 1 month"
|
||||
ExpiresByType image/gif "access plus 1 month"
|
||||
ExpiresByType image/jpeg "access plus 1 month"
|
||||
ExpiresByType image/png "access plus 1 month"
|
||||
ExpiresByType application/atom+xml "access plus 1 hour"
|
||||
ExpiresByType application/rss+xml "access plus 1 hour"
|
||||
ExpiresByType application/font-woff2 "access plus 1 month"
|
||||
ExpiresByType application/font-woff "access plus 1 month"
|
||||
ExpiresByType image/svg+xml "access plus 1 month"
|
||||
ExpiresByType image/webp "access plus 1 month"
|
||||
ExpiresByType video/mp4 "access plus 1 month"
|
||||
ExpiresByType video/ogg "access plus 1 month"
|
||||
ExpiresByType video/webm "access plus 1 month"
|
||||
ExpiresByType application/wasm "access plus 1 year"
|
||||
ExpiresByType font/collection "access plus 1 month"
|
||||
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
|
||||
ExpiresByType application/x-font-ttf "access plus 1 month"
|
||||
ExpiresByType font/eot "access plus 1 month"
|
||||
ExpiresByType font/opentype "access plus 1 month"
|
||||
ExpiresByType image/svg+xml "access plus 1 month"
|
||||
ExpiresByType font/otf "access plus 1 month"
|
||||
ExpiresByType application/x-font-ttf "access plus 1 month"
|
||||
ExpiresByType font/ttf "access plus 1 month"
|
||||
ExpiresByType application/font-woff "access plus 1 month"
|
||||
ExpiresByType application/x-font-woff "access plus 1 month"
|
||||
ExpiresByType font/woff "access plus 1 month"
|
||||
ExpiresByType application/font-woff2 "access plus 1 month"
|
||||
ExpiresByType font/woff2 "access plus 1 month"
|
||||
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
|
||||
</IfModule>
|
||||
|
||||
# Gzip compression
|
||||
<IfModule mod_deflate.c>
|
||||
<IfModule mod_filter.c>
|
||||
AddOutputFilterByType DEFLATE "application/atom+xml" \
|
||||
"application/javascript" \
|
||||
"application/json" \
|
||||
"application/ld+json" \
|
||||
"application/manifest+json" \
|
||||
"application/rdf+xml" \
|
||||
"application/rss+xml" \
|
||||
"application/schema+json" \
|
||||
"application/vnd.geo+json" \
|
||||
"application/vnd.ms-fontobject" \
|
||||
"application/wasm" \
|
||||
"application/x-font-ttf" \
|
||||
"application/x-javascript" \
|
||||
"application/x-web-app-manifest+json" \
|
||||
"application/xhtml+xml" \
|
||||
"application/xml" \
|
||||
"font/collection" \
|
||||
"font/eot" \
|
||||
"font/opentype" \
|
||||
"font/otf" \
|
||||
"font/ttf" \
|
||||
"image/bmp" \
|
||||
"image/svg+xml" \
|
||||
"image/vnd.microsoft.icon" \
|
||||
"image/x-icon" \
|
||||
"text/cache-manifest" \
|
||||
"text/calendar" \
|
||||
"text/css" \
|
||||
"text/html" \
|
||||
"text/javascript" \
|
||||
"text/plain" \
|
||||
"text/markdown" \
|
||||
"text/vcard" \
|
||||
"text/vnd.rim.location.xloc" \
|
||||
"text/vtt" \
|
||||
"text/x-component" \
|
||||
"text/x-cross-domain-policy" \
|
||||
"text/xml"
|
||||
</IfModule>
|
||||
</IfModule>
|
||||
|
||||
# Fix for https://httpoxy.org vulnerability
|
||||
<IfModule mod_headers.c>
|
||||
RequestHeader unset Proxy
|
||||
</IfModule>
|
||||
|
||||
Loading…
Reference in new issue