From b4a09a072f32f1c0fe6d0cfd210e1ea05bf423f6 Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Wed, 21 Nov 2018 17:26:02 +1030
Subject: [PATCH] Update .htaccess rules and add .nginx.conf

- Clean up .htaccess and use best practices from h5bp/server-configs.
- Extract Nginx config from docs into a new .nginx.conf file which can be included in the server block. Also uses best practices from h5bp/server-configs.
- Remove "Allow access if Flarum is installed in a subdirectory but another .htaccess in a higher directory denies access" rule. I'm not sure why this was in here. Traced it back to https://github.com/flarum/flarum/commit/c17588f1cd60418604aa3bf2d8885a42f5e2e871#diff-8052c42ab3b8aa06a3f5f788a4ddccc2 but there's no real rationale behind why such an edge case should be included in the default .htaccess?
---
 .nginx.conf | 63 +++++++++++++++++++
 public/.htaccess | 156 ++++++++++++++++++++++++++++++-----------------
 2 files changed, 164 insertions(+), 55 deletions(-)
 create mode 100644 .nginx.conf

diff --git a/.nginx.conf b/.nginx.conf
new file mode 100644
index 0000000..fdb3270
--- /dev/null
+++ b/.nginx.conf
@@ -0,0 +1,63 @@
+# Pass requests that don't refer directly to files in the filesystem to index.php
+location / {
+ try_files $uri $uri/ /index.php?$query_string;
+}
+
+# The following directives are based on best practices from H5BP Nginx Server Configs
+# https://github.com/h5bp/server-configs-nginx
+
+# Expire rules for static content
+location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+ add_header Cache-Control "max-age=0";
+}
+
+location ~* \.(?:rss|atom)$ {
+ add_header Cache-Control "max-age=3600";
+}
+
+location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
+ add_header Cache-Control "max-age=2592000";
+ access_log off;
+}
+
+location ~* \.(?:css|js)$ {
+ add_header Cache-Control "max-age=31536000";
+ access_log off;
+}
+
+location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
+ add_header Cache-Control "max-age=2592000";
+ access_log off;
+}
+
+# Gzip compression
+gzip on;
+gzip_comp_level 5;
+gzip_min_length 256;
+gzip_proxied any;
+gzip_vary on;
+gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rss+xml
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy;
diff --git a/public/.htaccess b/public/.htaccess
index 523eae0..373746f 100644
--- a/public/.htaccess
+++ b/public/.htaccess
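Review bot: The `add_header Cache-Control` lines inside the regex `location` blocks will silently discard any `add_header` directives configured at the enclosing `server` level (security headers such as `X-Frame-Options` or `Strict-Transport-Security`, for instance), because nginx inherits `add_header` from the outer level only when the current level defines none; a comment above the first expire block should say that such headers must be repeated in each of these blocks or moved into a shared snippet that each block includes. Unlike the `.htaccess` side of this commit, which carries commented-out rules for `.git`, `composer.*`, `config.php`, `storage/` and `vendor/`, this file says nothing about what happens when `root` is not pointed at `public/`; a comment stating that the including server block must use `public/` as its root, or must deny those paths itself, would close the gap. The regex locations also take precedence over `location /` and contain no `try_files`, so a request for a missing path ending in `.json`, `.xml` or `.html` gets a filesystem 404 instead of reaching `index.php`; that is presumably intended for static assets, but it is worth stating in the "Expire rules" comment so operators are not surprised.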
@@ -1,83 +1,129 @@ -# Allow access if Flarum is installed in a subdirectory, -# but another .htaccess in a higher directory denies access. - - - Require all granted - - - Order Allow,Deny - Allow from all - - -# Fix for https://httpoxy.org vulnerability - - RequestHeader unset Proxy - - - SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'" - - - RewriteEngine on + # Ensure the Authorization HTTP header is available to PHP RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] + # Uncomment the following lines if you are not using a `public` directory + # to prevent sensitive resources from being exposed. + # RewriteRule /\.git / [F,L] + # RewriteRule ^composer\.(lock|json)$ / [F,L] + # RewriteRule ^config.php$ / [F,L] + # RewriteRule ^flarum$ / [F,L] + # RewriteRule ^storage/(.*)?$ / [F,L] + # RewriteRule ^vendor/(.*)?$ / [F,L] + + # Pass requests that don't refer directly to files in the filesystem to index.php RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d - RewriteRule !^assets index.php [QSA,L] + RewriteRule ^ index.php [QSA,L] + - # MultiViews can mess up our rewriting scheme - Options -MultiViews +# Disable directory listings +Options -Indexes - # Autoindex will list all assets files which is not so good - Options -Indexes - +# MultiViews can mess up our rewriting scheme +Options -MultiViews - - # Compress all output labeled with one of the following MIME-types - - AddOutputFilterByType DEFLATE application/atom+xml \ - application/javascript \ - application/json \ - application/vnd.ms-fontobject \ - application/x-font-ttf \ - application/x-web-app-manifest+json \ - application/xhtml+xml \ - application/xml \ - font/opentype \ - image/svg+xml \ - image/x-icon \ - text/css \ - text/html \ - text/plain \ - text/xml - - +# The following directives are based on best practices from H5BP Apache Server Configs +# https://github.com/h5bp/server-configs-apache -# Configure cache expiry for different file 
types +# Expire rules for static content ExpiresActive on - ExpiresDefault "access plus 1 second" - + ExpiresDefault "access plus 1 month" ExpiresByType text/css "access plus 1 year" + ExpiresByType application/atom+xml "access plus 1 hour" + ExpiresByType application/rdf+xml "access plus 1 hour" + ExpiresByType application/rss+xml "access plus 1 hour" ExpiresByType application/json "access plus 0 seconds" + ExpiresByType application/ld+json "access plus 0 seconds" + ExpiresByType application/schema+json "access plus 0 seconds" + ExpiresByType application/vnd.geo+json "access plus 0 seconds" ExpiresByType application/xml "access plus 0 seconds" + ExpiresByType text/calendar "access plus 0 seconds" ExpiresByType text/xml "access plus 0 seconds" + ExpiresByType image/vnd.microsoft.icon "access plus 1 week" ExpiresByType image/x-icon "access plus 1 week" ExpiresByType text/html "access plus 0 seconds" ExpiresByType application/javascript "access plus 1 year" + ExpiresByType application/x-javascript "access plus 1 year" + ExpiresByType text/javascript "access plus 1 year" + ExpiresByType application/manifest+json "access plus 1 week" ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds" ExpiresByType text/cache-manifest "access plus 0 seconds" + ExpiresByType text/markdown "access plus 0 seconds" + ExpiresByType audio/ogg "access plus 1 month" + ExpiresByType image/bmp "access plus 1 month" ExpiresByType image/gif "access plus 1 month" ExpiresByType image/jpeg "access plus 1 month" ExpiresByType image/png "access plus 1 month" - ExpiresByType application/atom+xml "access plus 1 hour" - ExpiresByType application/rss+xml "access plus 1 hour" - ExpiresByType application/font-woff2 "access plus 1 month" - ExpiresByType application/font-woff "access plus 1 month" + ExpiresByType image/svg+xml "access plus 1 month" + ExpiresByType image/webp "access plus 1 month" + ExpiresByType video/mp4 "access plus 1 month" + ExpiresByType video/ogg "access plus 1 
month" + ExpiresByType video/webm "access plus 1 month" + ExpiresByType application/wasm "access plus 1 year" + ExpiresByType font/collection "access plus 1 month" ExpiresByType application/vnd.ms-fontobject "access plus 1 month" - ExpiresByType application/x-font-ttf "access plus 1 month" + ExpiresByType font/eot "access plus 1 month" ExpiresByType font/opentype "access plus 1 month" - ExpiresByType image/svg+xml "access plus 1 month" + ExpiresByType font/otf "access plus 1 month" + ExpiresByType application/x-font-ttf "access plus 1 month" + ExpiresByType font/ttf "access plus 1 month" + ExpiresByType application/font-woff "access plus 1 month" + ExpiresByType application/x-font-woff "access plus 1 month" + ExpiresByType font/woff "access plus 1 month" + ExpiresByType application/font-woff2 "access plus 1 month" + ExpiresByType font/woff2 "access plus 1 month" + ExpiresByType text/x-cross-domain-policy "access plus 1 week" + + +# Gzip compression + + + AddOutputFilterByType DEFLATE "application/atom+xml" \ + "application/javascript" \ + "application/json" \ + "application/ld+json" \ + "application/manifest+json" \ + "application/rdf+xml" \ + "application/rss+xml" \ + "application/schema+json" \ + "application/vnd.geo+json" \ + "application/vnd.ms-fontobject" \ + "application/wasm" \ + "application/x-font-ttf" \ + "application/x-javascript" \ + "application/x-web-app-manifest+json" \ + "application/xhtml+xml" \ + "application/xml" \ + "font/collection" \ + "font/eot" \ + "font/opentype" \ + "font/otf" \ + "font/ttf" \ + "image/bmp" \ + "image/svg+xml" \ + "image/vnd.microsoft.icon" \ + "image/x-icon" \ + "text/cache-manifest" \ + "text/calendar" \ + "text/css" \ + "text/html" \ + "text/javascript" \ + "text/plain" \ + "text/markdown" \ + "text/vcard" \ + "text/vnd.rim.location.xloc" \ + "text/vtt" \ + "text/x-component" \ + "text/x-cross-domain-policy" \ + "text/xml" + + + +# Fix for https://httpoxy.org vulnerability + + RequestHeader unset Proxy