    .htaccess

    This subject really doesn't have a proper place on this forum, so I'm jamming it into here.
    One of the most overlooked aspects of security, especially with vBulletin and hosting on your own servers, is the .htaccess file.
    This only applies to those running an Apache-based server.
    I am not going to go into details about what it is. For that there are plenty of internet resources.
    Suffice to say, if you host your own server, and it is Apache-based, then you really should know this file, as it controls a lot of security and, when set up properly, can defeat a great amount of exploitation of poorly coded PHP.

    This .htaccess file has been configured to work with vB5.x running on a secure Apache server.
    Note 1: The code block in orange instructs the server to direct ALL non-secure requests to a secure URL. That is to say, all HTTP gets sent to HTTPS.
    If you are NOT running a secure server, you must delete that data.
    If you are running a secure server, you need to enter your site's address in the blue highlighted sections.

    Note 2: The .htaccess file is located in the server's web root folder, htdocs, and is a plain text file. vB will create a most basic one when first installed.

    Note 3: The data in green is the only vB-specific code. All the rest is common to any well-defined .htaccess file.
    If you have made any modifications to the existing .htaccess file, you will want to transfer them.

    Note 4: The data in purple, SetEnvIfNoCase Referer, has URL entries (website addresses) which can access specific files. If the site is not there, the data is blocked. This is for tools such as phpMyAdmin, localhost access, etc. Be sure to set these or it will cause no end of annoyances.

    Note 5: Always back up your existing .htaccess file prior to making alterations!

    PS Note: Due to the limited amount of text which can be posted in this forum, I am forced to split up the code.

    #2
    Part 1 of 2

    Code:
    # START Deny attempts to view the Htaccess file.
    # "Order/Deny" is Apache 2.2 syntax and only works on 2.4 when
    # mod_access_compat is loaded; "Require" is the 2.4 form. Both are
    # given so the same file works on either version.
    <Files .htaccess>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
    </Files>
    # END Deny attempts to view the Htaccess file.
    
    # Start Deny attempts to view the config file.
    # <Files> matches on the file name only, never on a path, so a pattern
    # of "includes/config.php" never matches anything. Matching the bare
    # name covers core/includes/config.php wherever the directory sits.
    <Files config.php>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
    </Files>
    # End Deny attempts to view the config file.
    
    <IfModule mod_rewrite.c>
        RewriteEngine On
    
        # (orange block) Send ALL non-secure requests to HTTPS. Delete these
        # four directives if the site is not served over HTTPS.
        # (blue) Replace MYWEBSITE.ORG with your own host name. The host test
        # is anchored and its dots escaped so that only the real www host
        # matches, not any host name that merely contains those characters.
        RewriteCond %{HTTP_HOST} ^www\.MYWEBSITE\.ORG$ [NC]
        RewriteRule (.*) https://MYWEBSITE.ORG/$1 [R=301,L,QSA]
        
        # Anything still arriving over plain HTTP gets a permanent redirect
        # (301, so browsers and search engines remember it).
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
        # (green block) vBulletin 5's own rewrite rules; keep them as shipped.
        #In some cases where you have other mod_rewrite rules, you may need to comment out the following line
        #and change it to match your folder name. This resets the other mod_rewrite rules for just this directory
        #If your site was www.example.com/forum, the setting would be /forum/
        #RewriteBase /
    
        # Send css calls directly to the correct file VBV-7807
        RewriteRule ^css.php$ core/css.php [NC,L]
    
        # Redirect old install path to core.
        RewriteRule ^install/ core/install/ [NC,L]
    
        # Main Redirect
        RewriteCond %{REQUEST_URI} !\.(bmp|swf|gif|jpg|jpeg|png|css)$
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ index.php?routestring=$1 [L,QSA]
    
        # Because admincp is an actual directory.
        RewriteRule ^(admincp/)$ index.php?routestring=$1 [L,QSA]
    
    </IfModule>
    
    <IfModule mod_deflate.c>
    
        # Force compression for mangled headers.
        # http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping
        <IfModule mod_setenvif.c>
            <IfModule mod_headers.c>
                SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
                RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
            </IfModule>
        </IfModule>
    
        # BEGIN Compress text files
        AddOutputFilterByType DEFLATE text/html text/xml text/css text/plain
        AddOutputFilterByType DEFLATE image/svg+xml application/xhtml+xml application/xml
        AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
        AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript application/json
        AddOutputFilterByType DEFLATE application/x-font-ttf application/x-font-otf
        AddOutputFilterByType DEFLATE font/truetype font/opentype
    
        # Work around old browser bugs. The dot in "4.0" and the word
        # boundary before MSIE are escaped so the patterns match what they name.
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        # END Compress text files
    
        # Compress all output labeled with one of the following MIME-types
        # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
        #  and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines
        #  as `AddOutputFilterByType` is still in the core directives).
        <IfModule mod_filter.c>
            AddOutputFilterByType DEFLATE application/atom+xml \
                                          application/javascript \
                                          application/json \
                                          application/rss+xml \
                                          application/vnd.ms-fontobject \
                                          application/x-font-ttf \
                                          application/x-web-app-manifest+json \
                                          application/xhtml+xml \
                                          application/xml \
                                          font/opentype \
                                          image/svg+xml \
                                          image/x-icon \
                                          text/css \
                                          text/html \
                                          text/plain \
                                          text/x-component \
                                          text/xml
        </IfModule>
    
    </IfModule>
    
    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresByType application/ico A2592000
        ExpiresByType application/java A2628000
        # one entry per type; the last one wins, so keep the value in step with
        # the Cache-Control max-age set for .js further down
        ExpiresByType application/javascript A1209600
        ExpiresByType application/msword A2628000
        ExpiresByType application/pdf A2628000
        ExpiresByType application/vnd.ms-access A2628000
        ExpiresByType application/vnd.ms-excel A2628000
        ExpiresByType application/vnd.ms-fontobject A2592000
        ExpiresByType application/vnd.ms-powerpoint A2628000
        ExpiresByType application/vnd.ms-project A2628000
        ExpiresByType application/vnd.ms-write A2628000
        ExpiresByType application/vnd.oasis.opendocument.chart A2628000
        ExpiresByType application/vnd.oasis.opendocument.database A2628000
        ExpiresByType application/vnd.oasis.opendocument.formula A2628000
        ExpiresByType application/vnd.oasis.opendocument.graphics A2628000
        ExpiresByType application/vnd.oasis.opendocument.presentation A2628000
        ExpiresByType application/vnd.oasis.opendocument.spreadsheet A2628000
        ExpiresByType application/vnd.oasis.opendocument.text A2628000
        ExpiresByType application/x-font-woff A2592000
        ExpiresByType application/x-gzip A2628000
        ExpiresByType application/x-ico A2592000
        ExpiresByType application/x-javascript A2628000
        ExpiresByType application/x-msdownload A2628000
        ExpiresByType application/x-shockwave-flash A2628000
        ExpiresByType application/x-tar A2628000
        ExpiresByType application/zip A2628000
        ExpiresByType audio/midi A2628000
        ExpiresByType audio/mpeg A2628000
        ExpiresByType audio/ogg A2628000
        ExpiresByType audio/wav A2628000
        ExpiresByType audio/wma A2628000
        ExpiresByType audio/x-realaudio A2628000
        ExpiresByType font/opentype A2592000
        ExpiresByType font/otf A2592000
        ExpiresByType font/truetype A2592000
        ExpiresByType font/ttf A2592000
        ExpiresByType font/x-woff A2592000
        ExpiresByType image/bmp A2628000
        ExpiresByType image/gif A2628000
        ExpiresByType image/icon A2592000
        ExpiresByType image/jpeg A2628000
        ExpiresByType image/jpg A1209600
        ExpiresByType image/png A2628000
        ExpiresByType image/svg+xml A2592000
        ExpiresByType image/tiff A2628000
        ExpiresByType image/x-icon A2628000
        ExpiresByType text/css A31536000
        ExpiresByType text/javascript A1209600
        ExpiresByType text/plain A3600
        ExpiresByType text/richtext A3600
        ExpiresByType text/xsd A3600
        ExpiresByType text/xsl A3600
        ExpiresByType video/asf A2628000
        ExpiresByType video/avi A2628000
        ExpiresByType video/divx A2628000
        ExpiresByType video/mp4 A2628000
        ExpiresByType video/mpeg A2628000
        ExpiresByType video/quicktime A2628000
    </IfModule>
    
    <IfModule mod_headers.c>
        # Connection is a hop-by-hop header that Apache manages itself (and
        # that HTTP/2 forbids); leave it to the server rather than forcing it.
        # Header set Connection keep-alive
        <FilesMatch "\.(ico|flv|gif|swf|eot|woff|otf|ttf|svg)$">
            Header set Cache-Control "max-age=2592000, public"
        </FilesMatch>
        <FilesMatch "\.(jpg|jpeg|png)$">
            Header set Cache-Control "max-age=1209600, public"
        </FilesMatch>
        # css and js should use private for proxy caching https://developers.google.com/speed/docs/best-practices/caching#LeverageProxyCaching
        <FilesMatch "\.(css)$">
            Header set Cache-Control "max-age=31536000, private"
        </FilesMatch>
        <FilesMatch "\.(js)$">
            Header set Cache-Control "max-age=1209600, private"
        </FilesMatch>
    </IfModule>



      #3
      Part 2 of 2

      Code:
      # deny requests for config files. The dot is escaped so that only a real
      # ".ini" / ".conf" extension matches, not any name that ends in "ini" or "conf".
      <FilesMatch "\.(ini|conf)$">
          <IfModule !mod_authz_core.c>
              Order allow,deny
              Deny from all
          </IfModule>
          <IfModule mod_authz_core.c>
              Require all denied
          </IfModule>
      </FilesMatch>
      
      # Disable ETags
      <IfModule mod_headers.c>
          Header Unset ETag
          FileETag None
      </IfModule>
      
      # Default expires header if none specified (stay in browser cache for 7 days)
      <IfModule mod_expires.c>
      
          ExpiresActive on
          ExpiresDefault                                      "access plus 1 week"
      
        # CSS
          ExpiresByType text/css                              "access plus 1 year"
      
        # Data interchange
          ExpiresByType application/json                      "access plus 0 seconds"
          ExpiresByType application/xml                       "access plus 0 seconds"
          ExpiresByType text/xml                              "access plus 0 seconds"
      
        # Favicon (cannot be renamed!)
          ExpiresByType image/x-icon                          "access plus 1 week"
      
        # HTML components (HTCs)
          ExpiresByType text/x-component                      "access plus 1 month"
      
        # HTML
          ExpiresByType text/html                             "access plus 0 seconds"
      
        # JavaScript
          ExpiresByType application/javascript                "access plus 1 year"
      
        # Manifest files
          ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
          ExpiresByType text/cache-manifest                   "access plus 0 seconds"
      
        # Media (.swf is served as application/x-shockwave-flash by the
        # AddType list below, so that is the type the expiry has to name)
          ExpiresByType audio/ogg                             "access plus 1 month"
          ExpiresByType image/gif                             "access plus 1 month"
          ExpiresByType image/jpeg                            "access plus 1 month"
          ExpiresByType image/png                             "access plus 1 month"
          ExpiresByType video/mp4                             "access plus 1 month"
          ExpiresByType application/x-shockwave-flash         "access plus 1 month"
          ExpiresByType video/ogg                             "access plus 1 month"
          ExpiresByType video/webm                            "access plus 1 month"
      
        # Web feeds
          ExpiresByType application/atom+xml                  "access plus 1 hour"
          ExpiresByType application/rss+xml                   "access plus 1 hour"
      
        # Web fonts
          ExpiresByType application/font-woff                 "access plus 1 month"
          ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
          ExpiresByType application/x-font-ttf                "access plus 1 month"
          ExpiresByType font/opentype                         "access plus 1 month"
          ExpiresByType image/svg+xml                         "access plus 1 month"
      
      </IfModule>
      
      
      # add font types for chromium/chrome
      AddType application/font-woff woff
      
      # (purple block) Hot-link protection: only the referrers listed here, or
      # an empty Referer, may load the static files matched below. Replace
      # MYWEBSITE.ORG / MYWEBSITE-ALT.ORG with your own host names; the
      # localhost entries keep tools such as phpMyAdmin working. Dots are
      # escaped and every alternative is anchored at ^ (with "^a|b|c" only
      # the first alternative is anchored, so "b" would match anywhere).
      # A Referer is attacker-controlled and trivially forged; this stops
      # casual bandwidth theft, nothing more.
      SetEnvIfNoCase Referer "^https://MYWEBSITE\.ORG/" locally_linked=1
      SetEnvIfNoCase Referer "^(https?://MYWEBSITE-ALT\.ORG/|https?://localhost/|https?://127\.0\.0\.1/)" locally_linked=1
      SetEnvIf Referer "^$" locally_linked=1
      <FilesMatch "\.(ico|gif|png|swf|jpe?g|zip|rar|ace|mp3|mp4|avi|ogg|ogv|webm|css)$">
          <IfModule !mod_authz_core.c>
              Order Allow,Deny
              Allow from env=locally_linked
              # an "allow from" only means something inside a container like
              # this one; the loopback addresses are allowed here by IP rather
              # than by the name "localhost", which needs a reverse DNS lookup
              Allow from 127.0.0.1 ::1
          </IfModule>
          <IfModule mod_authz_core.c>
              <RequireAny>
                  Require env locally_linked
                  Require ip 127.0.0.1 ::1
              </RequireAny>
          </IfModule>
      </FilesMatch>
      
      # BEGIN W3TC Browser Cache
      <IfModule mod_mime.c>
      AddType application/ace .ace
      AddType application/java .class
      AddType application/javascript .js
      AddType application/msword .doc .docx
      AddType application/pdf .pdf
      AddType application/rar .rar
      AddType application/vnd.ms-access .mdb
      AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
      AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
      AddType application/vnd.ms-project .mpp
      AddType application/vnd.ms-write .wri
      AddType application/vnd.oasis.opendocument.chart .odc
      AddType application/vnd.oasis.opendocument.database .odb
      AddType application/vnd.oasis.opendocument.formula .odf
      AddType application/vnd.oasis.opendocument.graphics .odg
      AddType application/vnd.oasis.opendocument.presentation .odp
      AddType application/vnd.oasis.opendocument.spreadsheet .ods
      AddType application/vnd.oasis.opendocument.text .odt
      AddType application/x-gzip .gz .gzip
      # (.js is mapped once, above; a second AddType for the same extension
      #  would silently override it with the legacy application/x-javascript)
      AddType application/x-msdownload .exe
      AddType application/x-shockwave-flash .swf
      AddType application/x-tar .tar
      AddType application/zip .zip
      AddType audio/midi .mid .midi
      AddType audio/mpeg .mp3 .m4a
      AddType audio/ogg .ogg
      AddType audio/wav .wav
      AddType audio/wma .wma
      AddType audio/x-realaudio .ra .ram
      AddType image/bmp .bmp
      AddType image/gif .gif
      AddType image/jpeg .jpg .jpeg .jpe
      AddType image/png .png
      AddType image/svg+xml .svg .svgz
      AddType image/tiff .tif .tiff
      AddType image/x-icon .ico
      AddType text/css .css
      AddType text/html .html .htm
      AddType text/plain .txt
      AddType text/richtext .rtf .rtx
      AddType text/xml .xml
      AddType text/xsd .xsd
      AddType text/xsl .xsl
      AddType video/asf .asf .asx .wax .wmv .wmx
      AddType video/avi .avi
      AddType video/divx .divx
      AddType video/mp4 .mp4 .m4v
      AddType video/mpeg .mpeg .mpg .mpe
      AddType video/quicktime .mov .qt
      </IfModule>
      # END W3TC Browser Cache
      
      # Request-filtering rules. Everything below is a signature match on
      # attacker-controlled strings: it cuts noise from scanners and script
      # kiddies and is trivially bypassed by changing the string, so treat it
      # as noise reduction, not as protection for the PHP behind it.
      <IfModule mod_rewrite.c>
          RewriteEngine On
      
          # Block User-agent Libwww-perl (the dash target must be a plain
          # ASCII "-", meaning "no substitution")
          RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
          RewriteRule .* - [F,L]
      
          # proc/self/environ? no way!
          RewriteCond %{QUERY_STRING} proc/self/environ [OR]
          # Block out any script trying to set a mosConfig value through the URL
          RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
          # Block out any script trying to base64_encode crap to send via URL
          RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
          # Block out any script that includes a <script> tag in URL
          RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
          # Block out any script trying to set a PHP GLOBALS variable via URL
          # ("[" and "%" are meant literally and are escaped accordingly)
          RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
          # Block out any script trying to modify a _REQUEST variable via URL
          RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
          # A RewriteCond only takes effect through the RewriteRule that
          # follows it; without this line the chain above does nothing.
          RewriteRule .* - [F,L]
      
          ##
          ##  Commented version of Rewrite rules attributed to Ronald van den Heetkamp
          ##  Comments by http://bodvoc.com
          #
          # Prevent use of specified methods in HTTP Request
          # (HEAD is used legitimately by uptime monitors and caches; take it
          #  out of this list if those start failing)
          RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
          # Block out use of illegal or unsafe characters in the HTTP Request
          # (a literal \r or \n, or the URL-encoded CR/LF; an unescaped "r|n"
          #  would match every request line containing those letters)
          RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
          # Block out use of illegal or unsafe characters in the Referer Variable of the HTTP Request
          RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
          # Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request
          RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
          # Block out use of illegal characters in URI or use of malformed URI
          # ("\.\." is a literal traversal prefix; a bare ".." means "any two
          #  characters" and would block nearly every URI on the site)
          RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\.\.).{0,9999}.* [NC,OR]
          # NOTE - disable this rule if your site is integrated with Payment Gateways such as PayPal
          # Block out  use of empty User Agent Strings
          RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
          # Block out  use of User Agent Strings beginning with java, curl or wget
          # (this also locks out your own curl/wget checks and any legitimate
          #  integration that does not fake its User-Agent)
          RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
          # Block out  use of User Agent Strings containing specific robot (crawler) identifiers
          RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
          # Block out  use of User Agent Strings containing references to specific crawler libraries
          RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
          # Block out  use of illegal or unsafe characters in the User Agent variable
          RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
          # Measures to block out  SQL injection attacks
          # (expect false positives: any query string with a quote or bracket
          #  followed later by a word such as "set", "update" or "select" is
          #  rejected, e.g. a forum search for that text)
          RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
          # Block out  reference to localhost/loopback/127.0.0.1 in the Query String
          RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
          # Block out  use of illegal or unsafe characters in the Query String variable
          RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
          # Forbid (403) any request that met one of the conditions above.
          RewriteRule .* - [F,L]
          #
          ## End of commented Rewrite directives
      </IfModule>

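The blocking regexes in Part 2 (and the FilesMatch pattern for config files) are signature matches, and a single unescaped metacharacter turns one of them into a rule that rejects the whole forum. What follows is an added example, not code from this post or from vBulletin: a small offline Python harness that carries each pattern in the loose form it commonly circulates in (a bare `..`, a bare `r|n`, an unescaped dot) next to a corrected form, replays a handful of constructed request strings through both, and reports the legitimate requests the loose form would have blocked. The sample strings and rule labels are constructed for the example; nothing here contacts a server, and Python's `re` stands in for Apache's PCRE, which is faithful for patterns this simple.

```python
"""
Added example (not from the forum post): an offline harness that compiles
.htaccess blocking regexes and replays constructed request samples through
them, so a rule can be checked for false positives before it goes live.
"""
import re

# label -> (pattern as it commonly circulates, corrected pattern, case-insensitive?)
# Apache evaluates RewriteCond as a regex *search*; [NC] maps to re.I.
# FilesMatch is case-sensitive unless written otherwise.
RULES = {
    # THE_REQUEST: the loose form has bare 'r' and 'n', so it matches any
    # request line containing those letters; the corrected form looks for a
    # literal backslash-r / backslash-n or URL-encoded CR / LF.
    "the_request_crlf": (r"^.*(r|n|%0A|%0D).*", r"^.*(\\r|\\n|%0A|%0D).*", True),
    # REQUEST_URI: an unescaped '..' means "any two characters", which
    # matches almost every URI; the intent was a literal '..' prefix.
    "uri_traversal": (r'^/(,|;|:|<|>|">|"<|/|..).{0,9999}.*',
                      r'^/(,|;|:|<|>|">|"<|/|\.\.).{0,9999}.*', True),
    # QUERY_STRING: '[' and '%' were meant literally; the loose class
    # "[|%[0-9A-Z]{0,2}" can match zero characters, so bare "GLOBALS" trips it.
    "globals_override": (r"GLOBALS(=|[|%[0-9A-Z]{0,2})",
                         r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    # FilesMatch for config files: the dot before (ini|conf) was unescaped.
    "config_files": (r".(ini|conf)$", r"\.(ini|conf)$", False),
}

# Constructed samples per rule: legitimate vBulletin-style requests mixed
# with the attack shapes the rules were written to stop.
SAMPLES = {
    "the_request_crlf": [
        "GET /forum/index.php?routestring=members HTTP/1.1",   # legitimate
        "GET /index.php?x=%0D%0ASet-Cookie:%20a=b HTTP/1.1",   # header injection
        "GET / HTTP/1.1",
    ],
    "uri_traversal": ["/forum/", "/../../etc/passwd", "/"],
    "globals_override": ["q=GLOBALSTAR", "GLOBALS[cfg]=1", "routestring=help"],
    "config_files": ["php.ini", "autoconf", "index.php"],
}


def all_compile(rules=RULES):
    """True if every pattern compiles. A pattern that does not compile in
    .htaccess is a 500 for the whole directory, so check this first."""
    try:
        for loose, fixed, _ in rules.values():
            re.compile(loose)
            re.compile(fixed)
    except re.error:
        return False
    return True


def blocked(pattern, value, ignore_case):
    """Would a RewriteCond / FilesMatch with this pattern match this value?"""
    return re.search(pattern, value, re.I if ignore_case else 0) is not None


def evaluate(rules=RULES, samples=SAMPLES):
    """{label: {sample: (blocked_by_loose, blocked_by_corrected)}}"""
    return {
        label: {s: (blocked(loose, s, nc), blocked(fixed, s, nc))
                for s in samples[label]}
        for label, (loose, fixed, nc) in rules.items()
    }


def false_positives(results=None):
    """Samples the loose pattern blocks that the corrected pattern allows."""
    results = evaluate() if results is None else results
    return {label: sorted(s for s, (p, f) in rows.items() if p and not f)
            for label, rows in results.items()}


if __name__ == "__main__":
    assert all_compile()
    for label, rows in evaluate().items():
        for sample, (loose, fixed) in rows.items():
            print(f"{label:18} loose={'BLOCK' if loose else 'pass '} "
                  f"fixed={'BLOCK' if fixed else 'pass '}  {sample}")
```

Run it as a script for the pass/BLOCK table, or import it and call `false_positives()` from a deploy check. The same idea extends to any RewriteCond you add: put the pattern in `RULES`, give it a few known-good request strings, and fail the deploy if anything legitimate trips it. What it cannot catch is a RewriteCond chain with no RewriteRule after it, which has no effect on requests at all; only a request against the live server shows that.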


        #4
        Originally posted by Felix2:
        This subject really doesn't have a proper place on this forum so I'm jamming it into here.
        Create a blog and put this topic there.



          #5
          That didn't go any better, other than to move the problems elsewhere and make them worse.
          The blog doesn't format the text properly and still has the same text limits.

          [Attached screenshot: blog.jpg]



            #6
            I do not have enough experience to do that?

            Can I attach a file?



              #7
              Originally posted by alsuheimat:
              I do not have enough experience to do that?

              Can I attach a file?
              Sure. I can look at it. Give me a day or two to reply with an updated one. It will make for a good example here.



                #8
                Originally posted by Felix2:
                Sure. I can look at it. Give me a day or two to reply with an updated one. It will make for a good example here.



                thanks



                  #9
                  Had a user suggest after reading this that they would switch over to HTTPS since it seems so easy.
                  Figured I'd post the reply here as it may help others in deciding.

                  May not be so simple. Depends. I thought it would be as simple as flipping a switch; 2 weeks later I had it all done.
                  The issue, for self-hosted servers, is in the security certificates.
                  If using a 3rd-party host, they are usually covered.
                  When self-hosting, you have to create them. Easy enough.
                  Then you have to register them. PitA if you don't want to spend a fortune.
                  It is a balance between security and ease of access.
                  If you are running a public forum, it isn't that big a deal and http works.
                  If your forum is private and you need / want more security, then going to https is worth the headache to switch over.
                  Don't forget, https also slows down connections. Depending upon the number of users, amount of data posted, use of RSS aggregation, bandwidth/metering, etc., going to https can double data usage.
                  Worse for me because standard https is 256-bit encryption, whereas my forum is a LOT higher than that.
                  All things to consider.



                    #10
                    Felix2, I created a new forum channel and moved this topic. I also removed your .htaccess blog.



                      #11
                      When it comes to certs, nowadays you can use Let's Encrypt to get short-term, auto-renewing certs. I'm using them on my forum now and the setup wasn't hard. Getting HTTPS is a good idea in general, especially if you're considering using HTTP/2. HTTP/2 over TLS is more efficient than HTTP, as you can serve everything over a single connection instead of having to open and close connections for each and every element being fetched. If you guys are interested in that, I'll put together a walkthrough once I get it all working.

                      I'll try this htaccess as it does look a bit better and more comprehensive than the default one that ships with vb5.



                        #12
                        Where was this moved to glennrocksvb ?



                          #13
                          Just to be clear: I did testing with HTTP/2 with vB5. They don't get on too well. HTTP/1.1 with Let's Encrypt certs works fine, though.



                            #14
                            Finally went through and installed this on my site. Works really well. It seems like you've gone through and compiled a bunch of sensible protections along with the vB5 rewrites and deflates. Nice job!
