Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Ideal .htaccess file for GS. Help please
#1
I found this by googling. It's for wordpress but I made some changes to adopt for GS. I'm not sure if this is the "best" so I'd appreciate any help. My installation is default GS template.

******************************************

# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>

# disable the server signature
ServerSignature Off

# limit file uploads to 10mb
### LimitRequestBody 10240000

# protect gsconfig.php
<files gsconfig.php>
order allow,deny
deny from all
</files>

#who has access who doesnt
order allow,deny
#deny from 000.000.000.000
allow from all

#custom error docs
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php

# disable directory browsing
Options All -Indexes

#redirect old to new
###Redirect 301 /old.php http://www.MYWEBSITE.com/new.php

#block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} digg\.com [NC]
RewriteRule .* – [F]

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?MYWEBSITE.com/.*$ [NC]
#RewriteRule \.(gif|jpg)$ – [F]
#RewriteRule \.(gif|jpg)$ http://www.MYWEBSITE.com/stealingisbad.gif [R,L]

# php compression – use with caution
<ifmodule mod_php4.c>
php_value zlib.output_compression 16386
</ifmodule>

# set the canonical url
RewriteEngine On
RewriteCond %{HTTP_HOST} ^MYWEBSITE\.com$ [NC]
RewriteRule ^(.*)$ http://www.MYWEBSITE.com/$1 [R=301,L]

# protect from spam comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
#RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*MYWEBSITE.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

*************************************************

Please comment what lines are needed, what's not? Are there missing entries to improve security?


Thanks in advance!
Reply
#2
Hi spring this is my .htaccess, tuned for speed. hth

Code:
AddDefaultCharset UTF-8
RewriteEngine on

ExpiresActive On
ExpiresDefault A180

<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
   Header unset Last-Modified
   ExpiresDefault A1209600
   Header append Cache-Control "public"
</FilesMatch>

<FilesMatch "\.(html|htm|php)$">
   ExpiresDefault A3600
   Header append Cache-Control "private, proxy-revalidate"
</FilesMatch>

Header unset ETag
FileETag None

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript text/javascript application/xhtml+xml
</IfModule>

# Usually it RewriteBase is just '/', but
# replace it with your subdirectory path
# RewriteBase /

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule /?([A-Za-z0-9-]+)/?$ index.php?id=$1 [QSA,L]
Reply
#3
hi Marrco,

I have doubt what to do next, do I just merge your version to mine?

You said tuned for speed but I'm not sure if merging will improve speed or cause conflicts with other entries.


Thanks
Reply
#4
A .htaccess file, much like marrco’s, has actually been discussed by me and Chris over at the GetSimple Issue Tracker.

As for your HTACCESS:
Code:
<files gsconfig.php>
order allow,deny
deny from all
</files>
This is a little unneeded. The file itself will not run if a browser is pointed at it and will display a message by itself. But of course if you don’t want to allow access to it at all, use this.
Code:
#who has access who doesnt
order allow,deny
#deny from 000.000.000.000
allow from all
Unless you’re going to put in some “deny from …” lines you might as well remove this.
Code:
#custom error docs
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php
I believe 404 errors are already handled by GetSimple. A clean GetSimple installation wont include any notfound.php, forbidden.php and error.php files so that might break your server. (404 error -> notfound.php -> 404 error -> …) If you have created those files, it’s OK.
Code:
#block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} digg\.com [NC]
RewriteRule .* – [F]
You don’t want people to be able to visit you when they clicked a link on digg.com?
Code:
# protect from spam comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
#RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*MYWEBSITE.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Can be removed as there is no “wp-comments-post.php” file to protect.

It is very clear that this .htaccess file is aimed at WordPress and it really features very little you’d normally need.

Another note is redundency. You only have to state “RewriteEngine On” once on top of the file if you plan to use it. Besides, the .htaccess file supplied with GetSimple already turns it on.
“Don’t forget the important ˚ (not °) on the a,” says the Unicode lover.
Help us test a key change for the core! ¶ Problems with GetSimple? Be sure to enable debug mode!
Reply
#5
marrco: using cache expire for files is really so useful ?
Using such rules for websites based on GS make them sound like news portals.

When it goes to: mod_deflate or mod_gzip, I'd firstly make sure if compression isn't already turned on by ISP.


spring: using rewrite rules you don't understand may do more harm, than bring positive things Wink
Addons: blue business theme, Online Visitors, Notepad
Reply
#6
yojoe Wrote:spring: using rewrite rules you don't understand may do more harm, than bring positive things Wink

Agree perfectly. That's exactly what bothers me so I figured early on it would be best to ask for help. I'm so busy researching and writing articles for my site until I came to this issue by accident.

Always glad I found this friendly community. Thanks to all.
Reply
#7
yojoe Wrote:marrco: using cache expire for files is really so useful ?

It's not just about cache expire, it's also trying to lower http requests. Unsetting Etags and last-modified is to tell your browser NOT to ask if the file has changed (and receive a 403), but to just use the cached version.

Only drawback is that you have to use versioning for static files, (ie. when you change an image change the name too, or just add a 'version number' like in logo_03.png)

I'm not sure it works as intended with GS, still doing some test, but that's my goal. (quite different that the one Zegnåt discussed). It's based on yslow and google page speed suggestions.

but do your tests!
Reply




Users browsing this thread: 1 Guest(s)