src/thiagohps/htaccess/master/.htaccess - Htaccess File

src/thiagohps/htaccess/master/.htaccess

#------------------------------------------------------------------------------
# Proteção do arquivo .htaccess 
#------------------------------------------------------------------------------
<Files .htaccess>
order allow,deny
deny from all
</Files>

#------------------------------------------------------------------------------
# Páginas de error personalizadas
#------------------------------------------------------------------------------
ErrorDocument 400 http://exemplo.com.br/index.php
ErrorDocument 401 http://exemplo.com.br/index.php
ErrorDocument 403 http://exemplo.com.br/index.php
ErrorDocument 404 http://exemplo.com.br/index.php
ErrorDocument 500 http://exemplo.com.br/index.php

#------------------------------------------------------------------------------
# Use codificação UTF-8 para qualquer coisa como text/plain ou text/html
#------------------------------------------------------------------------------
AddDefaultCharset utf-8

#------------------------------------------------------------------------------
# Força UTF-8 para um número de formatos de arquivo
#------------------------------------------------------------------------------
AddCharset utf-8 .atom .css .js .json .rss .vtt .xml

#------------------------------------------------------------------------------
# Desativar pesquisa nos diretórios dos sites
#------------------------------------------------------------------------------
Options All -Indexes

#------------------------------------------------------------------------------
# Ativa mod_rewrite usado em filtros contra certos robôs piratas
#------------------------------------------------------------------------------
RewriteEngine On

#------------------------------------------------------------------------------
# Exceção de tipos de arquivos que robôs podem acessar
#------------------------------------------------------------------------------
RewriteCond %{REQUEST_URI} !^/robots.txt
RewriteCond %{REQUEST_URI} !^/sitemap.xml

#------------------------------------------------------------------------------
# Bloqueio contra softwares que baixam páginas do site para navegação off-line
#------------------------------------------------------------------------------
RewriteCond %{HTTP_USER_AGENT} ^-?$ [OR] 

#------------------------------------------------------------------------------
# Bloqueio contra tipos de requisição gerados por robôs
#------------------------------------------------------------------------------
RewriteCond %{HTTP_USER_AGENT} ^curl|^Fetch API Request|GT::WWW|^HTTP::Lite|httplib|^Java/1.|^Java 1.|^LWP|libWeb|libwww|^PEAR|PECL::HTTP|PHPCrawl|python|Rsync|Snoopy|^URI::Fetch|WebDAV|^Wget [NC] 
RewriteRule (.*) - [F]

#------------------------------------------------------------------------------
# O arquivo index.php vai ser o padrão do diretório raiz 
#------------------------------------------------------------------------------
DirectoryIndex index.php

#------------------------------------------------------------------------------
# Proíbe que outros tipos de arquivos sejam utilizados como index
#------------------------------------------------------------------------------
<Files ~ "^(index).(p?s?x?htm?|txt|aspx?|cfml?|cgi|pl|php[3-9]|jsp|xml)$">
order allow,deny
deny from all
</Files>

#------------------------------------------------------------------------------
# Arquivos permitidos a serem executados no servidor e proibidos pela web
#------------------------------------------------------------------------------
<Files ~ ".(inc|class|sql|ini|conf|exe|dll|bin|tpl|bkp|dat|c|h|py|spd|theme|module)$">
deny from all
</Files>

#------------------------------------------------------------------------------
# Proíbe a exibição de certos arquivos de configuração como login, config, adm
#------------------------------------------------------------------------------
<Files ~ "^(install?|admin|(wp-)?config(.inc)?|configure|configuration|login|logging|options?.inc|option|settings?(.inc)?|functions?(.inc)?|setup(.inc)?|default|home|main|errors?|members?|hacke?r?d?|[-_a-z0-9.]*mafia[-_a-z0-9.]*|[-_a-z0-9.]*power[-_a-z0-9.]*|[-_a-z0-9.]*jihad[-_a-z0-9.]*|php|shell|ssh|root|cmd|[0-9]{1,6}|test|data).(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml)$">
order allow,deny
deny from all
</Files>

#------------------------------------------------------------------------------
# Código para neutralizar URLs falsas
#------------------------------------------------------------------------------
RedirectMatch gone ^/_vti.*
RedirectMatch gone ^/MSOffice.*
RedirectMatch gone ^[-_a-z0-9/.]*//.*
RedirectMatch gone ^.*/etc/passwd.*

#------------------------------------------------------------------------------
# Filtro contra XSS, redirecionamento HTTP, base64_encode, injeção sql simples
#------------------------------------------------------------------------------
RewriteEngine On
RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
RewriteCond %{QUERY_STRING} ^(.*)(%3C|<)/?script(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)?javascript(%3A|:)(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)document.location.href(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)http(%3A|:)(/|%2F){2}(.*)$ [NC,OR] 

#------------------------------------------------------------------------------
# Cuidado e atenção com essa regra pois ela pode quebrar redirecionamentos
#------------------------------------------------------------------------------
RewriteCond %{QUERY_STRING} ^(.*)base64_encode(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)GLOBALS(=|[|%[0-9A-Z]{0,2})(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)_REQUEST(=|[|%[0-9A-Z]{0,2})(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)(SELECT(%20|+)|UNION(%20|+)ALL|INSERT(%20|+)|DELETE(%20|+)|CHAR(|UPDATE(%20|+)|REPLACE(%20|+)|LIMIT(%20|+))(.*)$ [NC]
RewriteRule (.*) - [F]

#------------------------------------------------------------------------------
# Filtro contra phpshell.php, RemoteView, C99.php, r57.php, etc
#------------------------------------------------------------------------------
RewriteEngine On
RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*).(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
RewriteCond %{QUERY_STRING} ^(.*)=/home/wwwindus/public_html/(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR]
RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR]
RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)cmd=.*$ [OR] 

#------------------------------------------------------------------------------
# Cuidado e atenção com essa regra ela pode quebrar o seu site
#------------------------------------------------------------------------------
RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR]
RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR]
RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR]
RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|concat|mkdir|rmdir|pwd|clear|whoami|uname|tar|zip|unzip|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$
RewriteRule (.*) - [F]

#------------------------------------------------------------------------------
# Filtro contra a injeção de códigos no MySQL, RFI, base64, etc
#------------------------------------------------------------------------------
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (../|..) [OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} =|w| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*iframe.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*([^)]*) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (./|../|.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^(]*( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]

#------------------------------------------------------------------------------
# Proteção dedicada exclusivamente a SQL Injection
#------------------------------------------------------------------------------
RewriteRule ^.*EXEC(@.*$        - [R=404,L,NC]
RewriteRule ^.*CAST(.*$         - [R=404,L,NC]
RewriteRule ^.*DECLARE.*$        - [R=404,L,NC] 
RewriteRule ^.*DECLARE%20.*$     - [R=404,L,NC]
RewriteRule ^.*NVARCHAR.*$       - [R=404,L,NC] 
RewriteRule ^.*sp_password.*$    - [R=404,L,NC]
RewriteRule ^.*%20xp_.*$         - [R=404,L,NC]

#------------------------------------------------------------------------------
# Protege contra ataque DOS, limitando o tamanho de upload de arquivos
#------------------------------------------------------------------------------
LimitRequestBody 10240000

#------------------------------------------------------------------------------
# Força a compressão de arquivos a serem enviados para o navegador
#------------------------------------------------------------------------------
<IfModule mod_deflate.c>

    # Force compression for mangled headers.
    # http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)s*,?s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>

    # Compress all output labeled with one of the following MIME-types
    # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
    #  and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines
    #  as `AddOutputFilterByType` is still in the core directives).
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE application/atom+xml 
                                      application/javascript 
                                      application/json 
                                      application/rss+xml 
                                      application/vnd.ms-fontobject 
                                      application/x-font-ttf 
                                      application/x-web-app-manifest+json 
                                      application/xhtml+xml 
                                      application/xml 
                                      font/opentype 
                                      image/svg+xml 
                                      image/x-icon 
                                      text/css 
                                      text/html 
                                      text/plain 
                                      text/x-component 
                                      text/xml
    </IfModule>

</IfModule>

#------------------------------------------------------------------------------
# Controle do Cache-Control e Expires Header no navegador
#------------------------------------------------------------------------------
<ifModule mod_headers.c>
  <filesMatch ".(ico|jpe?g|png|gif|swf)$">
    Header set Cache-Control "public"
  </filesMatch>
  <filesMatch ".(css)$">
    Header set Cache-Control "public"
  </filesMatch>
  <filesMatch ".(js)$">
    Header set Cache-Control "private"
  </filesMatch>
  <filesMatch ".(x?html?|php)$">
    Header set Cache-Control "private, must-revalidate"
  </filesMatch>
</ifModule>

#------------------------------------------------------------------------------
# Força a utilização do Cache-Control e Expires Header no navegador
#------------------------------------------------------------------------------
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
FileETag None

<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault                                      "access plus 1 month"

  # CSS
    ExpiresByType text/css                              "access plus 4 hour"

  # Data interchange
    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"

  # Favicon (cannot be renamed!)
    ExpiresByType image/x-icon                          "access plus 1 week"

  # HTML components (HTCs)
    ExpiresByType text/x-component                      "access plus 1 month"

  # HTML
    ExpiresByType text/html                             "access plus 0 seconds"

  # JavaScript
    ExpiresByType application/javascript                "access plus 1 year"

  # Manifest files
    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"

  # Media
    ExpiresByType audio/ogg                             "access plus 1 month"
    ExpiresByType image/gif                             "access plus 4 hour"
    ExpiresByType image/jpeg                            "access plus 4 hour"
    ExpiresByType image/png                             "access plus 4 hour"
    ExpiresByType video/mp4                             "access plus 1 month"
    ExpiresByType video/ogg                             "access plus 1 month"
    ExpiresByType video/webm                            "access plus 1 month"

  # Web feeds
    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"

  # Web fonts
    ExpiresByType application/font-woff2                "access plus 1 month"
    ExpiresByType application/font-woff                 "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
    ExpiresByType application/x-font-ttf                "access plus 1 month"
    ExpiresByType font/opentype                         "access plus 1 month"
    ExpiresByType image/svg+xml                         "access plus 1 month"
</IfModule>

On Github License

Files

Download PDF of Htaccess file
DEFLATE, GET, HTTP_USER_AGENT, POST, QUERY_STRING, REQUEST_METHOD, REQUEST_URI

Comments

Apache