src/Vidal-ru/Vidal/master/web/.htaccess
# RWR v20160313
RewriteEngine On
# Redirect from www ---------------------------------------------------------------------
#RewriteBase /
#RewriteCond %{HTTP_HOST} ^www.(.*)$ [NC]
#RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
# Config --------------------------------------------------------------------------------
# s-0001
<IfModule autoindex_module.c>
IndexIgnore *
</IfModule>
# s-0002
ServerSignature Off
Options -Indexes
DirectoryIndex index.php index.html index.htm
# s-0003
ErrorDocument 400 default
ErrorDocument 401 default
ErrorDocument 403 "Forbidden"
ErrorDocument 404 "Page Not Found"
# s-0004
<IfModule mod_php4.c>
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off
php_flag register_globals off
</IfModule>
<IfModule mod_php5.c>
php_flag display_errors off
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off
php_flag register_globals off
</IfModule>
# WAF Rules -----------------------------------------------------------------------------
# Block methods
# s-0005
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule .* - [F,L]
# Apache range security problem
# s-0006
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(s*,s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]
# RFI/LFI Protection
# s-0007
RewriteCond %{QUERY_STRING} ![a-zA-Z0-9_]=http://www.vidal.ru/
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=ftp:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=gopher:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [OR]
RewriteCond %{QUERY_STRING} (../|%2e%2e%2f|%2e%2e/|..%2f|%2e.%2f|%2e./|.%2e%2f|.%2e/) [OR]
RewriteCond %{QUERY_STRING} =|w| [NC]
RewriteRule .* - [F,L]
# Block system file and folder access
# s-0008
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{QUERY_STRING} (.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} $_POST [NC,OR]
RewriteCond %{QUERY_STRING} wp-config.php [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(;).* [NC,OR]
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule .* - [F,L]
RewriteCond %{THE_REQUEST} (%0A|%0D|\r|\n) [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
#RewriteCond %{THE_REQUEST} ? HTTP/ [NC,OR]
#RewriteCond %{THE_REQUEST} /* HTTP/ [NC,OR]
RewriteCond %{REQUEST_URI} owssvr.dll [NC,OR]
RewriteCond %{REQUEST_URI} server-status [NC]
RewriteRule .* - [F,L]
RewriteRule /DOCUMENT_ROOT - [F,L]
RewriteRule /_mem_bin - [F,L]
RewriteRule /msadc - [F,L]
RewriteRule /_vti_bin - [F,L]
RewriteRule /_vti_inf.html - [F,L]
# Shellshock
RewriteCond %{QUERY_STRING} (s*)s*{s*:;s*};
RewriteCond %{THE_REQUEST} (s*)s*{s*:;s*};
RewriteCond %{HTTP_REFERER} (s*)s*{s*:;s*};
RewriteCond %{HTTP_USER_AGENT} (s*)s*{s*:;s*};
RewriteRule .* - [F,L]
# Block 3rd parties
# s-0009
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress.com|img.youtube|tinypic.com|upload.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress.com|img.youtube|tinypic.com|upload.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F,L]
# TimThumb blocker
# s-0010
RewriteCond %{HTTP_REFERER} ^.*%{HTTP_HOST}.*
RewriteCond %{REQUEST_URI} (timthumb.php|phpthumb.php|thumb.php|thumbs.php) [NC,OR]
RewriteCond %{REQUEST_URI} (uploadify/uploadify.php) [NC]
RewriteRule .* - [F,L]
# Block suspicious user agents
# s-0011
#RewriteCond %{HTTP_USER_AGENT} (AESOP_com_SpiderMan|AhrefsBot|Alexibot|Anonymouse.org|asterias|attach|BackDoorBot|BackWeb|Bandit|Baiduspider|BatchFTP|Bigfoot|Black.Hole|BlackWidow|BlowFish|Bot mailto:craftbot@yahoo.com|BotALot|BTWebClient|Buddy|BuiltBotTough|Bullseye|BunnySlippers|Cegbfeieh|CheeseBot|CherryPicker|ChinaClaw|Collector|CommentReader|Copier|CopyRightCheck|cosmos|Crescent|Curl|Custo|DA|DISCo|discobot|DIIbot|DittoSpyder|Dolphin|Download|Download Demon|Download Devil|Download Wonder|Downloader|dragonfly|Drip|eCatch|EasyDL|ebingbong|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|Express WebPictures|Extractor|EyeNetIE|Ezooms|FileHound|FlashGet|Foobot|flunky|FrontPage|GetRight|GetSmart|GetWeb!|Go!Zilla|Go-Ahead-Got-It|gotit|Grabber|GrabNet|Grafula|Harvest|havij|hloader|HMView|httplib|HTTrack|humanlinks|ia_archiver|igdeSpyder|IlseBot|Image Stripper|Image Sucker|Indy Library|InfoNaviRobot|InfoTekies|Intelliseek|InterGET|Internet Ninja|Iria|Jakarta|JennyBot|JetCar|JOC|JustView|Jyxobot|Kenjin.Spider|Keyword.Density|larbin|LeechFTP|LexiBot|lftp|libWeb/clsHTTP|likse|LinkextractorPro|LinkScan/8.1a.Unix|LNSpiderguy|LinkWalker|lwp-trivial|LWP::Simple|Magnet|Mag-Net|MarkWatch|Mass Downloader|Mata.Hari|Media Center PC|Memo|MJ12bot|Microsoft.URL|Microsoft URL Control|MIDown tool|MIIxpc|Mirror|Missigua Locator|Mister PiX|moget|Mozilla/3.Mozilla/2.01|Mozilla.*NEWT|NAMEPROTECT|Navroad|NearSite|NetAnts|Netcraft|NetMechanic|NetSpider|Net Vampire|NetZIP|NextGenSearchBot|NG|NICErsPRO|NimbleCrawler|Ninja|NPbot|Octopus|Offline Explorer|Offline Navigator|Openfind|OutfoxBot|PageGrabber|Papa Foto|pavuk|pcBrowser|PHP version tracker|Pockey|ProPowerBot/2.14|ProWebWalker|psbot|Pump|QueryN.Metasearch|RealDownload|Reaper|Recorder|ReGet|RepoMonkey|RMA|Siphon|sitecheck.internetseer.com|SiteSnagger|Slurp|SlySearch|SmartDownload|Snake|Snapbot|Snoopy|sogou|SpaceBison|SpankBot|spanner|Sqworm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|suzuran|Szukacz/1.4|Tagoobot|tAkeOut|Teleport|Telesoft|TurnitinBot/1.5|The.Intraformant|TheNomad|TightTwatBot|Titan|toCrawl/UrlDispatcher|True_Robot|turingos|TurnitinBot|Twiceler|URLy.Warning|Vacuum|VCI|VoidEYE|Web Image Collector|Web Sucker|WebAuto|WebBandit|Webclipping.com|WebCopier|WebEMailExtrac.*|WebEnhancer|WebFetch|WebGo IS|Web.Image.Collector|WebLeacher|WebmasterWorldForumBot|WebReaper|WebSauger|WebSite|Website eXtractor|Website Quester|Webster|WebStripper|WebWhacker|WebZIP|Wget|Whacker|Widow|WISENutbot|WWWOFFLE|WWW-Collector-E|Xaldon|Xenu|Yeti|Zeus|Zyborg) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|’|>|'|"|)|(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC]
RewriteRule .* - [F,L]
RewriteCond %{HTTP_USER_AGENT} ":s:[0-9]+:" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "JDatabaseDriver" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "NT 5.1; SV1" [NC]
RewriteRule .* - [F,L]
RewriteCond %{HTTP:X-FORWARDED-FOR} ":s:[0-9]+:" [NC,OR]
RewriteCond %{HTTP:X-FORWARDED-FOR} "JDatabaseDriver" [NC]
RewriteRule .* - [F,L]
# Filter out referer
# s-0012
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC]
RewriteRule .* - [F,L]
# Protect against SQL Injections and code injection
# s-0013
RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(eval|chmod|chdir|mkdir|rmdir|whoami|uname|unzip|gunzip|grep|more|umask|telnet|ssh|ftp|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query|file_get_contents)([^a-zA-Z0-9].+)*$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|popen|proc_open)(.*)$
RewriteRule .* - [F,L]
# s-0014
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*embed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*object.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*iframe.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*([^)]*) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*((|)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(x00|x04|x08|x0d|x1b|x3c|x3e|x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^(]*( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} -[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule .* - [F,L]
# Block sensitive files
# s-0015
<FilesMatch ".(cfg|pl|htaccess|htpasswd|ini|phps|fla|psd|log|sh|sql|inc|tpl|svn|git|cvs|phtml|asp)$">
Order Allow,Deny
Deny from All
</FilesMatch>
# Block sensitive files
# s-0016
<FilesMatch ".(cgi)$">
Order Allow,Deny
Deny from All
</FilesMatch>
# Block unsafe system components
# s-0017
RewriteRule /phpmy/ - [F,L]
RewriteRule /phpmyadmin/ - [F,L]
RewriteRule /phpMy/ - [F,L]
RewriteRule /_phpmyadmin/ - [F,L]
RewriteRule /pma/ - [F,L]
RewriteRule /MyAdmin/ - [F,L]
RewriteRule scripts/setup.php - [F,L]
RewriteRule /backup - [F,L]
RewriteRule dumper.php - [F,L]
RewriteRule /admin/phpmyadmin - [F,L]
RewriteRule /admin/pma - [F,L]
RewriteRule /dbadmin - [F,L]
RewriteRule /mysql-admin - [F,L]
RewriteRule /mysqlmanager - [F,L]
RewriteRule /mysql - [F,L]
RewriteRule /phpadmin - [F,L]
RewriteRule /phpmanager - [F,L]
RewriteRule /phpmyadmin1 - [F,L]
RewriteRule /phpmyadmin2 - [F,L]
RewriteRule /phpMyAdmin-2 - [F,L]
RewriteRule /php-myadmin - [F,L]
RewriteRule /phpmy-admin - [F,L]
RewriteRule /pma2005 - [F,L]
RewriteRule /PMA2005 - [F,L]
RewriteRule /p/m/a - [F,L]
RewriteRule /pma - [F,L]
RewriteRule /sqlmanager - [F,L]
RewriteRule /sqlweb - [F,L]
RewriteRule /typo3/phpmyadmin - [F,L]
RewriteRule /webadmin - [F,L]
RewriteRule /webdb - [F,L]
RewriteRule /web/phpMyAdmin - [F,L]
RewriteRule /xampp/phpmyadmin - [F,L]
RewriteRule /myadminscripts/setup.php - [F,L]
RewriteRule /mysqladmin - [F,L]
RewriteRule /php-my-admin - [F,L]
RewriteRule /phpmyadmin - [F,L]
RewriteRule /websql - [F,L]
RewriteRule /myadmin - [F,L]
RewriteRule /sql/ - [F,L]
RewriteRule /mysql/ - [F,L]
RewriteRule /setup.php?dir - [F,L]
RewriteRule /MSOffice/cltreq.asp - [F,L]
RewriteRule ///?_SERVER[DOCUMENT_ROOT] - [F,L]
RewriteRule //?_SERVER[DOCUMENT_ROOT] - [F,L]
RewriteRule /pagead/test_domain.js - [F,L]
RewriteRule /pagead/osd.js - [F,L]
RewriteRule /pagead/expansion_embed.js - [F,L]
RewriteRule /pagead/render_ads.js - [F,L]
RewriteRule /pagead/atf.js - [F,L]
RewriteRule (.*)cmd.exe$ - [F,L]
# Block parasite traffic
# s-0018
RewriteCond %{HTTP_REFERER} iskalko.ru [NC,OR]
RewriteCond %{HTTP_REFERER} buttons-for-website.com
RewriteCond %{HTTP_REFERER} semalt.semalt.com
RewriteCond %{HTTP_REFERER} cenoval.ru
RewriteCond %{HTTP_REFERER} darodar.com
RewriteCond %{HTTP_REFERER} cenokos.ru
RewriteCond %{HTTP_REFERER} seoexperimenty.ru
RewriteCond %{HTTP_REFERER} gobongo.info
RewriteCond %{HTTP_REFERER} adcash.com
RewriteCond %{HTTP_REFERER} websocial.me
RewriteCond %{HTTP_REFERER} cityadspix.com
RewriteCond %{HTTP_REFERER} luxup.ru
RewriteCond %{HTTP_REFERER} superiends.org
RewriteCond %{HTTP_REFERER} socialseet.ru
RewriteCond %{HTTP_REFERER} screentoolkit.com
RewriteCond %{HTTP_REFERER} cur.lv
RewriteRule .* - [F]
###########################################################################
AddDefaultCharset utf-8
# снимаем ограничение используемой памяти - иначе админке не хватает
php_value memory_limit -1
# очистка сессий не раньше, чем через месяц
php_value session.gc_maxlifetime 2592000
# закачка больших видео-файлов в админке
php_value upload_max_filesize 50M
php_value post_max_size 50M
php_value max_execution_time 1200
# прочие радости настроек сервера
php_flag output_buffering On
php_flag magic_quotes_gpc Off
php_value allow_url_fopen 0
php_value allow_url_include 0
php_value mail.add_x_header 1
php_value expose_php 0
php_value date.timezone Europe/Moscow
Redirect 301 /novosti/4611 http://www.vidal.ru/novosti/4618
# Use the front controller as index file. It serves as fallback solution when
# every other rewrite/redirect fails (e.g. in an aliased environment without
# mod_rewrite). Additionally, this reduces the matching process for the
# startpage (path "/") because otherwise Apache will apply the rewritting rules
# to each configured DirectoryIndex file (e.g. index.php, index.html, index.pl).
DirectoryIndex app.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^195.62.52.105
RewriteRule (.*) http://www.vidal.ru/$1 [R=301,L]
# redirect last slash to non-slash
RewriteRule ^(.+[^/])/$ http://%{HTTP_HOST}/$1 [R=301,L]
# old subdomains
RewriteCond %{HTTP_HOST} ^(twiga.vidal.ru|mailserver.vidal.ru|vidal.ru)
RewriteRule ^(.*)$ http://www.vidal.ru/$1 [R=301,L]
# Determine the RewriteBase automatically and set it as environment variable.
# If you are using Apache aliases to do mass virtual hosting or installed the
# project in a subdirectory, the base path will be prepended to allow proper
# resolution of the app.php file and to redirect to the correct URI. It will
# work in environments without path prefix as well, providing a safe, one-size
# fits all solution. But as you do not need it in this case, you can comment
# the following 2 lines to eliminate the overhead.
RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::2$
RewriteRule ^(.*) - [E=BASE:%1]
# Redirect to URI without front controller to prevent duplicate content
# (with and without `/app.php`). Only do this redirect on the initial
# rewrite by Apache and not on subsequent cycles. Otherwise we would get an
# endless redirect loop (request -> rewrite to front controller ->
# redirect -> request -> ...).
# So in case you get a "too many redirects" error or you always get redirected
# to the startpage because your Apache does not expose the REDIRECT_STATUS
# environment variable, you have 2 choices:
# - disable this feature by commenting the following 2 lines or
# - use Apache >= 2.3.9 and replace all L flags by END flags and remove the
# following RewriteCond (best solution)
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^app.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]
# If the requested filename exists, simply serve it.
# We only want to let Apache serve files and not directories.
RewriteCond %{REQUEST_URI} !^/download
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .? - [L]
# Rewrite all other queries to the front controller.
RewriteRule .? %{ENV:BASE}/app.php [L]
</IfModule>
<IfModule !mod_rewrite.c>
<IfModule mod_alias.c>
# When mod_rewrite is not available, we instruct a temporary redirect of
# the startpage to the front controller explicitly so that the website
# and the generated links can still be used.
RedirectMatch 302 ^/$ /app.php/
# RedirectTemp cannot be used instead
</IfModule>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf|js|css|pdf)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
</IfModule>
######################################################
#<Files reprotect.php>
#AuthName "Need authorization"
#AuthType Basic
#AuthUserFile /home/twigavid/vidal/2016-03-25_12.03.46/web/psw/.htpasswd
#require valid-user
#</Files>
#<Files unprotect.php>
#AuthName "Need authorization"
#AuthType Basic
#AuthUserFile /home/twigavid/vidal/2016-03-25_12.03.46/web/psw/.htpasswd
#require valid-user
#</Files>
#<Files revtest.php>
#AuthName "Need authorization"
#AuthType Basic
#AuthUserFile /home/twigavid/vidal/2016-03-25_12.03.46/web/psw/.htpasswd
#require valid-user
#</Files>
# .htaccess how to set password for single URL
SetEnvIf Request_URI "^/bundles/vidalmain/kcfinder" export_uri
SetEnvIf Request_URI "^/admin" export_uri
SetEnvIf Request_URI "^/reprotect.php" export_uri
SetEnvIf Request_URI "^/revtest.php" export_uri
SetEnvIf Request_URI "^/unprotect.php" export_uri
AuthType Basic
AuthName "Need authorization"
#AuthUserFile C:/wamp/www/Vidal/web/psw/.htpasswd
AuthUserFile /home/twigavid/public_html/current/web/psw/.htpasswd
Require valid-user
Order allow,deny
Allow from all
Deny from env=export_uri
Satisfy any
On Github License
Files