generated from figuren-theater/new-ft-module
-
Notifications
You must be signed in to change notification settings - Fork 0
/
.htaccess
485 lines (378 loc) · 17.2 KB
/
.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
# ----------------------------------------------------------------------
# Redirect All Web Traffic to HTTPS
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine on
#
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
# Redirect all http traffic to https
# Use the lexographically equal operator !=on. If you just use off it gets treated as a regex.
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>
# ----------------------------------------------------------------------
# Suppress the "www." at the beginning of URLs
# ----------------------------------------------------------------------
# The same content should never be available under two different URLs - especially not with and
# without "www." at the beginning, since this can cause SEO problems (duplicate content).
# That's why you should choose one of the alternatives and redirect the other one.
# By default option 1 (no "www.") is activated. Remember: Shorter URLs are sexier.
# no-www.org/faq.php?q=class_b
# If you rather want to use option 2, just comment out all option 1 lines
# and uncomment option 2.
# IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
# ----------------------------------------------------------------------
# Option 1:
# Rewrite "www.domain.com -> domain.com"
<IfModule mod_rewrite.c>
RewriteEngine on
#
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
#
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
</IfModule>
# BEGIN Figuren_Theater\Routes\Virtual_Uploads
#----------------------------------------------------------------------
# Handle upload_url redirects with custom URLs
# based on __media
#
# "__media" is a ugly hardcoded virtual directory
#
# ... to help with proper rewrite rules for media below
# the prefered domainname of the currently viewed site.
#
# It is used and needs to be updated at the following locations:
# - /.htaccess (automatically done)
# - /content/mu-plugins/FT/ft-routes/inc/virtual-uploads/namespace.php
# - /content/mu-plugins/Figuren_Theater/src/FeaturesRepo/UtilityFeature__managed_core_options.php
#
# The directives (lines) between 'BEGIN Figuren_Theater\Routes\Virtual_Uploads' and 'END Figuren_Theater\Routes\Virtual_Uploads' are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
#----------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteCond %{HTTP_HOST} ^meta\.figuren\.(.*)$ [NC]
RewriteRule . - [E=FT_SITE_ID:4]
RewriteCond %{HTTP_HOST} ^heute\.(.*)$ [NC]
RewriteRule . - [E=FT_SITE_ID:101]
RewriteCond %{HTTP_HOST} ^puppen\.(.*)$ [NC,OR]
RewriteCond %{HTTP_HOST} ^figuren\.(.*)$ [NC]
RewriteRule . - [E=FT_SITE_ID:1]
RewriteCond %{HTTP_HOST} ^katharina-muschiol\.figuren\.(.*)$ [NC,OR]
RewriteCond %{HTTP_HOST} ^katharina-muschiol\.(.*)$ [NC]
RewriteRule . - [E=FT_SITE_ID:14]
RewriteCond %{HTTP_HOST} ^welttag\.puppen\.(.*)$ [NC]
RewriteRule . - [E=FT_SITE_ID:13]
RewriteCond %{HTTP_HOST} ^mein\.puppen\.(.*)$ [NC,OR]
RewriteCond %{HTTP_HOST} ^mein\.figuren\.(.*)$ [NC]
RewriteRule . - [E=FT_SITE_ID:12]
RewriteCond %{HTTP_HOST} ^websites\.fuer\.figuren\.(.*)$ [NC]
RewriteRule . - [E=FT_SITE_ID:5]
RewriteCond %{REQUEST_URI} !/(__media)/$ [NC]
RewriteCond %{REQUEST_URI} /__media/(.*)$ [NC]
RewriteRule __media/(.*)$ content/uploads/sites/%{ENV:FT_SITE_ID}/$1 [L]
</IfModule>
# END Figuren_Theater\Routes\Virtual_Uploads
# ----------------------------------------------------------------------
# Proper MIME type for all files
# ----------------------------------------------------------------------
# audio
AddType audio/ogg oga ogg
# video
AddType video/ogg ogv
AddType video/mp4 mp4
AddType video/webm webm
# Proper svg serving. Required for svg webfonts on iPad
# twitter.com/FontSquirrel/status/14855840545
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# webfonts
AddType application/vnd.ms-fontobject eot
AddType font/truetype ttf
AddType font/opentype otf
AddType application/x-font-woff woff
# assorted types
AddType image/x-icon ico
AddType image/webp webp
AddType text/cache-manifest appcache manifest
AddType text/x-component htc
AddType application/x-chrome-extension crx
AddType application/x-xpinstall xpi
AddType application/octet-stream safariextz
AddType text/x-vcard vcf
# ----------------------------------------------------------------------
# Expires headers (for better cache control)
# ----------------------------------------------------------------------
# these are pretty far-future expires headers
# they assume you control versioning with cachebusting query params like
# <script src="application.js?20100608">
# additionally, consider that outdated proxies may miscache
# www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
# if you don't use filenames to version, lower the css and js to something like
# "access plus 1 week" or so
#<IfModule mod_expires.c>
# ExpiresActive on
# Perhaps better to whitelist expires rules? Perhaps.
# ExpiresDefault "access plus 1 month"
# # cache.appcache needs re-requests in FF 3.6 (thx Remy ~Introducing HTML5)
# ExpiresByType text/cache-manifest "access plus 0 seconds"
# # your document html
# ExpiresByType text/html "access plus 0 seconds"
# # # data
# ExpiresByType text/xml "access plus 0 seconds"
# ExpiresByType application/xml "access plus 0 seconds"
# ExpiresByType application/json "access plus 0 seconds"
# # rss feed
# ExpiresByType application/rss+xml "access plus 1 hour"
# # favicon (cannot be renamed)
# ExpiresByType image/x-icon "access plus 1 year"
# media: images, video, audio
# ExpiresByType image/gif "access plus 1 year"
# ExpiresByType image/png "access plus 1 year"
# ExpiresByType image/jpg "access plus 1 year"
# ExpiresByType image/jpeg "access plus 1 year"
# ExpiresByType image/webp "access plus 1 year"
# ExpiresByType video/ogg "access plus 1 year"
# ExpiresByType audio/ogg "access plus 1 year"
# ExpiresByType audio/mp3 "access plus 1 year"
# ExpiresByType video/mp4 "access plus 1 year"
# ExpiresByType video/webm "access plus 1 year"
# # # htc files (css3pie)
# ExpiresByType text/x-component "access plus 1 month"
# # # webfonts
# ExpiresByType font/truetype "access plus 1 year"
# ExpiresByType font/opentype "access plus 1 year"
# ExpiresByType application/x-font-woff "access plus 1 year"
# ExpiresByType image/svg+xml "access plus 1 year"
# ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
# # # css and javascript
# ExpiresByType text/css "access plus 1 month"
# ExpiresByType application/javascript "access plus 1 month"
# ExpiresByType text/javascript "access plus 1 month"
# <IfModule mod_headers.c>
# Header append Cache-Control "public"
# </IfModule>
#</IfModule>
<FilesMatch "\.(js|css)$">
# "The format is an absolute date and time as defined by HTTP-date in section 3.3.1..."
Header set Expires "Thu, 15 Apr 2024 20:00:00 GMT"
</FilesMatch>
# ----------------------------------------------------------------------
# figuren.theater CLEANUP
# redirect ugly or unstructured URLs from the beginning
# into the proper scheme, given in 03/2021
#
# Old scheme:
# %category%/%year%/%postname%
# NEW scheme:
# %category%/%year%/%month%/%postname%
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine on
#
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
# do this only for some of our URLs
RewriteCond %{HTTP_HOST} ^meta\.figuren\.theater [NC,OR]
RewriteCond %{HTTP_HOST} ^meta\.figuren\.test [NC]
# created with help from https://yoast.com/research/permalink-helper.php
# 1. Group: category
# 2. Group: year
# 3. Group: post_title !! in our new scheme, this 3rd param
# is representing the monthly archives,
# so make sure to prevent rewriting thoose.
RewriteRule ^([^/]+)/([0-9]{4})/([^/\d]+)/$ ?name=$3 [L]
</IfModule>
# ----------------------------------------------------------------------
# figuren.theater GEOLOCATION
# fun URLS using emoji
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine on
#
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
# do this only for the portal
# RewriteCond %{HTTP_HOST} ^figuren\.theater [NC,OR]
# RewriteCond %{HTTP_HOST} ^puppen\.theater [NC,OR]
# RewriteCond %{HTTP_HOST} ^figuren\.test [NC,OR]
# RewriteCond %{HTTP_HOST} ^puppen\.test [NC]
# rewrite map-emoji to proper URL
# RewriteCond %{REQUEST_URI} 🗺️
# RewriteRule ^(.*)🇦🇹(.*)$ index.php/$1/in/$2 [L]
# RewriteRule ^(.*)%F0%9F%97%BA%EF%B8%8F(.*)$ index.php/$1/in/$2 [L]
RewriteRule ^(.*)🗺️(.*)$ index.php/$1/in/$2 [L]
# rewrite flag-emoji to proper URLs
RewriteRule ^(.*)🇦🇹(.*)$ index.php/$1/in/at/$2 [L]
RewriteRule ^(.*)🇨🇭(.*)$ index.php/$1/in/ch/$2 [L]
RewriteRule ^(.*)🇩🇪(.*)$ index.php/$1/in/de/$2 [L]
</IfModule>
# BEGIN Cache Enabler
<IfModule mod_rewrite.c>
<IfModule mod_setenvif.c>
RewriteEngine On
RewriteBase /
# cache directory
SetEnvIf Host ^ CE_CACHE_DIR=/content/cache/cache-enabler
# default cache keys
SetEnvIf Host ^ CE_CACHE_KEY_SCHEME http-
SetEnvIf Host ^ CE_CACHE_KEY_DEVICE
SetEnvIf Host ^ CE_CACHE_KEY_WEBP
SetEnvIf Host ^ CE_CACHE_KEY_COMPRESSION
# scheme cache key
RewriteCond %{HTTPS} ^(on|1)$ [OR]
RewriteCond %{SERVER_PORT} =443 [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =https [OR]
RewriteCond %{HTTP:X-Forwarded-Scheme} =https
RewriteRule ^ - [E=CE_CACHE_KEY_SCHEME:https-]
# device cache key
# SetEnvIf User-Agent "(Mobile|Android|Silk/|Kindle|BlackBerry|Opera Mini|Opera Mobi)" CE_CACHE_KEY_DEVICE=-mobile
# webp cache key
# SetEnvIf Accept image/webp CE_CACHE_KEY_WEBP=-webp
# compression cache key
<IfModule mod_mime.c>
SetEnvIf Accept-Encoding gzip CE_CACHE_KEY_COMPRESSION=.gz
AddType text/html .gz
AddEncoding gzip .gz
</IfModule>
# get cache file
SetEnvIf Host ^ CE_CACHE_FILE_DIR=%{ENV:CE_CACHE_DIR}/%{HTTP_HOST}%{REQUEST_URI}
SetEnvIf Host ^ CE_CACHE_FILE_NAME=%{ENV:CE_CACHE_KEY_SCHEME}index%{ENV:CE_CACHE_KEY_DEVICE}%{ENV:CE_CACHE_KEY_WEBP}.html%{ENV:CE_CACHE_KEY_COMPRESSION}
SetEnvIf Host ^ CE_CACHE_FILE=%{ENV:CE_CACHE_FILE_DIR}/%{ENV:CE_CACHE_FILE_NAME}
# check if cache file exists
RewriteCond %{DOCUMENT_ROOT}%{ENV:CE_CACHE_FILE} -f
# check request method
RewriteCond %{REQUEST_METHOD} =GET
# check permalink structure has trailing slash
RewriteCond %{REQUEST_URI} /[^\./\?]+(\?.*)?$
# check permalink structure has no trailing slash
# RewriteCond %{REQUEST_URI} /[^\./\?]+/(\?.*)?$
# check excluded query strings
RewriteCond %{QUERY_STRING} !^(?!(fbclid|ref|mc_(cid|eid)|utm_(source|medium|campaign|term|content|expid)|gclid|fb_(action_ids|action_types|source)|age-verified|usqp|cn-reloaded|_ga|_ke)).+$
# check excluded cookies
RewriteCond %{HTTP_COOKIE} !(wp-postpass|wordpress_logged_in|comment_author)_
# deliver cache file
RewriteRule ^ %{ENV:CE_CACHE_FILE} [L]
</IfModule>
</IfModule>
# END Cache Enabler
# ----------------------------------------------------------------------
# Prevent Username Enumeration
#
# like: https://domain.com/?author=1
#
# The request will be redirected
# to the author’s page with the corresponding user ID,
# what we DON'T want.
#
# https://domain.com/author/admin_username
#
# We want to block all author scan attacks!
#
# Except admin requests like for "My posts"
# wp-admin/edit.php?post_type=post&author=1
# This should be OK!
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !(wp-admin) [NC]
RewriteCond %{QUERY_STRING} author=\d
# send 403 Forbidden
RewriteRule ^ - [L,R=403]
</IfModule>
# ----------------------------------------------------------------------
# wordpress' house-internal rewrites
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
# WP 3.5+ Version
# @see http://codex.wordpress.org/Multisite_Network_Administration#.htaccess_and_Mod_Rewrite
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
# Prevent -f checks on index.php.
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
# (TEST: MULTI NETWORK)
# RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
# https://mu.wordpress.org/forums/topic/12676#post-93458
RewriteCond %{ENV:REDIRECT_STATUS} !^$ [OR]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
# RewriteRule ^(wp-(content|admin|includes).*) wp/$1 [L]
# (TEST: MULTI NETWORK)
# RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) wp/$2 [L]
# RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-includes.*) wp/$2 [L]
# RewriteRule ^([_0-9a-zA-Z-]+/)?(wp/)?(wp-(content|admin|includes).*) $3 [L]
RewriteRule ^([_0-9a-zA-Z-\/]+/)?(wp-(content|admin|includes).*) wp/$2 [L]
# RewriteRule ^(.*\.php)$ wp/$1 [L]
# (TEST: MULTI NETWORK)
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ wp/$2 [L]
# RewriteRule ^([_0-9a-zA-Z-]+/)?(wp/)?(.*\.php)$ $3 [L]
RewriteRule . index.php [L]
</IfModule>
# ----------------------------------------------------------------------
# Protect Important WP and Server Files
#
# Disables access to ...
# 1. old and (hope-) fully unused xmlrpc API
# 2. any log files
# 3. the wp-config.* files
# 4. most relevant dotfiles
# ----------------------------------------------------------------------
<FilesMatch "^(xmlrpc.php|php.*.log|error_log|wp-config.*|\.[hHeEgf][tTnNit][aApPvVtp].*|wp-cli.*.yml|package.json|composer.*|install.php|wp-signup.php)$">
Order deny,allow
Deny from all
</FilesMatch>
# ----------------------------------------------------------------------
# HTTP Headers for better security
# ----------------------------------------------------------------------
<IfModule mod_headers.c>
# HTTP Strict Transport Security (HSTS)
# https://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess#http_strict_transport_security_hsts
# Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
# Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# (1) Enable your site for HSTS preload inclusion.
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#
Header set X-XSS-Protection "1; mode=block"
# Deactivates MIME Sniffing in Internet Explorer and Chrome.
#
Header set X-Content-Type-Options nosniff
#
# https://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess#frame_options
# SAMEORIGIN or DENY
#
# this prevents oEmbeds of our content to work properly
# @TODO #12 find a finer grained solution to
# Header set X-Frame-Options SAMEORIGIN
# Referrer Policy
# https://infosec.mozilla.org/guidelines/web_security#referrer-policy
#
# DISABLED to keep Referrers for the stats
# Header set Referrer-Policy: no-referrer-when-downgrade
# https://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess#content_security_policy_csp
#
# To make your CSP implementation easier, you can use an online CSP header generator.
# https://report-uri.com/home/generate/
#
# You should also use a validator to make sure your header does what you want it to do.
# https://csp-evaluator.withgoogle.com/
#
# Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
# Permmisions (former:Feature) Policy
# https://developer.chrome.com/docs/privacy-sandbox/permissions-policy/
# https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
# https://www.permissionspolicy.com/
# CLEANUP
Header always unset X-Distributor
Header always unset X-Cache-Handler
Header always unset X-Redirect-By
Header always unset X-Powered-By
</IfModule>
# If you are using custom permalink, this trick does not work
ErrorDocument 404 /wp/index.php?error=404