MyShaarli/.htaccess

# Disable directory listing
Options -Indexes

RewriteEngine On

# Prevent accessing subdirectories not managed by SCM
RewriteRule ^(.git|doxygen|vendor) - [F]

# Forward the "Authorization" HTTP header
# fixes JWT token not correctly forwarded on some Apache/FastCGI setups
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
# Alternative (if the 2 lines above don't work)
# SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

# Slim URL Redirection
# Ionos Hosting needs RewriteBase /
# RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [QSA,L]

<LimitExcept GET POST PUT DELETE PATCH OPTIONS>
  <IfModule version_module>
    <IfVersion >= 2.4>
       Require all denied
    </IfVersion>
    <IfVersion < 2.4>
       Allow from none
       Deny from all
    </IfVersion>
  </IfModule>

  <IfModule !version_module>
    Require all denied
  </IfModule>
</LimitExcept>
htaccess: prevent accessing resources not managed by SCM See: - https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/ - https://stackoverflow.com/questions/2530372/how-do-i-disable-directory-browsing - https://httpd.apache.org/docs/current/mod/mod_rewrite.html Signed-off-by: VirtualTam <virtualtam@flibidi.net> 2018-01-20 16:20:53 +01:00			`# Disable directory listing`
			`Options -Indexes`

REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose. 2016-12-15 10:13:00 +01:00			`RewriteEngine On`
htaccess: prevent accessing resources not managed by SCM See: - https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/ - https://stackoverflow.com/questions/2530372/how-do-i-disable-directory-browsing - https://httpd.apache.org/docs/current/mod/mod_rewrite.html Signed-off-by: VirtualTam <virtualtam@flibidi.net> 2018-01-20 16:20:53 +01:00
			`# Prevent accessing subdirectories not managed by SCM`
			`RewriteRule ^(.git\|doxygen\|vendor) - [F]`

httpd: always forward the 'Authorization' header On some Apache HTTPD setups where the CGI/FastCGI mode is used, the HTTP header containing the JWT token is not forwarded, which results in the following error when attempting to use the REST API: "401 Not authorized: JWT token not provided" This patch allows forwarding the 'Authorization' header. An alternative would be to use the `CGIPassAuth` directive to allow all authorization headers to be forwarded. See: - https://secure.php.net/manual/en/features.http-auth.php#114877 - https://stackoverflow.com/questions/26475885/authorization-header-missing-in-php-post-request - https://stackoverflow.com/questions/13387516/authorization-header-missing-in-django-rest-framework-is-apache-to-blame - https://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers - https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassauth Signed-off-by: VirtualTam <virtualtam@flibidi.net> 2018-03-22 22:23:41 +01:00			`# Forward the "Authorization" HTTP header`
Merge latest 0.12.2 2023-05-24 11:35:15 +02:00			`# fixes JWT token not correctly forwarded on some Apache/FastCGI setups`
httpd: always forward the 'Authorization' header On some Apache HTTPD setups where the CGI/FastCGI mode is used, the HTTP header containing the JWT token is not forwarded, which results in the following error when attempting to use the REST API: "401 Not authorized: JWT token not provided" This patch allows forwarding the 'Authorization' header. An alternative would be to use the `CGIPassAuth` directive to allow all authorization headers to be forwarded. See: - https://secure.php.net/manual/en/features.http-auth.php#114877 - https://stackoverflow.com/questions/26475885/authorization-header-missing-in-php-post-request - https://stackoverflow.com/questions/13387516/authorization-header-missing-in-django-rest-framework-is-apache-to-blame - https://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers - https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassauth Signed-off-by: VirtualTam <virtualtam@flibidi.net> 2018-03-22 22:23:41 +01:00			`RewriteCond %{HTTP:Authorization} ^(.*)`
			`RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]`
Merge latest 0.12.2 2023-05-24 11:35:15 +02:00			`# Alternative (if the 2 lines above don't work)`
			`# SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0`
httpd: always forward the 'Authorization' header On some Apache HTTPD setups where the CGI/FastCGI mode is used, the HTTP header containing the JWT token is not forwarded, which results in the following error when attempting to use the REST API: "401 Not authorized: JWT token not provided" This patch allows forwarding the 'Authorization' header. An alternative would be to use the `CGIPassAuth` directive to allow all authorization headers to be forwarded. See: - https://secure.php.net/manual/en/features.http-auth.php#114877 - https://stackoverflow.com/questions/26475885/authorization-header-missing-in-php-post-request - https://stackoverflow.com/questions/13387516/authorization-header-missing-in-django-rest-framework-is-apache-to-blame - https://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers - https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassauth Signed-off-by: VirtualTam <virtualtam@flibidi.net> 2018-03-22 22:23:41 +01:00
Merge latest 0.12.2 2023-05-24 11:35:15 +02:00			`# Slim URL Redirection`
			`# Ionos Hosting needs RewriteBase /`
			`# RewriteBase /`
REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose. 2016-12-15 10:13:00 +01:00			`RewriteCond %{REQUEST_FILENAME} !-f`
			`RewriteCond %{REQUEST_FILENAME} !-d`
			`RewriteRule ^ index.php [QSA,L]`
API - Apache - Specify allowed HTTP method in .htaccess 2018-07-05 20:47:26 +02:00
Merge latest 0.12.2 2023-05-24 11:35:15 +02:00			`<LimitExcept GET POST PUT DELETE PATCH OPTIONS>`
Use version condition in the root .htaccess Related to #1196 2018-08-10 17:45:29 +02:00			`<IfModule version_module>`
			`<IfVersion >= 2.4>`
			`Require all denied`
			`</IfVersion>`
			`<IfVersion < 2.4>`
			`Allow from none`
			`Deny from all`
			`</IfVersion>`
			`</IfModule>`

			`<IfModule !version_module>`
API - Apache - Specify allowed HTTP method in .htaccess 2018-07-05 20:47:26 +02:00			`Require all denied`
Use version condition in the root .htaccess Related to #1196 2018-08-10 17:45:29 +02:00			`</IfModule>`
API - Apache - Specify allowed HTTP method in .htaccess 2018-07-05 20:47:26 +02:00			`</LimitExcept>`