• twitter image
  • facebook image
  • youtube image
  • linkedin image
Language: CMS Made Simple Czech CMS Made Simple France CMS Made Simple Hungary CMS Made Simple Russia CMS Made Simple Netherlands

All times are UTC




Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 
Author Message
 Post subject: .htaccess - General Improvments as of 2018-01-01
PostPosted: Mon Jan 01, 2018 11:11 pm 
Offline
New Member
New Member

Joined: Fri Dec 25, 2015 4:03 pm
Posts: 9
Hi all,

in the last 2 week, I spent literally days with SEO improving, speed testing, cache optimization and security settings on my various CMSMS 2.2.3.1 installations.

Finally I am happy with the settings and I get "A" ratings on most topics when testing on GTMetrics (https://gtmetrix.com/) and WebPageTest (https://www.webpagetest.org/).

Since it was quiet some tidious work and a lot of time have bee invested into that, I would like to share my settings here. It hopefully may help to save some time when you try to improve your setup.

It is based on the original template (included in the actual cmsms setup), adds lots of security measures including the G6 firewall and properly working cache/gzip settings.

These settings I run now - so far without any issue - on 3 different hostings (1&1, webland.ch, hoststar.ch) for cmsms version 2.2.3.1.

BR Hupi

PS: please also post some further improvements or ideas in case you have some.


Code:
# This file is specific to Apache configurations
# It attempts to optimize traffic and configuration for your CMS Made Simple website
# Many options are disabled by default, as some providers do not allow you to override some of these settings in the .htaccess file
# Please read carefully each section comment and enable/disable parts as required
# Updated 2018-01-01 by Hupi (hupi@hupi.ch) / v3-with-cache-and-G6-firewall

#
# START - Attempt to override some PHP settings
#
# These settings may be helpful on some hosts if your default configuration does not meet CMSMS's minimum requirements,
# and your host has given your account appropriate permissions.
   #php_value upload_max_filesize "10M"
   #php_value session_save_path "tmp/cache"
   #php_value session.cookie_httponly true
   #php_flag magic_quotes_gpc Off
   #php_flag register_globals Off
   #php_flag session.use_trans_sid Off
# To prevent E_STRICT problems with PHP 5.3+ you can uncomment the following lines
# Note: These settings should only be enabled for production sites!
   #php_flag display_startup_errors 0
   #php_flag display_errors 0
   #php_flag html_errors 0
   #php_value docref_root 0
   #php_value docref_ext 0
#
# END - Attempt to override some PHP settings
#

#
# START - Misc settings
#
# Disallow directory indexes. This can be an important security enhancement
   #Options -Indexes

# Don't allow the browser to know the type of signature
ServerSignature Off

# Allow the Apache server to follow symbolic links.  This is usually not necessary
   #Options +FollowSymLinks

# Define / add missing mime-types (used on some hosts due to mod-sec settings). If admin panel does not works properly, try this
   #AddType application/javascript .js
#
# END - Misc settings
#

#
# START - Enable pretty URLS and related stuff (only applicable if url_rewriting is set to 'mod_rewrite' in the config.php)
# This is for good SEO results basically mandatory
#
<IfModule mod_rewrite.c>
RewriteEngine on

# If your CMSMS installation is in a subdirectory of your domain, you may need to specify the relative path (from the root of the domain) here
# i.e: RewriteBase /cmsms
RewriteBase /

# IMPORTANT: Activate ONLY 1 of the next two sections (HTTP or HTTPS). DO NOT activate both
# Both section removes www from any URLs that have them. This is mainly for SEO improvements.
# Example: request "http(s)://www.example.com/test/" will look like "http(s)://example.com/test/"

# START - HTTP hosting (Activate this section for HTTP hosting only)
   RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
   RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
# END - HTTP hosting

# START - HTTPS hosting (Activate this section for HTTPS hosting only)
   #RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
   #RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

   # Force all URLs to https instead of http (HTTPS hosting only)
   #RewriteCond %{HTTPS} off
   #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END - HTTPS hosting

# Rewrites urls in the form of /parent/child/grandchild but only rewrites if the requested URL is not a file or directory.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
</IfModule>
#
# END - Enable pretty URLS
#


#
# START - Security settings
#

# Blocking Libwww-perl access to improve website security
<IfModule mod_rewrite.c>
   RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
   RewriteRule .* ? [F,L]
</IfModule>

#
# The following are highly recommended security settings for files in your CMSMS install that should not be browsed directly.
#
RedirectMatch 403 ^/.*\.htaccess$
RedirectMatch 403 ^/.*\.ini$
RedirectMatch 403 ^/.*config\.php$
RedirectMatch 403 ^.*/assets/.*\.php$
RedirectMatch 403 ^.*/assets/.*\.tpl$
RedirectMatch 403 ^.*/doc/.*$
RedirectMatch 403 ^.*/lib/.*\.php$
RedirectMatch 403 ^.*/log/.*$
RedirectMatch 403 ^.*/modules/.*\.php$
RedirectMatch 403 ^.*/tmp/.*\.php$
RedirectMatch 403 ^.*/uploads/.*\.php$

# Disallow cross-certification
<IfModule mod_headers.c>
   Header set X-Frame-Options "SAMEORIGIN"
   Header set X-XSS-Protection "1; mode=block"
   Header set X-Content-Type-Options "nosniff"
</IfModule>
#
# END - Security settings
#

#
# START - Cache settings (source: "WP FastestCache" adapted for CMS Made Simple by Hupi)
#

# BEGIN FastestCache
<FilesMatch "index\.(html|htm)$">
   AddDefaultCharset UTF-8
   <ifModule mod_headers.c>
      FileETag None
      Header unset ETag
      Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
      Header set Pragma "no-cache"
      Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT"
   </ifModule>
</FilesMatch>
# END FastestCache

# BEGIN Gzip FastestCache
<IfModule mod_deflate.c>
   AddType x-font/woff .woff
   AddType x-font/ttf .ttf
   AddOutputFilterByType DEFLATE image/svg+xml
   AddOutputFilterByType DEFLATE text/plain
   AddOutputFilterByType DEFLATE text/html
   AddOutputFilterByType DEFLATE text/xml
   AddOutputFilterByType DEFLATE text/css
   AddOutputFilterByType DEFLATE text/ecmascript
   AddOutputFilterByType DEFLATE application/x-pointplus
   AddOutputFilterByType DEFLATE application/ecmascript
   AddOutputFilterByType DEFLATE text/javascript
   AddOutputFilterByType DEFLATE application/xml
   AddOutputFilterByType DEFLATE application/xhtml+xml
   AddOutputFilterByType DEFLATE application/rss+xml
   AddOutputFilterByType DEFLATE application/javascript
   AddOutputFilterByType DEFLATE application/x-javascript
   AddOutputFilterByType DEFLATE application/x-font-ttf
   AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
   AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf
   # Exceptions for old browsers
   BrowserMatch ^Mozilla/4 gzip-only-text/html
   BrowserMatch ^Mozilla/4\.0[678] no-gzip
   BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</IfModule>
# END Gzip FastestCache

# BEGIN LBC FastestCache
# Values in seconds ( 1 day=86400, 1 week=604800, 1 month=2592000, 1 year=31104000 )
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|webp|js|css|swf|x-html|css|xml|js|woff|woff2|ttf|svg|eot)(\.gz)?$">
   <IfModule mod_expires.c>
      AddType application/font-woff2 .woff2
      ExpiresActive On
      ExpiresDefault A2592000
      ExpiresByType image/webp A2592000
      ExpiresByType image/gif A2592000
      ExpiresByType image/png A2592000
      ExpiresByType image/jpg A2592000
      ExpiresByType image/jpeg A2592000
      ExpiresByType image/ico A2592000
      ExpiresByType image/svg+xml A2592000
      ExpiresByType text/css A2592000
      ExpiresByType text/javascript A2592000
      ExpiresByType application/javascript A2592000
      ExpiresByType application/x-javascript A2592000
      ExpiresByType application/font-woff2 A2592000
   </IfModule>
   <IfModule mod_headers.c>
      Header set Expires "max-age=2592000, public"
      Header append Vary Accept-Encoding
      Header set Connection keep-alive
      Header unset ETag
      FileETag None
   </IfModule>
</FilesMatch>
# END LBC FastestCache

#
# END - Cache settings
#

#
# START - G6 Firewall. This should stop most hacking attemps rightaway
# Original settings from the autor "https://perishablepress.com/6g/".
# I did not apply changes. Complete section can be removed too (up to you)
#
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
   RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
   RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
   RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
   RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
   RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
   RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
   RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
   RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
   RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
   RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
   RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
   RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
   RewriteRule .* - [F]
</IfModule>

# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
   RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
   RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
   RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
   RedirectMatch 403 (?i)([a-z0-9]{2000,})
   RedirectMatch 403 (?i)(https?|ftp|php):/
   RedirectMatch 403 (?i)(base64_encode)(.*)(\()
   RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
   RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
   RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
   RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
   RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
   RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
   RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
   RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>

# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
   SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
   SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
   
   # Apache < 2.3
   <IfModule !mod_authz_core.c>
      Order Allow,Deny
      Allow from all
      Deny from env=bad_bot
   </IfModule>

   # Apache >= 2.3
   <IfModule mod_authz_core.c>
      <RequireAll>
         Require all Granted
         Require not env bad_bot
      </RequireAll>
   </IfModule>
</IfModule>

# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
   Order Allow,Deny
   Allow from All
   # uncomment/edit/repeat next line to block IPs
   # Deny from 123.456.789
</Limit>

#
# END - G6 Firewall
#


Attachments:
htaccess-v3-with-cache-and-G6-firewall.txt [9.75 KiB]
Downloaded 62 times
Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: .htaccess - General Improvments as of 2018-01-01
PostPosted: Tue Jan 02, 2018 2:34 pm 
Offline
Dev Team Member
Dev Team Member
User avatar

Joined: Wed Apr 23, 2008 7:53 am
Posts: 7540
Location: The Netherlands
Thank you for sharing this!!

Grtz. Rolf

_________________
Image

Did my post help you solving a problem at your (customers) website and it saved you many hours of work? Great!! Consider buying me a cup of coffee in return! [ Click here ]



Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: .htaccess - General Improvments as of 2018-01-01
PostPosted: Tue Jan 02, 2018 8:15 pm 
Offline
Forum Members
Forum Members

Joined: Tue Jun 12, 2007 1:29 pm
Posts: 246
Yeah, thank you for this, much appreciated!


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
Display posts from previous:  Sort by  
Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 

All times are UTC


Who is online

Users browsing this forum: No registered users


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
HostPapa CMS Made Simple hosting