From 443e9e61a34585df431f994376f15388d51f16de Mon Sep 17 00:00:00 2001 From: An Phan Date: Tue, 27 Jan 2015 16:59:36 +0800 Subject: [PATCH] First batch --- CONTRIBUTING.md | 16 +++ README.md | 270 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 286 insertions(+) create mode 100644 CONTRIBUTING.md create mode 100644 README.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..3a00612 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,16 @@ +# Contributing + +1. Fork the repo. +2. Add your section following the [styling guide](#styling). +3. Commit changes. +4. Push your commit. +5. Create a pull request. +6. Wait with your fingers crossed. + +## Styling + +- Put your snippets into corresponding sections. +- Use `###` headers for your snippets. +- Add some note/description if applicable. People will thank you for that. +- For Apache-related examples, wrap your commands in a `apacheconf` code block. +- For command-line examples, wrap your commands in a `bash` code block. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..9dc9057 --- /dev/null +++ b/README.md @@ -0,0 +1,270 @@ +# .htaccess Snippets +A collection of useful .htaccess, all in one place. I decided to create this repo after getting so tired (and bored) with Googling everytime there's a need of forcing `www` for my new website. + +**Disclaimer**: While dropping the snippet into an `.htaccess` file is most of the time sufficient, there are cases when certain modifications might be required. Use with your own risks. + +## Table of Contents +- [Rewrite and Redirection](#rewrite-and-redirection) +- [Security](#security) +- [Performance](#performance) +- [Miscellaneous](#miscellaneous) + +## Rewrite and Redirection +Note: It is assumed that you have `mod_rewrite` installed and enabled. + +### Force www +``` apacheconf +RewriteEngine on +RewriteCond %{HTTP_HOST} ^example\.com [NC] +RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC] +``` + +### Force www in a Generic Way +``` apacheconf +RewriteCond %{HTTP_HOST} !^$ +RewriteCond %{HTTP_HOST} !^www\. [NC] +RewriteCond %{HTTPS}s ^on(s)| +RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L] +``` +This works for _any_ domain. [Source](https://stackoverflow.com/questions/4916222/htaccess-how-to-force-www-in-a-generic-way) + +### Force non-www +It's actually [recommended](http://no-www.org/) to remove `www` from your domain. Surprise surprise! +``` apacheconf +RewriteEngine on +RewriteCond %{HTTP_HOST} ^www\.example\.com [NC] +RewriteRule ^(.*)$ http://example.com/$1 [L,R=301] +``` + +### Force HTTPS +``` apacheconf +RewriteEngine on +RewriteCond %{HTTPS} !on +RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} +``` + +### Force Trailing Slash +``` apacheconf +RewriteCond %{REQUEST_URI} /+[^\.]+$ +RewriteRule ^(.+[^/])$ %{REQUEST_URI}/ [R=301,L] +``` + +### Redirect a Single Page +``` apacheconf +Redirect 301 /oldpage.html http://www.yoursite.com/newpage.html +Redirect 301 /oldpage2.html http://www.yoursite.com/folder/ +``` +[Source](http://css-tricks.com/snippets/htaccess/301-redirects/) + +### Redirect an Entire Site +``` apacheconf +Redirect 301 / http://newsite.com/ +``` +This way does it with links intact. That is `www.oldsite.com/some/crazy/link.html` will become `www.newsite.com/some/crazy/link.html`. This is extremely helpful when you are just "moving" a site to a new domain. [Source](http://css-tricks.com/snippets/htaccess/301-redirects/) + +## Security +### Deny All Access +``` apacheconf +Deny from All +``` + +But wait, this will lock you out from your content as well! Thus introducing... + +### Deny All Access Except Yours +``` apacheconf +Order deny, allow +Deny from All +Allow from xxx.xxx.xxx.xxx +``` +`xxx.xxx.xxx.xxx` is your IP. If you replace the last three digits with 0/12 for example, this will specify a range of IPs within the same network, thus saving you the trouble to list all allowed IPs separately. [Source](http://speckyboy.com/2013/01/08/useful-htaccess-snippets-and-hacks/) + +Now of course there's a reversed version: + +### Allow All Access Except Spammers' +``` apacheconf +Order deny, allow +Allow from All +Deny from xxx.xxx.xxx.xxx +Deny from xxx.xxx.xxx.xxy +``` + +### Deny Access to Hidden Files and Directories +Hidden files and directories (those whose names start with a dot `.`) should most, if not all, of the time be secured. For example: `.htaccess`, `.htpasswd`, `.git`, `.hg`... +``` apacheconf +RewriteCond %{SCRIPT_FILENAME} -d [OR] +RewriteCond %{SCRIPT_FILENAME} -f +RewriteRule "(^|/)\." - [F] +``` + +### Disable Directory Browsing +``` apacheconf +Options All -Indexes +``` + +### Disable Image Hotlinking +``` apacheconf +RewriteEngine on +RewriteCond %{HTTP_REFERER} !^$ +RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC] +RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L] +``` + +### Password Protect a Directory +First you need to create a `.htpasswd` file somewhere in the system: +``` bash +htpasswd -c /home/fellowship/.htpasswd boromir +``` + +Then you can use it for authentication: +``` apacheconf +AuthType Basic +AuthName "One does not simply" +AuthUserFile /home/fellowship/.htpasswd +Require valid-user +``` + +## Performance +### Compress Text Files +``` apacheconf + + + # Force compression for mangled headers. + # http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping + + + SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding + RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding + + + + # Compress all output labeled with one of the following MIME-types + # (for Apache versions below 2.3.7, you don't need to enable `mod_filter` + # and can remove the `` and `` lines + # as `AddOutputFilterByType` is still in the core directives). + + AddOutputFilterByType DEFLATE application/atom+xml \ + application/javascript \ + application/json \ + application/rss+xml \ + application/vnd.ms-fontobject \ + application/x-font-ttf \ + application/x-web-app-manifest+json \ + application/xhtml+xml \ + application/xml \ + font/opentype \ + image/svg+xml \ + image/x-icon \ + text/css \ + text/html \ + text/plain \ + text/x-component \ + text/xml + + + +``` +[Source](https://h5bp.com) + + +### Set Expires Headers +_Expires headers_ tell the browser whether they should request a specific file from the server or just grab it from the cache. It is advisable to set static content's expires headers to something far in the future. +If you don't control versioning with filename-based cache busting, consider lowering the cache time for resources like CSS and JS to something like 1 week. [Source](http://h5bp.com) +``` apacheconf + + ExpiresActive on + ExpiresDefault "access plus 1 month" + + # CSS + ExpiresByType text/css "access plus 1 year" + + # Data interchange + ExpiresByType application/json "access plus 0 seconds" + ExpiresByType application/xml "access plus 0 seconds" + ExpiresByType text/xml "access plus 0 seconds" + + # Favicon (cannot be renamed!) + ExpiresByType image/x-icon "access plus 1 week" + + # HTML components (HTCs) + ExpiresByType text/x-component "access plus 1 month" + + # HTML + ExpiresByType text/html "access plus 0 seconds" + + # JavaScript + ExpiresByType application/javascript "access plus 1 year" + + # Manifest files + ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds" + ExpiresByType text/cache-manifest "access plus 0 seconds" + + # Media + ExpiresByType audio/ogg "access plus 1 month" + ExpiresByType image/gif "access plus 1 month" + ExpiresByType image/jpeg "access plus 1 month" + ExpiresByType image/png "access plus 1 month" + ExpiresByType video/mp4 "access plus 1 month" + ExpiresByType video/ogg "access plus 1 month" + ExpiresByType video/webm "access plus 1 month" + + # Web feeds + ExpiresByType application/atom+xml "access plus 1 hour" + ExpiresByType application/rss+xml "access plus 1 hour" + + # Web fonts + ExpiresByType application/font-woff "access plus 1 month" + ExpiresByType application/vnd.ms-fontobject "access plus 1 month" + ExpiresByType application/x-font-ttf "access plus 1 month" + ExpiresByType font/opentype "access plus 1 month" + ExpiresByType image/svg+xml "access plus 1 month" + +``` + +### Turn eTags Off +By removing the ETag header, you disable caches and browsers from being able to validate files, so they are forced to rely on your Cache-Control and Expires header. [Source](http://www.askapache.com/htaccess/apache-speed-etags.html) +``` apacheconf + + Header unset ETag + +FileETag None +``` + + +## Miscellaneous + +### Set PHP Variables +``` apacheconf +php_value + +# For example: +php_value upload_max_filesize 50M +php_value max_execution_time 240 +``` + +### Custom Error Pages +``` apacheconf +ErrorDocument 400 /errors/breakingbad.html +ErrorDocument 401 /errors/notrespassing.html +ErrorDocument 403 /errors/mordor.html +ErrorDocument 404 /errors/halflife3.html +ErrorDocument 500 /errors/notabugitsafeature.html +``` + +### Force Downloading +Sometimes you want to force the browser to download some content instead of displaying it. The following snippet will help. +``` apacheconf + + ForceType application/octet-stream + Header set Content-Disposition attachment + +``` + +### Allow Cross-Domain Fonts +CDN-served webfonts might not work in Firefox or IE due to [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing). The following snippet from [HTML5Boilerplate](http://h5bp.com) should make it happen. +``` apacheconf + + + Header set Access-Control-Allow-Origin "*" + + +``` \ No newline at end of file