Kirby htaccess rules - MOVED TO KIRBY SECRETS

With Kirby comes a great htaccess file. There is often no need to change it that much, but there are some things missing.

  • GZIP compression
  • Browser caching
  • Redirect from http to https and www to non www

Do you miss more things? Add an issue or a pull request.

https://github.com/jenstornell/kirby-htaccess-rules

8 Likes
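
The http-to-https plus www-to-non-www redirect from the list above, written out as an added example; this is not code from the kirby-htaccess-rules repo, and example.com stands in for the real hostname:

```apache
# Added example, not from the kirby-htaccess-rules repo: http -> https and
# www -> non-www in a single 301, with the canonical host hard-coded.
# "example.com" is a placeholder for the real domain.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Trigger when the request is plain http OR when the host starts with "www.".
    # (The [OR] on the first condition makes the two conditions an either/or pair.)
    RewriteCond %{HTTPS} !=on [OR]
    RewriteCond %{HTTP_HOST} ^www\. [NC]
    # Use a fixed hostname in the target rather than %{HTTP_HOST}: the Host
    # header is client-controlled, so echoing it into Location would let a
    # forged Host header decide where the browser is sent.
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
    # Once everything is on https, tell browsers to stay there for a year.
    # env=HTTPS limits the header to TLS responses (mod_ssl sets that variable),
    # which is the only place browsers honour it.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

Behind a TLS-terminating proxy %{HTTPS} stays off for every request, so test %{HTTP:X-Forwarded-Proto} !=https there instead, otherwise the rule redirects in a loop.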

# protect this .htaccess file

<files .htaccess>
  order allow,deny
  deny from all
</files>

# directory browsing disabled

Options All -Indexes

# keep header control

<IfModule mod_headers.c>
  Header set Connection keep-alive
  Header append Cache-Control "public"
</IfModule>

# allow .htpasswd in sub-dirs

ErrorDocument 401 default

# disable auto-indexing of my (C.V.) pdf file

<Files ~ "\.pdf$">
  Header set X-Robots-Tag "noindex, nofollow"
</Files>

That’s my .htaccess (along with Kirby's and your code).

3 Likes

I am using this in addition to Kirby's htaccess code: etags, gzip, deflate.

# BEGIN EXPIRE AND ETAGS
# (this FileETag setting is overridden by "FileETag None" further down)
FileETag MTime Size
<IfModule mod_expires.c>
  <FilesMatch "\.(jpg|gif|png|css|js)$">
    ExpiresActive on
    ExpiresDefault "access plus 1 year"
  </FilesMatch>
</IfModule>

# with far-future Expires headers on static files, ETags are not needed
<IfModule mod_headers.c>
  Header unset ETag
</IfModule>
FileETag None
# END EXPIRE AND ETAGS

# BEGIN GZIP
# mod_gzip compression (legacy, Apache 1.3)
<IfModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file \.(html?|xml|txt|css|js)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
# END GZIP

# BEGIN DEFLATE
# mod_deflate compression (Apache 2.x)
<IfModule mod_deflate.c>
  # Set compression for: html, txt, xml, js, css, eot fonts
  AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript application/vnd.ms-fontobject
  # Deactivate compression for buggy browsers
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  # \b is a word boundary; without the backslash this would only match the literal "bMSIE"
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  # Set header information for proxies (Header needs mod_headers)
  <IfModule mod_headers.c>
    Header append Vary User-Agent
  </IfModule>
</IfModule>
# END DEFLATE

1 Like

Kirby comes with basic rules, because everybody wants something else.
If you’re going to pimp your htaccess, please look at something decent like the h5bp boilerplate htaccess.

3 Likes

That was exactly what I was looking for. Thanks for submitting these, @jenstornell.

1 Like

Thank you, @jenstornell and @1n3JgKl9pQ6cUMrW for sharing your ideas on .htaccess! I tried to adapt the Kirby default .htaccess with your—also inspired by h5bp—setups.

# Kirby .htaccess

# disable Apache's server signature
ServerSignature Off

# set default charset for html & text
AddDefaultCharset utf-8

# set default index document
DirectoryIndex index.php

# set default error document
ErrorDocument 404 /error

<IfModule mod_access_compat.c>
    # restrict access to .git* & .ht* files
    <Files ~ "^\.(git|ht).*">
        Deny from all
        Satisfy all
    </Files>
</IfModule>

<IfModule mod_autoindex.c>
    # block access to directories without default index document
    Options -Indexes
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /

    # force https
    RewriteCond %{HTTPS} !=on
    RewriteCond %{ENV:HTTPS} !=on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

    # block text files in the content folder from being accessed directly
    RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]

    # block all files in the site folder from being accessed directly
    RewriteRule ^site/(.*) index.php [L]

    # block direct access to kirby and the panel sources
    RewriteRule ^(kirby|panel\/app|panel\/tests)/(.*) index.php [L]

    # make panel links work
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^panel/(.*) panel/index.php [L]

    # make site links work
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*) index.php [L]

    # prevent hacks: refuse (403) requests whose query string carries common injection patterns
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*) index.php [F,L]
</IfModule>

<IfModule mod_filter.c>
    # the DEFLATE filter itself is provided by mod_deflate
    <IfModule mod_deflate.c>
        # compress all output of application type
        AddOutputFilterByType DEFLATE "application/javascript" "application/rss+xml" "application/x-font-ttf" \
                                      "application/x-javascript" "application/xhtml+xml" "application/xml"

        # compress all output of font type
        AddOutputFilterByType DEFLATE "font/eot" "font/opentype"

        # compress all output of image type
        AddOutputFilterByType DEFLATE "image/svg+xml" "image/x-icon"

        # compress all output of text type
        AddOutputFilterByType DEFLATE "text/css" "text/html" "text/javascript" "text/plain" "text/xml"
    </IfModule>
</IfModule>

<IfModule mod_headers.c>
    # serve more than just one file at a time
    Header set Connection keep-alive

    # prevent browsers from MIME-sniffing the response
    Header set X-Content-Type-Options "nosniff"

    # remove the "X-Powered-By" response header
    Header unset X-Powered-By

    # allow cross-origin access to web fonts
    <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

<IfModule mod_mime.c>
    # set default charset for some media types
    AddCharset utf-8 .css .js .rss .xml

    # set default encoding type for svgz
    AddEncoding gzip svgz
</IfModule>

I’m looking at all my repos and trying to improve them.

I wonder if Kirby Htaccess Rules should be merged with Kirby Secrets or continue to be standalone. What do you think?

  • Keep them apart
  • Merge them
  • Not sure

0 voters

1 Like

Most of you that voted want me to merge Kirby Htaccess Rules into Kirby Secrets and I agree. Now I’ve copied 3/4 rules to Kirby Secrets.

Htaccess-browser-cache
Htaccess-gzip-compression
Htaccess-redirect-to-https-non-www

I removed one rule that is already in the official docs:

https://getkirby.com/docs/developer-guide/security#prevent-directory-listings

I will shut down Kirby Htaccess Rules in about a month, to give you some time to adapt.

Thanks for your votes! :slight_smile:

1 Like

Just a quick note that @jenstornell has completed the move of Kirby Htaccess Rules over to the Kirby Secrets wiki.

1 Like

Now the repo has been deleted and you can find all the information here instead: https://github.com/jenstornell/kirby-secrets/blob/master/docs/htaccess.md