nextcloud/.htaccess

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for CSS and JS files
  <FilesMatch "\.(css|js)$">
    Header set Cache-Control "max-age=7200, public"
  </FilesMatch>
</IfModule>
<IfModule mod_php5.c>
  php_value upload_max_filesize 513M
  php_value post_max_size 513M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value always_populate_raw_post_data -1
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]

  # Rewrite rules for `front_controller_active`
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php/core/js/oc.js [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php/core/preview.png [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff|ico)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule .* index.php [PT,E=PATH_INFO:$1]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
Fix WebDAV (and Android Client) not being able to authorize on Debian Squeeze + mod_fcgid installs. 2012-11-09 16:30:07 +04:00			`<IfModule mod_headers.c>`
Add mod_proxy_fcgi and mod_fastcgi to .htaccess 2015-08-11 11:55:57 +03:00			`<IfModule mod_setenvif.c>`
			`<IfModule mod_fcgid.c>`
Add some generic default headers as well via PHP 2015-03-26 17:30:00 +03:00			`SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1`
			`RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION`
			`</IfModule>`
Add mod_proxy_fcgi and mod_fastcgi to .htaccess 2015-08-11 11:55:57 +03:00			`<IfModule mod_proxy_fcgi.c>`
			`SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1`
			`</IfModule>`
Add some generic default headers as well via PHP 2015-03-26 17:30:00 +03:00			`</IfModule>`

			`<IfModule mod_env.c>`
			`# Add security and privacy related headers`
			`Header set X-Content-Type-Options "nosniff"`
			`Header set X-XSS-Protection "1; mode=block"`
			`Header set X-Robots-Tag "none"`
			`Header set X-Frame-Options "SAMEORIGIN"`
Add X-Download-Options and X-Permitted-Cross-Domain-Policies Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders--- 2016-01-11 23:20:42 +03:00			`Header set X-Download-Options "noopen"`
			`Header set X-Permitted-Cross-Domain-Policies "none"`
Add some generic default headers as well via PHP 2015-03-26 17:30:00 +03:00			`SetEnv modHeadersAvailable true`
			`</IfModule>`

			`# Add cache control for CSS and JS files`
			`<FilesMatch "\.(css\|js)$">`
			`Header set Cache-Control "max-age=7200, public"`
			`</FilesMatch>`
Fix WebDAV (and Android Client) not being able to authorize on Debian Squeeze + mod_fcgid installs. 2012-11-09 16:30:07 +04:00			`</IfModule>`
fix .htaccess file crashing apache+php-cgi 2011-08-22 19:16:37 +04:00			`<IfModule mod_php5.c>`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`php_value upload_max_filesize 513M`
			`php_value post_max_size 513M`
			`php_value memory_limit 512M`
			`php_value mbstring.func_overload 0`
			`php_value always_populate_raw_post_data -1`
			`php_value default_charset 'UTF-8'`
Fix .htaccess: php_value should be integer 2015-08-20 12:24:28 +03:00			`php_value output_buffering 0`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`<IfModule mod_env.c>`
			`SetEnv htaccessWorking true`
			`</IfModule>`
fix .htaccess file crashing apache+php-cgi 2011-08-22 19:16:37 +04:00			`</IfModule>`
don't try to use mod_rewrite when it isn't enabled having a broken web/card/caldav is much better as having no ownCloud at all :) 2012-01-03 07:55:19 +04:00			`<IfModule mod_rewrite.c>`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`RewriteEngine on`
			`RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`
			`RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]`
			`RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]`
Update .well-known redirects to the new dav endpoint This reverts commit 68321efd29184fbc1bef409ec41f9b38501116ef. 2015-11-18 19:40:27 +03:00			`RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]`
			`RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`RewriteRule ^remote/(.*) remote.php [QSA,L]`
			`RewriteRule ^(build\|tests\|config\|lib\|3rdparty\|templates)/.* - [R=404,L]`
Allow .well-known URI for letsencrypt See https://letsencrypt.readthedocs.org/en/latest/using.html#webroot 2015-12-06 01:22:05 +03:00			`RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`RewriteRule ^(\.\|autotest\|occ\|issue\|indie\|db_\|console).* - [R=404,L]`
Support pretty URLs This changeset allows ownCloud to run with pretty URLs, they will be used if mod_rewrite and mod_env are available. This means basically that the `index.php` in the URL is not shown to the user anymore. Also the not deprecated functions to generate URLs have been modified to support this behaviour, old functions such as `filePath` will still behave as before for compatibility reasons. Examples: http://localhost/owncloud/index.php/s/AIDyKbxiRZWAAjP => http://localhost/owncloud/s/AIDyKbxiRZWAAjP http://localhost/owncloud/index.php/apps/files/ => http://localhost/owncloud/apps/files/ Due to the way our CSS and JS is structured the .htaccess uses some hacks for the final result but could be worse... And I was just annoyed by all that users crying for the removal of `index.php` ;-) 2015-02-11 03:10:03 +03:00
Set "SetEnv" within base `.htaccess` file mod_rewrite as used by the front controller may require a `RewriteBase` in case the installation is done using an alias. Since we cannot enforce a writable `.htaccess` file this will move the `front_controller_active` environment variable into the main .htaccess file. If administrators decide to have this one not writable they can still enable this feature by setting the `front_controller_active` environment variable within the Apache config. 2015-12-01 20:55:18 +03:00			# Rewrite rules for `front_controller_active`
fix indentation 2015-12-02 12:51:52 +03:00			`Options -MultiViews`
Append PATH_INFO to ensure that file can be loaded on update 2015-12-01 22:08:07 +03:00			`RewriteRule ^core/js/oc.js$ index.php/core/js/oc.js [PT,E=PATH_INFO:$1]`
			`RewriteRule ^core/preview.png$ index.php/core/preview.png [PT,E=PATH_INFO:$1]`
Allow ico files to be served statically 2016-01-06 15:34:40 +03:00			`RewriteCond %{REQUEST_FILENAME} !\.(css\|js\|svg\|gif\|png\|html\|ttf\|woff\|ico)$`
Allow .ico files Makes `/core/img/favicon.ico` accessible again via web. 2015-12-07 19:15:04 +03:00			`RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$`
Set "SetEnv" within base `.htaccess` file mod_rewrite as used by the front controller may require a `RewriteBase` in case the installation is done using an alias. Since we cannot enforce a writable `.htaccess` file this will move the `front_controller_active` environment variable into the main .htaccess file. If administrators decide to have this one not writable they can still enable this feature by setting the `front_controller_active` environment variable within the Apache config. 2015-12-01 20:55:18 +03:00			`RewriteCond %{REQUEST_FILENAME} !/remote.php`
			`RewriteCond %{REQUEST_FILENAME} !/public.php`
			`RewriteCond %{REQUEST_FILENAME} !/cron.php`
			`RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php`
			`RewriteCond %{REQUEST_FILENAME} !/status.php`
			`RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php`
			`RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php`
Do not rewrite updater requests 2016-01-28 20:04:56 +03:00			`RewriteCond %{REQUEST_FILENAME} !/updater/`
Do not rewrite letsencrypt .well-known URI 2015-12-08 23:11:38 +03:00			`RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*`
Set "SetEnv" within base `.htaccess` file mod_rewrite as used by the front controller may require a `RewriteBase` in case the installation is done using an alias. Since we cannot enforce a writable `.htaccess` file this will move the `front_controller_active` environment variable into the main .htaccess file. If administrators decide to have this one not writable they can still enable this feature by setting the `front_controller_active` environment variable within the Apache config. 2015-12-01 20:55:18 +03:00			`RewriteRule .* index.php [PT,E=PATH_INFO:$1]`
don't try to use mod_rewrite when it isn't enabled having a broken web/card/caldav is much better as having no ownCloud at all :) 2012-01-03 07:55:19 +04:00			`</IfModule>`
add svg mimetype to default htaccess 2012-10-28 19:00:31 +04:00			`<IfModule mod_mime.c>`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`AddType image/svg+xml svg svgz`
			`AddEncoding gzip svgz`
add svg mimetype to default htaccess 2012-10-28 19:00:31 +04:00			`</IfModule>`
Reference module with `.c` Fixes https://github.com/owncloud/core/issues/13657 2015-01-28 14:42:15 +03:00			`<IfModule mod_dir.c>`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`DirectoryIndex index.php index.html`
Try to prefer index.php over index.html in the same directory Add JS redirect if that fails (HTTP-based redirects are disabled by default in more recent Firefox versions). 2013-04-24 17:11:53 +04:00			`</IfModule>`
added defaultcharset to utf-8 in htaccess 2013-02-26 20:38:59 +04:00			`AddDefaultCharset utf-8`
trying to fix /.well-known/host-meta 2012-05-11 12:47:42 +04:00			`Options -Indexes`
turn off mod_pagespeed 2014-01-08 10:56:08 +04:00			`<IfModule pagespeed_module>`
Add some generic default headers as well via PHP 2015-03-26 17:30:00 +03:00			`ModPagespeed Off`
adding cache control headers for css and js - fixes #11496 2014-10-14 08:36:53 +04:00			`</IfModule>`