nextcloud/.htaccess

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for CSS and JS files
  <FilesMatch "\.(css|js)$">
    Header set Cache-Control "max-age=7200, public"
  </FilesMatch>
</IfModule>
<IfModule mod_php5.c>
  php_value upload_max_filesize 513M
  php_value post_max_size 513M
  php_value memory_limit 512M
  php_value mbstring.func_overload 0
  php_value always_populate_raw_post_data -1
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
  RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]

  # Rewrite rules for `front_controller_active`
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php/core/js/oc.js [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php/core/preview.png [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
Fix WebDAV (and Android Client) not being able to authorize on Debian Squeeze + mod_fcgid installs. 2012-11-09 16:30:07 +04:00			`<IfModule mod_headers.c>`
Add mod_proxy_fcgi and mod_fastcgi to .htaccess 2015-08-11 11:55:57 +03:00			`<IfModule mod_setenvif.c>`
			`<IfModule mod_fcgid.c>`
Add some generic default headers as well via PHP 2015-03-26 17:30:00 +03:00			`SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1`
			`RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION`
			`</IfModule>`
Add mod_proxy_fcgi and mod_fastcgi to .htaccess 2015-08-11 11:55:57 +03:00			`<IfModule mod_proxy_fcgi.c>`
			`SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1`
			`</IfModule>`
Add some generic default headers as well via PHP 2015-03-26 17:30:00 +03:00			`</IfModule>`

			`<IfModule mod_env.c>`
			`# Add security and privacy related headers`
			`Header set X-Content-Type-Options "nosniff"`
			`Header set X-XSS-Protection "1; mode=block"`
			`Header set X-Robots-Tag "none"`
			`Header set X-Frame-Options "SAMEORIGIN"`
Add X-Download-Options and X-Permitted-Cross-Domain-Policies Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders--- 2016-01-11 23:20:42 +03:00			`Header set X-Download-Options "noopen"`
			`Header set X-Permitted-Cross-Domain-Policies "none"`
Add some generic default headers as well via PHP 2015-03-26 17:30:00 +03:00			`SetEnv modHeadersAvailable true`
			`</IfModule>`

			`# Add cache control for CSS and JS files`
			`<FilesMatch "\.(css\|js)$">`
			`Header set Cache-Control "max-age=7200, public"`
			`</FilesMatch>`
Fix WebDAV (and Android Client) not being able to authorize on Debian Squeeze + mod_fcgid installs. 2012-11-09 16:30:07 +04:00			`</IfModule>`
fix .htaccess file crashing apache+php-cgi 2011-08-22 19:16:37 +04:00			`<IfModule mod_php5.c>`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`php_value upload_max_filesize 513M`
			`php_value post_max_size 513M`
			`php_value memory_limit 512M`
			`php_value mbstring.func_overload 0`
			`php_value always_populate_raw_post_data -1`
			`php_value default_charset 'UTF-8'`
Fix .htaccess: php_value should be integer 2015-08-20 12:24:28 +03:00			`php_value output_buffering 0`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`<IfModule mod_env.c>`
			`SetEnv htaccessWorking true`
			`</IfModule>`
fix .htaccess file crashing apache+php-cgi 2011-08-22 19:16:37 +04:00			`</IfModule>`
don't try to use mod_rewrite when it isn't enabled having a broken web/card/caldav is much better as having no ownCloud at all :) 2012-01-03 07:55:19 +04:00			`<IfModule mod_rewrite.c>`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`RewriteEngine on`
			`RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`
			`RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]`
			`RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]`
Update .well-known redirects to the new dav endpoint This reverts commit 68321efd29184fbc1bef409ec41f9b38501116ef. 2015-11-18 19:40:27 +03:00			`RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]`
			`RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`RewriteRule ^remote/(.*) remote.php [QSA,L]`
			`RewriteRule ^(build\|tests\|config\|lib\|3rdparty\|templates)/.* - [R=404,L]`
Allow .well-known URI for letsencrypt See https://letsencrypt.readthedocs.org/en/latest/using.html#webroot 2015-12-06 01:22:05 +03:00			`RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`RewriteRule ^(\.\|autotest\|occ\|issue\|indie\|db_\|console).* - [R=404,L]`
Support pretty URLs This changeset allows ownCloud to run with pretty URLs, they will be used if mod_rewrite and mod_env are available. This means basically that the `index.php` in the URL is not shown to the user anymore. Also the not deprecated functions to generate URLs have been modified to support this behaviour, old functions such as `filePath` will still behave as before for compatibility reasons. Examples: http://localhost/owncloud/index.php/s/AIDyKbxiRZWAAjP => http://localhost/owncloud/s/AIDyKbxiRZWAAjP http://localhost/owncloud/index.php/apps/files/ => http://localhost/owncloud/apps/files/ Due to the way our CSS and JS is structured the .htaccess uses some hacks for the final result but could be worse... And I was just annoyed by all that users crying for the removal of `index.php` ;-) 2015-02-11 03:10:03 +03:00
Set "SetEnv" within base `.htaccess` file mod_rewrite as used by the front controller may require a `RewriteBase` in case the installation is done using an alias. Since we cannot enforce a writable `.htaccess` file this will move the `front_controller_active` environment variable into the main .htaccess file. If administrators decide to have this one not writable they can still enable this feature by setting the `front_controller_active` environment variable within the Apache config. 2015-12-01 20:55:18 +03:00			# Rewrite rules for `front_controller_active`
fix indentation 2015-12-02 12:51:52 +03:00			`Options -MultiViews`
Append PATH_INFO to ensure that file can be loaded on update 2015-12-01 22:08:07 +03:00			`RewriteRule ^core/js/oc.js$ index.php/core/js/oc.js [PT,E=PATH_INFO:$1]`
			`RewriteRule ^core/preview.png$ index.php/core/preview.png [PT,E=PATH_INFO:$1]`
Allow jpg files to be statically served When using an background image in themes of type JPG, the current setting of owncloud's htaccess file does not allow to deliver these kinds of images as static content. Adding the file extensions as done in this commit, it works flawlessly. 2016-03-11 01:08:56 +03:00			`RewriteCond %{REQUEST_FILENAME} !\.(css\|js\|svg\|gif\|png\|html\|ttf\|woff\|ico\|jpg\|jpeg)$`
Allow .ico files Makes `/core/img/favicon.ico` accessible again via web. 2015-12-07 19:15:04 +03:00			`RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$`
Set "SetEnv" within base `.htaccess` file mod_rewrite as used by the front controller may require a `RewriteBase` in case the installation is done using an alias. Since we cannot enforce a writable `.htaccess` file this will move the `front_controller_active` environment variable into the main .htaccess file. If administrators decide to have this one not writable they can still enable this feature by setting the `front_controller_active` environment variable within the Apache config. 2015-12-01 20:55:18 +03:00			`RewriteCond %{REQUEST_FILENAME} !/remote.php`
			`RewriteCond %{REQUEST_FILENAME} !/public.php`
			`RewriteCond %{REQUEST_FILENAME} !/cron.php`
			`RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php`
			`RewriteCond %{REQUEST_FILENAME} !/status.php`
			`RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php`
			`RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php`
Do not rewrite updater requests 2016-01-28 20:04:56 +03:00			`RewriteCond %{REQUEST_FILENAME} !/updater/`
Exclude ocs-provider from rewrite rule Otherwise `localhost/ocs-provider/` cannot be accessed if mod_rewrite is install ed. Only affects master. 2016-02-25 20:47:09 +03:00			`RewriteCond %{REQUEST_FILENAME} !/ocs-provider/`
Do not rewrite letsencrypt .well-known URI 2015-12-08 23:11:38 +03:00			`RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*`
don't try to use mod_rewrite when it isn't enabled having a broken web/card/caldav is much better as having no ownCloud at all :) 2012-01-03 07:55:19 +04:00			`</IfModule>`
add svg mimetype to default htaccess 2012-10-28 19:00:31 +04:00			`<IfModule mod_mime.c>`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`AddType image/svg+xml svg svgz`
			`AddEncoding gzip svgz`
add svg mimetype to default htaccess 2012-10-28 19:00:31 +04:00			`</IfModule>`
Reference module with `.c` Fixes https://github.com/owncloud/core/issues/13657 2015-01-28 14:42:15 +03:00			`<IfModule mod_dir.c>`
properly indent .htaccess 2015-08-16 16:40:03 +03:00			`DirectoryIndex index.php index.html`
Try to prefer index.php over index.html in the same directory Add JS redirect if that fails (HTTP-based redirects are disabled by default in more recent Firefox versions). 2013-04-24 17:11:53 +04:00			`</IfModule>`
added defaultcharset to utf-8 in htaccess 2013-02-26 20:38:59 +04:00			`AddDefaultCharset utf-8`
trying to fix /.well-known/host-meta 2012-05-11 12:47:42 +04:00			`Options -Indexes`
turn off mod_pagespeed 2014-01-08 10:56:08 +04:00			`<IfModule pagespeed_module>`
Add some generic default headers as well via PHP 2015-03-26 17:30:00 +03:00			`ModPagespeed Off`
adding cache control headers for css and js - fixes #11496 2014-10-14 08:36:53 +04:00			`</IfModule>`