##################################################################################################
#
# aeSecure v2.1 (c) AVONTURE Christophe (http://www.aesecure.com/)
#
# !!! ---------------------------------------------------------------------------------------- !!!
# !!! DON'T MODIFY THIS FILE MANUALLY. IF YOU NEED TO ADD RULES IN IT, JUST USE YOUR              !!!
# !!! http://yoursite/aesecure/setup.php?YOUR_LONG_KEY PAGE INTERFACE AND GO TO OPTION 1.4        !!!
# !!! "Manual edit of your .htaccess"                                                             !!!
# !!! ---------------------------------------------------------------------------------------- !!!
#
# If the .htaccess file isn't working at all, check in your httpd.conf that the AllowOverride
# directive for this directory is not set to None; in that case change it to All.
#
# So change "AllowOverride None" to "AllowOverride All" (without double-quotes), then restart Apache.
#
# NOTE(review): Apache reads this file one physical line at a time. Every directive must sit on
# its own line and "#" only starts a comment at the beginning of a line; a "#" placed after a
# directive is handed to that directive as an argument, not treated as a comment.
#
##################################################################################################
#aeSecure 1.1

# The #AESECURE_*_START / #AESECURE_*_END pairs are anchors used by the aeSecure setup page to
# insert its generated rules. Keep them verbatim and in this order, even while a section is empty.
#AESECURE_BLOCKUSERAGENT_START
#AESECURE_BLOCKUSERAGENT_END

#AESECURE_BLOCKIP_START
#AESECURE_BLOCKIP_END

#AESECURE_BLOCKPARTURL_START
#AESECURE_BLOCKPARTURL_END

#AESECURE_BLOCKREFERRER_START
#AESECURE_BLOCKREFERRER_END

# Define the 403 - Access denied page (a literal text message, not a URL).
# NOTE(review): a quoted ErrorDocument message cannot span physical lines (there is no line
# continuation here). If this file really contains the line breaks shown below, Apache stops the
# message at the first one and rejects the next line as an unknown directive; keep the whole
# message on the ErrorDocument line.
ErrorDocument 403 'Access denied
aeSecure

Access denied, unauthorized access.

If you think it\'s an error, please inform the webmaster to help him to adjust his security rules. Thank you.

Code : 403 - Deny access
'

# Hide every file from directory listings, so that a request for a folder without an index file
# (f.i. http://yoursite/images) never reveals its content. Belt and braces with -Indexes below.
IndexIgnore *

##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line just below this section, 'Options +FollowSymLinks', may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your SEF URLs. If they work,
# it has been set by your server administrator and you do not need it set here.
##
## Can be commented out if it causes errors, see notes above.
# -Indexes: never auto-generate a directory listing.
# NOTE(review): +FollowSymLinks lets Apache follow any symlink under this directory, whoever owns
# its target (f.i. one created through a vulnerable upload). 'Options +SymLinksIfOwnerMatch' is
# the stricter alternative that mod_rewrite also accepts, if your hosting allows it.
Options +FollowSymLinks -Indexes

# Define the default page ordering (first index.php if present, otherwise index.html).
DirectoryIndex index.php index.html

#AESECURE_MAINTENANCE_START
#AESECURE_MAINTENANCE_END

#AESECURE_COMPRESSION_START
#AESECURE_COMPRESSION_END

# Uncomment if you want to force HTTPS and if your server can handle it.
# NOTE(review): the target is built from %{HTTP_HOST}, i.e. the client-supplied Host header;
# prefer your real host name where possible. Without flags the redirect is sent as a temporary
# (302) one and later rules still run: use '[R=301,L]'. These lines also need mod_rewrite to be
# enabled ('RewriteEngine On', further down in this file).
#RewriteCond %{HTTPS} off
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

# -------------------------------------------------------------------------
# -- Inclusion of the aeSecure Premium htaccess (only for Premium users) --
# -------------------------------------------------------------------------

# -------------------------------------------------------------------------
# ----------------------------- Site security -----------------------------
# -------------------------------------------------------------------------
# Select a specific PHP version through the hosting company's handler (commented out).
# Keep it commented when PHP is no longer executed but downloaded, which is the case on a local
# web server (localhost) or when your hosting company does not provide this handler.
# NOTE(review): the original comment called PHP 5.4 "more secure than older versions"; that
# branch has been end-of-life for years and the handler name is hosting-specific, so check which
# PHP version it really selects before enabling it. The trailing dot in '.php3.' looks like a
# typo: mod_mime would register the extension 'php3.' rather than 'php3'.
#AddHandler application/x-httpd-php54 .php .php5 .php4 .php3.
#AESECURE_FILEUPLOAD_START
#AESECURE_FILEUPLOAD_END

#AESECURE_ERRORREPORTING_START
#aeSecure 1.3
# Disable errors and warnings for the visitor (they leak paths, versions and queries) and
# redirect them into a log file instead.
# NOTE(review): php_flag / php_value are only understood by mod_php. With PHP-FPM, FastCGI or CGI
# they are unknown directives and Apache answers 500 for the whole site; use .user.ini or the
# pool configuration there instead.
php_flag display_errors off
php_flag log_errors on
# NOTE(review): track_errors is a boolean (php_flag would be the conventional directive); it was
# deprecated in PHP 7.2 and removed in PHP 8, so this line is presumably ignored on current PHP.
php_value track_errors on
# NOTE(review): the log path is relative. Under mod_php it is presumably resolved against the
# directory of the running script, so a script outside the site root (f.i. /administrator/)
# would log somewhere else or nowhere; an absolute path is safer. The folder sits under the web
# root and is kept private only by the '.log' rewrite rule further down, i.e. it is exposed as
# soon as mod_rewrite is off.
php_value error_log aesecure/logs/error.log
#AESECURE_ERRORREPORTING_END

# Be sure that these php.ini variables are correctly initialized.
# NOTE(review): register_globals and magic_quotes_* were removed in PHP 5.4; these lines only
# matter on older hosts and are presumably ignored elsewhere (they can never turn the features on).
php_value register_globals off
# Disable magic_quotes (if not yet done in httpd.conf)
php_flag magic_quotes_runtime off
php_flag magic_quotes_sybase off

# Set your default timezone.
php_value date.timezone Europe/Brussels

# Increase cookie security; reduce the impact of XSS attacks (cookie theft).
# http://www.php.net/manual/fr/session.configuration.php#ini.session.cookie-httponly
# CAUSES PROBLEMS WITH AUTHENTICATION IN JOOMLA!® -- DON'T UNCOMMENT.
# NOTE(review): cookie_secure must stay off on a plain-HTTP site (the browser would never send the
# session cookie). use_only_cookies and cookie_httponly are worth re-testing on their own: the
# original note does not say which of the three actually broke the Joomla login.
#php_value session.cookie_secure true
#php_value session.use_only_cookies true
#php_value session.cookie_httponly true

# ------------------------------
# --- Block files/folders
# Everything below relies on mod_rewrite; without it none of the RewriteCond/RewriteRule
# protections in this file apply.
RewriteEngine On

#AESECURE_BLOCKFILE_START
#aesecure 1.7
# Block direct access to these files : don't allow an URL like f.i.
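# http://yoursite/install.txt
# Files that disclose the CMS/server version, its configuration or credentials (changelogs,
# readmes, license/credits files, configuration.php, wp-config.php, php.ini, httpd.conf,
# web.config, boot.ini, ...). They are matched against the requested file name and against the
# query string (so f.i. ?file=configuration.php is refused too).
# The request is only refused when the target exists (%{SCRIPT_FILENAME} -f); otherwise Apache
# serves its normal 404.
# NOTE(review): that -f condition makes the answer differ (403 vs 404) depending on whether the
# file exists, which lets a scanner confirm which of these files are present. Drop it if you
# would rather answer every such request the same way.
# NOTE(review): the dots in these names are unescaped regex metacharacters ("boot.ini" also
# matches "bootXini"); harmless here since it can only over-block.
RewriteCond %{REQUEST_FILENAME} (boot.ini|changelog.php|changelog.txt|configuration.php|contributing.md|copyright.php|credits.php|htaccess.txt|httpd.conf|install.mysql)$ [NC,OR]
RewriteCond %{QUERY_STRING} (boot.ini|changelog.php|changelog.txt|configuration.php|contributing.md|copyright.php|credits.php|htaccess.txt|httpd.conf|install.mysql).*$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} (install.pgsql|install.txt|joomla.xml|license.php|license.txt|maintainers.php|maintainers.txt|php.ini|phpinfo.php|readme.htm)$ [NC,OR]
RewriteCond %{QUERY_STRING} (install.pgsql|install.txt|joomla.xml|license.php|license.txt|maintainers.php|maintainers.txt|php.ini|phpinfo.php|readme.htm).*$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} (readme.html|readme.txt|upgrade.txt|web.config.txt|web.config|wp-config.php)$ [NC,OR]
RewriteCond %{QUERY_STRING} (readme.html|readme.txt|upgrade.txt|web.config.txt|web.config|wp-config.php).*$
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule .* /aesecure/accessdenied.php?s=148 [L]
#AESECURE_BLOCKFILE_END

# Never allow direct access to these file types: server-side sources other than .php, backups,
# SQL dumps, configuration files, logs and the Apache control files.
# Block f.i. http://yoursite/.htaccess, http://yoursite/backup.sql, ...
# .php itself is deliberately absent (it has to run). As above, only existing files are refused.
RewriteCond %{REQUEST_FILENAME} .*\.(phtm?l?|ash?x|aspx?|cfml?|cgi|pl|jsp|sql)$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} .*\.(bak|config|dll|exe|sql|ini|log|sh|inc|dist)$ [NC,OR]
RewriteCond %{REQUEST_FILENAME} .*\.(htaccess|htaccess_old|htpasswd)$ [NC]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule .* /aesecure/accessdenied.php?s=148 [L]

# ------------------------------
# --- Block fingerprint
# Refuse the query parameters used to fingerprint the site: tmpl=system, tmpl=offline and tp=.
# Block f.i. http://yoursite/index.php?tmpl=offline
# Both rules answer 403 ([F] implies [L]). The tmpl rule previously read 'RewriteRule .* - [L]',
# which denies nothing: '-' keeps the URL as is and [L] only ends the rewrite pass, so appending
# &tmpl=offline to any request let it through AND skipped every rule below (PHP easter-egg and
# GLOBALS/_REQUEST checks included).
RewriteCond %{QUERY_STRING} (^|&)tmpl=(system|offline) [NC]
RewriteRule .* - [F]
RewriteCond %{QUERY_STRING} (^|&)tp= [NC]
RewriteRule .* - [F]

# ------------------------------
# --- Block specific querystring
# PHP Easter Eggs
# Block f.i.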
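# http://yoursite/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
# The PHP easter-egg GUIDs give away that (and roughly which) PHP is running. They are refused
# unless the request comes from the web server itself, since the Joomla backend calls them.
# The loopback test is anchored with the dots escaped: '!127.0.0.1' was a substring match that
# also accepted f.i. 127.0.0.10; the IPv6 loopback address (::1) is accepted as well.
# NOTE(review): the Referer exemption is a convenience, not a control -- the Referer header is
# chosen by the client, so anyone can bypass this rule by sending it. The host name is
# site-specific (regenerate the file if the site moves). The previous pattern '(www\.)?www\.'
# always required 'www.'; it now matches the host with or without it.
RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|::1)$
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?compostelle-toulouse\.com [NC]
RewriteRule .* /aesecure/accessdenied.php?s=758 [L]

# Block out any script trying to modify a _REQUEST / PHP GLOBALS variable via the URL.
# Block f.i. http://yoursite/index.php?GLOBALS=SuperMe
# %{QUERY_STRING} never contains the leading '?', so the previous '(\?|&)' prefix missed the
# example above (parameter first in the query string). '(^|&|\?)' matches it at the start of the
# query string or after another parameter, and still accepts a literal '?' as before.
RewriteCond %{QUERY_STRING} (^|&|\?)GLOBALS(=|\[|\%[0-9A-Z]{0,2})? [NC,OR]
RewriteCond %{QUERY_STRING} (^|&|\?)_REQUEST(=|\[|\%[0-9A-Z]{0,2})? [NC]
RewriteRule .* /aesecure/accessdenied.php?s=654 [L]
# Block out any script that includes a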