-
-
Notifications
You must be signed in to change notification settings - Fork 4.7k
Expand file tree
/
Copy path.htaccess
More file actions
201 lines (162 loc) · 6.95 KB
/
.htaccess
File metadata and controls
201 lines (162 loc) · 6.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
<IfModule mod_lsapi.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
</IfModule>
<IfModule mod_env.c>
# Add security and privacy related headers
# Avoid doubled headers by unsetting headers in "onsuccess" table,
# then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
<If "%{REQUEST_URI} =~ m#/login$#">
# Only on the login page we need any Origin or Referer header set.
Header onsuccess unset Referrer-Policy
Header always set Referrer-Policy "same-origin"
</If>
<Else>
Header onsuccess unset Referrer-Policy
Header always set Referrer-Policy "no-referrer"
</Else>
Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
Header onsuccess unset X-Permitted-Cross-Domain-Policies
Header always set X-Permitted-Cross-Domain-Policies "none"
Header onsuccess unset X-Robots-Tag
Header always set X-Robots-Tag "noindex, nofollow"
SetEnv modHeadersAvailable true
</IfModule>
# Add cache control for static resources
<FilesMatch "\.(css|js|mjs|svg|gif|png|jpg|webp|ico|wasm|tflite)$">
<If "%{QUERY_STRING} =~ /(^|&)v=/">
Header set Cache-Control "max-age=15778463, immutable"
</If>
<Else>
Header set Cache-Control "max-age=15778463"
</Else>
</FilesMatch>
# Let browsers cache OTF and WOFF files for a week
<FilesMatch "\.(otf|woff2?)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
</IfModule>
<IfModule mod_php.c>
php_value default_charset 'UTF-8'
php_value output_buffering 0
<IfModule mod_env.c>
SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddType application/wasm wasm
AddEncoding gzip svgz
# Serve ESM javascript files (.mjs) with correct mime type
AddType text/javascript js mjs
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
<IfModule pagespeed_module>
ModPagespeed Off
</IfModule>
#############
#### Rewrites
#############
<IfModule mod_rewrite.c>
RewriteEngine on
##
## Rule: Workaround for WebDAV with apache+php-cgi
##
## Context:
## - Sets the environment variable `HTTP_AUTHORIZATION` to the value of the `Authorization` request header
## - Always executed before and along with other rules (no `L` used)
## - XXX: *May* be replaced with an equivalent SetEnvIf in theory
## - XXX: SetEnvIf approach is already in use above for mod_proxy_cgi / mod_lsapi / mod_fcgid
##
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
##
## Rule: Workaround for WebDAV with MS DavClnt
##
## Context:
## - DavClnt attempts an OPTIONS request against `/` instead of the specified endpoint
## - Redirects the client to the endpoint rather than the login page (which confuses DavClnt)
##
RewriteCond %{HTTP_USER_AGENT} DavClnt
RewriteRule ^$ /remote.php/webdav/ [L,R=302]
##
## Rule: Map the RFC 8615 / RFC 6764 compliant well-known URI for CardDAV to our Remote DAV endpoint
##
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
##
## Rule: Map the RFC 8615 / RFC 6764 compliant well-known URI for CalDAV to our Remote DAV endpoint
##
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
##
## Rule: Map /remote* --> /remote.php* including the query string
##
## Context:
## - XXX: `QSA` seems unnecessary (no-op) here (query string is passed by default when the replacement URI doesn't contain a query string)
## - XXX: Is this even used anymore? Seems a relic from <NC12
##
RewriteRule ^remote/(.*) remote.php [QSA,L]
##
## Rule: Prevent access to non-public files
##
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
##
## Rule: Maps most RFC 8615 compliant well-known URIs to our main frontend controller (/index.php) by default
##
## Context:
## - Intentionally excludes URIs used for HTTPS certificate verifications
## - RFC 8555 / ACME HTTP Challenges (acme-challenge)
## - File-based Validations (pki-validation)
## - XXX: `QSA` seems unnecessary (no-op) here (query string is passed by default when the replacement URI doesn't contain a query string)
## - XXX: Sometimes we are using `/index.php` and other times `index.php` as our replacement URI; this may be incorrect
##
RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
##
## Rule: Map the ocm-provider handling to our main frontend controller (/index.php)
##
## Context:
## - XXX: `QSA` seems unnecessary (no-op) here (query string is passed by default when the replacement URI doesn't contain a query string)
## - XXX: Sometimes we are using `/index.php` and other times `index.php` as our replacement URI; this may be incorrect
##
RewriteRule ^ocm-provider/?$ index.php [QSA,L]
##
## Rule: Prevent access to more non-public files
##
## Context:
## - XXX It may make sense to merge some of these with the others (i.e. the ones that don't need to be last)
##
RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
# Clients like xDavv5 on Android, or Cyberduck, use chunked requests.
# When FastCGI or FPM is used with apache, requests arrive to Nextcloud without any content.
# This leads to the creation of empty files.
# The following directive will force the problematic requests to be buffered before being forwarded to Nextcloud.
# This way, the "Transfer-Encoding" header is removed, the "Content-Length" header is set, and the request content is proxied to Nextcloud.
# Here are more information about the issue:
# - https://docs.cyberduck.io/mountainduck/issues/fastcgi/
# - https://docs.nextcloud.com/server/latest/admin_manual/issues/general_troubleshooting.html#troubleshooting-webdav
<IfModule mod_setenvif.c>
SetEnvIfNoCase Transfer-Encoding "chunked" proxy-sendcl=1
</IfModule>
# Apache disabled the sending of the server-side content-length header
# in their 2.4.59 patch updated which breaks some use-cases in Nextcloud.
# Setting ap_trust_cgilike_cl allows to bring back the usual behaviour.
# See https://bz.apache.org/bugzilla/show_bug.cgi?id=68973
<IfModule mod_env.c>
SetEnv ap_trust_cgilike_cl
</IfModule>
AddDefaultCharset utf-8
Options -Indexes