# Default charset: label text/plain and text/html responses as UTF-8.
AddDefaultCharset utf-8

# Custom page served for 404 (Not Found) responses.
ErrorDocument 404 /404.html

# Turn off filename-pattern content negotiation (MultiViews).
#
# With it enabled, Apache can return a 404 as the result of a rewrite
# when the directory with the same name does not exist.
Options -MultiViews

# Do not append the server-information footer line to server-generated
# documents (error messages, directory listings, etc.).
# NOTE(review): this only affects that footer; the `Server` response
# header is governed by `ServerTokens`, which must be set in the main
# server configuration.
ServerSignature Off

# Do not generate `ETag`s; resources are sent with far-future expires
# headers instead.
FileETag None
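<IfModule mod_headers.c>
    # Response headers: encoding labels for precompressed assets, security
    # headers, cache hints and the HTTP/2 push map.
    #
    # NOTE(review): every directive here uses mod_headers' default
    # `onsuccess` table, so these headers are not added to locally
    # generated non-success responses (for example the 301 to HTTPS). If
    # the security headers are wanted on those responses as well, switch to
    # `Header always set` and use `Header always unset` in the exclusion
    # block below; the two tables are independent of each other.

    # Label precompressed gzip (zopfli) files with the matching encoding.
    # The rewrite rules that select these files need mod_rewrite.
    <FilesMatch "(\.js\.gz|\.css\.gz|\.svg\.gz|\.html\.gz|\.json\.gz)$">
        Header set Content-Encoding gzip
        # Force proxies to cache compressed and uncompressed variants separately.
        Header append Vary Accept-Encoding
    </FilesMatch>

    # Label precompressed brotli files with the matching encoding.
    <FilesMatch "(\.js\.br|\.css\.br|\.svg\.br|\.html\.br|\.json\.br)$">
        Header set Content-Encoding br
        # Force proxies to cache compressed and uncompressed variants separately.
        Header append Vary Accept-Encoding
    </FilesMatch>

    # Content Security Policy.
    #
    # `frame-ancestors` is set to 'none' so that it agrees with
    # `X-Frame-Options: DENY` below. Browsers that implement
    # `frame-ancestors` ignore X-Frame-Options, so a value of 'self' here
    # would have allowed same-origin framing despite the DENY header. If
    # same-origin framing is actually needed, relax both headers together.
    #
    # NOTE(review): `require-sri-for` is not enabled by default in current
    # browsers and `block-all-mixed-content` is deprecated; unsupported
    # directives are ignored, so do not count on either for protection.
    Header set Content-Security-Policy "default-src 'self'; img-src 'self' *.github.com; connect-src 'self' api.asciidisco.com; require-sri-for script style; block-all-mixed-content; frame-ancestors 'none'; form-action 'self'; sandbox allow-same-origin allow-scripts; base-uri 'self';"

    # Set Referrer Policy header.
    Header set Referrer-Policy same-origin

    # Detect WebP support with `Vary: Accept`. The `accept` variable is set
    # by the WebP rewrite rule and arrives here as REDIRECT_accept.
    Header append Vary Accept env=REDIRECT_accept

    # Prevent some browsers from MIME-sniffing the response.
    #
    # This reduces exposure to drive-by download attacks and cross-origin
    # data leaks, and should be left enabled, especially if the server is
    # serving user-uploaded content or content that could potentially be
    # treated as executable by the browser. (Was set twice; one directive
    # is sufficient because `Header set` replaces the previous value.)
    Header set X-Content-Type-Options "nosniff"

    # Prevent intermediate caches or proxies (such as the ones used by
    # mobile network providers) from modifying the website's content.
    Header merge Cache-Control "no-transform"

    # Enable HSTS for two years. Browsers honour this header only on HTTPS
    # responses, and without `includeSubDomains` it covers this host only.
    Header set Strict-Transport-Security "max-age=63072000"

    # Protect the website against clickjacking: `DENY` tells browsers not
    # to display the page in any frame. (Was set twice; kept once.)
    Header set X-Frame-Options "DENY"

    # Legacy XSS filter switch.
    # NOTE(review): current browsers have removed the built-in XSS filter,
    # so this header only reaches legacy clients; the Content-Security-Policy
    # above is the control to rely on.
    Header set X-XSS-Protection "1; mode=block"

    # Remove `ETag` and `Last-Modified`, as resources are sent with
    # far-future expires headers.
    Header unset ETag
    Header unset Last-Modified

    # Remove the server technology header.
    Header unset X-Powered-By

    # Set language header on text resources.
    <FilesMatch "(\.html|\.html\.gz|\.html\.br|\.js|\.js\.gz|\.js\.br|\.css|\.css\.gz|\.css\.br|\.svg|\.svg\.gz|\.svg\.br|\.json|\.json\.gz|\.json\.br|\.xml|\.xml\.gz|\.xml\.br)$">
        Header set Content-Language en-GB
    </FilesMatch>

    # Unset X-Frame-Options, X-XSS-Protection and Content-Security-Policy
    # for everything but HTML.
    # NOTE(review): .svg and .xml responses can be opened as top-level
    # documents, and SVG can carry script. With these headers removed such
    # a document is neither covered by the CSP nor protected from framing.
    # Consider dropping the svg/xml entries from this list unless every
    # such file is fully trusted - verify that rendering is unaffected.
    <FilesMatch "(\.js|\.js\.gz|\.js\.br|\.css|\.css\.gz|\.css\.br|\.svg|\.svg\.gz|\.svg\.br|\.json|\.json\.gz|\.json\.br|\.xml|\.xml\.gz|\.xml\.br|\.woff2|\.woff|\.jpg|\.jpeg|\.png|\.webm|\.gif|\.webp)$">
        Header unset X-Frame-Options
        Header unset X-XSS-Protection
        Header unset Content-Security-Policy
    </FilesMatch>

    # HTTP/2 PUSH Maps (placeholder filled in by the build/deploy step).
    {{{PUSH_MANIFEST}}}
</IfModule>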
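<IfModule mod_mime.c>
    # Media type mappings.
    #
    # `X-Content-Type-Options: nosniff` is sent with responses, so browsers
    # will not guess a type: scripts and stylesheets served with the wrong
    # Content-Type are refused rather than sniffed. Keep these mappings
    # accurate.

    # Data interchange
    AddType application/atom+xml atom
    AddType application/json json map topojson
    AddType application/ld+json jsonld
    AddType application/rss+xml rss
    AddType application/vnd.geo+json geojson
    AddType application/xml rdf xml

    # JavaScript
    AddType application/javascript js mjs

    # Manifest files
    AddType application/manifest+json webmanifest
    AddType application/x-web-app-manifest+json webapp
    AddType text/cache-manifest appcache

    # Media files
    AddType audio/mp4 f4a f4b m4a
    AddType audio/ogg oga ogg opus
    AddType image/bmp bmp
    AddType image/svg+xml svg svgz
    AddType image/webp webp
    AddType video/mp4 f4v f4p m4v mp4
    AddType video/ogg ogv
    AddType video/webm webm
    AddType video/x-flv flv
    AddType image/x-icon cur ico

    # Web fonts
    AddType font/woff woff
    AddType font/woff2 woff2
    AddType application/vnd.ms-fontobject eot
    AddType font/ttf ttf
    AddType font/collection ttc
    AddType font/otf otf

    # Other
    # (The second `AddType image/webp webp` that used to close this group
    # repeated the mapping under "Media files" and has been dropped.)
    AddType application/octet-stream safariextz
    AddType application/x-bb-appworld bbaw
    AddType application/x-chrome-extension crx
    AddType application/x-opera-extension oex
    AddType application/x-xpinstall xpi
    AddType text/calendar ics
    AddType text/markdown markdown md
    AddType text/vcard vcard vcf
    AddType text/vnd.rim.location.xloc xloc
    AddType text/vtt vtt
    AddType text/x-component htc

    # Send text resources as UTF-8 by default
    AddCharset utf-8 .atom \
                     .bbaw \
                     .css \
                     .geojson \
                     .ics \
                     .js \
                     .json \
                     .jsonld \
                     .manifest \
                     .markdown \
                     .md \
                     .mjs \
                     .rdf \
                     .rss \
                     .topojson \
                     .vtt \
                     .webapp \
                     .webmanifest \
                     .xloc \
                     .xml
</IfModule>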
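<IfModule mod_rewrite.c>
    # Enable the rewrite engine before any rule is declared.
    RewriteEngine On

    # Force redirect to HTTPS. Kept as the first rule so that plain-HTTP
    # requests are redirected before any other rewrite is considered.
    # NOTE(review): the redirect target is built from the client-supplied
    # Host header. If this site can be reached under host names it does not
    # own (e.g. as a default/catch-all virtual host), pin the canonical
    # host name here instead of %{HTTP_HOST}.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Precompressed assets: serve the brotli (.br) or gzip/zopfli (.gz)
    # sibling of a file when it exists, is non-empty and the client
    # advertises the matching Accept-Encoding.
    #
    # Every pattern is anchored with `$`. Unanchored, `^(.*)\.js` also
    # matched `data.json` and rewrote it to `data.js.br`, and `^(.*)\.css`
    # matched names such as `style.css.map`.

    # CSS
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.css$ $1\.css\.br [QSA]
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.css$ $1\.css\.gz [QSA]

    # JS
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.js$ $1\.js\.br [QSA]
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.js$ $1\.js\.gz [QSA]

    # SVG
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.svg$ $1\.svg\.br [QSA]
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.svg$ $1\.svg\.gz [QSA]

    # HTML
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.html$ $1\.html\.br [QSA]
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.html$ $1\.html\.gz [QSA]

    # JSON
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.json$ $1\.json\.br [QSA]
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.json$ $1\.json\.gz [QSA]

    # Serve correct content types for the precompressed files, and set
    # `no-gzip` so mod_deflate does not compress them a second time.
    RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
    RewriteRule \.css\.br$ - [T=text/css,E=no-gzip:1]
    RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
    RewriteRule \.js\.br$ - [T=text/javascript,E=no-gzip:1]
    RewriteRule \.svg\.gz$ - [T=image/svg+xml,E=no-gzip:1]
    RewriteRule \.svg\.br$ - [T=image/svg+xml,E=no-gzip:1]
    RewriteRule \.html\.gz$ - [T=text/html,E=no-gzip:1]
    RewriteRule \.html\.br$ - [T=text/html,E=no-gzip:1]
    RewriteRule \.json\.gz$ - [T=application/json,E=no-gzip:1]
    RewriteRule \.json\.br$ - [T=application/json,E=no-gzip:1]

    # WebP: when the browser accepts image/webp and a .webp replacement
    # exists, serve it in place of the JPEG/PNG. The `accept` variable set
    # here is what triggers the `Vary: Accept` header in mod_headers.
    RewriteCond %{HTTP_ACCEPT} image/webp
    RewriteCond %{DOCUMENT_ROOT}/$1.webp -f
    RewriteRule (.+)\.(jpe?g|png)$ $1.webp [T=image/webp,E=accept:1]

    # Route requests to the latest deployment public folder, unless the
    # request URI already points into it.
    RewriteCond %{REQUEST_URI} !^/{{PUBLIC_FOLDER}}/
    RewriteRule (.*) {{PUBLIC_FOLDER}}/$1 [L]

    # Filename-based cache busting
    # Rewrites all requests such as `/css/style.12sf65.css` to
    # `/css/style.css` when the requested file itself does not exist.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.+)\.([a-zA-Z0-9]+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ $1.$3 [L]
</IfModule>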
<IfModule mod_expires.c>
    # Expiry policy: long-lived CSS and JavaScript, everything else
    # (including HTML) expires on access.
    ExpiresActive on

    # Fallback for any type not listed below: expire immediately.
    ExpiresDefault "access plus 0 seconds"

    # HTML: always revalidated, so a new deployment is picked up at once.
    ExpiresByType text/html "access plus 0 seconds"

    # CSS: far-future expiry. New versions are published under a new file
    # name (see the filename-based cache busting rewrite rule).
    ExpiresByType text/css "access plus 1 year"

    # JavaScript: far-future expiry for each media type it may be served as.
    ExpiresByType text/javascript "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType application/x-javascript "access plus 1 year"
</IfModule>