72 lines
3.0 KiB
ApacheConf
72 lines
3.0 KiB
ApacheConf
|
# Preventing access to .htaccess
|
||
|
|
<Files ~ "^.*\.([Hh][Tt][Aa]|[Pp][Yy])">
|
||
|
|
Require all denied
|
||
|
|
</Files>
|
||
|
|
|
||
|
|
|
||
|
|
# Fixing some encoding issues on non-HTML files.
|
||
|
|
# Mostly affects the old privacy policies written in french. (Accents have issues in non-utf8 encodings !)
|
||
|
|
AddCharset utf-8 .css .txt .js .md .ts .mjs
|
||
|
|
#<Files ~ "\.txt?$">
|
||
|
|
# Header set Content-Type "text/plain; charset=utf-8"
|
||
|
|
#</Files>
|
||
|
|
#AddDefaultCharset utf-8
|
||
|
|
|
||
|
|
|
||
|
|
# Adding MIME types
|
||
|
|
AddType text/typescript .ts
|
||
|
|
AddType text/javascript .js
|
||
|
|
AddType text/javascript .mjs
|
||
|
|
AddType application/wasm .wasm
|
||
|
|
AddType video/x-matroska .mkv
|
||
|
|
AddType image/apng .apng
|
||
|
|
|
||
|
|
|
||
|
|
# Correcting some default options for security and language/content redirection.
|
||
|
|
# FollowSymlinks is also on since it's required for "mod_rewrite" and the server is jailed/containerized.
|
||
|
|
Options -Indexes +FollowSymlinks -ExecCGI
|
||
|
|
|
||
|
|
|
||
|
|
# Setting up GZIP.
|
||
|
|
# It's optional since reverse-proxies or caching layers will usually do it for us.
|
||
|
|
<ifModule mod_gzip.c>
|
||
|
|
mod_gzip_on Yes
|
||
|
|
mod_gzip_dechunk Yes
|
||
|
|
mod_gzip_item_include file \.(html?|txt|css|js|mjs|php|pl)$
|
||
|
|
mod_gzip_item_include handler ^cgi-script$
|
||
|
|
mod_gzip_item_include mime ^text/.*
|
||
|
|
mod_gzip_item_include mime ^application/x-javascript.*
|
||
|
|
mod_gzip_item_exclude mime ^image/.*
|
||
|
|
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
|
||
|
|
</ifModule>
|
||
|
|
|
||
|
|
|
||
|
|
# Setting some headers for security.
|
||
|
|
# Will cause "fail-safe crashes" if the "headers" module isn't enabled.
|
||
|
|
Header always set X-Frame-Options "deny"
|
||
|
|
#Header always set Content-Security-Policy "default-src 'self' archives.nibblepoker.lu archives.nibblepoker.com nibblepoker.com nibblepoker.lu; style-src 'self' nibblepoker.lu;img-src 'self' archives.nibblepoker.lu archives.nibblepoker.com nibblepoker.com nibblepoker.lu data:; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
|
||
|
|
Header always set X-XSS-Protection " 1; mode=block"
|
||
|
|
Header always set Referrer-Policy "no-referrer"
|
||
|
|
Header always set X-Content-Type-Options "nosniff"
|
||
|
|
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||
|
|
#Header always set Cache-Control "max-age=300, public"
|
||
|
|
Header always set Access-Control-Allow-Origin "*"
|
||
|
|
Header always set Permissions-Policy "browsing-topics=(), interest-cohort=()"
|
||
|
|
|
||
|
|
# Removing some headers since they often raise BS alarms about too much back-end info being sent to clients.
|
||
|
|
# Note: These headers can actually be removed by most reverse-proxies.
|
||
|
|
Header unset X-Powered-By
|
||
|
|
|
||
|
|
|
||
|
|
# Handling all other redirections.
|
||
|
|
# Will cause "fail-safe crashes" if the "rewrite" module isn't enabled.
|
||
|
|
RewriteEngine On
|
||
|
|
|
||
|
|
# Serving normal pages when a specific language key is at the beginning of the requested path.
|
||
|
|
# We use a regex to match all supported languages and use the 3rd ground, `(.*)` as `$3`, as the "real" path.
|
||
|
|
RewriteRule ^((en|fr)/)(.*)$ /$3 [QSA]
|
||
|
|
|
||
|
|
# Handling requests for "robots.txt" and "sitemap.txt" via PHP.
|
||
|
|
RewriteRule ^(en/|fr/)?robots.txt$ robots.php [L]
|
||
|
|
RewriteRule ^(en/|fr/)?sitemap.txt$ sitemap.php [L]
|