snipe-it/public/.htaccess

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    # Needed for https://letsencrypt.org/ certificates.
    RewriteRule ^\.well-known/acme-challenge/ - [L]

    # Uncomment these two lines to force SSL redirect in Apache
    # RewriteCond %{HTTPS} off
    # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Security Headers
    # Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
    # Header set X-XSS-Protection "1; mode=block"
    # Header set X-Content-Type-Options nosniff
    # Header set X-Permitted-Cross-Domain-Policies "master-only"

</IfModule>
Options -Indexes

# DENY ACCESS TO IIS CONFIG FILE

# Apache 2.2+
<IfModule !authz_core_module>
	<Files "web.config">
	    Order allow,deny
    	Deny from all
    </Files>
</IfModule>

# Apache 2.4+
<IfModule authz_core_module>
	<Files "web.config">
      Require all denied
    </Files>
</IfModule>
Version 3 - hold onto your butts 2016-03-25 01:18:05 -07:00			`<IfModule mod_rewrite.c>`
			`<IfModule mod_negotiation.c>`
			`Options -MultiViews`
			`</IfModule>`

			`RewriteEngine On`

add rewrite rule for Let's Encrypt certificates The LE tools need access to a stable path to automatically obtain certificates, so add a rewrite rule to allow it. 2021-09-14 13:21:31 -07:00			`# Needed for https://letsencrypt.org/ certificates.`
Change the `[END]` directive in `.htaccess` to `[L]` This allows backwards-compatibility with older Apache versions (which we _used_ to have), and should do the exact same thing. 2021-11-17 15:29:51 -08:00			`RewriteRule ^\.well-known/acme-challenge/ - [L]`
add rewrite rule for Let's Encrypt certificates The LE tools need access to a stable path to automatically obtain certificates, so add a rewrite rule to allow it. 2021-09-14 13:21:31 -07:00
Added content security middleware 2017-09-28 19:45:15 -07:00			`# Uncomment these two lines to force SSL redirect in Apache`
Version 3 - hold onto your butts 2016-03-25 01:18:05 -07:00			`# RewriteCond %{HTTPS} off`
			`# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]`

Added content security middleware 2017-09-28 19:45:15 -07:00

Version 3 - hold onto your butts 2016-03-25 01:18:05 -07:00			`# Redirect Trailing Slashes If Not A Folder...`
			`RewriteCond %{REQUEST_FILENAME} !-d`
Update some composer dependencies to try to fix everything breaking in subdirectories. Attempts to fix #4052, it seems to help here. (#4078) 2017-09-29 17:05:20 -07:00			`RewriteCond %{REQUEST_URI} (.+)/$`
			`RewriteRule ^ %1 [L,R=301]`
Version 3 - hold onto your butts 2016-03-25 01:18:05 -07:00
			`# Handle Front Controller...`
			`RewriteCond %{REQUEST_FILENAME} !-d`
			`RewriteCond %{REQUEST_FILENAME} !-f`
			`RewriteRule ^ index.php [L]`

			`# Handle Authorization Header`
			`RewriteCond %{HTTP:Authorization} .`
			`RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`
Added content security middleware 2017-09-28 19:45:15 -07:00
			`# Security Headers`
Commented out security headers - might req apache module 2017-09-29 14:00:05 -07:00			`# Header set Strict-Transport-Security "max-age=2592000" env=HTTPS`
			`# Header set X-XSS-Protection "1; mode=block"`
			`# Header set X-Content-Type-Options nosniff`
			`# Header set X-Permitted-Cross-Domain-Policies "master-only"`
Added content security middleware 2017-09-28 19:45:15 -07:00
Version 3 - hold onto your butts 2016-03-25 01:18:05 -07:00			`</IfModule>`
Port/reenable most unit tests. (#5921) * Port/reenable most unit tests. Should probably flesh out notifications tests in the next few days. * Disable json checkin in ApiAssetsTest@index for now. It's broken, but hiding other real broken things. * Re Disable Groups allowDelete 2018-07-23 06:48:21 -07:00			`Options -Indexes`
Exclude web.config from Apache 2021-10-11 05:14:00 -07:00
Try conditiinal formatting to support apache 2.2 and 2.4 Signed-off-by: snipe <snipe@snipe.net> 2022-05-13 18:01:06 -07:00			`# DENY ACCESS TO IIS CONFIG FILE`

			`# Apache 2.2+`
			`<IfModule !authz_core_module>`
			`<Files "web.config">`
			`Order allow,deny`
			`Deny from all`
			`</Files>`
			`</IfModule>`

			`# Apache 2.4+`
			`<IfModule authz_core_module>`
			`<Files "web.config">`
			`Require all denied`
			`</Files>`
			`</IfModule>`