vBWarez - Rest In Peace

.htaccess file for vB5x with Exploit patches and Advanced caching.



This is an advanced vB5x [URL="http://www.htaccess-guide.com/"].htaccess[/URL] file. (With some modification, it can also be used on all other vB versions.)
This .htaccess file will protect vBulletin 5.x from all currently known [URL="https://vbwarez.net/threads/16930-Fix-for-vb5-1-x-Security-Exploits?highlight=exploit"]exploit attacks[/URL] without the need to alter any PHP or SQL data.
The cache control system is common to Apache servers and reduces page load times by roughly 40% on reload.

It offers -
Apache MOD caching;
Securing all HTAccess and Config files;
Redirecting all HTTP requests to HTTPS;
Enhanced image compression and serving if DEFLATE is supported;
Browser bug protection;
Advanced cookie control and expiration;
Extensive Header and Font control;
Offsite linking protection;
MIME caching;
PERL exploit defense;
ANSI and Script exploit defense;
Fake User Agent defense.

Note 1: You cannot simply copy and paste this code. You must set the [COLOR="#00FF00"]site addresses[/COLOR] to match your own server.

Note 2: vB specific code is now highlighted in [COLOR="#FFA07A"]orange[/COLOR].
Although some of the other code is included in the vB .htaccess file, it is common to most .htaccess files and as such should be included.

Note 3: In order to include more files to be protected from 'hot linking', expand upon this line, [COLOR="#00FFFF"]<FilesMatch "\.(gif|png|swf|jpe?g)$">[/COLOR]
Presently it stops people off site from linking to webpage files, images/photos.
If you want to stop linking to other files, you might try for example-
<FilesMatch "\.(gif|png|swf|jpe?g[COLOR="#00FFFF"]|zip|rar|ace|mp3|mp4|avi[/COLOR])$">

Also, one might want to add ico to the list. Why? Specifically, the favicon.ico file is linked to browsers with bookmarked/favorite sites. Here is the kicker: every time a browser loads a page, it refreshes its favicon.ico files by testing the links, even if not on that website! Take a small site like this one with, let's say, 100 users who have the site bookmarked and who each visit an average of 100 other sites per day: THIS site just got hit with 10,000 file hits in one day. For those on metered bandwidth, that can really hurt. In the dialup days it was a site killer. By adding ico to the no-hot-linking code, the ico only loads from this site (and only if the cache needs updating).

Note 4: In order to disable the HTTP to HTTPS routing, locate and remove the code block in [COLOR="#FFFF00"]yellow[/COLOR].

[CODE]
# START Deny attempts to view the Htaccess file.
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
# END Deny attempts to view the Htaccess file.

# Start Deny attempts to view the config file.
# <Files> matches on the file name only (no path component), so "config.php" covers the file in
# this directory and in every subdirectory, e.g. core/includes/config.php on vB5 or
# includes/config.php on vB3/4. A path such as includes/config.php never matches a request.
# (Order/Deny are Apache 2.2 syntax; on 2.4 they need mod_access_compat, or use "Require all denied".)
<Files "config.php">
Order allow,deny
Deny from all
</Files>
# End Deny attempts to view the config file.

<IfModule mod_rewrite.c>
RewriteEngine On

[COLOR="#FFFF00"] RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
[/COLOR]
#In some cases where you have other mod_rewrite rules, you may need to comment out the following line
#and change it to match your folder name. This resets the other mod_rewrite rules for just this directory
#If your site was www.example.com/forum, the setting would be /forum/
#RewriteBase /

[COLOR="#FFA07A"] # Send css calls directly to the correct file VBV-7807
RewriteRule ^css.php$ core/css.php [NC,L]
# Redirect old install path to core.
RewriteRule ^install/ core/install/ [NC,L]

# Main Redirect
RewriteCond %{REQUEST_URI} !\.(bmp|swf|gif|jpg|jpeg|png|css)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?routestring=$1 [L,QSA]

# Because admincp is an actual directory.
RewriteRule ^(admincp/)$ index.php?routestring=$1 [L,QSA]
[/COLOR]

</IfModule>

<IfModule mod_deflate.c>

# Force compression for mangled headers.
# http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>

# BEGIN Compress text files
<ifModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/xml text/css text/plain
AddOutputFilterByType DEFLATE image/svg+xml application/xhtml+xml application/xml
AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript application/json
AddOutputFilterByType DEFLATE application/x-font-ttf application/x-font-otf
AddOutputFilterByType DEFLATE font/truetype font/opentype

# remove browser bugs
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# \b is a word boundary; the unescaped "bMSIE" would never match a real User-Agent
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</ifModule>
# END Compress text files

# Compress all output labeled with one of the following MIME-types
# (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
# and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines
# as `AddOutputFilterByType` is still in the core directives).
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE application/atom+xml \
application/javascript \
application/json \
application/rss+xml \
application/vnd.ms-fontobject \
application/x-font-ttf \
application/x-web-app-manifest+json \
application/xhtml+xml \
application/xml \
font/opentype \
image/svg+xml \
image/x-icon \
text/css \
text/html \
text/plain \
text/x-component \
text/xml
</IfModule>

</IfModule>

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType application/ico A2592000
ExpiresByType application/java A2628000
ExpiresByType application/javascript A1209600
ExpiresByType application/javascript A2628000
ExpiresByType application/msword A2628000
ExpiresByType application/pdf A2628000
ExpiresByType application/vnd.ms-access A2628000
ExpiresByType application/vnd.ms-excel A2628000
ExpiresByType application/vnd.ms-fontobject A2592000
ExpiresByType application/vnd.ms-powerpoint A2628000
ExpiresByType application/vnd.ms-project A2628000
ExpiresByType application/vnd.ms-write A2628000
ExpiresByType application/vnd.oasis.opendocument.chart A2628000
ExpiresByType application/vnd.oasis.opendocument.database A2628000
ExpiresByType application/vnd.oasis.opendocument.formula A2628000
ExpiresByType application/vnd.oasis.opendocument.graphics A2628000
ExpiresByType application/vnd.oasis.opendocument.presentation A2628000
ExpiresByType application/vnd.oasis.opendocument.spreadsheet A2628000
ExpiresByType application/vnd.oasis.opendocument.text A2628000
ExpiresByType application/x-font-woff A2592000
ExpiresByType application/x-gzip A2628000
ExpiresByType application/x-ico A2592000
ExpiresByType application/x-javascript A2628000
ExpiresByType application/x-msdownload A2628000
ExpiresByType application/x-shockwave-flash A2628000
ExpiresByType application/x-tar A2628000
ExpiresByType application/zip A2628000
ExpiresByType audio/midi A2628000
ExpiresByType audio/mpeg A2628000
ExpiresByType audio/ogg A2628000
ExpiresByType audio/wav A2628000
ExpiresByType audio/wma A2628000
ExpiresByType audio/x-realaudio A2628000
ExpiresByType font/opentype A2592000
ExpiresByType font/otf A2592000
ExpiresByType font/truetype A2592000
ExpiresByType font/ttf A2592000
ExpiresByType font/x-woff A2592000
ExpiresByType image/bmp A2628000
ExpiresByType image/gif A2628000
ExpiresByType image/icon A2592000
ExpiresByType image/jpeg A2628000
ExpiresByType image/jpg A1209600
ExpiresByType image/png A2628000
ExpiresByType image/svg+xml A2592000
ExpiresByType image/tiff A2628000
ExpiresByType image/x-icon A2628000
ExpiresByType text/css A31536000
ExpiresByType text/javascript A1209600
ExpiresByType text/plain A3600
ExpiresByType text/richtext A3600
ExpiresByType text/xsd A3600
ExpiresByType text/xsl A3600
ExpiresByType video/asf A2628000
ExpiresByType video/avi A2628000
ExpiresByType video/divx A2628000
ExpiresByType video/mp4 A2628000
ExpiresByType video/mpeg A2628000
ExpiresByType video/quicktime A2628000
</IfModule>

<IfModule mod_headers.c>
Header set Connection keep-alive
<filesmatch "\.(ico|flv|gif|swf|eot|woff|otf|ttf|svg)$">
Header set Cache-Control "max-age=2592000, public"
</filesmatch>
<filesmatch "\.(jpg|jpeg|png)$">
Header set Cache-Control "max-age=1209600, public"
</filesmatch>
<filesmatch "\.(eot|woff|otf|ttf|svg)$">
Header set Cache-Control "max-age=2592000, public"
</filesmatch>
# css and js should use private for proxy caching https://developers.google.com/speed/docs/best-practices/caching#LeverageProxyCaching
<filesmatch "\.(css)$">
Header set Cache-Control "max-age=31536000, private"
</filesmatch>
<filesmatch "\.(js)$">
Header set Cache-Control "max-age=1209600, private"
</filesmatch>
</IfModule>


# deny requests for config files
<FilesMatch ".(ini|conf)$">
Order allow,deny
Deny from all
</FilesMatch>

# Disable ETags
<IfModule mod_headers.c>
Header Unset ETag
FileETag none
</IfModule>

# Default expires header if none specified (stay in browser cache for 7 days)
<IfModule mod_expires.c>

ExpiresActive on
ExpiresDefault "access plus 1 week"

# CSS
ExpiresByType text/css "access plus 1 year"

# Data interchange
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"

# Favicon (cannot be renamed!)
ExpiresByType image/x-icon "access plus 1 week"

# HTML components (HTCs)
ExpiresByType text/x-component "access plus 1 month"

# HTML
ExpiresByType text/html "access plus 0 seconds"

# JavaScript
ExpiresByType application/javascript "access plus 1 year"

# Manifest files
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"

# Media
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/swf "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"

# Web feeds
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"

# Web fonts
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"

</IfModule>


# add font types for chromium/chrome
AddType application/font-woff woff

[COLOR="#00FF00"]SetEnvIfNoCase Referer "^http://mywebsite.net/|https://mywebsitesecure.net/|http://localhost/|http://127.0.0.1/|https://localhost/|https://127.0.0.1/" locally_linked=1
[/COLOR]SetEnvIf Referer "^$" locally_linked=1
[COLOR="#00FFFF"]<FilesMatch "\.(gif|png|swf|jpe?g)$">[/COLOR]
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

allow from localhost

# BEGIN W3TC Browser Cache
<IfModule mod_mime.c>
AddType application/ace .ace
AddType application/java .class
AddType application/javascript .js
AddType application/msword .doc .docx
AddType application/pdf .pdf
AddType application/rar .rar
AddType application/vnd.ms-access .mdb
AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
AddType application/vnd.ms-project .mpp
AddType application/vnd.ms-write .wri
AddType application/vnd.oasis.opendocument.chart .odc
AddType application/vnd.oasis.opendocument.database .odb
AddType application/vnd.oasis.opendocument.formula .odf
AddType application/vnd.oasis.opendocument.graphics .odg
AddType application/vnd.oasis.opendocument.presentation .odp
AddType application/vnd.oasis.opendocument.spreadsheet .ods
AddType application/vnd.oasis.opendocument.text .odt
AddType application/x-gzip .gz .gzip
AddType application/x-javascript .js
AddType application/x-msdownload .exe
AddType application/x-shockwave-flash .swf
AddType application/x-tar .tar
AddType application/zip .zip
AddType audio/midi .mid .midi
AddType audio/mpeg .mp3 .m4a
AddType audio/ogg .ogg
AddType audio/wav .wav
AddType audio/wma .wma
AddType audio/x-realaudio .ra .ram
AddType image/bmp .bmp
AddType image/gif .gif
AddType image/jpeg .jpg .jpeg .jpe
AddType image/png .png
AddType image/svg+xml .svg .svgz
AddType image/tiff .tif .tiff
AddType image/x-icon .ico
AddType text/css .css
AddType text/html .html .htm
AddType text/plain .txt
AddType text/richtext .rtf .rtx
AddType text/xml .xml
AddType text/xsd .xsd
AddType text/xsl .xsl
AddType video/asf .asf .asx .wax .wmv .wmx
AddType video/avi .avi
AddType video/divx .divx
AddType video/mp4 .mp4 .m4v
AddType video/mpeg .mpeg .mpg .mpe
AddType video/quicktime .mov .qt
</IfModule>
# END W3TC Browser Cache

<IfModule mod_rewrite.c>
RewriteEngine On

# Block User-agent Libwww-perl
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]

# proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
# A RewriteCond chain does nothing until a RewriteRule consumes it: forbid (403) the request.
RewriteRule .* - [F,L]

##
##  Commented version of Rewrite rules attributed to Ronald van den Heetkamp
##  Comments by http://bodvoc.com
#
# Prevent use of specified methods in HTTP Request
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
# Block out use of illegal or unsafe characters in the HTTP Request
# (\\r and \\n reach the regex engine as \r and \n; an unescaped "r|n" would match almost every request)
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
# Block out use of illegal or unsafe characters in the Referer Variable of the HTTP Request
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Block out use of illegal characters in URI or use of malformed URI
# (\.\. is a literal ".."; unescaped, ".." matches any two characters and would block nearly every URI)
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\.\.).{0,9999}.* [NC,OR]
# NOTE - disable this rule if your site is integrated with Payment Gateways such as PayPal
# Block out use of empty User Agent Strings
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
# Block out use of User Agent Strings beginning with java, curl or wget
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
# Block out use of User Agent Strings containing specific robot (crawler) identifiers
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
# Block out use of User Agent Strings containing references to specific crawler libraries
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
# Block out use of illegal or unsafe characters in the User Agent variable
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Measures to block out SQL injection attacks
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
# Block out reference to localhost/loopback/127.0.0.1 in the Query String
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
# Block out use of illegal or unsafe characters in the Query String variable
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
# Forbid (403) any request that matched one of the conditions above.
RewriteRule .* - [F,L]
#
## End of commented Rewrite directives
</IfModule>


[/CODE]
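The two defects most worth catching in a file like this are a RewriteCond chain that no RewriteRule consumes (Apache never acts on it, so the "exploit defense" is inert) and a Referer allowlist where only the first alternative is anchored by ^. The script below is an added example, not part of the posted file and not vBulletin code: it re-implements Apache's RewriteCond semantics ([OR] groups ANDed together, unanchored search, [NC] for case-insensitivity) with Python's re module, which is assumed to be close enough to PCRE for these patterns. It runs on a constructed, trimmed-down copy of the chain from the page and on constructed request variables, and keeps the page's placeholder hostnames. It is not a substitute for apachectl configtest, but it shows what a rule matches before it goes live.

```python
"""Offline sanity check for .htaccess RewriteCond chains and the hot-link Referer allowlist."""
import re

# Constructed, trimmed-down copy of the exploit-defence chain on the page (not the full file).
# The first chain ends with a RewriteRule; the second deliberately does not.
SAMPLE_HTACCESS = r"""
RewriteEngine On
# one OR-group of four conditions, then the rule that forbids the request
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]

# a dangling chain: no RewriteRule follows, so Apache never acts on it
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
"""
FORBID_RULE = "RewriteRule .* - [F,L]\n"   # what the dangling chain is missing

COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$")


def _flags(text):
    return {f.strip().upper() for f in (text or "").split(",") if f.strip()}


def parse_chains(htaccess):
    """Return (chains, dangling): chains is a list of (conds, rule_flags); dangling is the
    list of RewriteCond lines left over with no RewriteRule to consume them."""
    chains, pending = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        m = COND_RE.match(line)
        if m:
            pending.append((m.group(1), m.group(2), _flags(m.group(3))))
            continue
        m = RULE_RE.match(line)
        if m:
            chains.append((pending, _flags(m.group(3))))
            pending = []
    return chains, pending


def cond_matches(cond, request):
    """One RewriteCond against a dict of Apache variables; '!' negates, NC ignores case."""
    var, pattern, flags = cond
    negate = pattern.startswith("!")
    pattern = pattern[1:] if negate else pattern
    hit = re.search(pattern, request.get(var, ""), re.I if "NC" in flags else 0) is not None
    return hit != negate


def chain_matches(conds, request):
    """Apache semantics: consecutive [OR] conditions form a group; the groups are ANDed."""
    groups, current = [], []
    for cond in conds:
        current.append(cond)
        if "OR" not in cond[2]:
            groups.append(current)
            current = []
    if current:               # chain ended on an [OR]; Apache still evaluates it
        groups.append(current)
    return all(any(cond_matches(c, request) for c in grp) for grp in groups)


def is_forbidden(htaccess, request):
    """True if some terminated [F] chain matches the request (keys are Apache variable names)."""
    chains, _ = parse_chains(htaccess)
    return any("F" in flags and chain_matches(conds, request) for conds, flags in chains)


# The page's hot-link allowlist as posted (only the first alternative is anchored) and the
# anchored form. Hostnames are the page's own placeholders, not real sites.
REFERER_AS_POSTED = r"^http://mywebsite.net/|https://mywebsitesecure.net/|http://localhost/|http://127.0.0.1/"
REFERER_ANCHORED = r"^(http://mywebsite\.net/|https://mywebsitesecure\.net/|https?://localhost/|https?://127\.0\.0\.1/)"


def locally_linked(allow_pattern, referer):
    """Mimics 'SetEnvIfNoCase Referer <pattern> locally_linked=1' plus 'SetEnvIf Referer ^$'."""
    return referer == "" or re.search(allow_pattern, referer, re.I) is not None


# Constructed request variables, as mod_rewrite would see them.
BENIGN = {"REQUEST_METHOD": "GET", "QUERY_STRING": "routestring=forum/general-chat",
          "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux) Firefox/115.0"}
LOOPBACK_PROBE = {"REQUEST_METHOD": "GET", "QUERY_STRING": "url=http://127.0.0.1/",
                  "HTTP_USER_AGENT": "Mozilla/5.0"}
TAG_IN_QUERY = {"REQUEST_METHOD": "GET", "QUERY_STRING": "q=%3Cscript%3E",
                "HTTP_USER_AGENT": "Mozilla/5.0"}

if __name__ == "__main__":
    chains, dangling = parse_chains(SAMPLE_HTACCESS)
    print(f"{len(chains)} terminated chain(s), {len(dangling)} dangling RewriteCond line(s)")
    for name, req in (("benign", BENIGN), ("loopback probe", LOOPBACK_PROBE), ("tag in query", TAG_IN_QUERY)):
        print(f"{name:15} as posted: {is_forbidden(SAMPLE_HTACCESS, req)!s:5} "
              f"with rule appended: {is_forbidden(SAMPLE_HTACCESS + FORBID_RULE, req)}")
    foreign = "http://other.example/page?src=http://localhost/"
    print("foreign referer passes as posted:", locally_linked(REFERER_AS_POSTED, foreign),
          "/ anchored:", locally_linked(REFERER_ANCHORED, foreign))
```

Run it as-is and the "tag in query" request is only forbidden once FORBID_RULE is appended to the dangling chain, while the foreign Referer is accepted by the as-posted allowlist and rejected by the anchored one. To check your own file, read it into `parse_chains` and treat a non-empty `dangling` list as a configuration bug.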
[quote name='windowsguru']nice job Snail you come up with it?[/QUOTE]

Part of it is from the vB5.x installation.
I came up with a lot of it, especially the exploit fixes.
I also obtained many examples from numerous other sources and added them, sorted them, and tested them until it all worked.

This is the one I use on my vB5.1.9 server. Been running for nearly a year under vB5x and it works well.
In reviewing the vB5.2.2 .htaccess file, nothing changed, so the virtual folders and commands are still good.

Ever since people began using the 25-year-old exploit attacks on vB's sad code, I have been looking for methods of protecting all forums without the hassle of editing all of their code. The .htaccess file seemed the best method.

It would not take too much to compare a vB 4x .htaccess file and add the new code to it.
In fact, anyone running an Apache server would benefit from much of the code, as it will work for all hosting, not only vB.
Simply copy the code over, omitting the vB unique code.
The trick is checking all your code to avoid duplication. While duplication won't cause any crashes, it will use up double the resources and a small amount of additional bandwidth.

I will go back and edit the code to highlight vB specific code.
Okay, the vB specific code is now highlighted in [COLOR="#FFA07A"]orange[/COLOR].
Although some of the other code is included in the vB .htaccess file, it is common to most .htaccess files and as such should be included.
[quote name='windowsguru']I'm running Apache on my server with IPS 4.1 and would benefit from this as well as long as I change it for IPS.[/QUOTE]

Correct. .htaccess files are not per se specific to any forum. It just so happens that this one includes code required to run vB5x.
By removing that code block and adding this to your server (and including any IPB specific code) it should work fine.

The one thing that seems to catch people up is that this code is set up to redirect ALL http requests to https.
If you are not running a secure server no pages will be served.
I HIGHLY recommend running on HTTPS these days. It is a tad bit slower and uses additional resources, but it also makes it more difficult for malicious hackers and governments to cause damage.
I will add a new note and highlight the routing code, to be removed for those who wish to remain on HTTP only.
[quote name='windowsguru']I'm running my own home made dedicated server and don't have a clue howto get https going[/QUOTE]

Depending upon what flavor of Apache you are using (Windows/Unix, v1x/v2x, Bare/WAMP/XAMP, etc.), your setup will vary slightly.
Fortunately Apache is open source with a LOT of documentation.
The hardest part is in assigning SSL certificates.
I won't get into a how-to here as MANY websites already exist dedicated to instructing the process.
It is simply a matter of security which I recommend. I have highlighted the code block to remove for use on HTTP servers.