summaryrefslogtreecommitdiff
path: root/puppet/modules/apache/files/include.d
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/apache/files/include.d')
-rw-r--r--puppet/modules/apache/files/include.d/defaults.inc5
-rw-r--r--puppet/modules/apache/files/include.d/joomla.inc30
-rw-r--r--puppet/modules/apache/files/include.d/silverstripe.inc17
3 files changed, 52 insertions, 0 deletions
diff --git a/puppet/modules/apache/files/include.d/defaults.inc b/puppet/modules/apache/files/include.d/defaults.inc
new file mode 100644
index 00000000..3e5e7d73
--- /dev/null
+++ b/puppet/modules/apache/files/include.d/defaults.inc
@@ -0,0 +1,5 @@
+RewriteEngine on
+RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+RewriteRule .* - [F]
+
+ServerSignature Off
diff --git a/puppet/modules/apache/files/include.d/joomla.inc b/puppet/modules/apache/files/include.d/joomla.inc
new file mode 100644
index 00000000..1535ce37
--- /dev/null
+++ b/puppet/modules/apache/files/include.d/joomla.inc
@@ -0,0 +1,30 @@
+########## Begin - Rewrite rules to block out some common exploits
+# against joomla's
+#
+# Block out any script trying to set a mosConfig value through the URL
+RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
+
+# Block out any script trying to base64_encode crap to send via URL
+RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
+
+# Block out any script that includes a <script> tag in URL
+RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
+
+# Block out any script trying to set a PHP GLOBALS variable via URL
+RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
+
+# Block out any script trying to modify a _REQUEST variable via URL
+RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
+
+# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
+RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR]
+
+# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
+RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
+RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)
+
+# Send all blocked request to homepage with 403 Forbidden error!
+RewriteRule ^(.*)$ index.php [F,L]
+#
+########## End - Rewrite rules to block out some common exploits
+
diff --git a/puppet/modules/apache/files/include.d/silverstripe.inc b/puppet/modules/apache/files/include.d/silverstripe.inc
new file mode 100644
index 00000000..40c44e46
--- /dev/null
+++ b/puppet/modules/apache/files/include.d/silverstripe.inc
@@ -0,0 +1,17 @@
+# silverstripe .htaccess
+<Files *.ss>
+ Order deny,allow
+ Deny from all
+ #Allow from 127.0.0.1
+</Files>
+
+<IfModule mod_rewrite.c>
+ RewriteEngine On
+ #RewriteBase /
+
+ RewriteCond %{REQUEST_URI} !(\.gif$)|(\.jpg$)|(\.png$)|(\.css$)|(\.js$)
+
+ RewriteCond %{REQUEST_URI} ^(.*)$
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule .* sapphire/main.php?url=%1&%{QUERY_STRING} [L]
+</IfModule>