path: root/.htaccess
Commit message (Author, Age, Files, Lines)
* Fix Cache-Control header of non-versioned assets (Nicolas Guichard, 2023-03-15, 1 file, -5/+6)
|   Non-cache-busted assets such as /dist/core-main.js also matched the regex meant for cache-busted assets (note the ? at the end of the regex).
|
|   The FilesMatch directive for cache-busted assets coming after the non-cache-busted version, all assets actually got the immutable flag in their Cache-Control header. This caused client-side errors on updates.
|
|   Query strings are not actually passed to FilesMatch directives so we need another way to tell cache-busted/versioned assets apart from non-versioned assets, here using If/Else directives.
|
|   Signed-off-by: Nicolas Guichard <nicolas@guichard.eu>
* Change X-Robots-Tag header from "none" to "noindex, nofollow" (MichaIng, 2023-02-15, 1 file, -1/+1)
|   While "none" is indeed equivalent to "noindex, nofollow" for Google, it seems not to be supported by Bing and probably other search engines.
|
|   https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names
|   https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list
|   https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240
|
|   Signed-off-by: MichaIng <micha@dietpi.com>
* Remove legacy Internet Explorer headers (MichaIng, 2022-03-19, 1 file, -3/+0)
|   X-UA-Compatible and X-Download-Options headers are interpreted or relevant for Internet Explorer only. With the deprecation of Internet Explorer support in Nextcloud 20 and planned support removal already in Nextcloud 22, these became obsolete and are hereby removed, including their removal from setup checks.
|
|   Signed-off-by: MichaIng <micha@dietpi.com>
* Improve caching policy (Carl Schwan, 2022-02-16, 1 file, -0/+4)
|   * Cache css with version in url. This makes most js and css requests to be cached by the browser
|   * Force caching previews, the etag is in the url so that if the propfind gives a new etag, we will refresh it otherwise it's no use to try to fetch the new etag and do tons of DB queries
|
|   Tested with firefox and 'debug' => false (important so that the js/css urls are generated with ?v= parameter)
|
|   Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Allow to serve static WebAssembly and TensorFlow Lite files (Daniel Calviño Sánchez, 2021-11-17, 1 file, -1/+2)
|   Since Talk 13 (and thus Nextcloud 23) WebAssembly (.wasm) and TensorFlow Lite (.tflite) files need to be loaded from the web server to provide certain features (like the background blur in the WebUI).
|
|   Those files can be treated in a similar way to other static resources, and there should not be any problem caching or compressing them. However, as compressed TensorFlow Lite files are only ~12% smaller, the compression directive depends on the MIME type and there is no standard MIME type for TensorFlow Lite files, it is not worth compressing them. Moreover, no directives to compress WebAssembly files were added either, as it seems that they would override any other compression directives set in the default server configuration; for reference it could be done with something like:
|
|       <IfModule mod_deflate.c>
|         <IfModule mod_filter.c>
|           AddOutputFilterByType DEFLATE application/wasm
|         </IfModule>
|       </IfModule>
|
|   Depending on the setup "application/wasm" may not be associated with ".wasm" files, so the directive was added just in case, as otherwise browsers log a warning.
|
|   Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* Fix module name for PHP8+ (acsfer, 2021-08-20, 1 file, -1/+3)
|
* Update .htaccess (PHP8 and mod_lsapi) (acsfer, 2021-08-20, 1 file, -10/+29)
|   - Add `mod_lsapi` (Cloudlinux) authorization headers
|   - Add `mod_php8` php_values
|   - Reformatting for better legibility
* Cache images on browser (acsfer, 2021-07-06, 1 file, -1/+1)
|   Fix #26851
* Make sure we properly pass well-known paths to index.php (Julius Härtl, 2020-12-29, 1 file, -2/+2)
|   Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add well known handlers API (Christoph Wurst, 2020-12-16, 1 file, -4/+0)
|   Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix security header setting in .htaccess by adding 'onsuccess unset' (zertrin, 2020-03-05, 1 file, -0/+17)
|   The headers might already be set by the system administrator at the http server level (apache or nginx) for some or all virtualhosts.
|
|   Using "always set" in the .htaccess of Nextcloud leads to the situation where the headers might be set twice (once in the default 'onsuccess' table and once in the 'always' table)! Which leads to warnings in the admin area.
|
|   Adding "onsuccess unset" solves the problem, and forces the header in the 'onsuccess' table to be unset, and the header in the 'always' table to be set.
|
|   NOTE: with this change, Nextcloud overrides whatever the system administrator might have already set
|
|   See github issues #16893 #16476 #16938 #18017 and discussion in PR #19002
|
|   Signed-off-by: zertrin <zertrin@gmail.com>
* +nodeinfo public service (Maxence Lange, 2019-08-29, 1 file, -0/+1)
|   Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
* Remove duplicated spaces (J0WI, 2019-08-11, 1 file, -2/+2)
|   Signed-off-by: J0WI <J0WI@users.noreply.github.com>
* Use "always" condition for security headers (J0WI, 2019-08-11, 1 file, -7/+7)
|   Signed-off-by: J0WI <J0WI@users.noreply.github.com>
* Sort headers (J0WI, 2019-08-11, 1 file, -4/+4)
|   Signed-off-by: J0WI <J0WI@users.noreply.github.com>
* Add X-Frame-Options header to .htaccess (J0WI, 2019-08-11, 1 file, -0/+1)
|   Signed-off-by: J0WI <J0WI@users.noreply.github.com>
* Remove the upload and memory setting (Joas Schilling, 2019-03-04, 1 file, -3/+0)
|   * Remove unneeded private method phpFileSize()
|   * Bump autoloader
|   * Remove setUploadLimit tests
|   * Remove integrity check hacks for upload limit
|
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
|   Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Remove unused php5 config from .htaccess (Morris Jobke, 2019-03-04, 1 file, -12/+0)
|   Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Fix loading of .woff2 files in .htaccess (Julius Härtl, 2018-11-18, 1 file, -1/+1)
|   Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Merge pull request #11396 from nextcloud/wellknown-webfinger (Morris Jobke, 2018-10-24, 1 file, -0/+1)
|\
| |   adding .well-known/webfinger
| * adding .well-known/webfinger (Maxence Lange, 2018-10-10, 1 file, -0/+1)
| |   Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
* | Add "Referrer-Policy" to htaccess file, addresses issue #11099 (Patrik Kernstock, 2018-10-11, 1 file, -0/+1)
|/
|   Signed-off-by: Patrik Kernstock <info@pkern.at>
* Merge pull request #7419 from Abijeet/feature-7175 (Morris Jobke, 2018-03-06, 1 file, -1/+1)
|\
| |   Fixes #7175 - Allow to search for email address in user management
| * Added newline to end of htaccess file (Abijeet, 2017-12-18, 1 file, -1/+1)
| |   Signed-off-by: Abijeet <abijeetpatro@gmail.com>
| * Adds search by email function on the users screen. (Abijeet, 2017-12-16, 1 file, -2/+2)
| |   Fixes #7175.
| |   - Updated the query to fetch the users in users > everyone tab.
| |   - Updated the query to fetch the users in users > admin tab.
| |   - Tested to ensure that the disabled users are also being fetched.
| |   - Added test cases.
| |
| |   Signed-off-by: Abijeet <abijeetpatro@gmail.com>
* | Correct mistaken regex wildcard in .htaccess (Dan Callahan, 2018-02-28, 1 file, -1/+1)
| |   Fixes #8578
| |
| |   Signed-off-by: Dan Callahan <dan.callahan@gmail.com>
* | Handle SSL certificate verifications for others than Let's Encrypt (Robert Scheck, 2018-02-05, 1 file, -1/+1)
|/
|   No longer (wrongly) rewrite URLs like
|   * http://example.net/.well-known/pki-validation/file.txt (Comodo)
|   * http://example.net/.well-known/pki-validation/fileauth.txt (DigiCert, Thawte, GeoTrust)
|   * http://example.net/.well-known/pki-validation/gsdv.txt (GlobalSign)
|   * http://example.net/.well-known/pki-validation/starfield.htm (Starfield, GoDaddy)
|   * http://example.net/.well-known/pki-validation/swisssign-check.txt (SwissSign)
|   for automated SSL certificate verifications.
|
|   All (common commercial) certificate authorities (CA) except Let's Encrypt (via ACME) seem to use "pki-validation" rather than "acme-challenge" for their domain control validation (DCV).
|
|   Signed-off-by: Robert Scheck <robert@fedoraproject.org>
* Move X-Frame-Options into PHP (Lukas Reschke, 2017-03-26, 1 file, -1/+0)
|   The public calendar view should be embeddable and we can't do that if the .htaccess sets a global X-Frame-Options.
|
|   Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Fix for Win Clients sometimes not connecting (Flole998, 2017-02-03, 1 file, -0/+2)
|   Fix for Win Clients sometimes not connecting
* Cache js, css and woff files for a week (#26591) (Jörn Friedrich Dreyer, 2016-11-14, 1 file, -2/+7)
|   increases the cache duration for css and js files from 2 hours to half a year. Should they change, the versionhash changes as well and a new file is fetched. Half a year should be long enough for oc updates.
|
|   Also allows caching woff files for 7 days. Currently, there is no versionhash available, but pressing F5 will also refresh the woff files.
* Make sure memory limit is > post size and upload filesize (Joas Schilling, 2016-09-13, 1 file, -4/+4)
|
* Also cache WOFF, SVG and GIF (Lukas Reschke, 2016-08-08, 1 file, -2/+2)
|
* .htaccess update making two rules non-capturing (Martin, 2016-06-03, 1 file, -2/+2)
|
* Do not automatically try to enable index.php-less URLs (#24539) (Lukas Reschke, 2016-05-12, 1 file, -17/+0)
|   The current logic for mod_rewrite relies on the fact that people have properly configured ownCloud, basically it reads from the `overwrite.cli.url` entry and then derives the `RewriteBase` from it.
|
|   This usually works. However, since the ownCloud packages seem to install themselves at `/owncloud` (because subfolders are cool or so…) _a lot_ of people have just created a new Virtual Host for it or have simply symlinked the path etc.
|
|   This means that `overwrite.cli.url` is wrong, which fails hard if it is used as RewriteBase since Apache does not know where it should serve files from. In the end the ownCloud instance will not be accessible anymore and users will be frustrated. Also some shared hosters like 1&1 (because using shared hosters is so awesome… ;-)) have somewhat dubious Apache configurations or use versions of mod_rewrite from the medieval age. (because updating is money or so…)
|
|   Anyhow. This makes this explicitly an opt-in configuration flag. If `htaccess.RewriteBase` is set then it will configure index.php-less URLs, if admins set that after installation and don't want to wait until the next ownCloud version they can run `occ maintenance:update:htaccess`.
|
|   For ownCloud 9.0 we also have to add a repair step to make sure that instances that already have a RewriteBase configured continue to use it by copying it into the config file. That way all existing URLs stay valid. That one is not in this PR since this is unnecessary in master.
|
|   Effectively this reduces another risk of breakage when updating from ownCloud 8 to ownCloud 9.
|
|   Fixes https://github.com/owncloud/core/issues/24525, https://github.com/owncloud/core/issues/24426 and probably some more.
* Use raw PATH_INFO (Lukas Reschke, 2016-03-17, 1 file, -2/+2)
|   PATH_INFO will be empty at this point and thus the logic in base.php did not catch this. Changing this to "getRawPathInfo" will ensure that the path info is properly read.
|
|   Fixes https://github.com/owncloud/core/issues/23199
* always_populate_raw_post_data has been removed with PHP 7.0 (Lukas Reschke, 2016-03-15, 1 file, -1/+0)
|
* Duplicate block for PHP 7 (Lukas Reschke, 2016-03-15, 1 file, -0/+12)
|
* Allow jpg files to be statically served (Stephan Köninger, 2016-03-10, 1 file, -1/+1)
|   When using a background image in themes of type JPG, the current setting of owncloud's htaccess file does not allow to deliver these kinds of images as static content. Adding the file extensions as done in this commit, it works flawlessly.
* Add base rewrite rule only when RewriteBase is defined (Lukas Reschke, 2016-03-09, 1 file, -1/+0)
|   In case Apache is configured with an `Alias` such as with the ownCloud packages the rewrite rules will fail when no valid RewriteBase is configured.
* Exclude ocs-provider from rewrite rule (Lukas Reschke, 2016-02-25, 1 file, -0/+1)
|   Otherwise `localhost/ocs-provider/` cannot be accessed if mod_rewrite is installed. Only affects master.
* Merge pull request #18194 from RealRancor/proxy_fcgi (Thomas Müller, 2016-02-05, 1 file, -2/+5)
|\
| |   Add mod_proxy_fcgi to .htaccess
| * Add mod_proxy_fcgi and mod_fastcgi to .htaccess (RealRancor, 2015-11-17, 1 file, -2/+5)
| |
* | Do not rewrite updater requests (Victor Dubiniuk, 2016-01-28, 1 file, -0/+1)
| |
* | Add X-Download-Options and X-Permitted-Cross-Domain-Policies (Lukas Reschke, 2016-01-12, 1 file, -0/+2)
| |   Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
* | Remove CSP stuff from .htaccess (Lukas Reschke, 2016-01-08, 1 file, -7/+0)
| |   :cry: Seems like Apache is inconsistent fun between versions. Let's remove it thus for now.
* | always check if the csp is empty (Jörn Friedrich Dreyer, 2016-01-08, 1 file, -1/+1)
| |
* | Use setifempty to please incompatible httpd versions (Lukas Reschke, 2016-01-08, 1 file, -3/+6)
| |   Some httpd versions have problems with the old logic leading to resources served with multiple headers.
* | Merge pull request #20966 from knox/master (Thomas Müller, 2016-01-07, 1 file, -0/+2)
|\ \
| | |   Do not rewrite letsencrypt .well-known URI
| * \ Merge branch 'master' into master (mbi, 2015-12-30, 1 file, -4/+0)
| |\ \
| * | | Do not rewrite letsencrypt .well-known URI (mbi, 2015-12-08, 1 file, -0/+1)
| | | |