File humhub-apache.conf of Package humhub
Alias /humhub "__humhub_web__"
<Directory "__humhub_web__">
AllowOverride All
Options FollowSymLinks
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order allow,deny
Allow from all
</IfModule>
<IfModule mod_authz_core.c>
# Apache 2.4
<Files "*">
Require host 127.0.0.1
# Require ip 128.252.135.
# Require host mydomain.com
# Require host host.mydomain.com
</Files>
<Files ~ "^humhub\.(js|php)|robots\.txt$|index\.php$">
Require all granted
</Files>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
<Files "*">
Order deny, allow
Deny from all
Allow from 127.0.0.1
# Allow from 128.252.135.
# Allow from .mydomain.com
# Allow from host.mydomain.com
</Files>
<Files ~ "^humhub\.(js|php)|robots\.txt$|index\.php$">
Allow from all
Satisfy any
</Files>
</IfModule>
<IfModule mod_mime.c>
AddType application/x-javascript .js
AddType text/css .css
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/plain text/xml application/javascript
<IfModule mod_setenvif.c>
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch bMSIE !no-gzip !gzip-only-text/html
</IfModule>
</IfModule>
Header append Vary User-Agent env=!dont-vary
# check if RewriteModule is availbale
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine on
# uncomment if you've installed HumHub into a subdirectory relative to your webroot & adjust RewriteBase to match the install point
#RewriteBase /humhub
# uncomment to force https requests
#RewriteCond %{HTTPS} !=on
#RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$ [NC]
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# prevent httpd from serving dotfiles (.htaccess, .svn, .git, etc.) - except let's encrypt challenge
RedirectMatch 403 ^/?\.(?!well-known/acme-challenge/[\w-]{43}$)
# ensure permalink when url rewriting was enabled (index.php?r=content/perma&id=6 => /content/perma/?id=6
RewriteCond %{QUERY_STRING} ^r=content(/|%2)perma&id=([0-9]*)$
RewriteRule ^index\.php$ %{REQUEST_URI}/content/perma/?id=%2 [R=302,L]
RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
RewriteRule ^(.*) - [E=BASE:%1]
# Sets the HTTP_AUTHORIZATION header removed by apache
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .? - [L]
RewriteRule .? %{ENV:BASE}/index.php [L]
</IfModule>
# Config files from vendor should not be readable via browser
<FilesMatch "^(\.|composer\.(json|lock|phar)$)">
<IfModule authz_core_module>
Require all denied
</IfModule>
<IfModule !authz_core_module>
Order deny,allow
Deny from all
</IfModule>
</FilesMatch>
<IfModule mod_php7.c>
# improved security
php_admin_value open_basedir "__humhub_web__:__humhub_conf__:__humhub_log__:/tmp:/usr/bin:/var/cache/apache2:/run/humhub_sessions"
php_admin_flag display_startup_errors Off
php_admin_flag display_errors Off
php_admin_flag file_uploads On
php_admin_flag allow_url_fopen Off
php_admin_value upload_tmp_dir "/var/cache/apache2"
php_admin_value session.save_path "/run/humhub_sessions/"
php_admin_value disable_functions "posix_setpgid,exec,ftp_login,mysql_pconnect,apache_setenv,popen,posix_getpwuid,posix_setsid,passthru,escapeshellcmd,ini_alter,ftp_raw,ftp_nb_fput,ini_restore,shell_exec,ftp_get,proc_get_status,highlight_file,proc_close,proc_terminate,syslog,ftp_connect,posix_uname,ini_get_all,proc_open,posix_kill,escapeshellarg,ftp_rawlist,posix_setuid,openlog,php_uname,system,ftp_exec,posix_mkfifo,proc_nice,ftp_put"
php_admin_value memory_limit "1024M"
php_admin_value max_execution_time 120
</IfModule>
</Directory>
