.htaccess in OLS dummy question

ljubacanoa · Jan 17, 2023

As far as I can see, .htaccess is not fully supported in OLS (it is in Enterprise) and it should to mean (if I get well "full support" meaning) that many settings should be directly set in .htaccess. However, when I add my settings in .htaccess, nothing is changed. It is obvious how OLS make some kind of rewrite of .htaccess.

Question is - if I didn't missed some other settings (in Console), what is exact position in .htaccess where I should to add my settings (before OLS section, between OLS and WP section or ofter WP section)?

Cold-Egg · Jan 17, 2023

Not quite sure about the issue. Usually, you can put the .htaccess file under the document root location, and, only rewrite rules will be adopted, others will be ignored.

ljubacanoa · Jan 17, 2023

Did I understand well that NO OTHER settings added by me in .htaccess file will be applied, except Rewrite Rules (what I can add in Console also)?

Besically, it is waste of time to add anything to .htaccess file (as it is easier to add rewrite rules in Console), correct?

P.S. - Here is code, initially added after # END NON_LSCACHE

Apache config:

# BEGIN ModPagespeed
<IfModule pagespeed_module>
  ModPagespeed off
</IfModule>
# END ModPagespeed

# START - [Security] Blocked access to ".ht" files
<FilesMatch "^\.ht">
  Deny from all
</FilesMatch>
<FilesMatch "^\.ftp">
  Deny from all
</FilesMatch>
<FilesMatch "^php.ini$">
  Deny from all
</FilesMatch>
<FilesMatch "^\.well-known">
  Allow from all
</FilesMatch>
# END

# BEGIN cors
<FilesMatch "\.(?:ttf|eot|woff|otf)$">
  Header set Access-Control-Allow-Origin "*"
</FilesMatch>
#END

# BEGIN Directory browsing
<IfModule mod_autoindex.c>
  Options -Indexes
</IfModule>
# END Directory browsing

DirectoryIndex index.php index.html /index.php
Options None
Options FollowSymLinks
ServerSignature Off


# START WordPress Regular Expression
<IfModule mod_rewrite.c>
  RewriteEngine On

  # [Security] Canonical domain settings
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

  # [Security] We block TRACE and TRACK requests
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]

  # [Security] General static files
  RewriteRule readme\.(html|txt) - [L,R=404]
  RewriteRule (licencia|license|LICENSE|olvasdel|lisenssi|liesmich)\.(html|txt) - [L,R=404]

  # [Security] WordPress own files
  RewriteRule ^wp-config - [L,R=404]
  RewriteRule ^wp-cron\.php - [L,R=404]
  RewriteRule ^wp-admin/(install|setup-config|upgrade)\.php - [L,R=404]
  RewriteRule ^wp-admin/maint/repair\.php - [L,R=404]
  RewriteRule ^wp-links-opml\.php$ - [L,R=404]

  # [Security] User listing blocking
  RewriteCond %{QUERY_STRING} ^author= [NC]
  RewriteRule .* - [F,L]
  RewriteRule ^author/ - [F,L]

  # [Security] Folder Listing Lock
  RewriteRule ^wp-content/mu-plugins/$ - [L,R=404]
  RewriteRule ^wp-content/(plugins|themes)/(.+)/$ - [L,R=404]

  # [Security] Block insecure files
  RewriteRule ^wp-content/(?:uploads|files)/.+\.(html|js|php|shtml|swf)$ - [L,R=403]
  RewriteRule ^wp-content/plugins/.+\.(aac|avi|bz2|cur|docx?|eot|exe|flv|gz|heic|htc|m4a|midi?|mov|mp3|mp4|mpe?g|ogg|ogv|otf|pdf|pptx?|rar|rtf|tar|tgz|tiff?|ttc|wav|wmv|xlsx?|zip) - [L,R=404]

  # [Security] Other locks
  RewriteRule ^sftp-config.json - [L,R=404]
  RewriteRule (access|error)_log - [L,R=404]
  RewriteRule installer-log\.txt - [L,R=404]
  RewriteRule wp-content/debug\.log - [L,R=404]
  RewriteRule (^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$ - [L,R=404]

</IfModule>
# END

# START - [Security] Mitigation CVE-2018-6389
<FilesMatch "load-(scripts|styles)\.php">
  Deny from all
</FilesMatch>
# END

# START - [Security] XML-RPC
<FilesMatch "xmlrpc\.php">
    Deny from all
</FilesMatch>
# END

# START - [Security] Do not execute files in Uploads
<FilesMatch "wp-content/uploads/(.+)\.php">
  Deny from all
</FilesMatch>
# END

# BEGIN WordPress
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

  ### START WP includes
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
  ### END WP includes

  ### START SQL Injection
  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
  RewriteRule ^(.*)$ index.php [F,L]
  ### END SQL Injection

  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# BEGIN HTTP Security Headers
<IfModule mod_headers.c>
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  Header always set Content-Security-Policy: upgrade-insecure-requests;
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "DENY"
  Header unset Pragma
  Header always unset WP-Super-Cache
  Header always unset X-Pingback
</IfModule>
# END HTTP Security Headers

# BEGIN HttpHeadersCompression
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/json
  AddOutputFilterByType DEFLATE application/ld+json
  AddOutputFilterByType DEFLATE application/manifest+json
  AddOutputFilterByType DEFLATE application/rdf+xml
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/schema+json
  AddOutputFilterByType DEFLATE application/vnd.geo+json
  AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/eot
  AddOutputFilterByType DEFLATE image/bmp
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE image/vnd.microsoft.icon
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/x-component
  AddOutputFilterByType DEFLATE text/xml
</IfModule>
# END HttpHeadersCompression

Cold-Egg · Jan 18, 2023

Correct.
Other settings cab be done from the web console.
1. Pagespeed module is disabled by default , no need to config.
2. CORS can be added from the context (https://openlitespeed.org/kb/setting-up-cors-on-openlitespeed/)

ljubacanoa · Jan 18, 2023

Hello,

Thanks for make me more clear and for two remarks. So, I'm clear with headers and Rewrite Rules, but it is not clear form me how and where in console to add rest of the settings (if I need that at all in OLS server). I would greatly appreciate it if you could help here with this "rest of the setup".

Remaining setups are:

Apache config:

# START - [Security] Blocked access to ".ht" files
<FilesMatch "^\.ht">
  Deny from all
</FilesMatch>
<FilesMatch "^\.ftp">
  Deny from all
</FilesMatch>
<FilesMatch "^php.ini$">
  Deny from all
</FilesMatch>
<FilesMatch "^\.well-known">
  Allow from all
</FilesMatch>
# END

# BEGIN Directory browsing
<IfModule mod_autoindex.c>
  Options -Indexes
</IfModule>
# END Directory browsing

# BEGIN SymLinks
DirectoryIndex index.php index.html /index.php
Options None
Options FollowSymLinks
ServerSignature Off
# END SymLinks

# START - [Security] Mitigation CVE-2018-6389
<FilesMatch "load-(scripts|styles)\.php">
  Deny from all
</FilesMatch>
# END

# START - [Security] XML-RPC
<FilesMatch "xmlrpc\.php">
    Deny from all
</FilesMatch>
# END

# START - [Security] Do not execute files in Uploads
<FilesMatch "wp-content/uploads/(.+)\.php">
  Deny from all
</FilesMatch>
# END

# BEGIN HttpHeadersCompression
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/json
  AddOutputFilterByType DEFLATE application/ld+json
  AddOutputFilterByType DEFLATE application/manifest+json
  AddOutputFilterByType DEFLATE application/rdf+xml
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/schema+json
  AddOutputFilterByType DEFLATE application/vnd.geo+json
  AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/eot
  AddOutputFilterByType DEFLATE image/bmp
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE image/vnd.microsoft.icon
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/x-component
  AddOutputFilterByType DEFLATE text/xml
</IfModule>
# END HttpHeadersCompression

.htaccess in OLS dummy question

ljubacanoa

Member

Cold-Egg

Administrator

ljubacanoa

Member

Cold-Egg

Administrator

ljubacanoa

Member