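# Disable signatures protection #
# ServerSignature Off removes the version footer Apache appends to pages it
# generates itself (error pages, listings). It does not change the "Server:"
# response header; that is governed by ServerTokens, which is only accepted in
# the main server configuration and not in a per-directory file like this one.
ServerSignature Off
# SecServerSignature is a ModSecurity directive whose documented scope is the
# main server configuration, so it is left disabled in this per-directory file.
# Set it in the server config if the Server header has to be rewritten.
# SecServerSignature ''
# Hide directory listings #
# NOTE(review): no directive follows this heading in this copy of the file.
# "Options -Indexes" is the usual directive and needs AllowOverride Options.
# Prevent viewing of .htaccess file #
# The deny directives are scoped to the .htaccess file itself. Without the
# <Files> wrapper they would apply to every request served from this directory.
<Files ".htaccess">
    # Apache >= 2.3
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>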
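# Server protection #
# Do Not Track: Universal Third-Party Web Tracking Opt Out
# http://datatracker.ietf.org/doc/draft-mayer-do-not-track/
# Sets the DO_NOT_TRACK environment variable when the DNT request header
# matches "1", so that application code can honour the opt-out.
SetEnvIfNoCase DNT 1 DO_NOT_TRACK
# Protect against Apache HTTP Server Denial Of Service Vulnerability. CVE-2011-3192
# Workaround for servers that have not been patched: a Range header carrying
# five or more comma-separated continuations is flagged and removed before the
# byte-range handling sees it. Requires mod_setenvif and mod_headers.
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# Request-Range is a legacy synonym of Range that reaches the same byte-range
# code, so it is always dropped as part of the same mitigation.
RequestHeader unset Request-Range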
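# HTTP Headers #
# All directives in this section need mod_headers. Plain "Header set" only
# applies to successful (2xx) responses; error pages and redirects generated by
# Apache do not carry these headers unless the "always" condition is used.
# Enable keep-alive
# NOTE(review): whether connections are actually kept open is decided by the
# KeepAlive setting in the server configuration, not by this header.
Header set Connection keep-alive
# Disable your PHP version number from showing up in HTTP headers for added security.
Header unset X-Powered-By
# Only allow pages to be framed by documents from the same origin.
# This defends against clickjacking (UI redressing). It is not a CSRF defence:
# CSRF protection still has to come from the application (tokens, SameSite cookies).
Header set X-Frame-Options SAMEORIGIN
# Control Cross-Domain Policies
# Only the master policy file at the site root is honoured by Flash/Acrobat clients.
Header set X-Permitted-Cross-Domain-Policies "master-only"
# Turn on IE8-IE9 XSS prevention tools
# Legacy header: current browsers ignore it, so output encoding and a
# Content-Security-Policy remain the actual XSS defences.
Header set X-XSS-Protection "1; mode=block"
# Prevent mime based attacks
# Stops browsers from guessing a content type different from the declared one.
Header set X-Content-Type-Options "nosniff"
# Use this to force IE to hide that annoying browser compatibility button in the address bar.
# IE=edge means IE should use the latest (edge) version of its rendering engine.
# Only IE=Edge is sent here; no chrome=1 token is included in the value.
# BrowserMatch sets the "ie" environment variable for MSIE user agents, but the
# Header line below is unconditional and does not reference it.
BrowserMatch MSIE ie
Header set X-UA-Compatible "IE=Edge"
# Disable server signature
# ServerSignature and ServerTokens are Apache configuration directives, not
# response headers. Sending headers with those names hides nothing and only adds
# two meaningless fields to every response, so no Header line is emitted here.
# ServerSignature is configured as a directive at the top of this file;
# ServerTokens Prod has to be set in the main server configuration.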
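# Rewrite rules #
# Patterns are matched against the path relative to this directory (RewriteBase /).
RewriteEngine on
RewriteBase /
# Core #
# Private messages: numeric captures only. The fourth capture is forwarded as the
# "quote" parameter (the "&quot" of "&quote=" had been decoded into a stray
# double quote, which broke the substitution).
RewriteRule ^user/pm-?([0-9]+)-?([0-9]{0,})-?([0-9]{0,})-?([0-9]{0,})-?([a-z_]{0,})\.php$ /user/pm.php?pm=$1&id=$2&p=$3&quote=$4 [L,QSA]
# Admin front controllers: the rest of the path is handed over as "url".
# The character class [\w/_-] keeps dots out of the capture, so "../" sequences
# and file extensions cannot be passed through these rules.
# NOTE(review): nothing in this file restricts access to /admin/; authentication
# and authorisation are presumably enforced by the PHP controllers - confirm.
RewriteRule ^admin/cache/([\w/_-]*)$ /admin/cache/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/config/([\w/_-]*)$ /admin/config/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/content/([\w/_-]*)$ /admin/content/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/errors/([\w/_-]*)$ /admin/errors/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/files/([\w/_-]*)$ /admin/files/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/langs/([\w/_-]*)$ /admin/langs/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/maintain/([\w/_-]*)$ /admin/maintain/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/member/([\w/_-]*)$ /admin/member/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/modules/([\w/_-]*)$ /admin/modules/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/server/([\w/_-]*)$ /admin/server/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/smileys/([\w/_-]*)$ /admin/smileys/index.php?url=/$1 [L,QSA]
RewriteRule ^admin/themes/([\w/_-]*)$ /admin/themes/index.php?url=/$1 [L,QSA]
RewriteRule ^syndication/([\w/_-]*)$ /syndication/index.php?url=/$1 [L,QSA]
# The hyphen is placed last so that it is a literal. Written as [\w/-_] the class
# contained a range from "/" to "_", which admitted characters such as < > [ ]
# and did not match "-" at all, unlike every other rule in this section.
RewriteRule ^user/([\w/_-]*)$ /user/index.php?url=/$1 [L,QSA]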
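# Modules rules #
# Each module forwards the remaining path to its front controller as "url".
# The class [\w/_-] excludes dots, so neither "../" nor file extensions get through.
# database #
RewriteRule ^database/([\w/_-]*)$ /database/index.php?url=/$1 [L,QSA]
# faq #
RewriteRule ^faq/([\w/_-]*)$ /faq/index.php?url=/$1 [L,QSA]
# forum #
# Legacy forum URLs: ids are numeric; the trailing "+title" part is matched but not forwarded.
RewriteRule ^forum/forum-([0-9]+)-?([0-9]*)(\+?[^.]*)\.php$ /forum/forum.php?id=$1&p=$2 [L,QSA]
# The fourth capture is forwarded as the "quote" parameter (the "&quot" of
# "&quote=" had been decoded into a stray double quote). This rule has no QSA,
# so any query string sent by the client is discarded.
RewriteRule ^forum/topic-([0-9]+)-?([0-9]*)-?([0-9]*)-?([0-9]*)(\+?[^.]*)\.php$ /forum/topic.php?id=$1&pt=$2&idm=$3&quote=$4 [L]
RewriteRule ^forum/cat-([0-9]+)(\+?[^.]*)\.php$ /forum/index.php?id=$1 [L,QSA]
# forum #
RewriteRule ^forum/([\w/_-]*)$ /forum/index.php?url=/$1 [L,QSA]
# guestbook #
RewriteRule ^guestbook/([\w/_-]*)$ /guestbook/index.php?url=/$1 [L,QSA]
# news #
RewriteRule ^news/([\w/_-]*)$ /news/index.php?url=/$1 [L,QSA]
# newsletter #
RewriteRule ^newsletter/([\w/_-]*)$ /newsletter/index.php?url=/$1 [L,QSA]
# online #
RewriteRule ^online/([\w/_-]*)$ /online/index.php?url=/$1 [L,QSA]
# pages #
# No flags: processing continues with the rules below, and the client's query
# string is replaced by "title=...".
RewriteRule ^pages/([a-z0-9-]+)$ /pages/pages.php?title=$1
# shoutbox #
RewriteRule ^shoutbox/([\w/_-]*)$ /shoutbox/index.php?url=/$1 [L,QSA]
# stats #
# The captured lowercase word becomes a parameter NAME ("?<word>=1").
# NOTE(review): stats.php should only act on the names it expects - confirm.
RewriteRule ^stats/stats-([a-z]+)\.php$ /stats/stats.php?$1=1 [L,QSA]
# sitemap #
RewriteRule ^sitemap/([\w/_-]*)$ /sitemap/index.php?url=/$1 [L,QSA]
# customization #
# Same class as above, with an optional ".css" suffix allowed in the capture.
RewriteRule ^customization/([\w/_-]*(?:\.css)?)$ /customization/index.php?url=/$1 [L,QSA]
# wiki #
# No flags, same behaviour as the pages rule above.
RewriteRule ^wiki/([a-z0-9-]+)/?$ /wiki/wiki.php?title=$1
# ReCaptcha #
RewriteRule ^ReCaptcha/([\w/_-]*)$ /ReCaptcha/index.php?url=/$1 [L,QSA]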
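# UrlUpdater #
# Permanent redirects from the old ".php" URLs to the new paths. Every target is
# a fixed local path, so the redirect destination cannot be pointed at another
# host by the request. The dot before "php" is escaped so that it matches only
# a literal "." instead of any character.
RewriteRule ^news/news\.php$ /news/ [L,R=301]
RewriteRule ^news/news-0\+([^.]*)\.php$ /news/0-root/ [L,R=301]
RewriteRule ^news/news-0-([0-9]*)\+([^.]*)\.php$ /news/0-root/$1-$2/ [L,R=301]
RewriteRule ^news/news-5\+([^.]*)\.php$ /news/5-l-actu-de-trainz/ [L,R=301]
RewriteRule ^news/news-5-([0-9]*)\+([^.]*)\.php$ /news/5-l-actu-de-trainz/$1-$2/ [L,R=301]
RewriteRule ^news/news-6\+([^.]*)\.php$ /news/6-trainz-c-est-beau/ [L,R=301]
RewriteRule ^news/news-6-([0-9]*)\+([^.]*)\.php$ /news/6-trainz-c-est-beau/$1-$2/ [L,R=301]
RewriteRule ^news/news-7\+([^.]*)\.php$ /news/7-la-video-de-la-semaine/ [L,R=301]
RewriteRule ^news/news-7-([0-9]*)\+([^.]*)\.php$ /news/7-la-video-de-la-semaine/$1-$2/ [L,R=301]
RewriteRule ^news/news-9\+([^.]*)\.php$ /news/9-trainz-en-puzzles/ [L,R=301]
RewriteRule ^news/news-9-([0-9]*)\+([^.]*)\.php$ /news/9-trainz-en-puzzles/$1-$2/ [L,R=301]
RewriteRule ^news/news-8\+([^.]*)\.php$ /news/8-projet-sardine/ [L,R=301]
RewriteRule ^news/news-8-([0-9]*)\+([^.]*)\.php$ /news/8-projet-sardine/$1-$2/ [L,R=301]
RewriteRule ^news/news-1\+([^.]*)\.php$ /news/1-news-du-site/ [L,R=301]
RewriteRule ^news/news-1-([0-9]*)\+([^.]*)\.php$ /news/1-news-du-site/$1-$2/ [L,R=301]
RewriteRule ^news/news-4\+([^.]*)\.php$ /news/4-divers/ [L,R=301]
RewriteRule ^news/news-4-([0-9]*)\+([^.]*)\.php$ /news/4-divers/$1-$2/ [L,R=301]
RewriteRule ^calendar/calendar$ /calendar/ [L,R=301]
# Old order of the three numeric parts is reversed in the new URL ($3-$2-$1).
RewriteRule ^calendar/calendar-([0-9]+)-([0-9]+)-([0-9]+)-?([0-9]*)\.php$ /calendar/$3-$2-$1/ [L,R=301]
RewriteRule ^guestbook/guestbook\.php$ /guestbook/ [L,R=301]
# contact #
RewriteRule ^contact/([\w/_-]*)$ /contact/index.php?url=/$1 [L,QSA]
# download #
RewriteRule ^download/([\w/_-]*)$ /download/index.php?url=/$1 [L,QSA]
# dictionary #
# Legacy dictionary URLs: the trailing "+title" part is matched but not forwarded.
RewriteRule ^dictionary/dictionary-([0-9a-z]+)-?([0-9]*)(\+?[^.]*)\.php$ /dictionary/dictionary.php?l=$1&cat=$2 [L,QSA]
# dictionary #
RewriteRule ^dictionary/([\w/_-]*)$ /dictionary/index.php?url=/$1 [L,QSA]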
# PHP and HTTP protections #
# Each RewriteCond chain below applies only to the RewriteRule that follows it,
# and every rule answers 403 Forbidden ([F]) without rewriting the URL ("-").
# NOTE(review): these deny rules sit after the routing rules, most of which end
# with [L]. Placing them directly after "RewriteEngine on" would make them apply
# before any routing takes place - confirm the intended order.
# Disable the HTTP TRACE Method
# Matches any request method that starts with "TRACE".
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# Block out use of illegal or unsafe characters in the HTTP Request
# Looks for a literal or percent-encoded CR/LF in the raw request line; this
# condition is OR-ed with the Referer check below.
RewriteCond %{THE_REQUEST} ^.*(\r|\n|%0A|%0D).* [NC,OR]
# Block out use of illegal or unsafe characters in the Referer Variable of the HTTP Request
# Rejects a Referer holding < > ' or their percent-encoded forms, an encoded
# CR/LF, or an encoded NUL byte.
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule .* - [F,L]
# Protect against PHP-CGI Remote Code Execution Bug. CVE-2012-1823
# Matches a query string that begins with "-" (or %2d) and contains no "=",
# i.e. one that PHP-CGI could take for a command-line switch.
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule .* - [F,L]
# Stop 'PHP Easter Eggs' from working, http://perishablepress.com/expose-php/
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
# Stop proc/self/environ?
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode/decode content via URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
# Block out any script that includes a