first commit

webserver-configs/Caddyfile

@@ -0,0 +1,31 @@
+# To use this file simply install caddy and run the command below from the root of your Grav site
+# Once running it will redirect http://localhost to https://localhost (new default for Caddy2)
+# More infromation here: https://caddyserver.com/docs/
+#
+# $ caddy run --config webserver-configs/Caddyfile
+
+localhost
+encode gzip
+root * .
+file_server
+
+php_fastcgi 127.0.0.1:9000
+
+# Begin - Security
+# deny all direct access for these folders
+rewrite /(\.git|cache|bin|logs|backups|tests)/.* /403
+
+# deny running scripts inside core system folders
+rewrite /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ /403
+
+# deny running scripts inside user folder
+rewrite /user/.*\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ /403
+
+# deny access to specific files in the root folder
+rewrite /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) /403
+
+respond /403 403
+## End - Security
+
+# global rewrite should come last.
+try_files {path} {path}/ /index.php?_url={uri}&{query}

webserver-configs/Caddyfile-0.8.x

@@ -0,0 +1,33 @@
+# Caddyfile for Caddy 0.8.x and below
+
+:8080
+gzip
+fastcgi / 127.0.0.1:9000 php
+
+# Begin - Security
+# deny all direct access for these folders
+rewrite {
+    r       /(\.git|cache|bin|logs|backups|tests)/.*$
+    status  403
+}
+# deny running scripts inside core system folders
+rewrite {
+    r       /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$
+    status  403
+}
+# deny running scripts inside user folder
+rewrite {
+    r       /user/.*\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$
+    status  403
+}
+# deny access to specific files in the root folder
+rewrite {
+    r       /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)
+    status  403
+}
+## End - Security
+
+# global rewrite should come last.
+rewrite {
+    to  {path} {path}/ /index.php?_url={uri}&{query}
+}

webserver-configs/htaccess.txt

@@ -0,0 +1,78 @@
+<IfModule mod_rewrite.c>
+
+RewriteEngine On
+
+## Begin RewriteBase
+# If you are getting 500 or 404 errors on subpages, you may have to uncomment the RewriteBase entry
+# You should change the '/' to your appropriate subfolder. For example if you have
+# your Grav install at the root of your site '/' should work, else it might be something
+# along the lines of: RewriteBase /<your_sub_folder>
+##
+
+# RewriteBase /
+
+## End - RewriteBase
+
+## Begin - X-Forwarded-Proto
+# In some hosted or load balanced environments, SSL negotiation happens upstream.
+# In order for Grav to recognize the connection as secure, you need to uncomment
+# the following lines.
+#
+# RewriteCond %{HTTP:X-Forwarded-Proto} https
+# RewriteRule .* - [E=HTTPS:on]
+#
+## End - X-Forwarded-Proto
+
+## Begin - Exploits
+# If you experience problems on your site block out the operations listed below
+# This attempts to block the most common type of exploit `attempts` to Grav
+#
+# Block out any script trying to use twig tags in URL.
+RewriteCond %{REQUEST_URI} ({{|}}|{%|%}) [OR]
+RewriteCond %{QUERY_STRING} ({{|}}|{%25|%25}) [OR]
+# Block out any script trying to base64_encode data within the URL.
+RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
+# Block out any script that includes a <script> tag in URL.
+RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
+# Block out any script trying to set a PHP GLOBALS variable via URL.
+RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
+# Block out any script trying to modify a _REQUEST variable via URL.
+RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
+# Return 403 Forbidden header and show the content of the root homepage
+RewriteRule .* index.php [F]
+#
+## End - Exploits
+
+## Begin - Index
+# If the requested path and file is not /index.php and the request
+# has not already been internally rewritten to the index.php script
+RewriteCond %{REQUEST_URI} !^/index\.php
+# and the requested path and file doesn't directly match a physical file
+RewriteCond %{REQUEST_FILENAME} !-f
+# and the requested path and file doesn't directly match a physical folder
+RewriteCond %{REQUEST_FILENAME} !-d
+# internally rewrite the request to the index.php script
+RewriteRule .* index.php [L]
+## End - Index
+
+## Begin - Security
+# Block all direct access for these folders
+RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
+# Block access to specific file types for these system folders
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ error [F]
+# Block access to specific file types for these user folders
+RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ error [F]
+# Block all direct access to .md files:
+RewriteRule \.md$ error [F]
+# Block all direct access to files and folders beginning with a dot
+RewriteRule (^|/)\.(?!well-known) - [F]
+# Block access to specific files in the root folder
+RewriteRule ^(LICENSE\.txt|composer\.lock|composer\.json|\.htaccess)$ error [F]
+## End - Security
+
+</IfModule>
+
+# Begin - Prevent Browsing and Set Default Resources
+Options -Indexes
+DirectoryIndex index.php index.html index.htm
+# End - Prevent Browsing and Set Default Resources

webserver-configs/lighttpd.conf

@@ -0,0 +1,48 @@
+############# DO NOT FORGET TO CHANGE "grav_path" BY YOUR ACTUAL GRAV INSTALLATION FOLDER #############
+############# IF GRAV IS AT THE ROOT OF YOUR WEBSITE, ie http://yoursite.tld POINTS TO    #############
+############# GRAV DIRECTLY, THEN JUST REMOVE ANY "/grav_path/" MENTION BELOW. OTHERWISE  #############
+############# WE ASSUME YOU RUN AN INSTALLATION SUCH AS http://yoursite.tld/grav_path/    #############
+#######################################################################################################
+### GRAV RULES FOR LIGHTTPD ###
+###        By Mr3ase        ###
+###  Last Rev. 2015/11/20   ###
+
+#PREVENTING EXPLOITS
+$HTTP["querystring"] =~ "base64_encode[^(]*\([^)]*\)" {
+    url.redirect = (".*" => "/grav_path/index.php"       )
+}
+$HTTP["querystring"] =~ "(<|%3C)([^s]*s)+cript.*(>|%3E)" {
+    url.redirect = (".*" => "/grav_path/index.php" )
+}
+$HTTP["querystring"] =~ "GLOBALS(=|\[|\%[0-9A-Z])" {
+    url.redirect = (".*" => "/grav_path/index.php" )
+}
+$HTTP["querystring"] =~ "_REQUEST(=|\[|\%[0-9A-Z])" {
+    url.redirect = (".*" => "/grav_path/index.php" )
+}
+
+#REROUTING TO THE INDEX PAGE
+url.rewrite-if-not-file = (
+    "^/grav_path/(.*)$" => "/grav_path/index.php?$1"
+)
+
+#IMPROVING SECURITY
+$HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\.conf|web\.config)$" {
+    url.access-deny = ("")
+}
+$HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" {
+    url.access-deny = ("")
+}
+$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|twig|sh|bat)$" {
+    url.access-deny = ("")
+}
+$HTTP["url"] =~ "^/grav_path/(\.(.*))" {
+    url.access-deny = ("")
+}
+url.access-deny += (".md","~",".inc")
+
+#PREVENT BROWSING AND SET INDEXES
+$HTTP["url"] =~ "^/grav_path($|/)" {
+    dir-listing.activate = "disable"
+    index-file.names = ( "index.php", "index.html" , "index.htm" )
+}

webserver-configs/nginx.conf

@@ -0,0 +1,44 @@
+server {
+    #listen 80;
+    index index.html index.php;
+
+    ## Begin - Server Info
+    root /home/USER/www/html;
+    server_name localhost;
+    ## End - Server Info
+
+    ## Begin - Index
+    # for subfolders, simply adjust:
+    # `location /subfolder {`
+    # and the rewrite to use `/subfolder/index.php`
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+    ## End - Index
+
+    ## Begin - Security
+    # deny all direct access for these folders
+    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+    # deny running scripts inside core system folders
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny running scripts inside user folder
+    location ~* /user/.*\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny access to specific files in the root folder
+    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+    ## End - Security
+
+    ## Begin - PHP
+    location ~ \.php$ {
+        # Choose either a socket or TCP/IP address
+        fastcgi_pass unix:/var/run/php/php-fpm.sock;
+        # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy
+        # fastcgi_pass 127.0.0.1:9000;
+
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+    }
+    ## End - PHP
+}
+

webserver-configs/web.config

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+    <system.webServer>
+        <defaultDocument>
+            <files>
+                <remove value="index.php" />
+                <add value="index.php" />
+            </files>
+        </defaultDocument>
+        <rewrite>
+            <rules>
+                <rule name="request_filename" stopProcessing="true">
+                    <match url="." ignoreCase="false" />
+                    <conditions logicalGrouping="MatchAll">
+                        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
+                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
+                    </conditions>
+                    <action type="Rewrite" url="index.php" />
+                </rule>
+                <rule name="user_error_redirect" stopProcessing="true">
+                    <match url="^(user)/(.*)\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
+                    <action type="Redirect" url="error" redirectType="Permanent" />
+                </rule>
+                <rule name="ignore_folders" stopProcessing="true">
+                    <match url="^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*)" ignoreCase="false" />
+                    <action type="Redirect" url="error" redirectType="Permanent" />
+                </rule>
+                <rule name="system" stopProcessing="true">
+                    <match url="^system/(.*)\.(txt|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|twig|sh|bat)$" ignoreCase="false" />
+                    <action type="Redirect" url="error" redirectType="Permanent" />
+                </rule>
+                <rule name="vendor" stopProcessing="true">
+                    <match url="^vendor/(.*)\.(txt|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|twig|sh|bat)$" ignoreCase="false" />
+                    <action type="Redirect" url="error" redirectType="Permanent" />
+                </rule>
+            </rules>
+        </rewrite>
+    </system.webServer>
+    <system.web>
+        <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,\,?" />
+    </system.web>
+</configuration>