############# DO NOT FORGET TO CHANGE "grav_path" BY YOUR ACTUAL GRAV INSTALLATION FOLDER ############# ############# IF GRAV IS AT THE ROOT OF YOUR WEBSITE, ie http://yoursite.tld POINTS TO ############# ############# GRAV DIRECTLY, THEN JUST REMOVE ANY "/grav_path/" MENTION BELOW. OTHERWISE ############# ############# WE ASSUME YOU RUN AN INSTALLATION SUCH AS http://yoursite.tld/grav_path/ ############# ####################################################################################################### ### GRAV RULES FOR LIGHTTPD ### ### By Mr3ase ### ### Last Rev. 2015/11/20 ### #PREVENTING EXPLOITS $HTTP["querystring"] =~ "base64_encode[^(]*\([^)]*\)" { url.redirect = (".*" => "/grav_path/index.php" ) } $HTTP["querystring"] =~ "(<|%3C)([^s]*s)+cript.*(>|%3E)" { url.redirect = (".*" => "/grav_path/index.php" ) } $HTTP["querystring"] =~ "GLOBALS(=|\[|\%[0-9A-Z])" { url.redirect = (".*" => "/grav_path/index.php" ) } $HTTP["querystring"] =~ "_REQUEST(=|\[|\%[0-9A-Z])" { url.redirect = (".*" => "/grav_path/index.php" ) } #REROUTING TO THE INDEX PAGE url.rewrite-if-not-file = ( "^/grav_path/(.*)$" => "/grav_path/index.php?$1" ) #IMPROVING SECURITY $HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\.conf|web\.config)$" { url.access-deny = ("") } $HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" { url.access-deny = ("") } $HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" { url.access-deny = ("") } $HTTP["url"] =~ "^/grav_path/(\.(.*))" { url.access-deny = ("") } url.access-deny += (".md","~",".inc") #PREVENT BROWSING AND SET INDEXES $HTTP["url"] =~ "^/grav_path($|/)" { dir-listing.activate = "disable" index-file.names = ( "index.php", "index.html" , "index.htm" ) }