Task #28368
Closed
Enhance default .htaccess settings
100%
Description
Idea popped up after seeing lots of Google results "polluted" by BE login forms being indexed.
TYPO3 could come out-of-the-box with some enhanced settings. We already provide default .htaccess settings and of course users of non-Apache servers have to handle it manually but we could have some additional default settings, without going too deep. Here are some ideas:
- Restrict indexation to /typo3, /t3lib, ... does not make sense to allow it anyway
- Templates are commonly stored in /fileadmin/templates, restrict access to .ts, .txt, .html (non-processed configuration files)
We'll see if it makes sense at all.
Updated by Xavier Perseguers over 13 years ago
- Priority changed from Should have to Could have
Updated by Steffen Gebert over 13 years ago
Well, putting that into robots.txt would probably fit better, wouldn't it?
What about #22599?
Updated by Rens Admiraal over 13 years ago
Just some thoughts:
- deny access to fileadmin/templates/*.(txt|ts) for securing typoscript files in default templates folder
- deny access to *.sql directly beneath typo3conf (which can be imported using the install tool)
Updated by Soren Malling over 13 years ago
I'll agree with Steffen G., use robots.txt
I'll suggest
User-agent: *
Disallow: /typo3
Disallow: /typo3temp
Disallow: /typo3conf
Disallow: /t3lib
And +1 for Rens Admiraal's suggestion! :)
Updated by Steffen Gebert over 13 years ago
BUT this only works with TYPO3 being in the root folder of the document root. Nevertheless, I'm fine with adding a robots.txt with these rules to the introduction package and declare it as template (however, not comment the rules out).
+1 for the SQL thingy
Updated by Xavier Perseguers over 13 years ago
Of course the robots.txt is the good choice for (trying) to prevent indexation, not .htaccess. I mixed up ideas here but anyway, we kept being tuned ;-)
Updated by Philipp Gampe over 13 years ago
A .htaccess rule for denying access to the _recycler_ folders would be cool. (If it works for all _recycler_ folders at all levels.)
Updated by Xavier Perseguers over 13 years ago
This does the trick:
RewriteEngine on
RewriteRule _recycler_/ - [F]
Updated by Mr. Hudson over 13 years ago
Patch set 1 of change I94c09f50616af55cfdd9577097251692b2111ae7 has been pushed to the review server.
It is available at http://review.typo3.org/3462
Updated by Mr. Hudson over 13 years ago
Patch set 2 of change I94c09f50616af55cfdd9577097251692b2111ae7 has been pushed to the review server.
It is available at http://review.typo3.org/3462
Updated by Xavier Perseguers over 13 years ago
- Status changed from New to Under Review
- Assignee set to Xavier Perseguers
Updated by Xavier Perseguers over 13 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Change has been successfully cherry-picked as 5443c1bdd76848d9d638f8a536820b4c75c95ca2.
Updated by Xavier Perseguers over 13 years ago
For completeness, configuration when using nginx instead of Apache is as follows:
server {
    # your config here

    ## Security settings
    ##  - Restrict access to deleted files in Recycler directories
    ##  - Restrict access to TypoScript files in default directories
    ##  - Restrict access to Private extension directories
    location ~ /fileadmin/(.+/)?_recycler_/ {
        deny all;
    }
    location ~* /fileadmin/templates/.+\.(txt|ts)$ {
        deny all;
    }
    location ~ /typo3conf/ext/[^/]+/Resources/Private/ {
        deny all;
    }

    ## Default location
    location / {
        ...
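A way to check which request paths the three nginx regex locations above deny, as an added example that is not part of the original thread or of the TYPO3 patch. The sample paths are constructed, the helper names `first_deny_rule` and `audit` are hypothetical, and the model covers only nginx's first-match selection among regex locations (no percent-decoding), using Python's `re` in place of PCRE.

```python
import re

# The three regex locations from the nginx snippet above, in file order.
# "~" is case-sensitive, "~*" is case-insensitive; nginx uses the first
# regex location that matches the request path.
NGINX_DENY_RULES = [
    ("~",  r"/fileadmin/(.+/)?_recycler_/"),
    ("~*", r"/fileadmin/templates/.+\.(txt|ts)$"),
    ("~",  r"/typo3conf/ext/[^/]+/Resources/Private/"),
]

def first_deny_rule(path, rules=NGINX_DENY_RULES):
    """Return the pattern of the first deny rule matching `path`, or None."""
    path = path.split("?", 1)[0]  # location matching ignores the query string
    for modifier, pattern in rules:
        flags = re.IGNORECASE if modifier == "~*" else 0
        if re.search(pattern, path, flags):  # unanchored search, like nginx
            return pattern
    return None

def audit(paths):
    """Map each path to "deny" or "allow" under the rules above."""
    return {p: ("deny" if first_deny_rule(p) else "allow") for p in paths}

# Constructed request paths (assumptions, not taken from a real site).
SAMPLE_PATHS = [
    "/fileadmin/_recycler_/old.pdf",                     # recycler at top level
    "/fileadmin/user_upload/2011/_recycler_/draft.doc",  # nested recycler
    "/fileadmin/templates/setup.ts",
    "/fileadmin/templates/ext/constants.TXT?x=1",        # upper case + query
    "/fileadmin/templates/main.html",                    # .html is not in the rule
    "/typo3conf/ext/my_ext/Resources/Private/Templates/List.html",
    "/typo3conf/ext/my_ext/Resources/Public/Css/site.css",
    "/typo3conf/dump.sql",                               # no rule in the snippet
    "/fileadmin/_RECYCLER_/old.pdf",                     # "~" is case-sensitive
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_PATHS).items():
        print(f"{verdict:5}  {path}")
```

The paths reported as "allow" show what the snippet does not cover, such as the *.sql files beneath typo3conf mentioned earlier in the thread, which need a rule of their own.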
Updated by Xavier Perseguers over 12 years ago
- Status changed from Resolved to Closed
Updated by Ernesto Baschny over 11 years ago
- Target version deleted (4.6.0-beta1)