chamilo-lms/.htaccess

# Check that your Apache virtualhost have this settings:

#<Directory "/var/www/chamilo-classic">
#  AllowOverride All
#  Order allow,deny
#  Allow from all
#</Directory>

RewriteEngine on

# Disables access to myfile.php/something
AcceptPathInfo Off

# Prevent execution of PHP from directories used for different types of uploads
RedirectMatch 403 ^/app/(?!courses/proxy)(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/web/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/app/config/.*\.yml(\.dist)?$

# http://my.chamilo.net/certificates/?id=123 to http://my.chamilo.net/certificates/index.php?id=123
RewriteCond %{QUERY_STRING} ^id=(.*)$
RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]

# Course redirection
RewriteRule ^courses/([^/]+)/?$ main/course_home/course_home.php?cDir=$1 [QSA,L]
RewriteRule ^courses/([^/]+)/index.php$ main/course_home/course_home.php?cDir=$1 [QSA,L]

# Rewrite everything in the scorm folder of a course to the download script
# except JS, CSS and some image files, which can be served directly
RewriteRule ^courses/([^/]+)/scorm/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/scorm/$2 [QSA,L]
RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_url=/$2&cDir=$1 [QSA,L]

# Rewrite everything in the document folder of a course to the download script
# Except certificate resources, which might need to be accessible publicly to all
RewriteRule ^courses/([^/]+)/document/certificates/(.*)$ app/courses/$1/document/certificates/$2 [QSA,L]
# Note : since version 2.4.38-3 of Apache a security fix had a side effect that broke redirections with spaces.
# To fix this issue we did not have a common syntaxis but it work with one of those 2 options :
# changing at the end of the following line [QSA,L] for [QSA,L,B=\x20?] or for "[QSA,L,B= ?,BNP]" (with the quotes)
# We have opted to use the latter by default. If you are encountering "Not found" issues when entering course homepages,
# you might want to try either of the other 2 forms.
RewriteRule ^courses/([^/]+)/document/(.*)$ main/document/download.php?doc_url=/$2&cDir=$1 "[QSA,L,B= ?,BNP]"

# Optimize load of custom per-course icons in courses (avoid download_uploaded_files.php)
RewriteRule ^courses/([^/]+)/upload/course_home_icons/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 [QSA,L]
# Course upload files
# See note on line 37
RewriteRule ^courses/([^/]+)/upload/([^/]+)/(.*)$ main/document/download_uploaded_files.php?code=$1&type=$2&file=$3 "[QSA,L,B= ?,BNP]"

# Rewrite everything in the work folder
# See note on line 37
RewriteRule ^courses/([^/]+)/work/(.*)$ main/work/download.php?file=work/$2&cDir=$1 "[QSA,L,B= ?,BNP]"

RewriteRule ^courses/([^/]+)/course-pic85x85.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_source [QSA,L]
RewriteRule ^courses/([^/]+)/course-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_large_source [QSA,L]
RewriteRule ^courses/([^/]+)/course-email-pic-cropped.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_email_image_source [QSA,L]
RewriteRule ^courses/([^/]+)/course-email-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_email_image_large_source [QSA,L]

# Redirect all courses/ to app/courses/
RewriteRule ^courses/([^/]+)/(.*)$ app/courses/$1/$2 [QSA,L]

# About session
RewriteRule ^session/(\d{1,})/about/?$ main/session/about.php?session_id=$1 [QSA,L]

# About course
RewriteRule ^course/(\d{1,})/about/?$ main/course_info/about.php?course_id=$1 [QSA,L]

# Issued individual badge friendly URL
RewriteRule ^badge/(\d{1,})/?$ main/badge/issued.php?issue=$1 [QSA,L]

# Issued badges friendly URL
RewriteRule ^skill/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]
# Support deprecated URL (avoid 404)
RewriteRule ^badge/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]

# Support old URLs using the exercice (with a c) folder rather than exercise
RewriteRule ^main/exercice/(.*)$ main/exercise/$1 [QSA,L]
# Support old URLs using the newscorm folder rather than lp
RewriteRule ^main/newscorm/(.*)$ main/lp/$1 [QSA,L]

# service Information
RewriteRule ^service/(\d{1,})$ plugin/buycourses/src/service_information.php?service_id=$1 [L]

# LTI outcome service
RewriteRule ^lti/os$ plugin/ims_lti/outcome_service.php [L]

# Deny direct access to user my files
# See note on line 37
RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 "[QSA,L,B= ?,BNP]"

# Deny access
RewriteRule ^(tests|.git) - [F,L,NC]

# Add caching of woff font files to avoid loading 2*15KB each time with Chamilo
# default OpenSans font
AddType application/font-woff .woff .woff2
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType application/font-woff "access plus 1 month"
</IfModule>

# Force SSL/HTTPS
# We recommend you place this block in your VirtualHost config rather
# than uncommenting it below. However, if you have no other way,
# feel free to uncomment it, but please remember that this file will 
# be overwritten during your next Chamilo update.
# Also note this will only work if you have an SSL certificate
# configured elsewhere in your Apache configuration.

#RewriteCond %{HTTPS} !=on
#RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#<IfModule mod_headers.c>
#  Header always set Content-Security-Policy "upgrade-insecure-requests;"
#</IfModule>

# Disallow direct access to /main/inc/lib/javascript/bigupload/files
RedirectMatch 403 ^/main/inc/lib/javascript/bigupload/files

# Disallow MIME sniffing to prevent XSS from unknown/incorrect file extensions
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options nosniff
</IfModule>

<Files "web.config">
  Require all denied
</Files>

<IfModule mod_autoindex.c>
  Options -Indexes
</IfModule>
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`# Check that your Apache virtualhost have this settings:`

			`#<Directory "/var/www/chamilo-classic">`
			`# AllowOverride All`
			`# Order allow,deny`
			`# Allow from all`
			`#</Directory>`

			`RewriteEngine on`

Add AcceptPathInfo Off in order to disable access to myfile.php/something 4 years ago			`# Disables access to myfile.php/something`
			`AcceptPathInfo Off`

Security: add rules to .htaccess to prevent direct PHP execution from the corresponding directories and updates security.html with a missing change in the previous commit. Using security.html is still the recommended way to go for security, but in the absence of that, we want to make sure Chamilo is always more secure. 7 years ago			`# Prevent execution of PHP from directories used for different types of uploads`
Add app/courses/proxy.php add rule in .htaccess to allow that file BT#15402 7 years ago			`RedirectMatch 403 ^/app/(?!courses/proxy)(cache\|courses\|home\|logs\|upload\|Resources/public/css)/.*\.ph(p[3457]?\|t\|tml\|ar)$`
Security: Update PHP files extension matching pattern in .htaccess and documentation to match all possible forms supported by PHP 5 and PHP 7. 7 years ago			`RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?\|t\|tml\|ar)$`
			`RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?\|t\|tml\|ar)$`
Update .htaccess. disallow PHP inside web/ 4 years ago			`RedirectMatch 403 ^/web/.*\.ph(p[3457]?\|t\|tml\|ar)$`
Security: Add forbidden access to .yml and .yml.dist to .htaccess - refs BT#20295 3 years ago			`RedirectMatch 403 ^/app/config/.*\.yml(\.dist)?$`
Security: add rules to .htaccess to prevent direct PHP execution from the corresponding directories and updates security.html with a missing change in the previous commit. Using security.html is still the recommended way to go for security, but in the absence of that, we want to make sure Chamilo is always more secure. 7 years ago
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`# http://my.chamilo.net/certificates/?id=123 to http://my.chamilo.net/certificates/index.php?id=123`
Fix conflict with RewriteRule for user.php - refs BT#12242 9 years ago			`RewriteCond %{QUERY_STRING} ^id=(.*)$`
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]`

			`# Course redirection`
fix course access with no final '/' in URL -refs CT#7976 10 years ago			`RewriteRule ^courses/([^/]+)/?$ main/course_home/course_home.php?cDir=$1 [QSA,L]`
Fix course redirection cDir (directory vs code) 10 years ago			`RewriteRule ^courses/([^/]+)/index.php$ main/course_home/course_home.php?cDir=$1 [QSA,L]`
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago
			`# Rewrite everything in the scorm folder of a course to the download script`
Avoid checking image files in SCORM content to increase speed 7 years ago			`# except JS, CSS and some image files, which can be served directly`
			`RewriteRule ^courses/([^/]+)/scorm/(.*([\.js\|\.css\|\.png\|\.jpg\|\.jpeg\|\.gif]))$ app/courses/$1/scorm/$2 [QSA,L]`
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_url=/$2&cDir=$1 [QSA,L]`

			`# Rewrite everything in the document folder of a course to the download script`
Add temporary patch to make certificates media publicly accessible 9 years ago			`# Except certificate resources, which might need to be accessible publicly to all`
			`RewriteRule ^courses/([^/]+)/document/certificates/(.*)$ app/courses/$1/document/certificates/$2 [QSA,L]`
Global: Set Apache redirect rules in .htaccess to defaults that work with most Apache >2.4.38-3. 8 months ago			`# Note : since version 2.4.38-3 of Apache a security fix had a side effect that broke redirections with spaces.`
System: Security: indication on how to fix an apache since problem present since version 2.4.38-3 with rediction of URL with spaces not working any more - refs BT#20674 and BT#20614 2 years ago			`# To fix this issue we did not have a common syntaxis but it work with one of those 2 options :`
Documentation: Add precision bout the syntax for new RewriteRule with Apache > 2.4.38-3 9 months ago			`# changing at the end of the following line [QSA,L] for [QSA,L,B=\x20?] or for "[QSA,L,B= ?,BNP]" (with the quotes)`
Global: Set Apache redirect rules in .htaccess to defaults that work with most Apache >2.4.38-3. 8 months ago			`# We have opted to use the latter by default. If you are encountering "Not found" issues when entering course homepages,`
			`# you might want to try either of the other 2 forms.`
			`RewriteRule ^courses/([^/]+)/document/(.*)$ main/document/download.php?doc_url=/$2&cDir=$1 "[QSA,L,B= ?,BNP]"`
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago
Fix .htaccess rule + update installation guide #2707 7 years ago			`# Optimize load of custom per-course icons in courses (avoid download_uploaded_files.php)`
			`RewriteRule ^courses/([^/]+)/upload/course_home_icons/(.*([\.js\|\.css\|\.png\|\.jpg\|\.jpeg\|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 [QSA,L]`
Fix course image redirection see BT#12234 9 years ago			`# Course upload files`
Global: Set Apache redirect rules in .htaccess to defaults that work with most Apache >2.4.38-3. 8 months ago			`# See note on line 37`
			`RewriteRule ^courses/([^/]+)/upload/([^/]+)/(.*)$ main/document/download_uploaded_files.php?code=$1&type=$2&file=$3 "[QSA,L,B= ?,BNP]"`
Fix course image redirection see BT#12234 9 years ago
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`# Rewrite everything in the work folder`
Global: Set Apache redirect rules in .htaccess to defaults that work with most Apache >2.4.38-3. 8 months ago			`# See note on line 37`
			`RewriteRule ^courses/([^/]+)/work/(.*)$ main/work/download.php?file=work/$2&cDir=$1 "[QSA,L,B= ?,BNP]"`
Fix course upload files redirection. 11 years ago
Fix course image redirection see BT#12234 9 years ago			`RewriteRule ^courses/([^/]+)/course-pic85x85.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_source [QSA,L]`
			`RewriteRule ^courses/([^/]+)/course-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_large_source [QSA,L]`
Display: Fixes to course image header feature PR by @TheTomcat14 - refs #4599 2 years ago			`RewriteRule ^courses/([^/]+)/course-email-pic-cropped.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_email_image_source [QSA,L]`
Replace platform logo with course logo The update adds the possibility to upload a course logo with the same dimensions as the platform logo. The uploaded course logo can be applied to the header, email-template and pdf-export. 3 years ago			`RewriteRule ^courses/([^/]+)/course-email-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_email_image_large_source [QSA,L]`
Fix course icon redirection. 10 years ago
Fix course image redirection see BT#12234 9 years ago			`# Redirect all courses/ to app/courses/`
			`RewriteRule ^courses/([^/]+)/(.*)$ app/courses/$1/$2 [QSA,L]`
Add About Session page - refs BT#9889 #TMI 10 years ago
			`# About session`
Admin - CAS : add QSA flag in redirect to keep CAS ticket in URL after redirection -refs BT#17887 5 years ago			`RewriteRule ^session/(\d{1,})/about/?$ main/session/about.php?session_id=$1 [QSA,L]`
Add Friendly URL rule for issued badges - refs CT#7881 10 years ago
Adding page about the course refs - BT#7683 7 years ago			`# About course`
Admin - CAS : add QSA flag in redirect to keep CAS ticket in URL after redirection -refs BT#17887 5 years ago			`RewriteRule ^course/(\d{1,})/about/?$ main/course_info/about.php?course_id=$1 [QSA,L]`
Adding page about the course refs - BT#7683 7 years ago
Added new "All Issued" page for Same skills badges obtained by a user - Ref BT#10651 9 years ago			`# Issued individual badge friendly URL`
Admin - CAS : add QSA flag in redirect to keep CAS ticket in URL after redirection -refs BT#17887 5 years ago			`RewriteRule ^badge/(\d{1,})/?$ main/badge/issued.php?issue=$1 [QSA,L]`
Added new "All Issued" page for Same skills badges obtained by a user - Ref BT#10651 9 years ago
			`# Issued badges friendly URL`
Skills: Fix htaccess url for badge - refs BT#15374 7 years ago			`RewriteRule ^skill/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]`
Restore support for link to badges from version 1.10 - refs BT#10651 9 years ago			`# Support deprecated URL (avoid 404)`
Skills: Fix htaccess url for badge - refs BT#15374 7 years ago			`RewriteRule ^badge/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]`
Refactoring: move main/exercice/ to main/exercise/ and related folders (except code for migration from 1.9 and 1.10) 9 years ago
			`# Support old URLs using the exercice (with a c) folder rather than exercise`
Refactoring: move main/newscorm/ to main/lp/ and related folders (except code for migration from 1.9 and 1.10) 9 years ago			`RewriteRule ^main/exercice/(.*)$ main/exercise/$1 [QSA,L]`
			`# Support old URLs using the newscorm folder rather than lp`
			`RewriteRule ^main/newscorm/(.*)$ main/lp/$1 [QSA,L]`
Block access to tests and .git via browser 9 years ago
Added Service Catalog and Reports Handler - Refs BT#12077 9 years ago			`# service Information`
			`RewriteRule ^service/(\d{1,})$ plugin/buycourses/src/service_information.php?service_id=$1 [L]`

WIP LTI verify oauth signature in service - refs BT#13469 7 years ago			`# LTI outcome service`
LTI set unique url and sourcedid for services - refs BT#13469 7 years ago			`RewriteRule ^lti/os$ plugin/ims_lti/outcome_service.php [L]`
WIP LTI verify oauth signature in service - refs BT#13469 7 years ago
Add "block_my_files_access" config see BT#15586 Block anon users in the upload / my_files folder 6 years ago			`# Deny direct access to user my files`
Global: Set Apache redirect rules in .htaccess to defaults that work with most Apache >2.4.38-3. 8 months ago			`# See note on line 37`
			`RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 "[QSA,L,B= ?,BNP]"`
Add "block_my_files_access" config see BT#15586 Block anon users in the upload / my_files folder 6 years ago
Block access to tests and .git via browser 9 years ago			`# Deny access`
			`RewriteRule ^(tests\|.git) - [F,L,NC]`
Boost: Add simple caching rules for woff font files to avoid loading OpenSans at each request 8 years ago
			`# Add caching of woff font files to avoid loading 2*15KB each time with Chamilo`
			`# default OpenSans font`
			`AddType application/font-woff .woff .woff2`
			`<IfModule mod_expires.c>`
			`ExpiresActive On`
			`ExpiresByType application/font-woff "access plus 1 month"`
			`</IfModule>`
Force https Force SSL/https - Uncomment if you need it Resolving insecure site and mixed-content warnings 4 years ago
Web server: Add documentation about uncommenting optional SSL block in .htaccess 4 years ago			`# Force SSL/HTTPS`
			`# We recommend you place this block in your VirtualHost config rather`
			`# than uncommenting it below. However, if you have no other way,`
			`# feel free to uncomment it, but please remember that this file will`
			`# be overwritten during your next Chamilo update.`
			`# Also note this will only work if you have an SSL certificate`
			`# configured elsewhere in your Apache configuration.`

			`#RewriteCond %{HTTPS} !=on`
			`#RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]`
			`#<IfModule mod_headers.c>`
			`# Header always set Content-Security-Policy "upgrade-insecure-requests;"`
			`#</IfModule>`
System: Security: Add header rule to avoid MIME-sniffing 2 years ago
Security: Add redirect to .htaccess to avoid direct access to bigupload temporary upload directory 2 years ago			`# Disallow direct access to /main/inc/lib/javascript/bigupload/files`
			`RedirectMatch 403 ^/main/inc/lib/javascript/bigupload/files`

			`# Disallow MIME sniffing to prevent XSS from unknown/incorrect file extensions`
System: Security: Add header rule to avoid MIME-sniffing 2 years ago			`<IfModule mod_headers.c>`
			`Header always set X-Content-Type-Options nosniff`
			`</IfModule>`
Security: Prevent access to web.config on Apache servers (also documented in the installation guide for nginx) - refs BT#22085 11 months ago
			`<Files "web.config">`
Security: Prevent directory indexing globally (no reason to enable it for web requests) - refs BT#22085 11 months ago			`Require all denied`
			`</Files>`

			`<IfModule mod_autoindex.c>`
			`Options -Indexes`
			`</IfModule>`