chamilo-lms/.htaccess

# Check that your Apache virtualhost have this settings:

#<Directory "/var/www/chamilo-classic">
#  AllowOverride All
#  Order allow,deny
#  Allow from all
#</Directory>

RewriteEngine on

# Prevent execution of PHP from directories used for different types of uploads
RedirectMatch 403 ^/app/(?!courses/proxy)(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/web/css/.*\.ph(p[3457]?|t|tml|ar)$

# http://my.chamilo.net/certificates/?id=123 to http://my.chamilo.net/certificates/index.php?id=123
RewriteCond %{QUERY_STRING} ^id=(.*)$
RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]

# Course redirection
RewriteRule ^courses/([^/]+)/?$ main/course_home/course_home.php?cDir=$1 [QSA,L]
RewriteRule ^courses/([^/]+)/index.php$ main/course_home/course_home.php?cDir=$1 [QSA,L]

# Rewrite everything in the scorm folder of a course to the download script
# except JS, CSS and some image files, which can be served directly
RewriteRule ^courses/([^/]+)/scorm/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/scorm/$2 [QSA,L]
RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_url=/$2&cDir=$1 [QSA,L]

# Rewrite everything in the document folder of a course to the download script
# Except certificate resources, which might need to be accessible publicly to all
RewriteRule ^courses/([^/]+)/document/certificates/(.*)$ app/courses/$1/document/certificates/$2 [QSA,L]
RewriteRule ^courses/([^/]+)/document/(.*)$ main/document/download.php?doc_url=/$2&cDir=$1 [QSA,L]

# Optimize load of custom per-course icons in courses (avoid download_uploaded_files.php)
RewriteRule ^courses/([^/]+)/upload/course_home_icons/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 [QSA,L]
# Course upload files
RewriteRule ^courses/([^/]+)/upload/([^/]+)/(.*)$ main/document/download_uploaded_files.php?code=$1&type=$2&file=$3 [QSA,L]

# Rewrite everything in the work folder
RewriteRule ^courses/([^/]+)/work/(.*)$ main/work/download.php?file=work/$2&cDir=$1 [QSA,L]

RewriteRule ^courses/([^/]+)/course-pic85x85.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_source [QSA,L]
RewriteRule ^courses/([^/]+)/course-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_large_source [QSA,L]

# Redirect all courses/ to app/courses/
RewriteRule ^courses/([^/]+)/(.*)$ app/courses/$1/$2 [QSA,L]

# About session
RewriteRule ^session/(\d{1,})/about/?$ main/session/about.php?session_id=$1 [L]

# About course
RewriteRule ^course/(\d{1,})/about/?$ main/course_info/about.php?course_id=$1 [L]

# Issued individual badge friendly URL
RewriteRule ^badge/(\d{1,})/?$ main/badge/issued.php?issue=$1 [L]

# Issued badges friendly URL
RewriteRule ^skill/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]
# Support deprecated URL (avoid 404)
RewriteRule ^badge/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]

# Support old URLs using the exercice (with a c) folder rather than exercise
RewriteRule ^main/exercice/(.*)$ main/exercise/$1 [QSA,L]
# Support old URLs using the newscorm folder rather than lp
RewriteRule ^main/newscorm/(.*)$ main/lp/$1 [QSA,L]

# service Information
RewriteRule ^service/(\d{1,})$ plugin/buycourses/src/service_information.php?service_id=$1 [L]

# LTI outcome service
RewriteRule ^lti/os$ plugin/ims_lti/outcome_service.php [L]

# This rule is very generic and should always remain at the bottom of .htaccess
# http://my.chamilo.net/jdoe to http://my.chamilo.net/user.php?jdoe
RewriteRule ^([^/.]+)/?$ user.php?$1 [L]

# Deny direct access to user my files
RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]

# Deny access
RewriteRule ^(tests|.git) - [F,L,NC]

# Add caching of woff font files to avoid loading 2*15KB each time with Chamilo
# default OpenSans font
AddType application/font-woff .woff .woff2
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType application/font-woff "access plus 1 month"
</IfModule>

# Add MOD Security exceptions against XSS Attack confusion in main/lp/*.php
# See https://github.com/chamilo/chamilo-lms/issues/3163
<IfModule mod_security.c>
	<If "%{REQUEST_URI} =~ m#main/lp#">
		SecRuleRemoveById 212000-212999
	</If>
</IfModule>

<IfModule mod_security2.c>
	<If "%{REQUEST_URI} =~ m#main/lp#">
		SecRuleRemoveById 212000-212999
	</If>
</IfModule>
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`# Check that your Apache virtualhost have this settings:`

			`#<Directory "/var/www/chamilo-classic">`
			`# AllowOverride All`
			`# Order allow,deny`
			`# Allow from all`
			`#</Directory>`

			`RewriteEngine on`

Security: add rules to .htaccess to prevent direct PHP execution from the corresponding directories and updates security.html with a missing change in the previous commit. Using security.html is still the recommended way to go for security, but in the absence of that, we want to make sure Chamilo is always more secure. 7 years ago			`# Prevent execution of PHP from directories used for different types of uploads`
Add app/courses/proxy.php add rule in .htaccess to allow that file BT#15402 7 years ago			`RedirectMatch 403 ^/app/(?!courses/proxy)(cache\|courses\|home\|logs\|upload\|Resources/public/css)/.*\.ph(p[3457]?\|t\|tml\|ar)$`
Security: Update PHP files extension matching pattern in .htaccess and documentation to match all possible forms supported by PHP 5 and PHP 7. 7 years ago			`RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?\|t\|tml\|ar)$`
			`RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?\|t\|tml\|ar)$`
			`RedirectMatch 403 ^/web/css/.*\.ph(p[3457]?\|t\|tml\|ar)$`
Security: add rules to .htaccess to prevent direct PHP execution from the corresponding directories and updates security.html with a missing change in the previous commit. Using security.html is still the recommended way to go for security, but in the absence of that, we want to make sure Chamilo is always more secure. 7 years ago
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`# http://my.chamilo.net/certificates/?id=123 to http://my.chamilo.net/certificates/index.php?id=123`
Fix conflict with RewriteRule for user.php - refs BT#12242 9 years ago			`RewriteCond %{QUERY_STRING} ^id=(.*)$`
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]`

			`# Course redirection`
fix course access with no final '/' in URL -refs CT#7976 10 years ago			`RewriteRule ^courses/([^/]+)/?$ main/course_home/course_home.php?cDir=$1 [QSA,L]`
Fix course redirection cDir (directory vs code) 11 years ago			`RewriteRule ^courses/([^/]+)/index.php$ main/course_home/course_home.php?cDir=$1 [QSA,L]`
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago
			`# Rewrite everything in the scorm folder of a course to the download script`
Avoid checking image files in SCORM content to increase speed 7 years ago			`# except JS, CSS and some image files, which can be served directly`
			`RewriteRule ^courses/([^/]+)/scorm/(.*([\.js\|\.css\|\.png\|\.jpg\|\.jpeg\|\.gif]))$ app/courses/$1/scorm/$2 [QSA,L]`
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_url=/$2&cDir=$1 [QSA,L]`

			`# Rewrite everything in the document folder of a course to the download script`
Add temporary patch to make certificates media publicly accessible 9 years ago			`# Except certificate resources, which might need to be accessible publicly to all`
			`RewriteRule ^courses/([^/]+)/document/certificates/(.*)$ app/courses/$1/document/certificates/$2 [QSA,L]`
Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`RewriteRule ^courses/([^/]+)/document/(.*)$ main/document/download.php?doc_url=/$2&cDir=$1 [QSA,L]`

Fix .htaccess rule + update installation guide #2707 7 years ago			`# Optimize load of custom per-course icons in courses (avoid download_uploaded_files.php)`
			`RewriteRule ^courses/([^/]+)/upload/course_home_icons/(.*([\.js\|\.css\|\.png\|\.jpg\|\.jpeg\|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 [QSA,L]`
Fix course image redirection see BT#12234 9 years ago			`# Course upload files`
			`RewriteRule ^courses/([^/]+)/upload/([^/]+)/(.*)$ main/document/download_uploaded_files.php?code=$1&type=$2&file=$3 [QSA,L]`

Put .htaccess in the root. Don't add index.php inside courses. 11 years ago			`# Rewrite everything in the work folder`
			`RewriteRule ^courses/([^/]+)/work/(.*)$ main/work/download.php?file=work/$2&cDir=$1 [QSA,L]`
Fix course upload files redirection. 11 years ago
Fix course image redirection see BT#12234 9 years ago			`RewriteRule ^courses/([^/]+)/course-pic85x85.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_source [QSA,L]`
			`RewriteRule ^courses/([^/]+)/course-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_large_source [QSA,L]`
Fix course icon redirection. 11 years ago
Fix course image redirection see BT#12234 9 years ago			`# Redirect all courses/ to app/courses/`
			`RewriteRule ^courses/([^/]+)/(.*)$ app/courses/$1/$2 [QSA,L]`
Add About Session page - refs BT#9889 #TMI 11 years ago
			`# About session`
Fix rewrite rule on htaccess for About Session page - refs BT#9889 #TMI 11 years ago			`RewriteRule ^session/(\d{1,})/about/?$ main/session/about.php?session_id=$1 [L]`
Add Friendly URL rule for issued badges - refs CT#7881 10 years ago
Adding page about the course refs - BT#7683 8 years ago			`# About course`
			`RewriteRule ^course/(\d{1,})/about/?$ main/course_info/about.php?course_id=$1 [L]`

Added new "All Issued" page for Same skills badges obtained by a user - Ref BT#10651 10 years ago			`# Issued individual badge friendly URL`
Skills: Fix htaccess url for badge - refs BT#15374 7 years ago			`RewriteRule ^badge/(\d{1,})/?$ main/badge/issued.php?issue=$1 [L]`
Added new "All Issued" page for Same skills badges obtained by a user - Ref BT#10651 10 years ago
			`# Issued badges friendly URL`
Skills: Fix htaccess url for badge - refs BT#15374 7 years ago			`RewriteRule ^skill/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]`
Restore support for link to badges from version 1.10 - refs BT#10651 10 years ago			`# Support deprecated URL (avoid 404)`
Skills: Fix htaccess url for badge - refs BT#15374 7 years ago			`RewriteRule ^badge/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]`
Refactoring: move main/exercice/ to main/exercise/ and related folders (except code for migration from 1.9 and 1.10) 10 years ago
			`# Support old URLs using the exercice (with a c) folder rather than exercise`
Refactoring: move main/newscorm/ to main/lp/ and related folders (except code for migration from 1.9 and 1.10) 10 years ago			`RewriteRule ^main/exercice/(.*)$ main/exercise/$1 [QSA,L]`
			`# Support old URLs using the newscorm folder rather than lp`
			`RewriteRule ^main/newscorm/(.*)$ main/lp/$1 [QSA,L]`
Block access to tests and .git via browser 9 years ago
Added Service Catalog and Reports Handler - Refs BT#12077 9 years ago			`# service Information`
			`RewriteRule ^service/(\d{1,})$ plugin/buycourses/src/service_information.php?service_id=$1 [L]`

WIP LTI verify oauth signature in service - refs BT#13469 7 years ago			`# LTI outcome service`
LTI set unique url and sourcedid for services - refs BT#13469 7 years ago			`RewriteRule ^lti/os$ plugin/ims_lti/outcome_service.php [L]`
WIP LTI verify oauth signature in service - refs BT#13469 7 years ago
Fix conflict with RewriteRule for user.php - refs BT#12242 9 years ago			`# This rule is very generic and should always remain at the bottom of .htaccess`
			`# http://my.chamilo.net/jdoe to http://my.chamilo.net/user.php?jdoe`
			`RewriteRule ^([^/.]+)/?$ user.php?$1 [L]`

Add "block_my_files_access" config see BT#15586 Block anon users in the upload / my_files folder 7 years ago			`# Deny direct access to user my files`
			`RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]`

Block access to tests and .git via browser 9 years ago			`# Deny access`
			`RewriteRule ^(tests\|.git) - [F,L,NC]`
Boost: Add simple caching rules for woff font files to avoid loading OpenSans at each request 8 years ago
			`# Add caching of woff font files to avoid loading 2*15KB each time with Chamilo`
			`# default OpenSans font`
			`AddType application/font-woff .woff .woff2`
			`<IfModule mod_expires.c>`
			`ExpiresActive On`
			`ExpiresByType application/font-woff "access plus 1 month"`
			`</IfModule>`
Security: Add ModSecurity exceptions in .htaccess against false positive XSS detection - refs #3163 5 years ago
			`# Add MOD Security exceptions against XSS Attack confusion in main/lp/*.php`
			`# See https://github.com/chamilo/chamilo-lms/issues/3163`
			`<IfModule mod_security.c>`
			`<If "%{REQUEST_URI} =~ m#main/lp#">`
			`SecRuleRemoveById 212000-212999`
			`</If>`
			`</IfModule>`

			`<IfModule mod_security2.c>`
			`<If "%{REQUEST_URI} =~ m#main/lp#">`
			`SecRuleRemoveById 212000-212999`
			`</If>`
			`</IfModule>`