First commit

developer/webserver-configs/Caddyfile

@@ -0,0 +1,31 @@
+:8080
+gzip
+fastcgi / 127.0.0.1:9000 php
+
+# Begin - Security
+# deny all direct access for these folders
+rewrite {
+    r       /(.git|cache|bin|logs|backups|tests)/.*$
+    status  403
+}
+# deny running scripts inside core system folders
+rewrite {
+    r       /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$
+    status  403
+}
+# deny running scripts inside user folder
+rewrite {
+    r       /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$
+    status  403
+}
+# deny access to specific files in the root folder
+rewrite {
+    r       /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess)
+    status  403
+}
+## End - Security
+
+# global rewrite should come last.
+rewrite {
+    to  {path} {path}/ /index.php?_url={uri}
+}

developer/webserver-configs/htaccess.txt

@@ -0,0 +1,65 @@
+<IfModule mod_rewrite.c>
+
+RewriteEngine On
+
+## Begin RewriteBase
+# If you are getting 404 errors on subpages, you may have to uncomment the RewriteBase entry
+# You should change the '/' to your appropriate subfolder. For example if you have
+# your Grav install at the root of your site '/' should work, else it might be something
+# along the lines of: RewriteBase /<your_sub_folder>
+##
+
+# RewriteBase /
+
+## End - RewriteBase
+
+## Begin - Exploits
+# If you experience problems on your site block out the operations listed below
+# This attempts to block the most common type of exploit `attempts` to Grav
+#
+# Block out any script trying to base64_encode data within the URL.
+RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
+# Block out any script that includes a <script> tag in URL.
+RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
+# Block out any script trying to set a PHP GLOBALS variable via URL.
+RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
+# Block out any script trying to modify a _REQUEST variable via URL.
+RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
+# Return 403 Forbidden header and show the content of the root homepage
+RewriteRule .* index.php [F]
+#
+## End - Exploits
+
+## Begin - Index
+# If the requested path and file is not /index.php and the request
+# has not already been internally rewritten to the index.php script
+RewriteCond %{REQUEST_URI} !^/index\.php
+# and the requested path and file doesn't directly match a physical file
+RewriteCond %{REQUEST_FILENAME} !-f
+# and the requested path and file doesn't directly match a physical folder
+RewriteCond %{REQUEST_FILENAME} !-d
+# internally rewrite the request to the index.php script
+RewriteRule .* index.php [L]
+## End - Index
+
+## Begin - Security
+# Block all direct access for these folders
+RewriteRule ^(.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
+# Block access to specific file types for these system folders
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+# Block access to specific file types for these user folders
+RewriteRule ^(user)/(.*)\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+# Block all direct access to .md files:
+RewriteRule \.md$ error [F]
+# Block all direct access to files and folders beginning with a dot
+RewriteRule (^\.|/\.) - [F]
+# Block access to specific files in the root folder
+RewriteRule ^(LICENSE.txt|composer.lock|composer.json|\.htaccess)$ error [F]
+## End - Security
+
+</IfModule>
+
+# Begin - Prevent Browsing and Set Default Resources
+Options -Indexes
+DirectoryIndex index.php index.html index.htm
+# End - Prevent Browsing and Set Default Resources

developer/webserver-configs/lighttpd.conf

@@ -0,0 +1,48 @@
+############# DO NOT FORGET TO CHANGE "grav_path" BY YOUR ACTUAL GRAV INSTALLATION FOLDER #############
+############# IF GRAV IS AT THE ROOT OF YOUR WEBSITE, ie http://yoursite.tld POINTS TO    #############
+############# GRAV DIRECTLY, THEN JUST REMOVE ANY "/grav_path/" MENTION BELOW. OTHERWISE  #############
+############# WE ASSUME YOU RUN AN INSTALLATION SUCH AS http://yoursite.tld/grav_path/    #############
+#######################################################################################################
+### GRAV RULES FOR LIGHTTPD ###
+###        By Mr3ase        ###
+###  Last Rev. 2015/11/20   ###
+
+#PREVENTING EXPLOITS
+$HTTP["querystring"] =~ "base64_encode[^(]*\([^)]*\)" {
+    url.redirect = (".*" => "/grav_path/index.php"       )
+}
+$HTTP["querystring"] =~ "(<|%3C)([^s]*s)+cript.*(>|%3E)" {
+    url.redirect = (".*" => "/grav_path/index.php" )
+}
+$HTTP["querystring"] =~ "GLOBALS(=|\[|\%[0-9A-Z])" {
+    url.redirect = (".*" => "/grav_path/index.php" )
+}
+$HTTP["querystring"] =~ "_REQUEST(=|\[|\%[0-9A-Z])" {
+    url.redirect = (".*" => "/grav_path/index.php" )
+}
+
+#REROUTING TO THE INDEX PAGE
+url.rewrite-if-not-file = (
+    "^/grav_path/(.*)$" => "/grav_path/index.php"
+)
+
+#IMPROVING SECURITY
+$HTTP["url"] =~ "^/grav_path/(LICENSE.txt|composer.json|composer.lock|nginx.conf|web.config)$" {
+    url.access-deny = ("")
+}
+$HTTP["url"] =~ "^/grav_path/(.git|cache|bin|logs|backup|tests)/(.*)" {
+    url.access-deny = ("")
+}
+$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" {
+    url.access-deny = ("")
+}
+$HTTP["url"] =~ "^/grav_path/(\.(.*))" {
+    url.access-deny = ("")
+}
+url.access-deny = (".md","~",".inc")
+
+#PREVENT BROWSING AND SET INDEXES
+$HTTP["url"] =~ "^/grav_path($|/)" {
+    dir-listing.activate = "disable"
+    index-file.names = ( "index.php", "index.html" , "index.htm" )
+}

developer/webserver-configs/nginx.conf

@@ -0,0 +1,43 @@
+server {
+    #listen 80;
+    index index.html index.php;
+
+    ## Begin - Server Info
+    root /home/USER/www/html;
+    server_name localhost;
+    ## End - Server Info
+
+    ## Begin - Index
+    # for subfolders, simply adjust:
+    # `location /subfolder {`
+    # and the rewrite to use `/subfolder/index.php`
+    location / {
+        try_files $uri $uri/ /index.php?_url=$uri;
+    }
+    ## End - Index
+
+    ## Begin - PHP
+    location ~ \.php$ {
+        # Choose either a socket or TCP/IP address
+        fastcgi_pass unix:/var/run/php5-fpm.sock;
+        # fastcgi_pass 127.0.0.1:9000;
+
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+    }
+    ## End - PHP
+
+    ## Begin - Security
+    # deny all direct access for these folders
+    location ~* /(.git|cache|bin|logs|backups|tests)/.*$ { return 403; }
+    # deny running scripts inside core system folders
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny running scripts inside user folder
+    location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    # deny access to specific files in the root folder
+    location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
+    ## End - Security
+}
+

developer/webserver-configs/web.config

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+    <system.webServer>
+        <defaultDocument>
+            <files>
+                <remove value="index.php" />
+                <add value="index.php" />
+            </files>
+        </defaultDocument>
+        <rewrite>
+            <rules>
+                <rule name="request_filename" stopProcessing="true">
+                    <match url="." ignoreCase="false" />
+                    <conditions logicalGrouping="MatchAll">
+                        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
+                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
+                    </conditions>
+                    <action type="Rewrite" url="index.php" />
+                </rule>
+                <rule name="user_error_redirect" stopProcessing="true">
+                    <match url="^(user)/(.*)\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
+                    <action type="Redirect" url="error" redirectType="Permanent" />
+                </rule>
+                <rule name="ignore_folders" stopProcessing="true">
+                    <match url="^(.git|cache|bin|logs|backup|webserver-configs|tests)/(.*)" ignoreCase="false" />
+                    <action type="Redirect" url="error" redirectType="Permanent" />
+                </rule>
+                <rule name="system" stopProcessing="true">
+                    <match url="^system/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" ignoreCase="false" />
+                    <action type="Redirect" url="error" redirectType="Permanent" />
+                </rule>
+                <rule name="vendor" stopProcessing="true">
+                    <match url="^vendor/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" ignoreCase="false" />
+                    <action type="Redirect" url="error" redirectType="Permanent" />
+                </rule>
+            </rules>
+        </rewrite>
+    </system.webServer>
+    <system.web>
+        <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,\,?" />
+    </system.web>
+</configuration>