In the interest of saving time I'm going to post a finalized version of apache.conf for Drupal6. Most of the suggested changes come from the series of articles;
# Moved to httpd.conf so drupal6 can be disabled without affecting other virtual hosts.
# NameVirtualHost *:80
# NameVirtualHost *:443
<VirtualHost *:80>
UseCanonicalName Off
ServerName drupal6
ServerAdmin webmaster@localhost
DocumentRoot /usr/share/drupal6/
# Rewrite rules defined in the main server context are not applied to a
# virtual host unless the virtual host inherits them explicitly.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteOptions Inherit
</IfModule>
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
ServerName drupal6
ServerAdmin webmaster@localhost
DocumentRoot /usr/share/drupal6/
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteOptions Inherit
</IfModule>
</VirtualHost>
<DirectoryMatch "/usr/share/drupal6/(?!(.+/)+)">
# Block any file that starts with "."
<FilesMatch "^\..*$">
Order allow,deny
</FilesMatch>
# Block all files with "." in their names
<FilesMatch "^.*\..*$">
Order allow,deny
</FilesMatch>
# Allow "." files with safe content types
<FilesMatch "^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$">
Order deny,allow
</FilesMatch>
<FilesMatch "^.*\.(f4a|f4b|f4p|f4v|flac|flv|mov|mp3|qt|swf)$">
Order deny,allow
</FilesMatch>
<FilesMatch "^.*\.(docx?|pptx?|xlsx?|odt|ods|odp|pdf)$">
Order deny,allow
</FilesMatch>
# Allow from anywhere
<FilesMatch "^(index|xmlrpc)\.php$">
Order deny,allow
</FilesMatch>
# Allow access to cron from server and local network only
# (Apache does not accept a comment on the same line as a directive,
# so the host notes are kept on their own lines)
<FilesMatch "^cron\.php$">
Order allow,deny
# Localhost
Allow from 127.0.0.1
# Local network (use your local IP range)
Allow from 192.168.
</FilesMatch>
# Allow access to install and update from server and local network only
<FilesMatch "^(install|update)\.php$">
Order allow,deny
# Localhost
Allow from 127.0.0.1
# Local network (use your local IP range)
Allow from 192.168.
</FilesMatch>
</DirectoryMatch>
<Directory /usr/share/drupal6/>
Options +FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Include rewrite rules here instead of .htaccess so it will be easier
# to disable .htaccess during performance tuning.
<IfModule mod_rewrite.c>
RewriteEngine on
# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
#
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# adapt and uncomment the following:
# RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
# RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
#
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/... will be redirected to http://example.com/...)
# uncomment and adapt the following:
# RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
# RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
# Return 404's for any access to CSS, JS, and images
# unless they come from your site's pages or a trusted host.
# (%{HTTP_HOST} is not expanded inside a CondPattern, so the host is
# compared through a back-reference instead.)
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/ [NC]
RewriteRule \.(css|js|ico|gif|jpe?g|png)$ - [R=404]
# Return 404's for all Drupal .php, .inc, .module, and .info files
# if served to hosts other than the local network hosts, but allow
# /index.php and /xmlrpc.php.
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
# Local network (use your local IP range, as in the FilesMatch sections above)
RewriteCond %{REMOTE_ADDR} !^192\.168\.
RewriteCond %{REQUEST_URI} \.(php|inc|module|info)$
RewriteCond %{REQUEST_URI} !^/(index|xmlrpc)\.php$
RewriteRule .* - [R=404]
# Rewrite index.php to /
# (in server context the matched URL-path keeps its leading slash)
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*index\.php\ HTTP/
RewriteRule ^/(.*)index\.php$ /$1 [L,R=301]
# Force trailing / for directories
# (in server context REQUEST_FILENAME is not yet a filesystem path,
# so the directory test is made against DOCUMENT_ROOT + REQUEST_URI)
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d
RewriteRule ^(.+[^/])$ $1/ [L,R=301]
</IfModule>
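To see what the FilesMatch sections inside the DirectoryMatch block actually decide, here is a small model I added (my own code, not part of the original comment or of the Nadeau articles). It replays Apache 2.2 mod_authz_host semantics for top-level files of the Drupal 6 document root: the last matching section fully replaces the earlier ones (mod_authz_host has no merge step), `Order allow,deny` denies by default, `Order deny,allow` allows by default, and `Allow from` is modelled only for the forms used above (`all`, a full IPv4 address, a partial address such as `192.168.`). The sample filenames and client addresses are constructed; the real check is `apachectl configtest` followed by requests from inside and outside the local network.

```python
import re

# Constructed model of the <DirectoryMatch> block above (top-level files only).
# Each entry: (FilesMatch regex, Order, Allow-from list, Deny-from list).
# Regexes follow the config, with the "." before "php" escaped (the unescaped
# form also matches names such as "indexXphp").
SECTIONS = [
    (r"^\..*$",                                             "allow,deny", [], []),
    (r"^.*\..*$",                                           "allow,deny", [], []),
    (r"^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$", "deny,allow", [], []),
    (r"^.*\.(f4a|f4b|f4p|f4v|flac|flv|mov|mp3|qt|swf)$",    "deny,allow", [], []),
    (r"^.*\.(docx?|pptx?|xlsx?|odt|ods|odp|pdf)$",          "deny,allow", [], []),
    (r"^(index|xmlrpc)\.php$",                              "deny,allow", [], []),
    (r"^cron\.php$",             "allow,deny", ["127.0.0.1", "192.168."], []),
    (r"^(install|update)\.php$", "allow,deny", ["127.0.0.1", "192.168."], []),
]

# The enclosing <Directory /usr/share/drupal6/>: Order allow,deny + Allow from all.
DIRECTORY_DEFAULT = ("allow,deny", ["all"], [])


def host_matches(spec, client_ip):
    """'Allow/Deny from' argument forms used in this config: 'all', a full
    dotted IPv4 address, or a partial address ending in '.' (octet prefix)."""
    if spec == "all":
        return True
    if spec.endswith("."):
        return client_ip.startswith(spec)
    return client_ip == spec


def evaluate(order, allows, denies, client_ip):
    """Apache 2.2 Order semantics for one resolved section."""
    allowed = any(host_matches(s, client_ip) for s in allows)
    denied = any(host_matches(s, client_ip) for s in denies)
    if order == "allow,deny":
        # Default deny: the client must match Allow and must not match Deny.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: blocked only when matched by Deny and not by Allow.
        return not (denied and not allowed)
    raise ValueError("unknown Order: %s" % order)


def effective_config(filename):
    """Walk the sections in config order; a matching section replaces the
    previous Order/Allow/Deny completely (no merging in mod_authz_host 2.2)."""
    cfg = DIRECTORY_DEFAULT
    for pattern, order, allows, denies in SECTIONS:
        if re.search(pattern, filename):
            cfg = (order, allows, denies)
    return cfg


def access_allowed(filename, client_ip):
    order, allows, denies = effective_config(filename)
    return evaluate(order, allows, denies, client_ip)


if __name__ == "__main__":
    # Constructed sample requests: (top-level filename, client address)
    samples = [
        (".htaccess", "203.0.113.9"), ("index.php", "203.0.113.9"),
        ("cron.php", "203.0.113.9"), ("cron.php", "192.168.1.20"),
        ("cron.php", "192.169.1.20"), ("update.php", "127.0.0.1"),
        ("robots.txt", "203.0.113.9"), ("README", "203.0.113.9"),
        ("cron.php.bak", "127.0.0.1"),
    ]
    for name, ip in samples:
        verdict = "allow" if access_allowed(name, ip) else "deny"
        print("%-14s from %-14s -> %s" % (name, ip, verdict))
```

Two things the table makes visible: a file with no extension (README) falls through every section and is served by the Directory default, and a file such as cron.php.bak is denied by the generic "any dot" section because no later section re-allows it. Files in subdirectories are outside this model, since the DirectoryMatch regex only matches the document root itself.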
Rushing to get items posted for consideration
Drupal and Apache Security Checklist Part 1, Part 2, Part 3
by Nadeau Software Consulting
The last two items were suggested by Drupal SEO: How Duplicate Content Hurts Drupal Sites and Duplicate Title Tags "/" and "/index.php"
Speaking of SEO, you might want to consider adding Path Redirect and Global Redirect modules. I found that both were necessary to deal with SEO issues related to PathAuto.
Alon, Thanks for taking the time to consider all these changes. I know there are a lot of them.
Information is free, knowledge is acquired, but wisdom is earned.