.htaccess
#
# Hey! Everything in here is better suited to httpd.conf, since
# we get a performance boost if we can turn off AllowOverride and
# not have to stat the webroot for every request. On the other
# hand, this means we never have to touch apache once it's up.
# Flexibility over performance.
#
# In an ideal world, you'd stick it in here on dev and your build
# system would bundle the changes into (a file included in) httpd.conf
# for your production deployment, perhaps wrapped in a <VirtualHost>
# block.
#
# ETags are a bad idea if you have multiple web servers. We'll do
# more explicit caching with Expires headers anyway.
# With "none", Apache sends no ETag header for static files. On Apache
# versions whose default ETag includes the inode number, this also keeps
# that filesystem detail out of responses.
FileETag none
# The base set of sensible PHP options. You could put these in your
# php.ini file too, but having them in your Apache config puts
# everything in one place. Magic quotes off because they are stupid.
# Register globals off for the same reason. Track errors is so that
# we can at least get at the error messages we hide using @func().
# last_modified is a bad idea if we have any dynamic content. Short
# tags make for a few saved bytes of cruft and are fine unless you're
# running another XML preprocessor over your code (wtf?).
# NOTE(review): php_value / php_flag are only understood when PHP runs as
# an Apache module; presumably that is the deployment model here -- confirm.
# magic_quotes_* and register_globals exist only in older PHP releases.
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value magic_quotes_runtime 0
php_value track_errors 1
php_value last_modified off
php_value short_open_tag on
# This value is very useful for development, but should be disabled
# on production deployments (by setting the value to 'off')
# NOTE(review): as committed, display_errors is ON. Error output sent to
# the browser can include file paths, query fragments and other internals,
# so a production deployment has to override this and record errors in the
# server log instead (log_errors). Confirm the deploy step actually does so.
php_flag display_errors on
# this sets all current and future error flags on, except for E_NOTICE
# which can go fuck itself. we have some separate code for checking the
# one notice we do care about.
# 2147483639 is 0x7FFFFFFF with the E_NOTICE bit (8) cleared.
php_value error_reporting 2147483639
# Some basic pointers to php files
# Directory requests are answered by index.php, and 404 / 403 responses
# are rendered by the application's own scripts in the webroot.
DirectoryIndex index.php
ErrorDocument 404 /404.php
ErrorDocument 403 /403.php
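# Get mod_rewrite fired up
RewriteEngine on
# Refuse (403) any request addressed to the load balancer's own
# *.elb.amazonaws.com name rather than the site's real hostname.
# Host names are case-insensitive and the Host header may carry a trailing
# dot or a :port suffix, so the match uses [NC] and allows for both;
# otherwise such requests would slip past this rule.
RewriteCond %{HTTP_HOST} elb\.amazonaws\.com\.?(:[0-9]+)?$ [NC]
RewriteRule .* - [F]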
# Login stuff
# The signup/signin rules are disabled here; /signin is mapped further
# down in this file to the Mapzen OAuth script instead.
# RewriteRule ^signup/?$ signup.php [L]
# RewriteRule ^signin/?$ signin.php [L]
RewriteRule ^signout/?$ signout.php [L]
RewriteRule ^checkcookie/?$ checkcookie.php [L]
# Password retrieval stuff
# NOTE(review): the reset token travels in the URL path, so it will show up
# in access logs and browser history. Presumably reset.php treats it as
# single-use and short-lived -- confirm.
RewriteRule ^forgot/?$ forgot.php [L]
RewriteRule ^reset/([a-zA-Z0-9]+)/?$ reset.php?reset=$1 [L,QSA]
# Account stuff
RewriteRule ^account/?$ account.php [L]
RewriteRule ^account/password/?$ account_password.php [L]
RewriteRule ^account/delete/?$ account_delete.php [L]
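# General pages
# Pretty URLs for the public pages. Each rule below that pins a parameter
# from the path ($1, $2) appends the client's own query string after it.
# PHP keeps the last occurrence of a repeated parameter name, so a query
# string that repeats id=, tag=, wofid= or placetype= replaces the value
# captured here. The [0-9]+ / [a-z]+ patterns are therefore routing only,
# not input validation: the target scripts must validate what they receive.
RewriteRule ^about/?$ about.php [L,QSA]
RewriteRule ^contact/?$ contact.php [L,QSA]
# mostly so we can get cfg.abs_root_url
# (comment kept on its own line: Apache's configuration syntax does not
# allow a comment on the same line as a directive)
RewriteRule ^id/?$ id.php [L]
RewriteRule ^id/([0-9]+)/?$ id.php?id=$1&%{QUERY_STRING} [L]
RewriteRule ^id/([0-9]+)/nearby/?$ id.php?id=$1&nearby=1&%{QUERY_STRING} [L]
# The dot in the optional ".json" suffix is escaped so that it matches a
# literal dot only.
RewriteRule ^id/([0-9]+)/info(\.json)?$ info.php?id=$1&%{QUERY_STRING} [L]
RewriteRule ^nearby/?$ nearby.php?%{QUERY_STRING} [L]
RewriteRule ^nearby/([0-9]+)/?$ nearby.php?id=$1&%{QUERY_STRING} [L]
RewriteRule ^placetypes/([a-z]+)/?$ placetype.php?placetype=$1&%{QUERY_STRING} [L]
# The more specific tags/.../in-N rule has to stay ahead of the plain
# tags/... rule.
RewriteRule ^tags/([a-z]+)/in-([0-9]+)/?$ tag.php?tag=$1&wofid=$2&%{QUERY_STRING} [L]
RewriteRule ^tags/([a-z]+)/?$ tag.php?tag=$1&%{QUERY_STRING} [L]
RewriteRule ^search/?$ search.php?%{QUERY_STRING} [L]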
# See all this stuff that's been commented out? It's a lot of hoop-jumping
# to separate API calls (api.example.com/rest) from all the other user-level
# administrative pages (example.com/api/methods) and to make sure things that
# need to be done over SSL are (like OAuth2). By default it's all commented out
# because what do I know about how your webserver is configured. So spend a
# couple minutes looking at all this stuff and thinking about it and adjusting
# accordingly. Also: remember all the security around OAuth2 is predicated
# around the use of SSL. (20121103/straup)
# The API (as in both api.example.com and example.com/api)
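# Ensure that all traffic to the API proper is over HTTPS
# Note that this is an api.example.com host, not example.com
# (20121025/straup)
# NOTE(review): in the disabled rules below, the dot in ^api.(.*)$ is
# unescaped (it matches any character) and the redirect targets are built
# from the request's Host header. Before enabling them, escape the dot and
# make sure the vhost only answers for the hostnames you expect.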
# RewriteCond %{HTTP_HOST} ^api.(.*)$
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{HTTP_HOST}/$1?%{QUERY_STRING} [R,L]
# The most basic rewrite, as this is the actual API
# RewriteCond %{HTTP_HOST} ^api.(.*)$
# RewriteRule ^rest/?$ api_rest.php?%{QUERY_STRING} [L]
# This one says: If we're the API and we're not hanging off /rest
# redirect to the site itself – note the %1% for capturing the domain
# sans 'api.' (20121025/straup)
# RewriteCond %{REQUEST_URI} !rest(.*)
# RewriteCond %{HTTP_HOST} ^api.(.*)$ [NC]
# RewriteRule .? http://%1%{REQUEST_URI} [R,L]
# RewriteCond %{HTTP_HOST} !^api.(.*)$
# RewriteRule ^api/rest/(.*)/?$ https://api.%{HTTP_HOST}/rest/?method=$1&%{QUERY_STRING} [R,L]
# RewriteCond %{HTTP_HOST} !^api.(.*)$
# RewriteRule ^rest/(.*)/?$ https://api.%{HTTP_HOST}/rest/?method=$1&%{QUERY_STRING} [R,L]
# The rest of the user/admin interfaces for doing API stuff
# This all (especially the oauth2 auth/token stuff) relies on the
# HTTPS rules for logged in users (20121024/straup)
# NOTE(review): the only HTTPS-enforcing rewrite in this file is commented
# out, so as written these rules (including the oauth2 authenticate and
# access_token endpoints) are served on whatever scheme the request arrived
# on. Confirm TLS is enforced elsewhere (vhost, load balancer) before
# relying on the OAuth2 flow.
# Every route accepts an optional "api/" prefix. Rule order matters: the
# more specific methods/... patterns must stay ahead of the catch-all
# methods/(.*) rule.
RewriteRule ^(api)?/?$ api_index.php [L]
RewriteRule ^(api/)?methods/?$ api_methods.php [L]
RewriteRule ^(api/)?methods/print/?$ api_methods.php?print=2 [L]
RewriteRule ^(api/)?methods/explore/?$ api_methods.php [L]
# The method and format captures below are (.*), i.e. unconstrained; the
# target scripts receive whatever the path contained and must validate it.
RewriteRule ^(api/)?methods/(.*)/explore/?$ api_method_explore.php?method=$2&%{QUERY_STRING} [L]
RewriteRule ^(api/)?methods/(.*)/?$ api_method.php?method=$2&%{QUERY_STRING} [L]
RewriteRule ^(api/)?errors/?$ api_errors.php [L]
RewriteRule ^(api/)?pagination/?$ api_pagination.php [L]
RewriteRule ^(api/)?formats/?$ api_formats.php [L]
RewriteRule ^(api/)?formats/(.*)/?$ api_format.php?format=$2 [L]
# API key management pages
RewriteRule ^(api/)?keys/?$ api_keys.php?%{QUERY_STRING} [L]
RewriteRule ^(api/)?keys/register/?$ api_keys_register.php?%{QUERY_STRING} [L]
RewriteRule ^(api/)?keys/([a-zA-Z0-9]+)/?$ api_key.php?api_key=$2&%{QUERY_STRING} [L]
RewriteRule ^(api/)?keys/([a-zA-Z0-9]+)/tokens(/page([0-9]+))?/?$ api_key_tokens.php?api_key=$2&page=$4&%{QUERY_STRING} [L]
# OAuth2 pages and endpoints
RewriteRule ^(api/)?oauth2/?$ api_oauth2.php?%{QUERY_STRING} [L]
RewriteRule ^(api/)?oauth2/howto/?$ api_oauth2_howto.php?%{QUERY_STRING} [L]
RewriteRule ^(api/)?oauth2/authenticate/?$ api_oauth2_authenticate.php?%{QUERY_STRING} [L]
RewriteRule ^(api/)?oauth2/authenticate/like-magic/?$ api_oauth2_authenticate_like_magic.php?%{QUERY_STRING} [L]
RewriteRule ^(api/)?oauth2/access_token/?$ api_oauth2_access_token.php?%{QUERY_STRING} [L]
RewriteRule ^(api/)?oauth2/tokens(/page([0-9]+))?/?$ api_oauth2_tokens.php?page=$3&%{QUERY_STRING} [L]
RewriteRule ^(api/)?oauth2/tokens/([a-zA-Z0-9]+)/?$ api_oauth2_token.php?api_key=$2&%{QUERY_STRING} [L]
# The REST endpoint itself; the method name arrives in the query string.
RewriteRule ^(api/)?rest/?$ api_rest.php?%{QUERY_STRING} [L]
# RewriteRule ^rest/(.*)/?$ api_rest.php?method=$1&%{QUERY_STRING} [L]
# for the pelias API
# the 'restpelias' stuff is to account for the way Mapzen does internal proxying
# which is ugly and unfortunate but hardly the end of the world so we just account
# for it here... (20170424/thisisaaronland)
# Each rule rewrites to /rest (or /api/rest) with method, query_field, format
# and version filled in from the path, then appends the client's query string.
# NOTE(review): because the client's query string comes last and PHP keeps
# the last occurrence of a repeated parameter, a request can supply its own
# method=, format= or version= and replace the values pinned here. If these
# routes are meant to expose only the two pelias methods, api_rest.php (or
# the method dispatcher behind it) has to enforce that -- confirm.
RewriteRule ^(api/)?pelias/(v1)/((alt|name|names|preferred|variant)/)?autocomplete/?$ /$1rest?method=whosonfirst.pelias.autocomplete&query_field=$4&format=geojson&version=$2&%{QUERY_STRING} [L]
RewriteRule ^(api/)?pelias/(v1)/((alt|name|names|preferred|variant)/)?search/?$ /$1rest?method=whosonfirst.pelias.search&query_field=$4&format=geojson&version=$2&%{QUERY_STRING} [L]
RewriteRule ^(api/)?restpelias/(v1)/((alt|name|names|preferred|variant)/)?autocomplete/?$ /$1rest?method=whosonfirst.pelias.autocomplete&query_field=$4&format=geojson&version=$2&%{QUERY_STRING} [L]
RewriteRule ^(api/)?restpelias/(v1)/((alt|name|names|preferred|variant)/)?search/?$ /$1rest?method=whosonfirst.pelias.search&query_field=$4&format=geojson&version=$2&%{QUERY_STRING} [L]
# Simple ping endpoint; the query string is passed through unchanged.
RewriteRule ^ping/?$ ping.php?%{QUERY_STRING} [L]
# START OF flamework-mapzen-sso stuff
# /signin is handled by the Mapzen OAuth script (the plain signin.php rule
# earlier in this file is commented out). /auth is the callback and receives
# the request's query string unchanged.
# NOTE(review): presumably the callback carries the OAuth code/state
# parameters -- confirm auth_callback_mapzen_oauth.php validates state
# and that both routes are only reachable over HTTPS.
RewriteRule ^signin/?$ /signin_mapzen_oauth.php [L]
RewriteRule ^auth/?$ /auth_callback_mapzen_oauth.php?%{QUERY_STRING} [L]
# END OF flamework-mapzen-sso stuff