-
-
Notifications
You must be signed in to change notification settings - Fork 5
/
.htaccess
362 lines (320 loc) · 15.9 KB
/
.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
RewriteEngine On
##
## HTTP Error Document
##
## This will not respect the language selected via the language
## chooser, but rather will use the language specified by
## mod_negotiation below.
##
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
##
## REDIRECT TO GITLAB FOR BADGES
##
## Temporary work around while we figure out why the /badges directory
## isn't getting deployed correctly. Forwards all requests for files
## in the /badge directory to GitLab Pages.
##
RewriteCond %{REQUEST_URI} ^/badge/(.*)$ [NC]
RewriteRule ^.*$ https://fdroid.gitlab.io/artwork/badge/%1 [L,R=302]
##
## SEARCH QUERIES
##
## Search queries used to read the `fdfilter` query parameter.
##
#
# The first .* matches anything (if any) before the "fdfilter"
# parameter. The second .*? captures the value of this parameter. It
# is non-gready so that it doesn't capture subsequent &'s. The third
# &.* matches any subsequent parameters. I would have liked to be
# able to do something like &?.* so that only if there was a trailing
# & then we would match, but that is incorrect. Instead, we use a
# second rewrite rule that is less strict to match the case when there
# is no trailing parameters.
#
# Rewrites:
# /any/path?leading_param=blah&fdfilter=query&trailing_param=blah -> /packages/#q=query
# /any/path?fdfilter=query&trailing_param=blah -> /packages/#q=query
#
RewriteCond %{QUERY_STRING} ^.*fdfilter=(.*?)&.*$
#
# If you were to leave off the "?" at the end, then it appends the
# entire query string from the original request. By having "?" here,
# it shows no query string at all, which is what we are after.
#
RewriteRule ^(.*)$ /packages/#q=%1? [L,R=301,NE]
#
# The less specific version of the above rule, for when there is no
# trailing parameters.
#
# Rewrites:
# /any/path?leading_param&fdfilter=query -> /packages/#q=query
# /any/path?fdfilter=query -> /packages/#q=query
#
RewriteCond %{QUERY_STRING} ^.*fdfilter=(.*?)$
RewriteRule ^(.*)$ /packages/#q=%1? [L,R=301,NE]
##
## PACKAGE DETAILS
##
## Package detail pages are shown for the package name specified by
## the `fdid` query parameter.
##
#
# Rewrites:
# /any/path?leading_param=blah&fdid=org.fdroid.fdroid&trailing_param=blah -> /packages/org.fdroid.fdroid/
# /any/path?fdid=org.fdroid.fdroid&trailing_param=blah -> /packages/org.fdroid.fdroid/
#
RewriteCond %{QUERY_STRING} ^.*fdid=(.*?)&.*$
RewriteRule ^(.*)$ /packages/%1/? [L,R=301]
#
# The less specific version of the above rule, for when there is no
# trailing parameters.
#
# Rewrites:
# /any/path?leading_param=blah&fdid=org.fdroid.fdroid -> /packages/org.fdroid.fdroid/
# /any/path?fdid=org.fdroid.fdroid -> /org.fdroid.fdroid/
#
RewriteCond %{QUERY_STRING} ^.*fdid=(.*?)$
RewriteRule ^(.*)$ /packages/%1/? [L,R=301]
#
# This is from the android docs about the android manifest `package`
# attribute:
#
# A full Java-language-style package name for the Android
# application. The name should be unique. The name may contain
# uppercase or lowercase letters ('A' through 'Z'), numbers, and
# underscores ('_'). However, individual package name parts may only
# start with letters.
#
# This is a simplified regex, which ignores the "individual package
# parts..." bit.
#
RewriteRule ^app/([a-zA-Z0-9_.]*)$ /packages/$1/ [L,R=301]
##
## CATEGORIES
##
## Categories are browsed using the `fdcategory` query parameter.
## Note: This is often specified twice, and if so, the latter is
## used. This is categored for because the first .* is greedy, so will
## consume any prior `fdcategory=` strings before capturing the last.
##
#
# Rewrites:
# /any/path?leading_param=blah&fdcategory=System&trailing_param=blah -> /packages/category/System/
# /any/path?fdcategory=System&trailing_param=blah -> /packages/category/System/
#
RewriteCond %{QUERY_STRING} ^.*fdcategory=(.*?)&.*$
RewriteRule ^(.*)$ /packages/category/%1/? [L,R=301]
#
# The less specific version of the above rule, for when there is no
# trailing parameters.
#
# Rewrites:
# /any/path?leading_param=blah&fdcategory=System -> /packages/category/System/
# /any/path?fdcategory=System -> /packages/category/System/
#
RewriteCond %{QUERY_STRING} ^.*fdcategory=(.*)$
RewriteRule ^(.*)$ /packages/category/%1/? [L,R=301]
##
## MISC PAGES
##
## Some random parts which could technically be done via Jekyll, but
## seeing as we are adding rewrite rules here that are highly specific
## to the existing website, it would be nice to keep other redirects
## here also.
##
#
# Match anything else which begins with repository/browse. Be generous
# in what we accept after the /browse part of the path, because we
# have more specific rules earlier which will catch more important
# URLs, such as /repository/browse?fdfilter=query
#
RewriteRule ^repository/browse.*$ /packages/ [L,R=301]
##
## LANGUAGE CHOOSER
##
## Support for the language chooser for users without JavaScript. If
## JavaScript is enabled, then this rule will not end up getting used
## as the browser can redirect appropriately.
##
## NOTE: This will only work for websites with a `baseurl` of
## `/`. This is because the .htaccess file has no insight into
## what the `baseurl` actually is, so we presume `/` as it will
## be for https://f-droid.org.
##
## The lanugage chooser sends GET requests to, for example,
## `...?lang=fr`. However, the users need to end up on
## `/fr/...`. Given we need the site to work without JavaScript, the
## only real way to do this is by rewriting the URL on the server.
## Given this is a static site, we don't expect much usage of query
## parameters for anything other than legacy redirects, and so this
## doesn't make a huge effort to maintain query parameters when
## rewriting.
##
#
# Rewrites:
# /any/path?lang=fr -> /fr/any/path
# /any/path?lang=fr_CA -> /fr_CA/any/path
# /any/path?trailing_param=blah&lang=fr -> /fr/any/path
# Wont correctly rewrite:
# /any/path?trailing_param=blah&lang=fr&trailing_param=blah -> /fr/any/path
#
RewriteCond %{REQUEST_URI} !^/archive
RewriteCond %{REQUEST_URI} !^/assets
RewriteCond %{REQUEST_URI} !^/css
RewriteCond %{REQUEST_URI} !^/repo
RewriteCond %{REQUEST_URI} !^/wiki
RewriteCond %{REQUEST_URI} !^/wp-content
RewriteCond %{QUERY_STRING} ^.*lang=(.*)$
RewriteRule ^(.*)$ /%1/$1? [L,R=302]
# ============================================================================== #
# HTTP security headers
# Content Security Policy is delivered via a HTTP response header and
# defines approved sources of content that the browser may load.
#
# * https://f-droid.org so staging copies can fetch icons
# * https://fdroid.gitlab.io for "Get on F-Droid" badges
Header always set Content-Security-Policy: "\
default-src 'self'; \
\
child-src 'none'; \
connect-src 'self'; \
frame-ancestors 'self'; \
img-src 'self' https://f-droid.org https://fdroid.gitlab.io; \
media-src 'self'; \
object-src 'none'; \
script-src 'self' 'unsafe-inline'; \
style-src 'self' 'unsafe-inline'; \
"
#
# The browser will set the referrer header to the origin from which
# the request was made, but only send referrer info to HTTPS
# sites. This will strip any path information from the referrer
# information.
#
Header always set Referrer-Policy: "strict-origin"
#
# Setting this header will prevent MSIE from interpreting files as
# something else than declared by the content type in the HTTP
# headers. Requires mod_headers to be enabled.
#
Header always set X-Content-Type-Options: "nosniff"
#
# Setting this header will prevent other sites from embedding pages
# from this site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header always set X-Frame-Options: "sameorigin"
#
# This header is used to configure the built in reflective XSS
# protection found in Internet Explorer, Chrome and Safari
# (Webkit). Valid settings for the header are 0, which disables the
# protection, 1 which enables the protection and 1; mode=block which
# tells the browser to block the response if it detects an attack
# rather than sanitising the script.
#
Header always set X-Xss-Protection: "1; mode=block"
## Permanent Redirects
## Simple 301 Redirects for pages that have permanently moved
RedirectPermanent /news-and-reviews /news
RedirectPermanent /translate /docs/Translation_and_Localization
RedirectPermanent /repository/issues /issues
RedirectPermanent /manual/html_node/Building-Applications.html /docs/Building_Applications/
RedirectPermanent /manual/html_node/Build-Server.html /docs/Build_Server_Setup/
RedirectPermanent /manual/html_node/Data.html /docs/Building_Applications/
RedirectPermanent /manual/html_node/Importing-Applications.html /docs/Importing_Applications/
RedirectPermanent /manual/html_node/Metadata.html /docs/Build_Metadata_Reference/
RedirectPermanent /manual/html_node/Setup.html /docs/Installing_the_Server_and_Repo_Tools/
RedirectPermanent /manual/html_node/Signing.html /docs/Signing_Process/
RedirectPermanent /manual/html_node/Simple-Binary-Repository.html /docs/Setup_an_F-Droid_App_Repo/
RedirectPermanent /manual/html_node/System-Requirements.html /docs/Installing_the_Server_and_Repo_Tools/
RedirectPermanent /manual/html_node/Update-Processing.html /docs/Update_Processing/
RedirectPermanent /manual/html_node/Overview.html /docs/
RedirectPermanent /manual/html_node /docs
RedirectPermanent /manual/fdroid.html /docs/
RedirectPermanent /manual /docs
RedirectPermanent /wiki/page/Build_Server_Setup /docs/Build_Server_Setup
RedirectPermanent /wiki/page/Client_Bug_Reports /docs/Client_Bug_Reports
RedirectPermanent /wiki/page/FAQ_-_App_Developers /docs/FAQ_-_App_Developers
RedirectPermanent /wiki/page/FAQ_-_Client /docs/FAQ_-_Client
RedirectPermanent /wiki/page/FAQ_-_General /docs/FAQ_-_General
RedirectPermanent /wiki/page/Feeds /docs/Feeds
RedirectPermanent /wiki/page/Getting_logcat_messages_after_crash /docs/Getting_logcat_messages_after_crash
RedirectPermanent /wiki/page/How_to_Help /docs/How_to_Help
RedirectPermanent /wiki/page/How_to_update_an_app /docs/How_to_update_an_app
RedirectPermanent /wiki/page/Inclusion_How-To /docs/Inclusion_How-To
RedirectPermanent /wiki/page/Inclusion_Policy /docs/Inclusion_Policy
RedirectPermanent /wiki/page/Installing_the_Server/Repo_Tools /docs/Installing_the_Server_and_Repo_Tools
RedirectPermanent /wiki/page/Release_Channels_and_Signing_Keys /docs/Release_Channels_and_Signing_Keys
RedirectPermanent /wiki/page/Repository_Style_Guide /docs/Repository_Style_Guide
RedirectPermanent /wiki/page/Security_Model /docs/Security_Model
RedirectPermanent /wiki/page/Setup_an_FDroid_App_Repo /docs/Setup_an_F-Droid_App_Repo
RedirectPermanent /wiki/page/Verification_Server /docs/Verification_Server
RedirectPermanent /wiki/page/Whitelabel_Builds /docs/Whitelabel_Builds
RedirectPermanent /posts/andors-trail /2011/11/30/andors-trail.html
RedirectPermanent /posts/a-new-ux-6-years-in-the-making /2017/04/04/new-ux.html
RedirectPermanent /posts/beem /2010/10/05/beem.html
RedirectPermanent /posts/book-catalogue /2010/10/06/book-catalogue.html
RedirectPermanent /posts/client-0-100-released /2016/06/14/client-0-100-released.html
RedirectPermanent /posts/client-0-101-released /2016/10/03/client-0-101-released.html
RedirectPermanent /posts/client-0-102-released /2016/12/15/client-0-102-released.html
RedirectPermanent /posts/client-0-14 /2010/11/15/client-0-14.html
RedirectPermanent /posts/client-0-28-released /2012/08/26/client-0-28-released.html
RedirectPermanent /posts/client-0-31-released /2012/09/01/client-0-31-released.html
RedirectPermanent /posts/client-0-33-released /2012/09/13/client-0-33-released.html
RedirectPermanent /posts/client-0-38-released /2012/09/19/client-0-38-released.html
RedirectPermanent /posts/client-0-42-released /2013/03/24/client-0-42-released.html
RedirectPermanent /posts/client-0-45-released /2013/05/29/client-0-45-released.html
RedirectPermanent /posts/client-0-46-released /2013/05/31/client-0-46-released.html
RedirectPermanent /posts/client-0-50-released /2013/08/21/client-0-50-released.html
RedirectPermanent /posts/client-0-54-released /2013/11/05/client-0-54-released.html
RedirectPermanent /posts/client-0-55-released /2013/11/12/client-0-55-released.html
RedirectPermanent /posts/client-0-58-released /2014/01/13/client-0-58-released.html
RedirectPermanent /posts/client-0-63-released /2014/04/08/client-0-63-released.html
RedirectPermanent /posts/client-0-66-released /2014/05/02/client-0-66-released.html
RedirectPermanent /posts/client-0-76-released /2014/10/14/client-0-76-released.html
RedirectPermanent /posts/client-0-78-released /2015/01/02/client-0-78-released.html
RedirectPermanent /posts/client-0-83-released /2015/03/26/client-0-83-released.html
RedirectPermanent /posts/client-0-88-released /2015/04/29/client-0-88-released.html
RedirectPermanent /posts/client-0-91-released /2015/05/29/client-0-91-released.html
RedirectPermanent /posts/client-0-92-released /2015/06/08/client-0-92-released.html
RedirectPermanent /posts/client-0-95-1-released /2015/08/13/client-0-95-1-released.html
RedirectPermanent /posts/client-0-95-released /2015/08/06/client-0-95-released.html
RedirectPermanent /posts/client-0-97-released /2015/11/17/client-0-97-released.html
RedirectPermanent /posts/client-0-98-1-released /2016/02/15/client-0-98-1-released.html
RedirectPermanent /posts/client-0-98-released /2016/02/02/client-0-98-released.html
RedirectPermanent /posts/client-0-99-released /2016/03/03/client-0-99-released.html
RedirectPermanent /posts/connectbot /2010/11/04/connectbot.html
RedirectPermanent /posts/connect-your-charger /2010/10/01/connect-your-charger.html
RedirectPermanent /posts/fbreader /2010/10/07/fbreader.html
RedirectPermanent /posts/f-droid-at-fosdem /2014/01/11/f-droid-at-fosdem.html
RedirectPermanent /posts/f-droid-at-rmll /2014/07/01/f-droid-at-rmll.html
RedirectPermanent /posts/f-droid-is-here /2010/09/29/f-droid-is-here.html
RedirectPermanent /posts/f-droid-repository-alpha /2010/10/20/f-droid-repository-alpha.html
RedirectPermanent /posts/f-droid-talk-catalonia /2013/10/28/f-droid-talk-catalonia.html
RedirectPermanent /posts/f-droid-workshop-berlin /2013/07/27/f-droid-workshop-berlin.html
RedirectPermanent /posts/fosdem-schedules /2011/02/04/fosdem-schedules.html
RedirectPermanent /posts/get-it-on-f-droid-badges /2016/05/29/get-it-on-f-droid-badges.html
RedirectPermanent /posts/gvsig-mini /2010/10/13/gvsig-mini.html
RedirectPermanent /posts/k-9-mail /2010/09/29/k-9-mail.html
RedirectPermanent /posts/lifesaver /2010/10/02/lifesaver.html
RedirectPermanent /posts/mathdoku /2010/10/16/mathdoku.html
RedirectPermanent /posts/missile-intercept /2010/10/22/missile-intercept.html
RedirectPermanent /posts/mythmote /2010/10/04/mythmote.html
RedirectPermanent /posts/netcounter /2010/10/13/netcounter.html
RedirectPermanent /posts/no-free-beer /2010/09/30/no-free-beer.html
RedirectPermanent /posts/permissions /2010/10/01/permissions.html
RedirectPermanent /posts/repository-client-0-17 /2011/01/17/repository-client-0-17.html
RedirectPermanent /posts/repository-client-0-20 /2011/02/01/repository-client-0-20.html
RedirectPermanent /posts/repository-client-0-21 /2011/02/24/repository-client-0-21.html
RedirectPermanent /posts/repository-client-0-22 /2011/05/20/repository-client-0-22.html
RedirectPermanent /posts/repository-client-0-23 /2011/11/14/repository-client-0-23.html
RedirectPermanent /posts/repository-client-0-24 /2011/12/05/repository-client-0-24.html
RedirectPermanent /posts/repository-client-0-25 /2012/01/12/repository-client-0-25.html
RedirectPermanent /posts/repository-vapourware /2010/10/15/repository-vapourware.html
RedirectPermanent /posts/sailing-into-a-new-decade-of-discussions /2017/02/20/new-forum.html
RedirectPermanent /posts/second-f-droid-workshop /2013/08/14/second-f-droid-workshop.html
RedirectPermanent /posts/security-notice-textsecure /2012/08/23/security-notice-textsecure.html
RedirectPermanent /posts/sokoban /2011/01/06/sokoban.html
RedirectPermanent /posts/statusnet-mobile /2010/10/14/statusnet-mobile.html
RedirectPermanent /posts/the-donate-pledge /2010/10/22/the-donate-pledge.html