Developing (v7+)

Performance and security

Permalink 1 user found helpful March 26, 2013 at 8:09 PM

As Concrete5 gains popularity I can see its performance and security coming under closer scrutiny.

I recently ran some test sites thru GTMetrix [http://gtmetrix.com/] which can be a sobering experience. Even if you take issue with the stats you can't take issue with the relative comparison after tweaking your own site and re-running it.

I recently did this with C5 5.6.1 with all the caching turned on and got a rating of 34% for speed. That hurt - especially on a dedicated server - so I utilised some htaccess rules from the Joomla Community that I have seen work pretty well.

THe rules are complicated for beginners in htaccess and let me state these are only tested with 5.6.1 on linux and apache 2 [some rules wont work on apache 1.x]

Anyway here are the contents of my htaccess file that took my relative speed from 34% score to 64%. There is still some more tweaking to do to the site to squeeze more out of it but this is a boost in the right direction.

ref:http://docs.joomla.org/Htaccess_examples_(security)

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
# The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
# mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server.
# AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.
<ifModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/xml text/css text/plain
  AddOutputFilterByType DEFLATE image/svg+xml application/xhtml+xml application/xml
  AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
  AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript application/json
  AddOutputFilterByType DEFLATE application/x-font-ttf application/x-font-otf
  AddOutputFilterByType DEFLATE font/truetype font/opentype
</ifModule>
########## Begin - Optimal default expiration time

Viewing 15 lines of 91 lines. View entire code block.

 
########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
# The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
# mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server.
# AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.
 
<ifModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/xml text/css text/plain
  AddOutputFilterByType DEFLATE image/svg+xml application/xhtml+xml application/xml
  AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
  AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript application/json
  AddOutputFilterByType DEFLATE application/x-font-ttf application/x-font-otf
  AddOutputFilterByType DEFLATE font/truetype font/opentype
</ifModule>
 
########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
 
   # Enable expiration control
   ExpiresActive On
 
   # Default expiration: 1 hour after request
   ExpiresDefault "now plus 1 hour"
 
   # CSS and JS expiration: 1 week after request
   ExpiresByType text/css "now plus 1 week"
   ExpiresByType application/javascript "now plus 1 week"
   ExpiresByType application/x-javascript "now plus 1 week"
 
   # Image files expiration: 1 month after request
   ExpiresByType image/bmp "now plus 1 month"
   ExpiresByType image/gif "now plus 1 month"
   ExpiresByType image/jpeg "now plus 1 month"
   ExpiresByType image/jp2 "now plus 1 month"
   ExpiresByType image/pipeg "now plus 1 month"
   ExpiresByType image/png "now plus 1 month"
   ExpiresByType image/svg+xml "now plus 1 month"
   ExpiresByType image/tiff "now plus 1 month"
   ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
   ExpiresByType image/x-icon "now plus 1 month"
   ExpiresByType image/ico "now plus 1 month"
   ExpiresByType image/icon "now plus 1 month"
   ExpiresByType text/ico "now plus 1 month"
   ExpiresByType application/ico "now plus 1 month"
   ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
   ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
   ExpiresByType application/smil "now plus 1 month"
 
   # Audio files expiration: 1 month after request
   ExpiresByType audio/basic "now plus 1 month"
   ExpiresByType audio/mid "now plus 1 month"
   ExpiresByType audio/midi "now plus 1 month"
   ExpiresByType audio/mpeg "now plus 1 month"
   ExpiresByType audio/x-aiff "now plus 1 month"
   ExpiresByType audio/x-mpegurl "now plus 1 month"
   ExpiresByType audio/x-pn-realaudio "now plus 1 month"
   ExpiresByType audio/x-wav "now plus 1 month"
 
   # Movie files expiration: 1 month after request
   ExpiresByType application/x-shockwave-flash "now plus 1 month"
   ExpiresByType x-world/x-vrml "now plus 1 month"
   ExpiresByType video/x-msvideo "now plus 1 month"
   ExpiresByType video/mpeg "now plus 1 month"
   ExpiresByType video/mp4 "now plus 1 month"
   ExpiresByType video/quicktime "now plus 1 month"
   ExpiresByType video/x-la-asf "now plus 1 month"
   ExpiresByType video/x-ms-asf "now plus 1 month"
 
########## End - Optimal expiration time
 
# BEGIN Cache-Control Headers
<ifModule mod_headers.c>
  <filesMatch "\.(ico|jpe?g|png|gif|swf)$">
    Header set Cache-Control "public"
  </filesMatch>
  <filesMatch "\.(css)$">
    Header set Cache-Control "public"
  </filesMatch>
  <filesMatch "\.(js)$">
    Header set Cache-Control "private"
  </filesMatch>
  <filesMatch "\.(x?html?|php)$">
    Header set Cache-Control "private, must-revalidate"
  </filesMatch>
</ifModule>
# END Cache-Control Headers
 
# BEGIN Turn ETags Off
FileETag None
# END Turn ETags Off
 
 
# -- concrete5 urls start --
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule . index.php [L]
</IfModule>
# -- concrete5 urls end --

mnakalay replied on Mar 26, 2013 at 9:04 pm Permalink Reply

Hello,
I'm a bit confused, you htaccess adds a lot to improve performance (gzipping, expiry dates) but I don't see anything helping with security. Wasn't that part of the topic?

alanski replied on Mar 27, 2013 at 3:08 am Permalink Reply

Late night post :)
Yes there is some more....

Again from the same source as above, there are a few htaccess rules targeted at sql / file injections and anti spam...

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL

Viewing 15 lines of 61 lines. View entire code block.

 
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits
 
########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
########## End - File injection protection
 
########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
## This code uses PCRE and works only with Apache 2.x.
## This code will NOT work with Apache 1.x servers.
RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC]
## Note: The final RewriteCond must NOT use the [OR] flag.
RewriteRule .* - [F]
## Note: The previous lines are a "compressed" version
## of the filters. You can add your own filters as:
## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
## where "badword" is the word you want to exclude.
########## End - Basic antispam Filter, by SigSiu.net
 
########## Begin - Advanced server protection - query strings, referrer and config
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos
 
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). Seehttp://www.0php.com/php_easter_egg.php... and
##http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
 
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
##http://www.sigsiu.net/presentations/fortifying_your_joomla_website....
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]

alanski replied on Mar 27, 2013 at 3:10 am Permalink Reply

Should say / remind anyone using this that it is an example that can be added upon as well as edited, and more importantly, it might interfere with some legitimate requests, though I havent found it to do so yet......

Phallanx replied on Mar 27, 2013 at 11:03 am Permalink Reply

Surprised these ones aren't in there

RewriteCond %{QUERY_STRING} allow_url_include [NC,OR] 
RewriteCond %{QUERY_STRING} auto_prepend_file [NC] 
RewriteRule ^.*$ - [F,L]

Forums

Developing (v7+)

Performance and security

Code

Post Reply

Delete Post

Mark Post as Spam

Destroy Spammer

Sign In?