From 9161f1b7b917b2a47c74bc5c944d943d32dd6799 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Wed, 27 Apr 2022 08:18:35 +0100
Subject: [PATCH] Add RewriteRule exception for ms-files.php

---
 Dockerfile              | 2 ++
 docker/htaccess         | 5 +++--
 docker/htaccess-noindex | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 docker/htaccess-noindex

diff --git a/Dockerfile b/Dockerfile
index 8cf8bafb..9dd0bad9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,6 +9,8 @@ FROM registry.git.autistici.org/ai3/docker/apache2-php-base:master
 COPY --from=build /build/app/ /opt/noblogs/www
 
 COPY docker/htaccess /opt/noblogs/www/.htaccess
+COPY docker/htaccess-noindex /opt/noblogs/www/wp-admin/.htaccess
+COPY docker/htaccess-noindex /opt/noblogs/www/wp-includes/.htaccess
 COPY docker/wp-config.php /opt/noblogs/www/wp-config.php
 COPY docker/wp-cache-config.php /opt/noblogs/www/wp-content/wp-cache-config.php
 COPY docker/conf /tmp/conf
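Review bot: The two added `COPY docker/htaccess-noindex` lines disable directory listings only under wp-admin/ and wp-includes/, so wp-content/ (uploads, plugins, themes) gets no equivalent file from this hunk. Because .htaccess directives are inherited by subdirectories, a single `Options -Indexes` in docker/htaccess would cover the whole tree and make the per-directory copies unnecessary; whether the base image already sets this is not visible here. Note also that `Options` in a .htaccess file is accepted only when the server's `AllowOverride` permits it, and otherwise requests into those directories fail with a 500. That is worth confirming against the apache2-php-base configuration.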
diff --git a/docker/htaccess b/docker/htaccess
index 1c59a616..92aefd93 100644
--- a/docker/htaccess
+++ b/docker/htaccess
@@ -27,10 +27,11 @@ RewriteRule ^gallery/[0-9]+/(.*)$  wp-includes/ms-files.php?file=2010/08/$1 [L]
 RewriteRule ^resource/[^/]+/preview/(.*)$ wp-includes/ms-files.php?file=2010/08/$1 [L]
 RewriteRule ^resource/[^/]+/download/(.*)$ wp-includes/ms-files.php?file=2010/08/$1 [L]
 
-# hardening of wp-includes
+# hardening of wp-includes (with the exception of ms-files.php, the WP multisite file server).
 RewriteRule ^wp-admin/includes/ - [F,L]
 RewriteRule !^wp-includes/ - [S=3]
-RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
+RewriteCond %{REQUEST_URI} !^wp-includes/ms-files.php$
+RewriteRule ^wp-includes/.+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
 
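Review bot: The added `RewriteCond %{REQUEST_URI} !^wp-includes/ms-files.php$` is always true, because `%{REQUEST_URI}` begins with a `/` while the pattern is anchored directly at `wp-includes/`. The `[F,L]` rule after it therefore still forbids ms-files.php, and the intended exception has no effect. Assuming the site is served from the document root, anchor on the leading slash and escape the dots: `RewriteCond %{REQUEST_URI} !^/wp-includes/ms-files\.php$`. Separately, widening the rule from `[^/]+\.php$` to `.+\.php$` now denies PHP files in every subdirectory of wp-includes, not only the top level. That is stricter hardening, but it is worth confirming that no script under wp-includes/ is meant to be requested directly, and saying in the comment that the tinymce/langs and theme-compat rules below are now largely covered by this one.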
diff --git a/docker/htaccess-noindex b/docker/htaccess-noindex
new file mode 100644
index 00000000..5a928f6d
--- /dev/null
+++ b/docker/htaccess-noindex
@@ -0,0 +1 @@
+Options -Indexes
-- 
GitLab