# ----------------------------------------------------------------------
# | 8G Firewall for Security - Do not change this part @Update 03/2024
# ----------------------------------------------------------------------

# 8G FIREWALL v1.5 20250927
# https://perishablepress.com/8g-firewall/

# 8G:[CORE]
ServerSignature Off
Options -Indexes
RewriteEngine On
RewriteBase /

SetEnv TZ Australia/Hobart
Options +SymLinksIfOwnerMatch

<FilesMatch "(?i)\.(tpl|ini|log)$">
	Require all denied
</FilesMatch>

# Allow Robots.txt to pass through
RewriteRule ^robots.txt - [L]
RewriteCond %{REQUEST_URI} !^(/\.well-known)

RewriteCond %{QUERY_STRING} ^route=common/home$
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule ^index\.php$ http://%{HTTP_HOST}? [R=301,L]

# ── Block all other dotfiles ───────────────────────────────────────────────
RewriteRule (?:^|/)\. - [F,L]

# ── www → non-www (301) ────────────────────────────────────────────────────
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]

# ── Pass existing files and directories directly ─────────────────────────────
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# ── Pass dashboard, login, controllers and other migrated paths directly ──────
# (prevents the modX vhost catch-all from intercepting these requests)
RewriteRule ^(dashboard|login|controllers|api|components|layouts|config|lib|pdf-files|client-assets|vendor)(/|$) - [L]