# BEGIN FOSSBilling
# Read documentation https://fossbilling.org/docs for more information.
Options -Indexes +SymLinksIfOwnerMatch
<IfModule !mod_rewrite.c>
    DirectoryIndex rewrite-missing.html
    FallbackResource rewrite-missing.html
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Rewrite rules to block out some common exploits.
    RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|_REQUEST)(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule .* index.php [F]

    # Alias from bb-ipn.php to ipn.php for those who have upgraded from BoxBilling.
    RewriteRule ^bb-ipn\.php$ /ipn.php [L]

    # Allow access to the index.php, ipn.php, /install/index.php, and /install/install.php files.
    RewriteCond %{REQUEST_URI} ^/(index\.php|ipn\.php|install/index\.php|install/install\.php) [NC]
    RewriteRule ^ - [L]

    # Block direct access to sensitive files and file types.
    RewriteCond %{REQUEST_URI} /?.+\.(htaccess|htpasswd|bak|conf|inc|ini|lock|log|old|sh|sql|twig|yaml|php) [NC,OR]
    RewriteCond %{REQUEST_URI} /?.*(composer.json|README.md|CHANGELOG.md) [NC]
    RewriteRule ^(.*)$ index.php?_url=/$1&_errcode=404 [L]

    # Rewrite to allow custom pages to function correctly
    RewriteRule ^page/(.*)$ index.php?_url=/custompages/$1

    # Rewrite non-existent file/directory names to index.php.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?_url=/$1 [QSA,L]

</IfModule>
# END FOSSBilling
