From 050676260ab860bfbb2318b14ee2e81ecc338871 Mon Sep 17 00:00:00 2001
From: Greg Sarjeant <1686767+gsarjeant@users.noreply.github.com>
Date: Sat, 14 Jun 2025 23:19:25 -0400
Subject: [PATCH] Simplify .htaccess. Get working from /tkr. Make that the default for apache. Simplify caching.
---
examples/apache/.htaccess | 34 ++++++++++++++++
examples/apache/root/.htaccess | 59 ----------------------------
examples/apache/subfolder/.htaccess | 61 -----------------------------
templates/main.php | 2 +-
4 files changed, 35 insertions(+), 121 deletions(-)
create mode 100644 examples/apache/.htaccess
delete mode 100644 examples/apache/root/.htaccess
delete mode 100644 examples/apache/subfolder/.htaccess
diff --git a/examples/apache/.htaccess b/examples/apache/.htaccess
new file mode 100644
index 0000000..4b29c8d
--- /dev/null
+++ b/examples/apache/.htaccess
@@ -0,0 +1,34 @@
+# Enable mod_rewrite
+RewriteEngine On
+
+# Security headers
+Header always set X-Frame-Options "SAMEORIGIN"
+Header always set X-XSS-Protection "1; mode=block"
+Header always set X-Content-Type-Options "nosniff"
+
+# Directory index
+DirectoryIndex public/index.php
+
+# Security: Block direct access to .php files (except through rewrites)
+RewriteCond %{THE_REQUEST} \s/[^?\s]*\.php[\s?] [NC]
+RewriteRule ^.*$ - [R=404,L]
+
+# Security: Block access to sensitive directories
+RewriteRule ^(storage|src|templates|uploads|config)(/.*)?$ - [F,L]
+
+# Security: Block access to hidden files
+RewriteRule ^\..*$ - [F,L]
+
+# Cache static files for 1 hour
+
+ Header set Cache-Control "public, max-age=3600"
+
+
+# Serve the one static file we allow: css/tkr.css (but not css/custom/)
+RewriteCond %{REQUEST_URI} !^/css/custom/
+RewriteRule ^css/tkr\.css$ public/css/tkr.css [L]
+
+# Everything else goes to the front controller
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule ^(.*)$ public/index.php [L]
\ No newline at end of file
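Review bot: The final catch-all only fires when `%{REQUEST_FILENAME}` is not an existing file or directory, so any file that exists under this directory and is not caught by the earlier rules is served straight from disk, which contradicts the "one static file we allow" comment and is broader than the removed root config, whose last rule sent every remaining request to the front controller. Anything outside the five listed directories that is not a `.php` request or a top-level dot path (the contents of `public/`, or whatever project metadata sits beside it) would be reachable; the deployed tree is not visible from this patch, so which files that covers needs checking. One option on Apache 2.4 is to drop the two `RewriteCond %{REQUEST_FILENAME}` lines and end processing explicitly with `RewriteRule ^css/tkr\.css$ public/css/tkr.css [END]` and `RewriteRule ^ public/index.php [END]`. Separately, `RewriteRule ^\..*$ - [F,L]` is matched against the per-directory path, so it covers dot paths at the top of this directory only, whereas the removed hidden-file block with `Require all denied` appears to have matched by file name at any depth.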
diff --git a/examples/apache/root/.htaccess b/examples/apache/root/.htaccess
deleted file mode 100644
index 12c567c..0000000
--- a/examples/apache/root/.htaccess
+++ /dev/null
@@ -1,59 +0,0 @@
-# Enable mod_rewrite
-RewriteEngine On
-
-# Security headers
-# The first rule is to prevent including in a frame on a different domain.
-# Remove it if you want to do that.
-Header always set X-Frame-Options "SAMEORIGIN"
-Header always set X-XSS-Protection "1; mode=block"
-Header always set X-Content-Type-Options "nosniff"
-
-# Directory index
-# (Not actually used because everything gets handled by a rewrite rule
-# , but I'm keeping it for clarity about what's going on.)
-DirectoryIndex index.php
-
-# Deny access to hidden files (e.g. .htaccess)
-
- Require all denied
-
-
-# Cache static files (excluding css/custom which goes through PHP)
-# Note that I don't actually serve most of this (just css)
-# but this prevents requests for static content from getting to the PHP handler.
-#
-# The /css/custom directory is excluded from this in a RewriteCond below:
-# RewriteCond %{REQUEST_URI} !^/tkr/css/custom/
-#
-# Those requests are handled by the PHP app to serve custom css
-
- ExpiresActive On
- ExpiresDefault "access plus 1 year"
- Header set Cache-Control "public, max-age=31536000, immutable"
-
-
-# Process PHP files
-
- SetHandler application/x-httpd-php
-
-
-# Skip rewriting if already in /tkr/public/ (prevents infinite loops)
-RewriteRule ^tkr/public/ - [L]
-
-# Block direct access to all .php files
-# but allow internal rewrites to index.php
-RewriteCond %{THE_REQUEST} \.php [NC]
-RewriteRule ^.*\.php$ - [R=404,L]
-
-# Block access to sensitive directories
-RewriteRule ^(storage|src|templates|uploads|config)(/.*)?$ - [F,L]
-
-# If it's a static file that exists in /tkr/public, serve it directly
-# (but exclude css/custom which should go through PHP)
-RewriteCond %{REQUEST_URI} !^/css/custom/
-RewriteCond %{DOCUMENT_ROOT}/tkr/public%{REQUEST_URI} -f
-RewriteRule ^(.*)$ /tkr/public/$1 [L]
-
-# Send everything else to the front controller
-# (/tkr/public/index.php)
-RewriteRule ^.*$ /tkr/public/index.php [L]
diff --git a/examples/apache/subfolder/.htaccess b/examples/apache/subfolder/.htaccess
deleted file mode 100644
index 740a389..0000000
--- a/examples/apache/subfolder/.htaccess
+++ /dev/null
@@ -1,61 +0,0 @@
-# Enable mod_rewrite
-RewriteEngine On
-
-# Security headers
-# The first rule is to prevent including in a frame on a different domain.
-# Remove it if you want to do that.
-Header always set X-Frame-Options "SAMEORIGIN"
-Header always set X-XSS-Protection "1; mode=block"
-Header always set X-Content-Type-Options "nosniff"
-
-# Directory index
-DirectoryIndex index.php
-
-# Deny access to hidden files (e.g. .htaccess)
-
- Require all denied
-
-
-# Cache static files (excluding css/custom which goes through PHP)
-# Note that I don't actually serve most of this (just css)
-# but this prevents requests for static content from getting to the PHP handler.
-#
-# The /css/custom directory is excluded from this in a RewriteCond below:
-# RewriteCond %{REQUEST_URI} !^/tkr/css/custom/
-#
-# Those requests are handled by the PHP app to serve custom css
-
- ExpiresActive On
- ExpiresDefault "access plus 1 year"
- Header set Cache-Control "public, max-age=31536000, immutable"
-
-
-# Process PHP files
-
- SetHandler application/x-httpd-php
-
-
-# Skip rewriting if already in /tkr/public/ (prevents infinite loops)
-RewriteRule ^tkr/public/ - [L]
-
-# Block direct access to all .php files
-# but allow internal rewrites to index.php
-RewriteCond %{THE_REQUEST} \.php [NC]
-RewriteRule ^.*\.php$ - [R=404,L]
-
-# Block access to sensitive directories under /tkr
-RewriteRule ^tkr/(storage|src|templates|uploads|config)(/.*)?$ - [F,L]
-
-# Handle /tkr requests
-# (keep the path after /tkr for the next directive)
-RewriteCond %{REQUEST_URI} ^/tkr(/.*)?$
-
-# If it's a static file that exists in /tkr/public, serve it directly
-# (e.g. /tkr/public/css/tkr.css)
-RewriteCond %{REQUEST_URI} !^/tkr/css/custom/
-RewriteCond %{DOCUMENT_ROOT}/tkr/public%1 -f
-RewriteRule ^tkr(/.*)?$ /tkr/public$1 [L]
-
-# Send everything else to the front controller
-# (/tkr/public/index.php)
-RewriteRule ^tkr(/.*)?$ /tkr/public/index.php [L]
diff --git a/templates/main.php b/templates/main.php index 6d0ca4a..30113ea 100644 --- a/templates/main.php +++ b/templates/main.php @@ -9,7 +9,7 @@ + href="basePath) ?>css/tkr.css"> cssId)): ?>