Vanilla on Apache - HL Vanilla Community
<main> <article class="userContent"> <div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/KM846Y3R951Y/microsoftteams-image-288-29.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/KM846Y3R951Y/microsoftteams-image-288-29.png" alt="MicrosoftTeams-image (8).png" height="108" width="1356" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p>Vanilla has excellent built-in support for Apache. It’s designed to work without additional confguration being necessary, but every setup is different.</p><h2 data-id="requirements">Requirements</h2><p>You need to have the <a href="http://httpd.apache.org/docs/current/mod/mod_rewrite.html" rel="nofollow noreferrer ugc">mod_rewrite</a> module enabled.</p><h3 data-id="about-.htaccess">About .htaccess</h3><p>Vanilla includes an <a href="https://github.com/vanilla/vanilla/blob/master/.htaccess.dist" rel="nofollow noreferrer ugc">.htaccess</a> file for full Apache support. <code class="code codeInline" spellcheck="false" tabindex="0">.htaccess</code> files <a href="http://httpd.apache.org/docs/current/howto/htaccess.html" rel="nofollow noreferrer ugc">must be enabled for your web root</a> (unless you can use the content of the <code class="code codeInline" spellcheck="false" tabindex="0">.htaccess</code> in your main server config file instead).</p><p>It’s renamed to <code class="code codeInline" spellcheck="false" tabindex="0">.htacess</code> during the install process. It’s named with a <code class="code codeInline" spellcheck="false" tabindex="0">.dist</code> appended to start to prevent folks from accidentally overwriting it during copy/paste upgrades.</p><p>To run Vanilla in a subfolder, you may need to edit it as indicated within the file.</p><p>The provided <code class="code codeInline" spellcheck="false" tabindex="0">.htaccess</code> already comes with some decent security hardening:</p><ul><li>The only PHP script that can be requested directly is <code class="code codeInline" spellcheck="false" tabindex="0">/index.php</code>.</li><li>Folders that should not be accessed from the web return a 403.</li></ul><h3 data-id="default-virtualhost-entry">Default VirtualHost entry</h3><p>By default, Apache will respond to any ServerName option until a domain which doesn’t match any VirtualHost is requested. Make sure you have a default entry added. Not doing so can make you susceptible to host header injection attacks. (tricking your server into rendering pages based on a third-party domain).</p><p>Also see these <a href="https://httpd.apache.org/docs/2.4/vhosts/examples.html" rel="nofollow noreferrer ugc">VirtuaHost Examples</a>.</p><h3 data-id="contributing">Contributing</h3><p>We’re always eager to learn about various host restrictions and challenges you might run into. Start a discussion on the <a href="https://open.vanillaforums.com/discussions" rel="nofollow noreferrer ugc">community forum</a> to tell us about situations you’ve come across or to request help with Apache.</p> </article> </main>