<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
  </IfModule>
</FilesMatch>

Options -Indexes
ServerSignature Off

Options +FollowSymLinks

DirectoryIndex index.php index.html index.htm

AddType image/svg+xml svg svgz
AddEncoding gzip svgz

<IfModule mod_php5.c>
  php_value assert.active                   0
  php_flag session.auto_start               off
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_flag mbstring.encoding_translation    off
  php_value always_populate_raw_post_data   -1
</IfModule>

<IfModule mod_expires.c>
  ExpiresActive On

  ExpiresDefault A1209600

  <FilesMatch \.php$>
    ExpiresActive Off
  </FilesMatch>

  <IfModule mod_headers.c>
    <filesMatch ".(css|jpg|jpeg|png|gif|js|ico|ttf|woff|woff2)$">
      Header set Cache-Control "max-age=2628000, public"
    </filesMatch>
  </IfModule>
</IfModule>

<IfModule mod_headers.c>
  <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|woff|ttf|woff2)(\.gz)?$">
    Header unset ETag
    FileETag None
  </FilesMatch>
</IfModule>

<IfModule !mod_rewrite.c>
  FallbackResource /index.php
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on

  RewriteRule ^ - [E=protossl]
  RewriteCond %{HTTPS} on
  RewriteRule ^ - [E=protossl:s]

  RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

  RewriteRule "/\.|^\.(?!well-known/)" - [F]

  # RewriteCond %{HTTP_HOST} .
  # RewriteCond %{HTTP_HOST} !^www\. [NC]
  # RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]

  RewriteCond %{HTTPS} off
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  RewriteBase /

  RewriteCond %{REQUEST_URI} ^(.*)?/(install.php) [OR]
  RewriteCond %{REQUEST_URI} ^(.*)?/(rebuild.php)
  RewriteCond %{REQUEST_URI} !core
  RewriteRule ^ %1/core/%2 [L,QSA,R=301]

  RewriteRule ^core/install.php core/install.php?rewrite=ok [QSA,L]

  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^ index.php [L]

  RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
  RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php
  RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
  RewriteCond %{REQUEST_URI} !/vendor/maecia/inside/adminer.php$
  RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F]

  <IfModule mod_headers.c>
    Header set X-UA-Compatible "IE=Edge"

    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.css $1\.css\.gz [QSA]

    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.js $1\.js\.gz [QSA]

    RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
    RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]

    <FilesMatch "(\.js\.gz|\.css\.gz)$">
      Header set Content-Encoding gzip
      Header append Vary Accept-Encoding
    </FilesMatch>
  </IfModule>
</IfModule>

<IfModule mod_headers.c>
  Header always set X-Content-Type-Options nosniff
  Header unset X-Powered-By
  Header unset Server
  # Header set Access-Control-Allow-Origin "*"
  RequestHeader unset Proxy
</IfModule>
