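# ========================================
# .HTACCESS TUNED FOR CPANEL
# SaaS platform for semijoias (gold-plated jewellery) businesses
# Targets PHP 7.4 and MariaDB 10.6.22
# ========================================
# NOTE(review): the <Files>/<FilesMatch>/<IfModule> containers of the original
# file were lost, leaving bare "Order Allow,Deny / Deny from all" lines at the
# top level. In .htaccess that denies the WHOLE directory, so the containers
# are restored below. CustomLog/ErrorLog are not permitted in .htaccess at all
# (server/vhost context only) and would turn every request into a 500; they
# are commented out at the end. Directives of optional modules are wrapped in
# <IfModule> so a missing module degrades instead of failing the site.
#
# Force PHP 7.4 (adjust the handler name to your hosting)
# AddHandler application/x-httpd-php74 .php
#
# No auto-generated directory listings (needs AllowOverride Options/All, the
# cPanel default); hide the Apache version on error pages.
Options -Indexes
ServerSignature Off

# ========================================
# SECURITY - FILE AND DIRECTORY ACCESS
# ========================================
# Deny direct download of dotfiles (.env, .git*, .user.ini, .htpasswd) and of
# common config/backup/dump/log file names. The pattern is a reconstruction
# (the original container was lost) -- extend it to the names this app uses.
<FilesMatch "(^\.|\.(env|ini|log|sql|sh|bak|old|orig|swp)$|^composer\.(json|lock)$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Hide the application's internal directories behind a 404 so their existence
# is not revealed. The directory patterns are anchored to the document root
# (this file is assumed to sit there): the original unanchored "/config/"
# also matched "/public/anything/config/". ".git" is matched anywhere on
# purpose so a stray checkout in a subfolder is hidden too.
RedirectMatch 404 /\.git
RedirectMatch 404 ^/(config|database|logs|src|scripts|docs)(/|$)
# NOTE: the commented ErrorDocument entries further down point into /src/,
# which this rule hides; move the error views under /public/ before enabling.

# ========================================
# SECURITY HEADERS
# ========================================
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    # The legacy XSS auditor is deprecated and removed from current browsers,
    # and its filter mode could be abused to leak page contents; current
    # guidance is to send "0" and rely on a Content-Security-Policy instead.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # HSTS with includeSubDomains pins every tenant subdomain to HTTPS -- all of
    # them need a valid certificate before this reaches production.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Do not advertise the PHP version (expose_php below only covers mod_php)
    Header unset X-Powered-By
    # TODO(review): add a Content-Security-Policy once the app's script and
    # style origins are known; the headers above do not mitigate XSS.
</IfModule>

# ========================================
# REWRITE RULES
# ========================================
# Order matters: external redirects first, then request-rejection rules, then
# the CORS preflight answer, then routing. In the original file the preflight,
# hotlink and user-agent rules sat AFTER the catch-all routing rule with [L],
# so they never saw the client's request URL.
RewriteEngine On

# ---- Force HTTPS and strip "www." in a single redirect (active; comment out
# to disable). Behind a TLS-terminating proxy/CDN %{HTTPS} stays "off" and
# this loops -- test %{HTTP:X-Forwarded-Proto} instead in that setup.
# %{HTTP_HOST} is client-supplied. Hosts that match no vhost land in the
# default vhost, so if this site is the default the redirect target can be
# attacker-chosen; otherwise it is bounded by ServerName/ServerAlias.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

# ---- Reject client-supplied "tenant"/"path" query parameters. The routing
# rules below inject both; PHP keeps the LAST value of a repeated key and with
# [QSA] the client's copy comes last, so "/?tenant=other" switched tenants.
# REDIRECT_STATUS is empty on the client's request and set on the internal
# redirect our own rewrite produces, so only the client's request is checked.
# NOTE(review): if the application legitimately uses a query key named
# "path", rename the injected key here and in index.php.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{QUERY_STRING} (^|&)(tenant|path)= [NC]
RewriteRule ^ - [F]

# ---- Block request tools by User-Agent. CAVEAT: this list also matches
# curl, wget, python and java -- i.e. legitimate API clients, uptime checks
# and integrations of a SaaS with an "api" subdomain -- and any scanner can
# change its UA. Treat it as noise reduction, not as a security control.
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC]
RewriteRule .* - [F]

# ---- Hotlink protection for images. Empty referers are allowed (privacy
# extensions, direct links). The host part is now delimited: the original
# patterns also accepted "seudominio.com.evil.com" and any URL that merely
# contained ".seudominio.com" somewhere in its path. The Referer is
# client-controlled, so this stops casual embedding, not a scraper.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?seudominio\.com(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://[^/]*\.seudominio\.com(:[0-9]+)?(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif|svg)$ - [F]

# ---- CORS preflight: answer OPTIONS with a 200 before any routing rule.
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

# ========================================
# MULTI-TENANCY - SUBDOMAINS
# ========================================
# <tenant>.<domain>.<tld>/<path> -> index.php?tenant=<tenant>&path=<path>
# Only URLs that are not an existing file or directory are routed (the
# original rule had no such check, so static assets on tenant subdomains were
# handed to index.php, and index.php itself was re-matched on the internal
# redirect). [B] percent-encodes $1/%1 so an "&" or "?" inside the request
# path cannot smuggle extra query parameters; PHP decodes them again.
# %1 is the subdomain captured from HTTP_HOST: a negated RewriteCond does not
# capture, so the last capturing condition still supplies the backreference.
# NOTE(review): the host pattern expects exactly three labels, so a tenant
# under a two-level TLD such as ".com.br" is not recognised.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_HOST} ^([^.]+)\.([^.]+\.[^.]+)$ [NC]
RewriteCond %1 !^(www|admin|api|mail|ftp|cpanel|webmail|webdisk|whm|ns1|ns2)$ [NC]
RewriteRule ^(.*)$ index.php?tenant=%1&path=$1 [B,QSA,L]

# ========================================
# MAIN ROUTING
# ========================================
# Everything that is not an existing file/directory and not under /public/
# goes to the front controller. [B] as above.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/public/
RewriteRule ^(.*)$ index.php?path=$1 [B,QSA,L]

# ========================================
# PERFORMANCE AND CACHING
# ========================================
# GZIP. NOTE(review): compressing text/html that carries per-user secrets
# (CSRF tokens, session ids) alongside attacker-influenced reflected input is
# the precondition for BREACH; keep that in mind where tokens are rendered.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

# Static-asset expiry
<IfModule mod_expires.c>
    ExpiresActive On
    # CSS and JavaScript
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    # Images
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    # Fonts
    ExpiresByType font/woff "access plus 1 month"
    ExpiresByType font/woff2 "access plus 1 month"
    ExpiresByType application/font-woff "access plus 1 month"
    # Other
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType text/x-component "access plus 1 month"
</IfModule>

# Public Cache-Control restricted to static assets. The original
# "Header set Cache-Control public" applied to EVERY response, including
# authenticated PHP pages, which lets shared caches store tenant data.
<IfModule mod_headers.c>
    <FilesMatch "\.(css|js|png|jpe?g|gif|svg|webp|ico|woff2?|pdf)$">
        Header set Cache-Control "max-age=2592000, public"
    </FilesMatch>
</IfModule>

# ========================================
# CORS FOR THE API
# ========================================
# Reflect the Origin only for first-party subdomains. With credentials
# allowed, the pattern must stay fully anchored and must never become "*".
# NOTE(review): plain "http://" origins and "localhost" are accepted here;
# both should go before production. These headers apply to every URL of the
# site, not only to the API -- scope them (e.g. to the api host) if possible.
<IfModule mod_headers.c>
    SetEnvIf Origin "^(https?://.+\.seudominio\.com|https?://localhost)$" ORIGIN_SUB_DOMAIN=$1
    Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
    # The remaining CORS headers are only meaningful with an allowed origin
    Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" env=ORIGIN_SUB_DOMAIN
    Header set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, X-CSRF-Token" env=ORIGIN_SUB_DOMAIN
    Header set Access-Control-Allow-Credentials "true" env=ORIGIN_SUB_DOMAIN
    # The response depends on the Origin header: say so, or a cache/CDN may
    # hand one origin's reflected ACAO to another.
    Header merge Vary "Origin"
</IfModule>

# ========================================
# PHP SETTINGS
# ========================================
# php_value/php_flag are honoured only when PHP runs as an Apache module
# (mod_php). Under PHP-FPM, CGI or suPHP they are unknown directives and every
# request fails with a 500 -- use .user.ini / php.ini there instead.
<IfModule mod_php7.c>
    # Upload and execution limits
    php_value upload_max_filesize 10M
    php_value post_max_size 10M
    php_value max_execution_time 300
    php_value max_input_time 300
    php_value memory_limit 256M
    php_value max_input_vars 3000
    # Session cookies: not readable by scripts, HTTPS-only, no adoption of
    # client-chosen ids, not sent on cross-site requests, 2h server lifetime
    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    php_value session.use_strict_mode 1
    php_value session.cookie_samesite "Strict"
    php_value session.gc_maxlifetime 7200
    # Hardening
    php_flag expose_php off
    php_flag allow_url_fopen off
    php_flag allow_url_include off
    # Errors: log, never display
    php_flag log_errors on
    php_flag display_errors off
    php_flag display_startup_errors off
    # NOTE(review): a relative error_log resolves against the running script's
    # working directory and lands inside the web root (the /logs/ RedirectMatch
    # above is the only thing hiding it); prefer an absolute path outside the
    # document root.
    php_value error_log logs/php_errors.log
</IfModule>

# ========================================
# CUSTOM ERROR PAGES
# ========================================
# These paths are under /src/, which is hidden by RedirectMatch above;
# relocate the views before uncommenting.
# ErrorDocument 404 /src/views/errors/404.php
# ErrorDocument 403 /src/views/errors/403.php
# ErrorDocument 500 /src/views/errors/500.php

# ========================================
# MAINTENANCE MODE (UNCOMMENT TO ENABLE)
# ========================================
# Replace the placeholder address (it is not a valid IPv4) with the admin IP
# that should keep access during maintenance.
# RewriteCond %{REQUEST_URI} !/maintenance.html$
# RewriteCond %{REQUEST_URI} !/public/assets/
# RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.000$
# RewriteRule $ /maintenance.html [R=503,L]
# Header always set Retry-After "3600"

# ========================================
# CHARSET
# ========================================
AddDefaultCharset UTF-8
AddCharset UTF-8 .html .css .js .xml .json .rss .atom

# ========================================
# ADDITIONAL MIME TYPES
# ========================================
AddType application/javascript .js
AddType text/css .css
AddType image/svg+xml .svg
# RFC 8081 font types ("application/font-woff2" is not a registered type);
# the Expires rules above cover both spellings.
AddType font/woff .woff
AddType font/woff2 .woff2

# ========================================
# CUSTOM LOGS
# ========================================
# CustomLog and ErrorLog are valid only in the server/virtual-host config.
# In .htaccess Apache rejects them and answers every request with a 500.
# cPanel already keeps per-domain logs; configure extra logs in the vhost.
# CustomLog logs/access.log combined
# ErrorLog logs/error.log

# ========================================
# END OF CONFIGURATION
# ========================================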