# Lume 论坛 .htaccess

# 1. 强制 HTTPS（取消下方注释以启用）
#    注意：%{HTTP_HOST} 取自客户端发送的 Host 头；若虚拟主机未限定 ServerName/ServerAlias
#    （或未设置 UseCanonicalName On），攻击者可借构造的 Host 头把 301 指向任意主机。
#    建议把 %{HTTP_HOST} 替换为固定的规范域名。另外本文件若不在站点根目录，$1 只含相对
#    路径，应改用 %{REQUEST_URI}。
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# 2. 强制非 WWW（取消下方注释以启用）
#    规则用 %1 从 Host 头捕获去掉 www. 后的主机名，不需要手工填写域名；但它同样信任客户端
#    提供的 Host 头，建议先在虚拟主机中限定 ServerName/ServerAlias。若已启用第 1 节，
#    可将两条规则合并，避免 http://www 访问触发两次 301。
# RewriteEngine On
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

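# 3. Directory-structure rewrites (files were moved into sub-folders; public URLs stay unchanged)
<IfModule mod_rewrite.c>
    RewriteEngine On

    # User-facing pages -> pages/
    # The !-f/!-d guards keep a file that still exists at the web root served as-is.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(forum|post|thread|search|profile|user|signin|rankings|drafts|messages|notifications|recharge|uid_shop|uid_change|vip|jail|captcha|edit_thread)\.php$ pages/$1.php [L,QSA]

    # AJAX endpoints -> api/
    # The handler name is restricted to [A-Za-z0-9_-]. The original `(.+)` also matched `/`,
    # so a nested request such as ajax_x/y.php was forwarded into api/ as well, which the
    # flat api/ajax_*.php layout does not intend.
    # NOTE(review): assumes every api/ajax_*.php file name uses only these characters.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ajax_([A-Za-z0-9_-]+)\.php$ api/ajax_$1.php [L,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^collector_api\.php$ api/collector_api.php [L,QSA]

    # Form / action handlers -> actions/
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(reply|moderator_action|pin_post|move_thread|delete_attachment|thread_pay|oauth_callback|download)\.php$ actions/$1.php [L,QSA]

    # includes/ forwarding
    # NOTE(review): header/footer/copyright/ad are page fragments. Publishing them at a
    # top-level URL lets them be requested standalone, outside the page that normally
    # includes them. Keep these rules only if something still links to them directly;
    # otherwise drop them (the files stay reachable under includes/ regardless).
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(header|footer|copyright|ad)\.php$ includes/$1.php [L,QSA]

    # ===== SEO pretty URLs =====
    # A RewriteCond applies only to the RewriteRule that immediately follows it. The
    # original placed one pair of guards before the first rule, so the remaining rules ran
    # unguarded; each rule now carries its own guards, consistent with the sections above.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^thread/([0-9]+)\.html$ pages/thread.php?id=$1 [L,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^forum/([0-9]+)\.html$ pages/forum.php?id=$1 [L,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^user/([0-9]+)\.html$ pages/user.php?id=$1 [L,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^post\.html$ pages/post.php [L,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^search\.html$ pages/search.php [L,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^login\.html$ login.php [L,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^register\.html$ register.php [L,QSA]
    # Maps sitemap.xml onto itself: effectively a no-op, kept so the URL is documented here.
    RewriteRule ^sitemap\.xml$ sitemap.xml [L]
</IfModule>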

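# 4. Security headers
<IfModule mod_headers.c>
    # Clickjacking: legacy header, kept alongside the CSP frame-ancestors directive further down.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Stop browsers from MIME-sniffing a response into another type (e.g. an upload run as script).
    Header always set X-Content-Type-Options "nosniff"
    # The legacy XSS auditor is explicitly disabled (0) instead of enabled: current browsers
    # have removed it, and in the browsers that had it "1; mode=block" enabled cross-site
    # information leaks. XSS mitigation is the job of the Content-Security-Policy header below.
    Header always set X-XSS-Protection "0"
    # HSTS: enable ONLY after section 1 enforces HTTPS for the whole site. Start with a short
    # max-age, raise it once verified, and add includeSubDomains only when every subdomain
    # is served over TLS.
    # Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>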

# 5. Cache lifetimes (mod_expires)
# For each MIME type mod_expires emits an Expires header plus a matching Cache-Control max-age.
<IfModule mod_expires.c>
    ExpiresActive On

    # Markup and API payloads: short or no caching so users see fresh content.
    ExpiresByType text/html              "access plus 5 minutes"
    ExpiresByType application/json       "access plus 0 seconds"

    # Stylesheets and scripts: one week.
    ExpiresByType text/css               "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"

    # Images: one month.
    ExpiresByType image/svg+xml          "access plus 1 month"
    ExpiresByType image/jpeg             "access plus 1 month"
    ExpiresByType image/png              "access plus 1 month"
    ExpiresByType image/gif              "access plus 1 month"
    ExpiresByType image/webp             "access plus 1 month"
</IfModule>

# Response compression (mod_deflate)
<IfModule mod_deflate.c>
    # Compress text-like responses only; raster images are already compressed.
    AddOutputFilterByType DEFLATE text/html text/plain text/css
    AddOutputFilterByType DEFLATE application/javascript application/json application/xml
    AddOutputFilterByType DEFLATE image/svg+xml

    # The standard Apache recipe for old Netscape 4.x quirks; the MSIE line re-enables
    # compression for IE, whose UA string also begins with "Mozilla/4".
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

    # NOTE(review): compressing text/html over TLS exposes per-page secrets (e.g. CSRF
    # tokens) to the BREACH side channel when an attacker can get reflected input onto the
    # same page. Left enabled as in the original; confirm tokens are masked/rotated per
    # request, or exclude such pages from compression.
</IfModule>

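<IfModule mod_headers.c>
    # ETag derived from mtime + size only, so it stays stable across a multi-server deploy
    # (the default also mixes in the inode). The original preceded this line with
    # `Header unset ETag`, which strips the header FileETag has just produced — ETags were
    # therefore disabled while the comment claimed they were enabled. The unset is dropped.
    FileETag MTime Size

    # Long cache for static assets, kept in step with the mod_expires section above
    # (which also emits Cache-Control max-age): the original gave js/css 30 days here
    # but 1 week there, so whichever header won depended on filter order.
    <FilesMatch "\.(png|jpe?g|gif|webp|svg|ico|woff2?)$">
        Header set Cache-Control "public, max-age=2592000"
    </FilesMatch>
    <FilesMatch "\.(js|css)$">
        Header set Cache-Control "public, max-age=604800"
    </FilesMatch>

    # Content-Security-Policy
    # NOTE(review): contrary to the original comment ("same-origin only"), this policy is
    # permissive: default-src carries 'unsafe-inline', 'unsafe-eval', data: and blob:, and
    # script-src (not set separately) inherits all of them, so inline scripts, eval and
    # data:-URI scripts are still allowed. It mainly restricts where sub-resources are loaded
    # from and who may frame the site; it gives little protection against injected markup.
    # Tightening it (nonces/hashes, a script-src without data:) needs an inventory of the
    # templates' inline scripts, so the directive itself is unchanged here.
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src * data: blob:; media-src *; frame-ancestors 'self';"

    # Send the full referrer same-origin, origin only cross-origin, nothing on HTTPS->HTTP.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Deny powerful browser features the forum does not use.
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>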

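# 6. Deny access to sensitive files
# Extended from the original extension list: every dot-file (.htaccess/.htpasswd as before,
# plus .env, .gitignore, editor swap files, .DS_Store, ...) and common backup/config
# extensions. <FilesMatch> tests the basename of the requested file only, so
# .well-known/acme-challenge/<token> is unaffected — but so is .git/config, handled below.
<FilesMatch "(^\.|\.(ini|log|sh|sql|bak|old|orig|swp|env|dist)$)">
    Require all denied
</FilesMatch>
# Block whole VCS directories if a checkout is ever deployed with them (files inside
# .git/ do not start with a dot, so the FilesMatch above does not cover them).
<IfModule mod_alias.c>
    RedirectMatch 404 "(^|/)\.(git|svn|hg)(/|$)"
</IfModule>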

# 7. Default charset
# Adds charset=UTF-8 to text/plain and text/html responses that do not declare one, so
# browsers never have to guess the encoding (charset sniffing has been an XSS vector).
AddDefaultCharset UTF-8
