How to: htaccess Configuration for XenForo 2 (No Cloudflare)

christchrist is verified member.


🚀 Apache .htaccess Configuration for XenForo 2 (No Cloudflare)🚀

Always back up your .htaccess first (or rename .htaccess to .htaccess.old).




📘 Overview


This document explains the Apache .htaccess configuration designed for a XenForo 2 installation running directly on Apache, with no Cloudflare in front.

Its purpose is to provide a clean, production‑ready setup with:

  • 🔒 Direct HTTP ➝ HTTPS redirection
  • 📡 Proper XenForo front‑controller routing
  • 🚀 Browser caching for static assets
  • 🗜️ Compression for text-based responses
  • 🛡️ Basic security headers

This setup assumes Apache is the public-facing server managing HTTPS traffic.


🌍 Environment Assumptions

  • 🧩 Application: XenForo 2.x
  • 🖥️ Web server: Apache
  • 🌐 Reverse proxy/CDN: None
  • 📁 Install location: Web root
  • 🔐 HTTPS: Enabled in production

📂 Included File

  • .htaccess-no-cloudflare — template configuration for use without Cloudflare

🧩 Required Apache Modules

The configuration expects these modules to be available:

  • 🔁 mod_rewrite
  • 🧭 mod_headers
  • ⏳ mod_expires
  • 🗜️ mod_deflate

If a module is unavailable, its section is simply ignored.


⚙️ What the Configuration Does

1️⃣ 🔀 Redirects HTTP ➝ HTTPS

All HTTP requests are forced to HTTPS using a permanent redirect.
Ideal when Apache directly handles public traffic and TLS.


2️⃣ 🧭 Routes XenForo Through index.php

The rewrite logic ensures:

  • 📄 Existing files load normally
  • 📁 Existing directories load normally
  • 🚫 XenForo static paths bypass the router
  • 🎯 All other requests go through index.php

This is the expected behavior for XenForo's friendly URLs.


3️⃣ 🗂️ Adds Long‑Lived Cache Headers

Static assets (images, JS, CSS, fonts) receive 1‑year caching.

Dynamic asset endpoints also benefit:

  • 🎨 css.php
  • ⚙️ js.php

This improves load times for returning users. 🚀


4️⃣ 🗜️ Enables Compression

Compression applies to common text-based formats:

  • HTML
  • CSS
  • JS
  • JSON
  • XML
  • SVG
  • Fonts

This reduces bandwidth usage and speeds up page delivery. ⚡


5️⃣ 🛡️ Applies Basic Security Headers

Security headers include:

  • 🛑 X-Content-Type-Options: nosniff
  • 🪟 X-Frame-Options: SAMEORIGIN
  • 🔍 Referrer-Policy: strict-origin-when-cross-origin
  • 🔐 Permissions-Policy
  • 🚧 Strict-Transport-Security
  • 🧱 Content-Security-Policy

HSTS only applies on HTTPS responses.
CSP is compatibility‑focused and should be tested with your add‑ons and embeds. 🔧


6️⃣ 🔒 Disables Directory Listing

Included protections:

  • Options -Indexes
  • Deny access to dotfiles (.*)

Helps avoid accidental exposure of hidden files or folders.


✅ Pre‑Production Checks

Before deploying, verify:

  • 📌 RewriteBase / matches your install path
  • 🔐 HTTPS virtual host is properly configured
  • 🔁 No conflicting redirect layers
  • 🧱 CSP is compatible with your external services
  • 🚨 HSTS fits your SSL/redirect policy

🧪 Validation Checklist

After deployment, confirm:

  1. 🌐 HTTP correctly redirects to HTTPS
  2. 🌱 Friendly URLs work
  3. 🖼️ Static assets load normally
  4. 🎨 css.php and ⚙️ js.php deliver correct cache headers
  5. 🛡️ Security headers appear on normal + error responses
  6. 🔑 Login / logout / admin features work
  7. 🔁 No redirect loops
  8. 🧩 No CSP‑related console errors
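
The header-related items of this checklist can be scripted against saved `curl -sI` output. This is an added example, not part of the original post or the attached .htaccess; the function names, the one-year threshold and the sample responses are assumptions constructed for illustration.

```python
import re

EXPECTED = {  # None: the post names the header but gives no value
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": None, "strict-transport-security": None,
    "content-security-policy": None,
}
ONE_YEAR = 31536000  # seconds; assumed threshold for "1-year caching"

def parse(raw):
    """Parse `curl -sI` output into (status, {lower-cased name: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return int(lines[0].split()[1]), headers

def audit(http_raw, https_raw, css_raw):
    """Return the failed checks; an empty list means everything passed."""
    failed = []
    status, h = parse(http_raw)
    if status != 301 or not h.get("location", "").startswith("https://"):
        failed.append("no permanent HTTP->HTTPS redirect")
    if "strict-transport-security" in h:
        failed.append("HSTS sent on plain HTTP")
    _, h = parse(https_raw)
    for name, want in EXPECTED.items():
        if name not in h:
            failed.append(f"missing {name}")
        elif want and h[name].lower() != want.lower():
            failed.append(f"unexpected {name}: {h[name]}")
    _, h = parse(css_raw)
    m = re.search(r"max-age=(\d+)", h.get("cache-control", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        failed.append("css.php is not cached for a year")
    return failed

# Constructed sample responses (forum.example is a placeholder host).
HTTP = "HTTP/1.1 301 Moved Permanently\nLocation: https://forum.example/\n"
HTTPS = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=()
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'
"""
CSS = "HTTP/1.1 200 OK\nContent-Type: text/css\nCache-Control: max-age=31536000\n"
print(audit(HTTP, HTTPS, CSS) or "all checks passed")
```

Pass the headers of a 404 page as `https_raw` to cover the error-response item: mod_headers adds headers to Apache-generated error responses only when the directive uses the `always` condition.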

📝 Final Note

This .htaccess file is a solid, modern baseline for Apache‑based XenForo deployments.
However, it must be validated against:

  • your SSL/HTTPS setup
  • your installed add-ons
  • your hosting stack

The most critical parts to test are:

  • 🔐 HTTPS behavior
  • 🔁 Rewrite routing
  • 🧱 CSP compatibility


As a bonus for members, download the .htaccess file for this tutorial.
 
