lighttpd.conf

############# DO NOT FORGET TO CHANGE "grav_path" BY YOUR ACTUAL GRAV INSTALLATION FOLDER #############
############# IF GRAV IS AT THE ROOT OF YOUR WEBSITE, ie http://yoursite.tld POINTS TO    #############
############# GRAV DIRECTLY, THEN JUST REMOVE ANY "/grav_path/" MENTION BELOW. OTHERWISE  #############
############# WE ASSUME YOU RUN AN INSTALLATION SUCH AS http://yoursite.tld/grav_path/    #############
#######################################################################################################
### GRAV RULES FOR LIGHTTPD ###
###        By Mr3ase        ###
###  Last Rev. 2015/11/20   ###

#PREVENTING EXPLOITS
$HTTP["querystring"] =~ "base64_encode[^(]*\([^)]*\)" {
    url.redirect = (".*" => "/grav_path/index.php"       )
}
$HTTP["querystring"] =~ "(<|%3C)([^s]*s)+cript.*(>|%3E)" {
    url.redirect = (".*" => "/grav_path/index.php" )
}
$HTTP["querystring"] =~ "GLOBALS(=|\[|\%[0-9A-Z])" {
    url.redirect = (".*" => "/grav_path/index.php" )
}
$HTTP["querystring"] =~ "_REQUEST(=|\[|\%[0-9A-Z])" {
    url.redirect = (".*" => "/grav_path/index.php" )
}

#REROUTING TO THE INDEX PAGE
url.rewrite-if-not-file = (
    "^/grav_path/(.*)$" => "/grav_path/index.php"
)

#IMPROVING SECURITY
$HTTP["url"] =~ "^/grav_path/(LICENSE.txt|composer.json|composer.lock|nginx.conf|web.config)$" {
    url.access-deny = ("")
}
$HTTP["url"] =~ "^/grav_path/(.git|cache|bin|logs|backup)/(.*)" {
    url.access-deny = ("")
}
$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" {
    url.access-deny = ("")
}
$HTTP["url"] =~ "^/grav_path/(\.(.*))|(\.(.*)/)" {
    url.access-deny = ("")
}
url.access-deny = (".md","~",".inc")

#PREVENT BROWSING AND SET INDEXES
$HTTP["url"] =~ "^/grav_path($|/)" {
    dir-listing.activate = "disable"
    index-file.names = ( "index.php", "index.html" , "index.htm" )
}