espocrm/.htaccess

<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "https://crm.bitbylaw.com,https://vm.vermieterhelden.de"
    Header always set Access-Control-Allow-Methods "POST, GET, PUT, PATCH, DELETE"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
</IfModule>

DirectoryIndex index.php

Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Forbid access to sensitive directories
    RewriteRule ^/?data/ - [F]
    RewriteRule ^/?application/ - [F]
    RewriteRule ^/?custom/ - [F]
    RewriteRule ^/?vendor/ - [F]
    RewriteRule /?web\.config - [F]

    # Forbid direct access to `public` dir
    RewriteCond %{ENV:REDIRECT_STATUS} !=200
    RewriteRule ^/?public/? - [F,L]

    # Skip rewrite for `client` dir (static assets)
    RewriteRule ^client/ - [L]

    # Store base path
    RewriteCond %{REQUEST_URI}::$1 ^(.*?/)(.*)::\2$
    RewriteRule ^(.*)$ - [E=BASE:%1]

    # Add trailing slash for directories
    RewriteCond %{DOCUMENT_ROOT}/%{ENV:BASE}/public/$1 -d
    RewriteRule ^(.*?[^/])$ %{REQUEST_URI}/ [L,R=301,NE]

    # Custom domain: vm.vermieterhelden.de -> Portal vmh-vm
    RewriteCond %{HTTP_HOST} ^vm\.vermieterhelden\.de$ [NC]
    RewriteRule .* - [E=ESPO_PORTAL_ID:vmh-vm]
    RewriteCond %{HTTP_HOST} ^vm\.vermieterhelden\.de$ [NC]
    RewriteRule ^(.*)$ public/portal/vmh-vm/$1 [L,NC]

    # Path-based portal access on crm.bitbylaw.com
    RewriteCond %{HTTP_HOST} ^crm\.bitbylaw\.com$ [NC]
    RewriteCond %{REQUEST_URI} ^/portal/ [NC]
    RewriteRule ^(.*)$ public/$1 [L,NC]

    # General rewrite to `public` dir for non-portal requests
    RewriteCond %{HTTP_HOST} !^vm\.vermieterhelden\.de$ [NC]
    RewriteCond %{REQUEST_URI} !^/portal/ [NC]
    RewriteRule ^((?!public/).*)$ %{ENV:BASE}/public/$1 [L,NC]

    # Pass Authorization header
    RewriteRule .* - [E=HTTP_ESPO_CGI_AUTH:%{HTTP:Authorization}]
</IfModule>