How do I prevent apache from serving the .git directory?
I have started using git for deployment of websites for testing. How do I prevent apache from serving the .git directory contents?
I tried
<Directorymatch "^/.*/\.svn/">
Order deny,allow
Deny from all
</Directorymatch>
with no success.
I know that I can create a .htaccess file in each .git directory and deny access, but I wanted something I could put into the main config file that makes this global across all websites.
apache-2.2 git
edited Feb 23 '17 at 8:27 by Noctis Skytower
asked Mar 31 '10 at 12:11 by Shoan
3
Once you've prevented apache from serving the directory you may also need to hide the .git directory with "IndexIgnore .git" if you have Indexes enabled on your directory.
– Ryan
Jul 21 '15 at 18:17
11 Answers
### never deliver .git folders, .gitIgnore
RewriteRule ^(.*/)?\.git+ - [R=404,L]
# 2nd line of defense (if no mod_rewrite)
RedirectMatch 404 ^(.*/)?\.git+
This works in .htaccess, no http.conf access required. Include this as the first of rewrite rules. Prepend Rewrite On if needed.
From a security angle, I prefer a bogus 404 over a 403, which is more informative to the attacker.
Comment one of the two out to ensure the other works for you, too.
Btw, good chances are, your litmus tests for the two are:
http://localhost/.gitignore
http://localhost/.git/HEAD
Why have both rules? The simpler RedirectMatch suffices on its own. (Also, the regexes don't seem quite right -- why the plus on the end?)
– Bennett McElwee
Aug 1 '13 at 10:20
Personal Paranoia / doubled security. If RewriteEngine happens to get turned off (central config changes, poor team communication, unlucky server "update",... you name it :-) The + is obsolete or should be a $, good point! (no time for testing, sorry.)
– Frank Nocke
Aug 2 '13 at 12:24
If you're worried that RewriteEngine might be off, just put RewriteEngine On before your RewriteRule. But anyhow it is tautological and redundant because the simpler RedirectMatch suffices on its own. Though even that could be simplified. Basically I am recommending my answer instead. :)
– Bennett McElwee
Aug 3 '13 at 4:51
+1 for the litmus test.
– user172409
Jul 15 '14 at 14:58
add a comment |
To protect both the .git directory as well as other files such as .gitignore and .gitmodules using .htaccess, use:
RewriteEngine On
RewriteRule ^(.*/)?\.git+ - [F,L]
ErrorDocument 403 "Access Forbidden"
4
Does work for me, however the trailing ErrorDocument has no impact. From a security angle, I'd fancy a bogus 404 over an informative 403 to the attacker...
– Frank Nocke
May 26 '13 at 10:01
1
This is a bad idea, because it discloses information to hackers. A 403 means it's there, a 404 means it's not. Every fact on a server's setup is useful to a hacker. I'd consider revising this.
– GerardJP
Dec 10 '14 at 10:25
add a comment |
I always add the following line into vhost template
RedirectMatch 404 /\.(svn|git|hg|bzr|cvs)(/|$)
Just to be sure that no one can access VCS specific data. Works perfect.
add a comment |
Assuming your webserver is using a different user than the one you use to access the .git repository, you could disable the execute bit for others on the .git directory.
This should work with other webservers and doesn't rely on performance-consuming .htaccess files.
add a comment |
For those looking to simply deny all "hidden" files and directories on a Linux distribution (generally all files beginning with a "."), here's what works on Apache 2.4 when placed in server conf context:
<FilesMatch "^\.(.*)$">
Require all denied
</FilesMatch>
<DirectoryMatch "/\.(.*)">
Require all denied
</DirectoryMatch>
And here's the older Apache 2.2 style (same regex, just different auth directives):
<FilesMatch "^\.(.*)$">
Order deny,allow
Deny from all
</FilesMatch>
<DirectoryMatch "/\.(.*)">
Order deny,allow
Deny from all
</DirectoryMatch>
Then you don't have to worry about .git or .svn specifically. That would also match things like .htaccess and .htpasswd inherently.
Personally, I like issuing 403s for such requests instead of 404s, but you could easily use a RewriteRule instead of auth denial, like so:
<FilesMatch "^\.(.*)$">
RewriteRule "^(.*)$" - [R=404,L]
</FilesMatch>
<DirectoryMatch "/\.(.*)">
RewriteRule "^(.*)$" - [R=404,L]
</DirectoryMatch>
add a comment |
You probably want to deny serving .gitignore as well.
Files starting with a dot are hidden in Linux.
Therefore, just 404 anything that begins with a dot:
RedirectMatch 404 /\.
add a comment |
This is a little late, but my answer is slightly different so I thought I would add it. This must go in the httpd.conf file. The <Files "*"> nested inside the <Directory> tag will block all files in the directory.
# GitHub Directory
<Directory /var/www/html/yoursite/.git>
Order Deny,Allow
Deny from all
<Files "*">
Order Deny,Allow
Deny from all
</Files>
</Directory>
# GitHub files
<Files .gitignore>
order Deny,Allow
Deny from all
</Files>
add a comment |
It's not working because you have 'svn' and not 'git' in the rule.
All you have to do is to replace the 'svn' with 'git'.
<Directorymatch "^/.*/\.git/">
Order deny,allow
Deny from all
</Directorymatch>
edited Oct 25 '18 at 18:18 by Wale Adeniji
answered Mar 31 '10 at 12:45 by sinping
1
When I create a .htaccess containing only your code, I get the error: "<DirectoryMatch not allowed here"
– Shoan
Jul 27 '10 at 19:03
2
It has to be in the Apache conf. See: httpd.apache.org/docs/1.3/mod/core.html#directorymatch
– sinping
Jul 28 '10 at 12:45
2
The simplest regex is <DirectoryMatch /\.git/>
– Bachsau
Apr 5 '17 at 18:00
Check this for perfect solution magento.stackexchange.com/questions/202840/…
– Pratik Kamani
Nov 23 '17 at 5:25
1st, thanks to sinping/OP. Note that in Apache 2.4 the "Order,deny" and next line have been replaced by "Require all denied". Also, in many installations the file called "Apache conf" above is named "httpd.conf" --- sinping's usage was just a casual statement, so don't search for that literal name (should probably go without saying, but you never know how people might read it).
– Kevin_Kinsey
Sep 14 '18 at 21:44
add a comment |
This has the same effect as many of the other answers but is much simpler:
RedirectMatch 404 /\.git
This can go into .htaccess or your server config file. It hides any file or directory whose name begins with .git (e.g. a .git directory or .gitignore file) by returning a 404. So not only are the contents of your Git repo hidden, its very existence is hidden too.
edited Mar 9 '14 at 9:17
answered Aug 1 '13 at 10:19 by Bennett McElwee
2
I really like this solution. It's simple and elegant.
– Shoan
Mar 8 '14 at 9:02
2
Putting this in the root htdocs directory does a global job, too.
– jor
Feb 27 '15 at 14:19
4
Love this option the best as well. Seems to me that it is more secure to return a 404 for requests like /.git or /.gitignore so that the fact that git is even being used can't be determined from the outside.
– Ezra Free
Sep 6 '15 at 2:54
1
Be aware that if you have directory listings enabled, the .git folders will still be visible, but you'll get the 404 when you try to access them.
– Andy Madge
Feb 4 '16 at 15:21
1
@BennettMcElwee yep agreed, there's almost never a good reason to have directory listing enabled globally on a production server. Just thought it deserved a mention in case it catches someone out.
– Andy Madge
Feb 4 '16 at 21:01
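The RedirectMatch patterns suggested in the answers on this page differ in what they block, and a dot left unescaped changes the result again. The following is an added example, not code from any of the answers: it uses Python's `re.search` as a stand-in for RedirectMatch's unanchored match against the URL path, and the sample paths, the `MUST_BLOCK`/`MUST_SERVE` lists (including the assumption that the site must keep serving `/.well-known/`) and the function names are constructed for illustration.

```python
import re

# Patterns in the form they would be handed to RedirectMatch.
# re.search approximates the unanchored match Apache runs on the URL path.
PATTERNS = {
    "git_unescaped": r"/.git",                    # '.' matches ANY character
    "git_escaped": r"/\.git",                     # literal dot
    "vcs_dirs": r"/\.(svn|git|hg|bzr|cvs)(/|$)",  # VCS directories only
    "any_dotfile": r"/\.",                        # every dot-prefixed name
}

# Constructed request paths (not taken from any real site).
MUST_BLOCK = [
    "/.git/HEAD",
    "/.gitignore",
    "/.gitmodules",
    "/shop/.git/config",
]

# Assumption: the site serves ordinary pages and uses /.well-known/
# (for example for certificate issuance), so these must stay reachable.
MUST_SERVE = [
    "/index.html",
    "/blog/agit-workflow.html",
    "/.well-known/acme-challenge/token",
]


def is_blocked(pattern, path):
    """True if a RedirectMatch rule with this regex would fire for the path."""
    return re.search(pattern, path) is not None


def audit(patterns=PATTERNS, must_block=MUST_BLOCK, must_serve=MUST_SERVE):
    """For each pattern, list sensitive paths it misses and good paths it blocks."""
    report = {}
    for name, pattern in patterns.items():
        report[name] = {
            "missed": [p for p in must_block if not is_blocked(pattern, p)],
            "overblocked": [p for p in must_serve if is_blocked(pattern, p)],
        }
    return report


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:14} {PATTERNS[name]}")
        print(f"  missed:      {result['missed'] or 'none'}")
        print(f"  overblocked: {result['overblocked'] or 'none'}")
```

Whichever rule is deployed, confirm it on the server itself by requesting the two litmus URLs given in the answers (`/.gitignore` and `/.git/HEAD`).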
If you don't use .htaccess files but instead want to use /etc/apache2/httpd.conf (or whatever your server's master conf file is) to hide both .git directories and .gitignore files, you can use the following. I found the answer above for master conf setting did not hide the gitignore file.
# do not allow .git version control files to be issued
<Directorymatch "^/.*/\.git+/">
Order deny,allow
Deny from all
</Directorymatch>
<Files ~ "^\.git">
Order allow,deny
Deny from all
</Files>
answered Aug 28 '12 at 21:49 by Kyle Sloan
1
Doesn't block the www.example.com/.git/config file in Apache httpd 2.4.27.
– ilhan
Sep 18 '17 at 12:09
add a comment |
If you're on a shared hosting service and don't have access to apache.conf, you can still do it in your .htaccess file, like this:
RewriteEngine On
RewriteRule "^(.*/)?\.git/" - [F,L]
answered Mar 23 '11 at 19:21 by danorton
thanks this worked for me in a shared hosting situation where the top answer didn't
– Plato
Oct 1 '14 at 23:34
### never deliver .git folders, .gitIgnore
RewriteRule ^(.*/)?\.git+ - [R=404,L]
# 2nd line of defense (if no mod_rewrite)
RedirectMatch 404 ^(.*/)?\.git+
This works in .htaccess, no http.conf access required. Include this as the first of rewrite rules. Prepend Rewrite On if needed.
From a security angle, I prefer a bogus 404 over a 403, more informative to the attacker.
Comment one of the two out to ensure the other works for you, too.
Btw, good chances are your litmus tests for the two are:
http://localhost/.gitignore
http://localhost/.git/HEAD
answered May 26 '13 at 10:08
Frank Nocke
Why have both rules? The simpler RedirectMatch suffices on its own. (Also, the regexes don't seem quite right -- why the plus on the end?)
– Bennett McElwee
Aug 1 '13 at 10:20
Personal Paranoia / doubled security. If RewriteEngine happens to get turned off (central config changes, poor team communication, unlucky server "update",... you name it :-) The + is obsolete or should be a $, good point! (no time for testing, sorry.)
– Frank Nocke
Aug 2 '13 at 12:24
If you're worried that RewriteEngine might be off, just put RewriteEngine On before your RewriteRule. But anyhow it is tautological and redundant because the simpler RedirectMatch suffices on its own. Though even that could be simplified. Basically I am recommending my answer instead. :)
– Bennett McElwee
Aug 3 '13 at 4:51
+1 for the litmus test.
– user172409
Jul 15 '14 at 14:58
To protect both the .git directory as well as other files such as .gitignore and .gitmodules using .htaccess, use:
RewriteEngine On
RewriteRule ^(.*/)?\.git+ - [F,L]
ErrorDocument 403 "Access Forbidden"
answered Oct 28 '11 at 22:04
scribu
Does work for me, however the trailing ErrorDocument has no impact. From a security angle, I'd fancy a bogus 404 over an informative 403 to the attacker...
– Frank Nocke
May 26 '13 at 10:01
This is a bad idea, because it discloses information to hackers. A 403 means it's there, a 404 means it's not. Every fact on a server's setup is useful to a hacker. I'd consider revising this.
– GerardJP
Dec 10 '14 at 10:25
I always add the following line into vhost template
RedirectMatch 404 /\.(svn|git|hg|bzr|cvs)(/|$)
Just to be sure that no one can access VCS specific data. Works perfect.
answered Mar 18 '16 at 15:48
ALex_hha
Assuming your webserver is using a different user than the one you use to access the .git repository, you could disable the execute bit for others on the .git directory.
This should work with other webservers and doesn't rely on performance-consuming .htaccess files.
answered Dec 11 '12 at 15:09
Martijn
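One way to apply and verify the permission change described in this answer across a document root, as an added example (not the poster's own code). The helper names and the directory layout built in `demo()` are assumptions, and the approach only helps when the web server account is neither the owner of the `.git` directory nor a member of its group.

```python
import os
import stat
import tempfile


def find_git_dirs(docroot):
    """Yield each directory named .git under docroot without descending into it."""
    for current, dirs, _files in os.walk(docroot):
        if ".git" in dirs:
            yield os.path.join(current, ".git")
            dirs.remove(".git")  # prune: repository internals are not needed


def others_can_enter(path):
    """True if the 'others' class has the execute (search) bit on path."""
    return bool(os.stat(path).st_mode & stat.S_IXOTH)


def drop_other_execute(docroot):
    """Clear o+x on every .git directory; return the paths that were changed."""
    changed = []
    for git_dir in find_git_dirs(docroot):
        mode = stat.S_IMODE(os.stat(git_dir).st_mode)
        if mode & stat.S_IXOTH:
            os.chmod(git_dir, mode & ~stat.S_IXOTH)  # same effect as chmod o-x
            changed.append(git_dir)
    return sorted(changed)


def demo():
    """Build a constructed docroot holding two repositories and lock both down."""
    with tempfile.TemporaryDirectory() as docroot:
        for rel in (".git", os.path.join("blog", ".git"), "static"):
            path = os.path.join(docroot, rel)
            os.makedirs(path)
            os.chmod(path, 0o755)  # world-searchable, the state being fixed
        changed = drop_other_execute(docroot)
        still_open = [d for d in find_git_dirs(docroot) if others_can_enter(d)]
        return [os.path.relpath(p, docroot) for p in changed], still_open


if __name__ == "__main__":
    print(demo())
```

Running `drop_other_execute` a second time returns an empty list, which makes it usable as a post-deploy check.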
For those looking to simply deny all "hidden" files and directories on a Linux distribution (generally all files beginning with a "."), here's what works on Apache 2.4 when placed in server conf context:
<FilesMatch "^\.(.*)$">
Require all denied
</FilesMatch>
<DirectoryMatch "/\.(.*)">
Require all denied
</DirectoryMatch>
And here's the older Apache 2.2 style (same regex, just different auth directives):
<FilesMatch "^\.(.*)$">
Order deny,allow
Deny from all
</FilesMatch>
<DirectoryMatch "/\.(.*)">
Order deny,allow
Deny from all
</DirectoryMatch>
Then you don't have to worry about .git or .svn specifically. That would also match things like .htaccess and .htpasswd inherently.
Personally, I like issuing 403s for such requests instead of 404s, but you could easily use a RewriteRule instead of auth denial, like so:
<FilesMatch "^\.(.*)$">
RewriteRule "^(.*)$" - [R=404,L]
</FilesMatch>
<DirectoryMatch "/\.(.*)">
RewriteRule "^(.*)$" - [R=404,L]
</DirectoryMatch>
answered Nov 14 '17 at 0:23
ldennison
You probably want to deny serving .gitignore as well.
Files starting with a dot are hidden in Linux.
Therefore, just 404 anything that begins with a dot:
RedirectMatch 404 /\.
answered Mar 18 '16 at 14:36
Vladimir Kornea
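The RewriteRule and RedirectMatch answers above differ mainly in their regular expressions, so their coverage can be compared offline before a rule is deployed. The following is an added example, not code from any of the posters: it runs the patterns (dots escaped), an unescaped-dot variant and the `$` variant raised in the comments against constructed request paths. The pattern labels and sample paths are assumptions, and Python's `re.search` stands in for Apache's PCRE matching, which behaves the same for these simple expressions.

```python
import re

# Patterns from the answers on this page plus two variants from the comment
# thread. The dictionary keys are labels made up for this example.
PATTERNS = {
    "git_dir_only": r"^(.*/)?\.git/",             # .git directory contents only
    "git_prefix_plus": r"^(.*/)?\.git+",          # with the trailing "+"
    "unescaped_dot": r"^(.*/)?.git+",             # "." matches any character
    "dollar_anchor": r"^(.*/)?\.git$",            # "+" swapped for "$"
    "vcs_dirs": r"/\.(svn|git|hg|bzr|cvs)(/|$)",  # several VCS directories
    "all_dot_paths": r"/\.",                      # every dot-prefixed segment
}

# Constructed URL paths as RedirectMatch sees them (leading slash included).
# In a per-directory RewriteRule the leading slash is stripped, which the
# optional "(.*/)?" prefix in the page's patterns already allows for.
SAMPLE_PATHS = [
    "/.git",
    "/.git/HEAD",
    "/.git/config",
    "/.gitignore",
    "/sub/.git/HEAD",
    "/.svn/entries",
    "/.well-known/acme-challenge/token",
    "/egit/index.html",
    "/git-tutorial.html",
    "/index.html",
]


def blocked_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths a rule with this regex would act on (unanchored search)."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def coverage():
    """Map each labelled pattern to the sample paths it blocks."""
    return {name: blocked_paths(rx) for name, rx in PATTERNS.items()}


def litmus(pattern):
    """The two litmus URLs from the answer above: both must be blocked."""
    return all(re.search(pattern, p) for p in ("/.gitignore", "/.git/HEAD"))


if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:16} litmus={litmus(PATTERNS[name])!s:5} blocks={hits}")
```

The output shows which rules leave `.gitignore` reachable, which ones also catch unrelated paths such as `/git-tutorial.html`, and that the catch-all dot rule covers `/.well-known/` as well.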
This is a little late but my answer is slightly different so I thought I would add it. This must go in the httpd.conf file. The <Files "*"> nested inside the <Directory> tag will block all files in the directory.
# GitHub Directory
<Directory /var/www/html/yoursite/.git>
Order Deny,Allow
Deny from all
<Files "*">
Order Deny,Allow
Deny from all
</Files>
</Directory>
# GitHub files
<Files .gitignore>
order Deny,Allow
Deny from all
</Files>
answered Apr 9 at 18:20
rippledj
Once you've prevented apache from serving the directory you may also need to hide the .git directory with "IndexIgnore .git" if you have Indexes enabled on your directory.
– Ryan
Jul 21 '15 at 18:17