I want to deny access to the .git directory (I personally changed the .git folder location, so it created a .git file that has a path to the .git folder).

I am using Apache 2.4.18. This is what I added to apache2.conf at the bottom of the file:

# Include my personal config
Include personal.conf

And inside personal.conf I wrote:

<DirectoryMatch "^\.git">
    Require all denied
</DirectoryMatch>

<FilesMatch "^\.git">
    Require all denied
</FilesMatch>

So, this will deny access to any file/directory starting with .git in any location that the user can reach via URL.
Am I right? By this I mean, if a user tries to access www.example.com/.git* or www.example.com/---/---/---/---/---/.gitsomething

Will this work for any virtualhost? Any recommendations?

VonC
matiaslauriti

1 Answer

The actual Directorymatch expression should be:

<Directorymatch "^/.*/\.git/">
  Order deny,allow
  Deny from all
</Directorymatch>

But this is not the standard best practice:

RedirectMatch 404 /\.git

Not only does this deny .git access, but the user is not even aware of the existence of a git repo.

aimme
VonC
  • Yes, I saw that was giving a Forbidden showing that file exists. Two questions: the first one about directorymatch, the expression starts with /.*/ to tell that ANY FOLDER, right? And the second, the redirectmatch should go in the conf I wrote? Thanks! – matiaslauriti Aug 15 '16 at 17:06
  • @P0lT10n Actually, if it is OK with you, I will close it as duplicate of http://stackoverflow.com/q/6142437/6309. Yes to your first question, and "in an .htaccess file at the root of your web server" – VonC Aug 15 '16 at 17:07
  • It is not an exact duplicate because I want to use apache conf, not .htaccess, because I am testing this in my own ubuntu server for development, not production, so it is easier for me to write it in an apache conf and automatically apply it to all possible virtualhosts, but if you want, close it as duplicate. Thanks – matiaslauriti Aug 15 '16 at 17:09
  • @P0lT10n yes, the RedirectMatch is easier, best practice, and should be valid for all VirtualHost. – VonC Aug 15 '16 at 17:10
  • Do I have to write it in a single line in my `personal.conf` as you wrote it, right? I know how to use it in .htaccess but not in apache configuration. – matiaslauriti Aug 15 '16 at 17:12
  • @P0lT10n if your personal config is included in the main apache2.conf one, that should work just fine. To be tested though. – VonC Aug 15 '16 at 17:15
  • RedirectMatch 404 /\.git Working in global (personal) server .conf. Tested on Apache 2.4.6 – miralong Oct 27 '18 at 13:12
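
An added example (not part of the question, the answer or the comments): a small Python model of which string each directive's regex is tested against, so the four patterns on this page can be compared on the same requests. It assumes DirectoryMatch is tested against the full filesystem path, FilesMatch against the file's base name and RedirectMatch against the URL path; the document root, the sample URL paths and the helper names are constructed for illustration.

```python
import posixpath
import re

DOCROOT = "/var/www/html"  # assumed document root for the constructed samples

# (label, regex from this page, what the directive tests the regex against)
RULES = [
    ("question DirectoryMatch", r"^\.git", "fspath"),
    ("question FilesMatch", r"^\.git", "basename"),
    ("answer DirectoryMatch", r"^/.*/\.git/", "fspath"),
    ("answer RedirectMatch", r"/\.git", "url"),
]

# Constructed URL paths: a .git directory, a nested one, a .git pointer file
# (the relocated-repository case from the question), a dotfile, a normal page.
SAMPLES = [
    "/.git/config",
    "/app/sub/.git/HEAD",
    "/.git",
    "/app/.gitignore",
    "/index.html",
]

def subject(url_path, kind):
    """Return the string this kind of directive matches its regex against."""
    fspath = DOCROOT + url_path
    if kind == "fspath":
        return fspath
    if kind == "basename":
        return posixpath.basename(fspath)
    return url_path

def blocked_by(url_path):
    """Labels of the rules whose regex matches this request."""
    return [name for name, rx, kind in RULES
            if re.search(rx, subject(url_path, kind))]

def coverage():
    """Map every sample path to the rules that would catch it."""
    return {path: blocked_by(path) for path in SAMPLES}

if __name__ == "__main__":
    for path, rules in coverage().items():
        print(f"{path:22} -> {', '.join(rules) or 'not matched'}")
```

In this model only the `RedirectMatch` pattern matches every `.git`-related sample, including the `.git` pointer file; confirm on the real server by requesting the same paths and checking that each returns 404.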