Is it bad to store Apache conf files on github?

Question

I'm working on a project that when deployed will need to modify an existing Apache config. Currently the conf files are are not included in the github repository, I would like to add them which would let me make the changes required in the branch I'm working on.

The current maintainer and I are unsure if including these files is a security risk? What is considered best practice in this regard?

Public site + publc GitHub == public sees everything == bad IMHO. — Nic3500, Nov 06 '20 at 04:14

score 1 · Accepted Answer · answered Nov 06 '20 at 08:13

What is better is to store an httpd.conf.tpl template file with placeholder values in it.

That allows you to generate the right httpd.conf file locally, and to do so automatically on git clone/git checkout.

The generation script will:

search the right values for any sensitive data from an external secure referential (like a vault)
replace the placeholder value in httpd.conf.tpl to generate the right httpd.conf (that can be ignored by Git)

For that, do register (in a .gitattributes declaration) a content filter driver.

^{(image from "Customizing Git - Git Attributes", from "Pro Git book")}

The smudge script will generate (automatically, on git checkout or git switch) the actual httpd.conf file as mentioned above.
Again, the generated actual httpd.conf file remains ignored (by the .gitignore).

See a complete example at "git smudge/clean filter between branches".

Is it bad to store Apache conf files on github?

1 Answers1

Linked