114

I have started using git for deployment of websites for testing. How do I prevent apache from serving the .git directory contents?

I tried

<Directorymatch "^/.*/\.svn/">
Order deny,allow
Deny from all
</Directorymatch>

with no success.

I know that I can create a .htaccess file in each .git directory and deny access, but I wanted something I could put into the main config file that makes this global across all websites.

Shoan
  • 1,765

12 Answers

205

This has the same effect as many of the other answers but is much simpler:

RedirectMatch 404 /\.git

This can go into .htaccess or your server config file. It hides any file or directory whose name begins with .git (e.g. a .git directory or .gitignore file) by returning a 404. So not only are the contents of your Git repo hidden, its very existence is hidden too.

82

It's not working because you have 'svn' instead of 'git' in the rule. All you have to do is to replace the 'svn' with 'git'.

<Directorymatch "^/.*/\.git/">
  Order deny,allow
  Deny from all
</Directorymatch>
Manuel
  • 3
sinping
  • 2,090
  • 14
  • 13
18

If you're on a shared hosting service and don't have access to apache.conf, you can still do it in your .htaccess file, like this:

RewriteEngine On
RewriteRule "^(.*/)?\.git/" - [F,L]
danorton
  • 735
16

If you don't use .htaccess files but instead want to use /etc/apache2/httpd.conf (or whatever your server's master conf file is) to hide both .git directories and .gitignore files, you can use the following. I found that the answer above for the master conf setting did not hide the .gitignore file.

# do not allow .git version control files to be issued
<Directorymatch "^/.*/\.git+/">
  Order deny,allow
  Deny from all
</Directorymatch>
<Files ~ "^\.git">
  Order allow,deny
  Deny from all
</Files>
8
### never deliver .git folders, .gitIgnore
RewriteRule ^(.*/)?\.git+ - [R=404,L]

# 2nd line of defense (if no mod_rewrite)
RedirectMatch 404 ^(.*/)?\.git+

This works in .htaccess, no httpd.conf access required. Include this as the first of your rewrite rules. Prepend RewriteEngine On if needed.

From a security angle, I prefer a bogus 404 over a 403, which is more informative to the attacker. Comment one of the two out to ensure the other works for you, too.

Btw, chances are your litmus tests for the two are:

http://localhost/.gitignore
http://localhost/.git/HEAD
Frank N
  • 650
  • 10
  • 18
6

To protect both the .git directory as well as other files such as .gitignore and .gitmodules using .htaccess, use:

RewriteEngine On
RewriteRule ^(.*/)?\.git+ - [F,L]
ErrorDocument 403 "Access Forbidden"
scribu
  • 337
4

I always add the following line into vhost template

# one backslash in a plain Apache config file; only a template engine that unescapes backslashes would need two
RedirectMatch 404 /\.(svn|git|hg|bzr|cvs)(/|$)

Just to be sure that no one can access VCS-specific data. Works perfectly.

ALex_hha
  • 7,415
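A check I would add here, as my own example and not code from any answer on this page: it applies the regexes used by the answers above (the plain RedirectMatch 404 /\.git, the multi-VCS RedirectMatch, and the .htaccess RewriteRule ^(.*/)?\.git+) to a constructed set of request paths and reports which paths each rule would still serve. It assumes the .htaccess sits in DocumentRoot, so the per-directory pattern sees the path without its leading slash.

```python
import re

# Request paths to probe; constructed for this example, not taken from the page.
SAMPLE_PATHS = [
    "/.git/HEAD",
    "/.git/config",
    "/app/.git/objects/ab/cdef",
    "/.gitignore",
    "/.gitmodules",
    "/.svn/entries",
    "/.hg/store/00manifest.i",
    "/.github/workflows/ci.yml",  # not VCS data; shows collateral blocking
    "/index.html",
]


def blocked(kind, pattern, url_path):
    """Return True if the rule would deny url_path.

    kind == "redirectmatch": the regex is searched, unanchored, against the
    full URL-path, which is how RedirectMatch matches.
    kind == "htaccess_rewrite": a per-directory RewriteRule; Apache matches it
    against the path relative to the .htaccess directory, leading slash removed
    (assumption here: the .htaccess lives in DocumentRoot).
    """
    if kind == "htaccess_rewrite":
        url_path = url_path.lstrip("/")
    return re.search(pattern, url_path) is not None


def exposed(kind, pattern, paths=SAMPLE_PATHS):
    """Paths the rule does NOT block; any VCS path listed here is a gap."""
    return [p for p in paths if not blocked(kind, pattern, p)]


# Regex parts of the rules posted in the answers above.
RULES = {
    "RedirectMatch 404 /\\.git": ("redirectmatch", r"/\.git"),
    "RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)": ("redirectmatch", r"/\.(svn|git|hg|bzr|cvs)(/|$)"),
    "RewriteRule ^(.*/)?\\.git+ - [R=404,L] (.htaccess)": ("htaccess_rewrite", r"^(.*/)?\.git+"),
}

if __name__ == "__main__":
    for label, (kind, pattern) in RULES.items():
        print(f"{label}\n  still served: {exposed(kind, pattern)}")
```

The multi-VCS rule leaves /.gitignore and /.gitmodules served, and the plain /\.git rule also swallows unrelated names such as /.github/, which is the trade-off the answers on this page are arguing about.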
2

Assuming your webserver is using a different user than the one you use to access the .git repository, you could disable the execute bit for others on the .git directory.

This should work with other webservers and doesn't rely on performance-consuming .htaccess files.

Martijn
  • 366
2

For those looking to simply deny all "hidden" files and directories on a Linux distribution (generally all files beginning with a "."), here's what works on Apache 2.4 when placed in server conf context:

<FilesMatch "^\.(.*)$">
    Require all denied
</FilesMatch>
<DirectoryMatch "/\.(.*)">
    Require all denied
</DirectoryMatch>

And here's the older Apache 2.2 style (same regex, just different auth directives):

<FilesMatch "^\.(.*)$">
    Order deny,allow
    Deny from all
</FilesMatch>
<DirectoryMatch "/\.(.*)">
    Order deny,allow
    Deny from all
</DirectoryMatch>

Then you don't have to worry about .git or .svn specifically. That would also match things like .htaccess and .htpasswd inherently.

Personally, I like issuing 403s for such requests instead of 404s, but you could easily use a RewriteRule instead of auth denial, like so:

<FilesMatch "^\.(.*)$">
    RewriteRule "^(.*)$" - [R=404,L]
</FilesMatch>
<DirectoryMatch "/\.(.*)">
    RewriteRule "^(.*)$" - [R=404,L]
</DirectoryMatch>
ldennison
  • 163
  • 1
  • 7
1

This is a little late but my answer is slightly different, so I thought I would add it. This must go in the httpd.conf file. The <Files "*"> nested inside the <Directory> tag will block all files in the directory.

# GitHub Directory
<Directory /var/www/html/yoursite/.git>
   Order Deny,Allow
   Deny from all
   <Files "*">
     Order Deny,Allow
     Deny from all
   </Files>
</Directory>
# GitHub files
<Files .gitignore>
  Order Deny,Allow
  Deny from all
</Files>
I'm Root James
  • 232
  • 3
  • 14
0

Ubuntu's apache2 package has a security.conf file that suggests

<DirectoryMatch "/\.svn">
   Require all denied
</DirectoryMatch>

(or change .svn to .git to block access to git, or use both)

Guss
  • 3,080
0

You probably want to deny serving .gitignore as well.

Files starting with a dot are hidden in Linux.

Therefore, just 404 anything that begins with a dot:

RedirectMatch 404 /\.

Val Kornea
  • 186
  • 1
  • 6