prevent apache from serving .git directory

How to Prevent Apache from Serving .git Directory

Apache is a popular web server used by millions of websites and applications. Often web development teams employ git version control system to manage their source code. They also set up Apache server to directory serve files and data from git repository’s directory. However, it is advisable to prevent unauthorized to the .git directory that is present in every git repository, since it contains sensitive information. In this article, we will learn how to prevent Apache from serving .git directory.

Why Block .git directory

Every git repository has a hidden .git directory that stores key information such as index, head, etc. Since Apache reads files from git repository’s folder, it is possible that it ends up serving contents of .git directory to general public users when they request a URL on your website. But .git directory is required only for repo management and it should not be visible via your website’s URLs. If unauthorized users get access to .git directory they can exploit vulnerabilities in your code base. In fact, if your .git directory contains user credentials then they can cause even more damage. So it is essential to either keep .git directory outside your website’s root directory or prevent Apache from serving .git directory. The second option is easy to implement and advisable.

How to Prevent Apache from Serving .git Directory

To proceed with the following steps, you need to modify .htaccess file of your Apache server. If you have not set up mod_rewrite/.htaccess on your Apache server yet, then follow step # 1 below, else skip to step #2.

1. Enable mod_rewrite

If you have already enabled mod_rewrite on your Apache server, you can skip this step. Otherwise, run the following commands as per your Linux distribution.

Ubuntu/Debian

$ sudo a2enmod rewrite

Redhat/CentOS/Fedora

Open Apache configuration file in a text editor.

$ sudo vi /etc/apache2/httpd.conf
OR
$ sudo vi /etc/httpd/httpd.conf

Look for the following line.

#LoadModule rewrite_module modules/mod_rewrite.so

Uncomment it by removing # at its beginning. If you don’t find this line, add it afresh.

Also look for the following Directory tag and change AllowOverride from None to All.

. . .
<Directory /var/www/html>
. . .
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
. . .
</Directory>
. . .

2. Open .htaccess file

Run the following command to open .htaccess file in your website’s root folder. If your website root is located somewhere else, then please update the file path below as per your requirement.

$ sudo vi /var/www/html/.htaccess

3. Prevent .git directory

Add the following lines to prevent .git directory from being served.

<Directorymatch "^/.*/\.git/">
  Order 'deny,allow'
  Deny from all
</Directorymatch>

Save and close the file. The above code matches all URLs where directory name starts with ‘.git’ and blocks it, by returning 403 Access Forbidden response. The URL matching is done by the regular expression and actual blocking is done by the ‘Deny from all’ directive.

We need to provide a regular expression in DirectoryMatch tag, that matches all URLs directed towards .git directory and its contents. Since we have used ‘/.*’ before .git in the above regular expression, it works even if .git is located in any of the subdirectories in web root folder. For example, it will work whether .git directory is accessible at https://example.com/.git or https://example.com/test/.git

If you want to allow access from a few trusted IP addresses, add an Allow directive, one per IP address, after the Deny directive as shown below. Here is an example to block access to .git directory from all IP addresses except 54.43.32.21.

<Directorymatch "^/.*/\.git/">
Order 'deny,allow'
Deny from all
Allow from 54.43.32.21
</Directorymatch>

Deny and Allow are powerful access control directives in Apache that help you allow and prevent access to URLs, files, directories, subdomains and domains.

Similarly, you can use this solution to block not just .git but also other sensitive directories such as .env.

<Directorymatch "^/.*/\.git/">
Order 'deny,allow'
Deny from all
</Directorymatch>

Please note, you can add DirectoryMatch either in Apache main configuration file httpd.conf or .htaccess file, depending on your convenience.

Alternatively, you can also add the following RedirectMatch directive to match and block URLs starting with .git. You can use response code as 404 (Page Not Found) or 403 (Access Forbidden) as per your requirement.

RedirectMatch 404 /.*/\.git

You can use RedirectMatch either in main Apache configuration file or .htaccess.

Please note, when you use deny directive in .htaccess, or return 403 response code, the user will get ‘Access Forbidden’ message. In this case, they will know that the URL exists but they do not have access to it. This may encourage them to try malicious tricks to gain access. So it is advisable to return 404:Page Not Found response. This way they will think that the page itself does not exist.

4. Restart Apache Server

Restart Apache server to apply changes.

$ sudo service apache2 restart

Conclusion

In this article, we have learnt how to prevent Apache server from serving .git directory. The key is to create a DirectoryMatch tag with regular expression that covers .git directory and all its contents. It is recommended to block access to all hidden and sensitive content on your website, not just .git directory, using this method. You can also customize this solution to prevent access from all IP addresses except a few trusted ones. Alternatively, you can use basic password authentication to prevent unauthorized access to .git and other directories with sensitive content.

Also read:

How to Check if String is Substring of Items in List
How to Check if Column is Empty or Null in MySQL
How to Modify MySQL Column to Allow Null
How to Schedule Multiple Cron Jobs in One Crontab
How to POST JSON Data in Python

Leave a Reply

Your email address will not be published. Required fields are marked *