
How to Prevent NGINX from Serving .git directory

NGINX is a popular web server used by millions of organizations and web developers. It allows you to easily control access to files and directories that are served on your website. Web developers use this feature to prevent access to folders containing sensitive information on their website. Often they may need to prevent NGINX from serving .git directory and its contents. In this article, we will learn how to do this.

Why Block Access to .git directory

Git is a popular version control system used by many web developers and teams. Web developers use the git version control system to manage their source code, also called a git repository, and configure NGINX to serve files directly from this repository. Every git repository has a hidden .git directory that contains important information about the repository, such as its index, HEAD, objects and configuration. It should not be exposed publicly by serving it over a website; otherwise, attackers will be able to get details about your repository. It should be accessed only via git clients to avoid contamination. In such cases, it is advisable to prevent NGINX from serving the .git directory.

How to Prevent NGINX from Serving .git directory

NGINX provides several simple ways to easily deny access to one or more URLs on your website. Here are the steps to block access to .git directory in NGINX.

1. Open NGINX Configuration File

We need to add a location block to the NGINX configuration file. Open a terminal and run the following command to open the NGINX configuration file in the vi editor.

$ sudo vi /etc/nginx/nginx.conf

If you are running virtual hosts on your NGINX server, then open their configuration file in /etc/nginx/sites-available/ instead of the main NGINX configuration file.

2. Block Access to .git directory

We will use the deny directive to prevent access to the .git directory. Add the following location block to deny access to it.

location ~ /\.git {
  deny all;
}

The above snippet makes the NGINX server return a 403 Forbidden response when someone tries to access the .git directory from their web browser. The location directive uses a regular expression (the ~ modifier), which matches every request whose URI contains /.git.

Please note, this location block must come before your other regular-expression location blocks: NGINX evaluates regex locations in the order they appear in the configuration and uses the first one that matches.

We have covered the most basic use case to prevent NGINX from serving .git files. Now we will look at some other common use cases.

Return Page Not Found Code

Alternatively, you may want to return a 404 Not Found response instead of 403 Forbidden. This makes the visitor think the page does not exist at all, rather than revealing that it exists but is access-restricted, which gives an attacker less reason to keep probing your website.

If you want to return a 404 response when someone accesses the .git directory, modify the above snippet to use the return directive instead of deny.

location ~ /\.git {
  return 404;
}

Deny Server Response

You may also return response code 444, a special NGINX status code that closes the connection without sending any response to the client, as if the server were not responding at all.

location ~ /\.git {
  return 444;
}

Prevent Serving All Hidden Directories

In fact, many projects also contain other hidden and important files, such as .htaccess and .env, whose names start with a dot (.). It is advisable to block access to all of them using the following location block, which also blocks access to the .git directory. Note that this pattern also matches /.well-known/, which the ACME HTTP challenge used by Let's Encrypt relies on; if you use it, add an exception for that path before this block.

location ~ /\. {
  deny all;
}

Prevent Serving .git Subdirectories

Also, please check that the above configuration works with the subdirectories and files of .git as well. In some NGINX installations, the above code only blocks access to .git itself but not to its subdirectories or files such as .git/config. If you face this problem, try the following location block.

location ~ /\.(.*)/?(.*)? {
  return 404;
}

In the above code, we use the regular expression /\.(.*)/?(.*)? to match all requests whose path starts with a dot (.), such as /.git, followed by any number of characters before a / and any number of characters after it, that is, a subdirectory or file inside it.

Stop Serving .git located in Subdirectory

The above location blocks are written for a .git directory in your website's root directory, such as https://example.com/.git. If it is located in a subdirectory such as https://example.com/test/.git, use a location block like the ones shown below, which explicitly allow any path prefix before .git.

location ~ .*/\.git {
  deny all;
}

OR

location ~ /\. {
  deny all;
}

In the above location block, we use the regular expression .*/\.git to indicate that .git can be in the root directory, such as example.com/.git, or in any subdirectory, such as example.com/test/.git.
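To see how the regular-expression locations from this article behave on concrete request paths (the ordering rule, the catch-all /\. block with an ACME exception placed before it, and paths above and below .git), here is an added Python model; it is not part of the original article and not NGINX code. It assumes NGINX's first-match rule among regex locations and only approximates its URI normalization, so confirm on your own server with nginx -t and a few curl requests.

```python
import re
from urllib.parse import unquote

# Constructed snippet in the same form as this article's examples (not a real deployment).
# The ACME exception is listed first so it wins over the catch-all hidden-file block.
NGINX_SNIPPET = r"""
location ~ ^/\.well-known/acme-challenge/ { allow all; }
location ~ /\.git { return 404; }
location ~ /\. { deny all; }
"""

# Parses only the one-directive `location ~ <regex> { <action>; }` form used above.
LOCATION_RE = re.compile(r'location\s+~(\*?)\s+(\S+)\s*\{\s*([^;]+);\s*\}')


def parse_locations(snippet):
    """Return [(compiled regex, action)] in file order; `~*` means case-insensitive."""
    return [(re.compile(pattern, re.IGNORECASE if flag else 0), action.strip())
            for flag, pattern, action in LOCATION_RE.findall(snippet)]


def normalize_uri(raw):
    """Approximate NGINX's normalization before location matching:
    drop the query string, percent-decode, and resolve '.' and '..' segments."""
    path = unquote(raw.split('?', 1)[0])
    parts = []
    for seg in path.split('/'):
        if seg == '..':
            if parts:
                parts.pop()
        elif seg != '.':
            parts.append(seg)
    return '/' + '/'.join(p for p in parts if p)


def decide(raw_uri, rules):
    """Return the action of the first regex location that matches, as NGINX does
    (only regex locations are modelled; '=' and '^~' prefix locations are ignored)."""
    uri = normalize_uri(raw_uri)
    for regex, action in rules:
        if regex.search(uri):  # `location ~` is an unanchored PCRE search
            return action
    return None


RULES = parse_locations(NGINX_SNIPPET)

if __name__ == '__main__':
    for uri in ('/.git/config', '/test/.git/HEAD', '/.gitignore', '/%2Egit/HEAD',
                '/images/./.env', '/.well-known/acme-challenge/token', '/index.html'):
        print(f'{uri:40} -> {decide(uri, RULES)}')
```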

Please note, if your NGINX server hosts multiple virtual hosts, you need to place one of the above location blocks inside each virtual host's server block.

Save and close the NGINX configuration file.

3. Restart NGINX Server

Run nginx -t first to check the configuration for syntax errors, then restart the NGINX server to apply the changes.

$ sudo service nginx restart

Conclusion

In this article, we have learnt how to prevent NGINX from serving the .git directory. The key is to create a location block for .git with a deny all directive and place it before the other location blocks so that it is evaluated first. It is advisable to protect all sensitive and hidden files and directories on your website using this approach, so that only authorized users can access them when required. Alternatively, you can add basic authentication for these files and directories so that they are password protected.
