How to prevent serving .git directory on web

Recently while working on a web based project which runs on apache2 on EC2 Linux server, PHP, MySQL, using git as a source version control system(VCS), i was able to access the .git repository from browser like http://example.com/.git/

Why is it bad to keep .git folder on server and accessible on production servers?

When deploying any web based application, we simply clone the repository. Most VCS create a meta folder in the root directory of the project. Like git creates .git folder.

Out of those 1.5m sites, 2,402 have their .git folder exposed and downloadable. That’s 1 in 600 decent respectable sites, or 0.16% of the internet, that is dangerously exposed.

http://www.jamiembrown.com/blog/one-in-every-600-websites-has-git-exposed/

If it is accessible from web, any user can download the complete source code and see all the revision history and past file modifications, also able to see all configuration files if there is any on the server. It gives an attacker ample understanding of code-base and can know about the security flaws or find some severe issues.

How to disallow access to .git directory from website

There are several ways of fixing this problem, listing few of them below

  • Delete the .git folder from root directory.
  • Move the .git folder to some other location from where it can’t be accessed from browser.
  • Don’t allow access to any files that start with DOT using .htaccess file

I choose to go ahead with the last option to not allow access to any hidden files from browser because i don’t want to loose the advantage of git, like simply switching branch or taking updates or doing other related stuff. So i want to keep the .git directory but let user not access it from browser.

In the Linux operating system, a hidden file is any file that begins with a “.”. When a file is hidden it can not been seen with the bare ls command or an un-configured file manager. In most cases you won’t need to see those hidden files as much of them are configuration files/directories for your desktop.

Ideally no hidden file should be accessible from browser, so is git folder as it is`.git`

I was using apache 2, so did it following

  1. Apache modification
    • Enable mode_rewrite in apache, ignore if already enabled.
    • Locate httpd.conf file, in my case its located at `/etc/httpd/conf/httpd.con`
    • Locate the directory configuration in httpd.conf file, in my case i located for `<Directory “/var/www/html”>` because my source code exist under this folder
    • Make sure `AllowOverride All` is set for the directory, to override the configuration using .htaccess file
    • Restart the apache server to reflect the changes `sudo service httpd restart`
  2. Create .htaccess file in project root directory and add below lines.
RewriteEngine On
RewriteRule (^|/)\.([^/]+)(/|$) - [L,F]
RewriteRule (^|/)([^/]+)~(/|$) - [L,F]

Great! That’s all. Try to access any hidden file folder from browser. it will give forbidden now.

References:

http://www.askapache.com/htaccess/

http://jafty.com/blog/enable-mod_rewrite-on-apache-ec2-linux-server/

https://medium.freecodecamp.com/understanding-git-for-real-by-exploring-the-git-directory-1e079c15b807

 

 

Advertisements

How to kill a frozen screen in Ubuntu 16.04

I am using Ubuntu now full-time, after formatting my machine and getting rid of windows or dual boot. While using it suddenly my Google Chrome screen was frozen and none of the controls were working. I tried killing it from task bar by right clicking on the icon -> Quit but it was not working at all.

So i decided to google it for solutions, Like how to kill a program(forcefully) and i came up with an interesting utility which is already there in Ubuntu/Linux machines Xkill.

What is Xkill?

Xkill is a utility for forcing the X server to close connections to clients. This program is very dangerous, but is useful for aborting programs that have displayed undesired windows on a user’s screen. If no resource identifier is given with -id, xkill will display a special cursor as a prompt for the user to select a window to be killed. If a pointer button is pressed over a non-root window, the server will close its connection to the client that created the window.

Command:

➜ ~ xkill
Select the window whose client you wish to kill with button 1....
xkill: killing creator of resource 0x4200001

When you enter xkill command on terminal without any parameter it will ask you to choose the window/client to kill, so simply switch tab, go to the client that you want to close and click on the client. It will forcefully close the client.

Happy sharing! Loving Ubuntu(Linux)! Command rocks! 🙂

Gulpjs – A quick Walkthrough

Today i came across with some amazing and powerful features of Gulp.js(Open source). Its a task runner and a powerful feature of nodejs. Gulp uses node.js streams. Its easy to use and have some useful api.

What is Gulp?

Its is a fast and intuitive streaming build tool built on Node.js. Gulp is a Task / Build runner. It uses node.js streams. Its easy to use and have some useful api, and is efficient. Gulp.js makes use of pipes for streaming data that needs to be processed.

How is it useful

Automating common/tedious task while building product(specially fronted) so that you can focus on more important task. There are loads of plugins available here which does various task and help us achieve almost everything. Few common task that i preferably use:

and many more…

Lets go to playground to have some fun.

Prerequisites:

Since it part of node module so we need to install nodejs first. I run on Ubuntu 14.04 OS.

Open the terminal and first install the node.

sudo apt-get update
sudo apt-get install nodejs

Now you need to install the npm which is Node.js package manager, from which one can install modules and packages to use with Node.js.

sudo apt-get install npm

So node is installed by now, you can check it by issuing nodejs -v and npm -v

Installing Gulp:

sudo npm install -g gulp

Then go to your project directory or create a new one, For me my project root directory is `/home/bishwanath/sites/gulp-demo` and run the following command, which will install it locally to the project also make sure you have already created a package.json files at root level. so that all downloaded plugins will be automatically added under  devDependencies because we use --save-dev flag

npm install --save-dev gulp

Start playing with gulp:

Lets create a file gulpfile.js in your project root directory. where we will create tasks and will run then using gulp command

Here is my initial gulpfile.js look like, just for testing purpose, added a default task which log to console 🙂

var gulp = require('gulp');
gulp.task('default', function() {
   console.log("I have configured a gulpfile"); // This will print on console as output
});

Now run this file using below command, make sure you are into your project dir.

# Lets go to the project directory
bishwanath@bishwanath-jha:~$ cd /home/bishwanath/sites/gulp-demo/

# Files in my project root
bishwanath@bishwanath-jha:~/sites/gulp-demo$ ls -all
total 32
drwxrwxr-x 3 bishwanath bishwanath  4096 Feb 19 01:24 .
drwxrwxrwx 9 bishwanath bishwanath  4096 Feb 18 23:44 ..
-rw-rw-r-- 1 bishwanath bishwanath   126 Feb 18 23:48 gulpfile.js
drwxrwxr-x 4 bishwanath bishwanath  4096 Feb 19 01:17 node_modules
-rw-rw-r-- 1 bishwanath bishwanath   131 Feb 19 01:17 package.json

# Lets execute/run gulpfile
bishwanath@bishwanath-jha:~/sites/gulp-demo$ gulp

# Here is the output
[01:31:23] Using gulpfile ~/sites/gulp-demo/gulpfile.js
[01:31:23] Starting 'default'...
I have configured a gulpfile
[01:31:23] Finished 'default' after 90 μs

In case you get below error, please run the fix as i got this on Ubuntu 14.04 and found the fix here


$ gulp

/usr/bin/env: node: No such file or directory

// Fix:run below command

ln -s /usr/bin/nodejs /usr/bin/node

How Gulp Works:

Gulp allows you to input your source file(s), pipe them through a bunch of plugins and get an output at the end, Let’s take a look at an example of what a basic JS uglifying and concating all js files into single js file called app.js with the help of gulp task.

Lets first install gulp plugin called gulp-uglify and gulp-concat


sudo npm install --save-dev gulp-uglify
sudo npm install --save-dev gulp-concat

Then modify the gulpfile as look like as below now


// Load gulp
var gulp = require('gulp');

// Load gulp plugins
var uglify  = require('gulp-uglify');
var concat  = require('gulp-concat');

// Defining a task as JS uglify
gulp.task('uglification', function() {
return gulp.src('./src/js/*.js') // It loads all .js files under /src/js
.pipe(concat('app.js')) // it further concat all files(currently we have three files check git repo below) contents into app.js
.pipe(uglify()) // it further Minify my JavaScript files/removing-spaces or compressing
.pipe(gulp.dest('./build')) // finally place that app.js file into /build directory
});

// Setting default task to run
gulp.task('default', ['uglification']);

Code Description:

The src() method let’s me specify where to find the JavaScript files.

The pipe() method takes the source stream derived from the src() method and passes it to the specific plugin concat(), so concat would receive the source stream and append all files into app.js

The pipe() method takes the source stream derived from the concat() method and passes it to the specific plugin uglify(), so it would receive the file app.js as stream and minify/compress app.js code.

Finally, using Gulp’s dest() method, all.js is written/created to my target folder. The process if very clear and very readable.

Output:

Now run gulpfile again, it will result into a single app.js(combining all js file mentioned in path into one) file under ./build directory. which will contain concatenated and compressed file of all js files under /src/js/.

bishwanath@bishwanath-jha:~/sites/gulp-demo$ gulp
[02:08:01] Using gulpfile ~/sites/gulp-demo/gulpfile.js
[02:08:01] Starting 'uglification'...
[02:08:01] Finished 'uglification' after 92 ms
[02:08:01] Starting 'default'...
[02:08:01] Finished 'default' after 7.48 μs

This is just one use case, we have may other examples use case. will be covering them into other posts, git repository.

Find the source code here on github : https://github.com/bishwanathjha/gulp-demo

How To Set Up Apache Virtual Host on Ubuntu

Apache web server is the most common and popular in web arena. It has an awesome feature of customization and running websites using virtualhosts.

In this article we will know how to setup virtualhost on apache on Ubuntu(14.04 currently i am using). We will setup “test.com” which will actually point to “/home/<username>/sites/test.com/index.html”

Before we start we assume you have root access, if necessary. <username> is basically your system user directory.

Step 1: First create a directory where you put all your source code under your home directory(most common place)


sudo mkdir /home/&lt;username&gt;/sites/test.com

Add an index.html(with some content) file under test.com
Step 2: Create a new virtualhost file copying existing file under directory “/etc/apache2/sites-available”

cd /etc/apache2/sites-available
cp 000-default.conf test.com.conf

Set at-least “ServerName” and “DocumentRoot” variable as below

 ServerName test.com
 DocumentRoot /home/&lt;username&gt;/sites/test.com

Step 3: Add a host entry into your host file locate under “/etc/hosts”

 

sudo vim /etc/hosts

add a line as below
127.0.0.1 test.com

Step 4: Now enable VitrualHost using below command and restart apache

 sudo a2ensite test.com.conf
sudo apachectl restart

Step 5: Open your web browser and hit the url

http://test.com

In case if you get message like “You don’t have permission to access / on this server. “, Please ensure that “test.com” directory permission is set to 0777. Grant the required permission if necessary.