How to prevent serving the .git directory on the web

Recently, while working on a web-based project running on Apache 2 on an EC2 Linux server with PHP and MySQL, using Git as the version control system (VCS), I found that I was able to access the .git repository from the browser at http://example.com/.git/

Why is it bad to keep the .git folder on a production server where it is reachable from the web?

When deploying a web-based application we usually just clone the repository into the document root. Most VCSs create a metadata folder in the root directory of the project; Git creates the .git folder.

Out of those 1.5m sites, 2,402 have their .git folder exposed and downloadable. That’s 1 in 600 decent respectable sites, or 0.16% of the internet, that is dangerously exposed.

http://www.jamiembrown.com/blog/one-in-every-600-websites-has-git-exposed/

If .git is accessible from the web, anyone can download the complete source code together with the full revision history and every past file modification, including any configuration files (database credentials, API keys) that were ever committed, even ones deleted in a later commit. Directory listing does not need to be enabled for this: the layout of .git is predictable (.git/HEAD, .git/config, .git/index, .git/objects/xx/...), so the repository can be reconstructed object by object with a modest number of requests. This gives an attacker a thorough understanding of the code base and makes finding security flaws much easier.

How to disallow access to the .git directory from the website

There are several ways of fixing this problem; a few of them are listed below.

  • Delete the .git folder from the root directory (deploy an export of the tree, e.g. from `git archive`, instead of a clone).
  • Move the .git folder, or the whole working copy, to a location outside the document root where it can't be reached from the browser.
  • Deny access to any file or directory whose name starts with a DOT using a .htaccess file.

I chose to go with the last option, not allowing access to any hidden files from the browser, because I don't want to lose the advantages of Git, like simply switching branches, pulling updates and doing other related work. So I want to keep the .git directory but not let users access it from the browser.

In Linux, a hidden file is any file whose name begins with a ".". A hidden file is not shown by a bare `ls` command or by a file manager with default settings. In most cases you won't need to see those hidden files, as most of them are configuration files/directories for your desktop or tools.

Ideally no hidden file should be accessible from the browser, and the Git folder is one of them, since its name is `.git`.

I was using Apache 2, so I did the following:

  1. Apache modification
    • Enable mod_rewrite in Apache (skip this if it is already enabled).
    • Locate the httpd.conf file; in my case it is at `/etc/httpd/conf/httpd.conf`.
    • Locate the directory configuration in httpd.conf; in my case I looked for `<Directory "/var/www/html">` because my source code lives under that folder.
    • Make sure `AllowOverride All` (or at least `AllowOverride FileInfo`, which is what mod_rewrite directives in .htaccess require) is set for that directory, so the configuration can be overridden by a .htaccess file.
    • Restart Apache to apply the change: `sudo service httpd restart`
  2. Create a .htaccess file in the project root directory and add the lines below.
RewriteEngine On
RewriteRule (^|/)\.([^/]+)(/|$) - [L,F]
RewriteRule (^|/)([^/]+)~(/|$) - [L,F]

The first rule matches any path component that begins with a dot (`.git`, `.env`, `.htpasswd`, ...) at any depth; the second matches editor backup files whose name ends in `~` (for example `config.php~`). The `-` substitution leaves the URL unchanged, `F` answers with 403 Forbidden and `L` stops further rule processing.

Great! That's all. Try to access any hidden file or folder from the browser; it now returns 403 Forbidden. Note that a 403 still confirms that the path exists, and that these rules also block everything under `/.well-known/`, which matters if you serve ACME (Let's Encrypt) HTTP-01 challenges from this host.
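As an added example (not the original post's .htaccess), here is a hardened version of the two rules plus a server-level deny that does not depend on .htaccess being honoured. It assumes Apache 2.4 and the document root /var/www/html used above; the Apache 2.2 form is shown as a comment. It differs from the rules above in two ways a practitioner usually wants: it answers 404 instead of 403 (a 403 confirms the path exists) and it exempts /.well-known/, which the dot rule would otherwise block and which the Let's Encrypt HTTP-01 challenge needs.

```apache
# Added example, not the original post's configuration. Assumes Apache 2.4
# and the DocumentRoot /var/www/html used above; adjust paths to your layout.

# ---- /var/www/html/.htaccess (needs AllowOverride FileInfo or All) ----
RewriteEngine On

# Let ACME HTTP-01 challenges (Let's Encrypt) through. Without this line the
# dotfile rule below would also refuse /.well-known/acme-challenge/<token>.
# In .htaccess context the pattern is matched without the leading slash.
RewriteRule ^\.well-known/ - [L]

# Any path component starting with a dot (.git, .env, .svn, .htpasswd, ...),
# at any depth, and any editor backup ending in "~" (config.php~).
# R=404 instead of F: a 403 tells the attacker the path exists, a 404 does not.
RewriteRule (^|/)\.([^/]+)(/|$) - [R=404,L]
RewriteRule (^|/)([^/]+)~(/|$)  - [R=404,L]

# ---- server level, e.g. in /etc/httpd/conf/httpd.conf or the vhost ----
# Still applies if AllowOverride is later set to None or a deploy script
# overwrites the .htaccess file. The regex is unanchored, so it matches the
# .git directory and everything below it (/var/www/html/.git/objects/ab).
<DirectoryMatch "/\.git(/|$)">
    Require all denied
</DirectoryMatch>

# Apache 2.2 (e.g. older Amazon Linux httpd) spelling of the same block;
# 2.2 cannot match "$" in DirectoryMatch, so the pattern is shortened:
# <DirectoryMatch "/\.git">
#     Order allow,deny
#     Deny from all
# </DirectoryMatch>

# Dot-files sitting directly in the DocumentRoot (.env, .htpasswd) are files,
# not directories, so cover them as well. The stock config only does ^\.ht
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

After restarting Apache, check both a directory and a file inside it, for example `/.git/` and `/.git/HEAD`, plus something legitimate under `/.well-known/`; the first two should come back 404 and the last should still be served.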

References:

http://www.askapache.com/htaccess/

http://jafty.com/blog/enable-mod_rewrite-on-apache-ec2-linux-server/

https://medium.freecodecamp.com/understanding-git-for-real-by-exploring-the-git-directory-1e079c15b807

How To Set Up Apache Virtual Host on Ubuntu

Apache is one of the most common web servers. One of its most useful features is that it can serve several websites from a single server using virtual hosts.

In this article we will see how to set up a virtual host on Apache on Ubuntu (14.04 at the time of writing). We will set up "test.com", which will actually serve "/home/<username>/sites/test.com/index.html".

Before we start, we assume you have root (sudo) access where necessary. <username> stands for your system user name, i.e. your home directory is /home/<username>.

Step 1: First create a directory for your source code under your home directory (the most common place). Create it as your own user rather than with sudo, otherwise it ends up owned by root:

mkdir -p /home/<username>/sites/test.com

Add an index.html file (with some content) under test.com.

Step 2: Create a new virtual host file by copying the existing default file in "/etc/apache2/sites-available" (the directory is owned by root, hence sudo):

cd /etc/apache2/sites-available
sudo cp 000-default.conf test.com.conf

Set at least the "ServerName" and "DocumentRoot" directives as below (edit the file with sudo):

 ServerName test.com
 DocumentRoot /home/<username>/sites/test.com

Step 3: Add a host entry to your hosts file, located at "/etc/hosts"

sudo vim /etc/hosts

Add a line as below:
127.0.0.1 test.com

Step 4: Now enable the virtual host using the commands below and restart Apache

sudo a2ensite test.com.conf
sudo apachectl restart

Step 5: Open your web browser and hit the url

http://test.com

If you get the message "You don't have permission to access / on this server.", the cause is usually not the directory mode but Apache's access control: Apache 2.4 (which Ubuntu 14.04 ships) denies requests to every directory that has not been explicitly granted, and the stock configuration only grants /var/www. Add a `<Directory /home/<username>/sites/test.com>` block containing `Require all granted` to your virtual host file and restart Apache. Also make sure the www-data user can traverse the path: every parent directory needs the execute (search) bit for others (`chmod o+x /home/<username>`); directories with mode 755 and files with mode 644 are enough. Do not set 0777: that makes the document root writable by every process on the machine, including a compromised web application.
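As an added example (not from the original article), here is the complete test.com.conf that Step 2 should end up with, written for Apache 2.4 as shipped with Ubuntu 14.04, including the <Directory> block that the permission error in Step 5 is really about. <username> is a placeholder, as in the text; the log file names are my own choice.

```apache
# Added example, not the article's own file. Apache 2.4 (Ubuntu 14.04).
# /etc/apache2/sites-available/test.com.conf
<VirtualHost *:80>
    ServerName test.com
    ServerAlias www.test.com
    ServerAdmin webmaster@localhost

    # "<username>" is a placeholder for your own account name.
    DocumentRoot /home/<username>/sites/test.com

    # Apache 2.4 denies everything outside the directories you explicitly
    # grant; the stock config only grants /var/www. Without this block the
    # vhost answers "You don't have permission to access / on this server."
    <Directory /home/<username>/sites/test.com>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/test.com-error.log
    CustomLog ${APACHE_LOG_DIR}/test.com-access.log combined
</VirtualHost>

# Filesystem side (run as your own user, not as root). www-data only needs
# to traverse the parents and read the files; 0777 is never required:
#   chmod o+x /home/<username>
#   chmod 755 /home/<username>/sites /home/<username>/sites/test.com
#   chmod 644 /home/<username>/sites/test.com/index.html
# Then enable and reload, checking the syntax first:
#   sudo a2ensite test.com.conf && sudo apache2ctl configtest && sudo service apache2 restart
```

`Options -Indexes` stops Apache from listing the directory if index.html is ever missing, and `AllowOverride None` keeps .htaccess processing off for this site unless you actually need it.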