How do I hide directories in Apache, specifically source-control?
I want to keep my website/s in version control (Subversion specifically) and use svn co to update it when there are stable versions to update, but I\'m concerne
-
Hiding the directories as Vinko says should work. But it would probably be simpler to use svn export instead of svn co. This should not generate the .svn directories.
讨论(0) -
There is an interesting approach I use: the checkout (and update) is done on a completely separate directory (possibly on a completely separate machine), and then the code is copied to where the webserver will read it with rsync. An --exclude rule on the rsync command line is used to make it not copy any .svn (and CVS) diretories, while a --delete-excluded makes sure they will be removed even if they were copied before.
Since both svn update and rsync do incremental transfers, this is quite fast even for larger sites. It also allows you to have your repository behind a firewall. The only caveat is that you must move all directories with files generated on the server (such as the files/ directory on Drupal) to a place outside the rsync target directory (rsync will overwrite everything when used this way), and the symlink to it must be created in the rsync source directory. The rsync source directory can have other non-versioned files too (like machine-specific configuration files).
The full set of rsync parameters I use is
rsync -vv --rsh='ssh -l username' -rltzpy --exclude .svn/ --exclude CVS/ --exclude Attic/ --delete-after --delete-excluded --chmod=og-w,Fa-xEven then, for redundancy, I still have a configuration rule to prevent .svn from being accessed, copied from a Debian default rule which prevents .ht* (.htaccess, .htpasswd) from being accesed.
讨论(0) -
I use the following which returns a simple 404 to the user, not revealing that the source control directory actually exists:
RedirectMatch 404 /\.(svn|git)(/|$)
讨论(0) -
Consider deploying live code using your operating system's package management tools, rather than directly from your VCS. This will let you ensure your live packages don't contain metadata directories, or other potentially sensitive tools and data.
讨论(0) -
This can be achieved server-wide (recommended), on a single virtual-host basis, or even inside
.htaccessfiles if your server is somewhat permissive with what is allowed in them. The specific configuration you need is:RewriteEngine On RewriteRule /\.svn /some-non-existant-404-causing-page <IfModule autoindex_module> IndexIgnore .svn </IfModule>The first section requires
mod_rewrite. It forces any requests with "/.svn" in them (ie. any request for the directory, or anything inside the directory) to be internally redirected to a non-existant page on your website. This is completely transparent to the end-user and undetectable. It also forces a 404 error, as if your.svnfolders just disappeared.The second section is purely cosmetic, and will hide the
.svnfolders from the autoindex module if it is activated. This is a good idea too, just to keep curious souls from getting any ideas.讨论(0) -
Two things:
Do not use IfModule for functionality you need to be present. It's okay to do it for the autoindex because it might not be present and is not crucial to the scheme. But you are counting on rewrite being present to protect your content. Thus, it's better to remove the IfModule directive and let apache tell you when rewrite is not present for you to enable it (or at least know that you won't be 'protected' and consciously comment the lines)
No need to use rewrite there if you have access to main configuration files, much easier would be one of
<DirectoryMatch \.svn> Order allow,deny Deny from all </DirectoryMatch>
which will generate 403 Forbidden (which is better from HTTP compliance point of view) or, if you want to take the security by obscurity route, use AliasMatch
AliasMatch \.svn /non-existant-pageIf you don't have access to main configuration files you're left with hoping mod_rewrite is enabled for usage in .htaccess.
讨论(0)
加载中...
- 热议问题