
How do I hide directories in Apache, specifically source-control?

Tags: svn, apache

I want to keep my website/s in version control (Subversion specifically) and use svn co to update it when there are stable versions to update, but I'm concerned about the security of doing so, as all the .svn folders will be public, and these include all sorts of private data, not least of which is complete source code to my website!

Is there anything I can do to prevent this?

Matthew Scharley asked Oct 18 '08 10:10




2 Answers

Two things:

  1. Do not use IfModule for functionality you need to be present. It's okay to do it for the autoindex because it might not be present and is not crucial to the scheme. But you are counting on rewrite being present to protect your content. Thus, it's better to remove the IfModule directive and let Apache tell you when rewrite is not present for you to enable it (or at least know that you won't be 'protected' and consciously comment the lines).

  2. No need to use rewrite there if you have access to main configuration files, much easier would be one of

    <DirectoryMatch \.svn>
        Order allow,deny
        Deny from all
    </DirectoryMatch>

which will generate 403 Forbidden (which is better from HTTP compliance point of view) or, if you want to take the security by obscurity route, use AliasMatch

    AliasMatch \.svn /non-existant-page 

If you don't have access to main configuration files you're left with hoping mod_rewrite is enabled for usage in .htaccess.

Vinko Vrsalovic answered Oct 14 '22 10:10


In the same situation, I used RedirectMatch, for two reasons. Primarily, it was the only method I could find that was allowed in .htaccess on that server with a fairly restrictive config that I couldn't modify. Also I consider it cleanest, because it allows me to tell Apache that yes, there's a file there, but just pretend it's not when serving, so return 404 (as opposed to 403 which would expose things that website viewers shouldn't be aware of).

I now consider the following as a standard part of my .htaccess files:

    ## Completely hide some files and directories.
    RedirectMatch 404 "(?:.*)/(?:[.#].*)$"
    RedirectMatch 404 "(?:.*)~$"
    RedirectMatch 404 "(?:.*)/(?:CVS|RCS|_darcs)(?:/.*)?$"

Gilles 'SO- stop being evil' answered Oct 14 '22 09:10
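
Added example, not part of either answer: a small Python check that runs the three `RedirectMatch` patterns from the second answer over constructed URL paths, so you can see what they hide before deploying them. The sample paths and the names `hidden_by` and `audit` are assumptions made for this example; the `.well-known` entry shows that the first pattern also hides every other dot-directory.

```python
import re

# The three RedirectMatch patterns from the answer above, copied verbatim.
HIDE_PATTERNS = [
    r"(?:.*)/(?:[.#].*)$",
    r"(?:.*)~$",
    r"(?:.*)/(?:CVS|RCS|_darcs)(?:/.*)?$",
]
_COMPILED = [re.compile(p) for p in HIDE_PATTERNS]


def hidden_by(url_path):
    """Return the first pattern that would 404 this URL path, or None."""
    for pattern, rx in zip(HIDE_PATTERNS, _COMPILED):
        # RedirectMatch applies the regex unanchored to the URL path.
        if rx.search(url_path):
            return pattern
    return None


# Constructed sample paths: (URL path, do we intend it to be hidden?)
SAMPLES = [
    ("/.svn/entries", True),
    ("/blog/.svn/text-base/index.php.svn-base", True),
    ("/.git/config", True),
    ("/.htpasswd", True),
    ("/config.php~", True),                # editor backup file
    ("/lib/CVS/Root", True),
    ("/index.php", False),
    ("/docs/CVS-migration.html", False),   # 'CVS' is not a whole path segment
    ("/.well-known/acme-challenge/token", False),  # assumed to be wanted public
]


def audit(samples=SAMPLES):
    """Return (path, intended, actual) for every path the rules get 'wrong'."""
    return [(p, want, hidden_by(p) is not None)
            for p, want in samples
            if (hidden_by(p) is not None) != want]


if __name__ == "__main__":
    for path, want, got in audit():
        print(f"MISMATCH {path}: intended hidden={want}, rules give hidden={got}")
```

If a dot-directory such as `.well-known` has to stay reachable, the first pattern needs an exception for it; rerun the audit after changing the pattern.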