Geekflare
In Apache HTTP , Nginx and Security  |  Last updated:
Share on:
Cloudways offers managed cloud hosting for any size business to host a website or complex web applications.

How to Block .git in Apache, Nginx and Cloudflare?

By

Don’t expose the .git folder, which may contain sensitive information.

When you initialize and deploy your application through Git, it creates a .git folder that contains necessary information. If .git folder is accessible through a webserver or frontend over the Internet, it can potentially leak sensitive data.

Worse, if you have credentials stored in some configuration file.

Use these tools to find credentials in the GitHub repository.

If you are not sure if you have .git somewhere on your web applications, you can use a security vulnerability scanner like OpenVAS, Gitjacker, or other mentioned here.

Gitjacker is more than detecting the .git directory. It downloads the entire directory.

There are multiple ways to handle this.

You may choose not to keep .git folder on the server or block any request. Blocking the request is pretty straightforward, and this is how you can achieve depending on the webserver you use.

Nginx

If you are using Nginx, you can add the following location directive in nginx.conf file

location ~ /\.git {
  deny all;
}

The above would instruct Nginx to throw 403 like below whenever there is a request containing .git

Alternatively, you can return 404 if you don’t want an attacker to assume that you have .git on the server.

location ~ /\.git {
  return 404;
}

And this would return the HTTP status code as 404 as below.

Whatever you choose, don’t forget to restart the Nginx after making the configuration change.

service nginx restart

Apache HTTP

Let’s see how to block .git in the Apache webserver. You can use RedirectMatch or DirectoryMatch to achieve this.

Using RedirectMatch is probably the easiest one. You just need to add the following in httpd.conf  or .htaccess file.

RedirectMatch 404 /\.git

The above would throw 404 when someone accesses .git, and the following will show 403.

RedirectMatch 403 /\.git

Next, let’s try using the DirectoryMatch rule by adding the following in httpd.conf file.

<DirectoryMatch "^/.*/\.git/">
  Deny from all
</Directorymatch>

Restart the Apache and access the URL, including .git; it will show 403 Forbidden error.

Cloudflare

This is my favorite. Block the request at the edge!

But, as you can guess, this will only work if your site is accelerated through the Cloudflare network.

  • Login to Cloudflare
  • Go to the Firewall tab >> Firewall Rules >> Create a Firewall rule

  • Give a rule name – Block GIT
  • Select field – URI
  • Operator – contains
  • Value – .git
  • Choose an action – Block and save

It will take around 1 minute to propagate the rule across all Cloudflare datacenters. Once done, Cloudflare will do the rest.

One thing to note, when implementing the Cloudflare firewall rule to block, you have to ensure the origin is not exposed. Otherwise, an attacker can bypass Cloudflare to access .git files.

Conclusion

I hope the above helps you to mitigate the risk of exposing the .git directory.

Share on:
  • Chandan Kumar
    Author
    Chandan Kumar is a seasoned technology enthusiast and entrepreneur passionate about empowering businesses and individuals globally. As the founder of Geekflare, a leading technology publication, Chandan has spearheaded the development…
Posted in

Thanks to our Sponsors

More great readings on Apache HTTP

Power Your Business

Some of the tools and services to help your business grow.
  • Murf AI

    The text-to-speech tool that uses AI to generate realistic human-like voices.

    Try Murf AI
  • Brightdata

    Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.

    Try Brightdata
  • Monday.com

    Monday.com is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.

    Try Monday
  • Intruder

    Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.

    Try Intruder