
Hi, I am deploying my projects with Git. I know that the popular approach to Git deployment is: "to create bare repositories each checked out to a "working" area, which use a post-receive hook to update the actual files served by the website."

However, for some CMS websites, I need to include in the version control the changes made by the website users (for example, when they upload a picture).

What would be a good approach for this case?

What I did is to set up a repo (non-bare) in the ~/webapps/cms directory itself, so I can also commit the changes made there, but I'm wondering if that poses a security risk, since the special .git folder would be exposed in a web-accessible folder.

Any ideas and thoughts are appreciated.

asked Oct 13 '12 at 10:47


teks
11


This sounds like a fine approach, although you are correct that exposing the .git directory is insecure. However, you can hide it similarly to how you would normally hide a .htaccess and .htpasswd file:

# hide .htaccess and .htpasswd:
<FilesMatch "^.ht">
order allow,deny
deny from all
</FilesMatch>

using something like this instead:

# hide entire .git directory
# place this in a .htaccess file *inside* the .git directory
order allow,deny
deny from all

Since you're hiding an entire directory, you would place this inside of .git/.htaccess instead of the root-level .htaccess file. Also, since you're using .htaccess, you would need to ensure that this is running under a "Static/CGI/PHP" application type rather than a "Static Only (no .htaccess)" application.

Hope that helps!

answered Oct 13 '12 at 19:31


ryans ♦♦

edited Oct 13 '12 at 19:37

Thank you. The idea is good, but I'd rather not touch the inside of the .git directory for things not related to the git system itself. I'm worried that there might be unexpected/silent consequences. Is there any way to set up something like this but in the app-root-level .htaccess file?

(Oct 14 '12 at 10:45) teks

You could maybe try the DirectoryMatch directive in a .htaccess in the app root directory.

http://httpd.apache.org/docs/2.2/mod/core.html#directorymatch

(Oct 14 '12 at 11:08) bmeyer71 ♦♦

Would you please give a usage example? I tried the following without luck (500 Internal Server Error):

<DirectoryMatch \.git>
   Order allow,deny
   Deny from all
</DirectoryMatch>

And what about the "Directory" directive?

(Oct 14 '12 at 14:47) teks

I believe what you have should work. Just change .git to "^/.git"; don't forget the quotes.

(Oct 14 '12 at 14:51) bmeyer71 ♦♦

Hmm, no. I tried "^/.git", "^/.git/", "^/\.git", and several combinations, but I think I'm just not going to guess it... Regular expressions are not my thing :/

(Oct 14 '12 at 15:05) teks

Maybe open a support ticket so we can take a closer look at what you have. Please provide the url you are testing with in the ticket.

(Oct 14 '12 at 15:17) bmeyer71 ♦♦

I just wanted to let you know that I blocked/hid the .git folder using the following .htaccess code in the app root directory:

RewriteRule \.git - [R=403,L]

You can change it to R=404 if you want a discreet 404 instead. Of course, don't forget to add RewriteEngine On at the beginning.

I couldn't make DirectoryMatch work. It would be nice if some of you could share tested/working code for this, just to have one more alternative.

answered Mar 05 at 13:01


teks
11
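Two things the thread leaves open, for anyone landing here with the same problem. First, the 500 error is expected: per the Apache core documentation, DirectoryMatch and Directory are only allowed in the server config and virtual host contexts, never in a .htaccess file, so no regex will make them work there; the mod_alias directive RedirectMatch (for example `RedirectMatch 404 /\.git`) is permitted in .htaccess and is the closest drop-in alternative to the accepted RewriteRule. Second, a block like this deserves to be verified from the outside rather than assumed. The script below is an added example, not code from the thread or from WebFaction: it models the unanchored `\.git` match that the accepted RewriteRule performs against the per-directory request path (so you can see that it also catches an uploaded .gitignore or a file named widget.github.css, which may or may not be what you want), and it probes a deployed site for the two files every working-tree repository contains, `.git/HEAD` and `.git/config`, reporting "exposed" only when the response body looks like git metadata rather than a CMS catch-all page. The User-Agent string and the choice of probe files are my own assumptions.

```python
"""Verify that a site's .git directory is not reachable over HTTP.

Added example; not part of the original thread. Run it against your own
deployment after adding the RewriteRule/RedirectMatch to .htaccess.
"""
import re
import urllib.error
import urllib.request

# In a .htaccess file, RewriteRule tests its pattern against the request
# path relative to that directory (no leading slash), and the pattern is an
# unanchored search: "\.git" matches anywhere in the path.
REWRITE_PATTERN = re.compile(r"\.git")


def blocked_by_rewrite(rel_path: str) -> bool:
    r"""True if `RewriteRule \.git - [R=403,L]` would refuse this path."""
    return REWRITE_PATTERN.search(rel_path) is not None


# Files present in every non-bare repository, with the shape their first
# bytes normally have (HEAD is "ref: refs/..." or a 40-hex detached commit;
# config starts with a [core] section). A 200 whose body matches means the
# repository metadata itself is being served. Probe choice is an assumption.
GIT_PROBES = {
    "/.git/HEAD": re.compile(rb"^(ref: refs/|[0-9a-f]{40})"),
    "/.git/config": re.compile(rb"^\s*\[core\]", re.M),
}


def classify(status: int, body: bytes, pattern: re.Pattern) -> str:
    """Map one probe response to 'blocked', 'exposed' or 'unknown'."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and pattern.search(body):
        return "exposed"
    # e.g. a CMS front controller answering 200 with an HTML "not found" page
    return "unknown"


def fetch(url: str, timeout: float = 10.0):
    """GET url and return (status, first 4 KiB of body).

    urllib raises HTTPError for non-2xx responses, so catch it and report
    the status instead of failing; a 403/404 is exactly what we hope to see.
    """
    req = urllib.request.Request(
        url, headers={"User-Agent": "git-exposure-check/1"}  # assumed UA string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


def check_site(base_url: str) -> dict:
    """Probe each known git file under base_url and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {
        path: classify(*fetch(base + path), pattern)
        for path, pattern in GIT_PROBES.items()
    }


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} https://your-site.example/")
    for path, verdict in check_site(sys.argv[1]).items():
        print(f"{verdict:8s} {path}")
```

A verdict of "unknown" (a 200 without git-looking content) usually means the CMS front controller swallowed the request; that is not the same as "blocked", so check what a direct request for `/.git/HEAD` really returns before trusting it. On Apache 2.4 the `Order`/`Deny from all` pair in the earlier answer belongs to mod_access_compat; the native 2.4 form is `Require all denied`.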

© Copyright 2003-2012 Swarma Limited - WebFaction is a service of Swarma Limited