Score:0

How to block .git Folder serverwide on NGINX?


I have a question about blocking the .git folders server wide on a NGINX system. At the moment I'm playing around a little with NGINX, I actually use Apache. In Apache, it's actually no problem to block all requests to a .git folder server wide. Is there any setting for NGINX as well? If so, where do I need to put it, or do I have to do that with every site hosted on the server?

Thanks a lot guys, have a great weekend.

Score:3

You might want to block all locations starting with a dot on any level, i.e. .env, .git, .htaccess, etc. and make it look like there is no such location at all instead of confirming its existence to potential attackers.

location ~ /\. {
    return 404;
}

Another option is return 444; which makes nginx not send anything, as if the server is not even responding.

LianSheng
In addition, if you have a domain name hosted with Cloudflare, using `return 444` may cause some pages of the website to be rendered differently from other pages, which will make the attacker realize that there is something special here.
Score:0

A location block like this should do what you want:

location /.git {
  deny all;
}

That will return a 403 response.
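
On the "server-wide" part of the question: nginx accepts `location` only inside a `server` (or another `location`) block, not at `http` level, so a rule for every site is normally kept in one snippet file and included in each `server` block. The following is an added example, not part of any answer above; the snippet path, the `example.com` vhost and the ACME exception are assumptions.

```nginx
# /etc/nginx/snippets/deny-dotfiles.conf   (hypothetical path)

# Exception: ACME HTTP-01 validation lives under a dot-directory.
# "^~" makes nginx stop here and never try the regex location below.
location ^~ /.well-known/acme-challenge/ {
    default_type text/plain;
    # files are served from the enclosing server's root
}

# Any path segment that starts with a dot (.git, .env, .htaccess, ...)
# is answered as if it did not exist.
location ~ /\. {
    return 404;
}

# /etc/nginx/sites-enabled/example.conf    (constructed vhost)
server {
    listen 80;
    server_name example.com;
    root /var/www/example;

    # Include before any other regex location: nginx uses the first
    # regex that matches, so a "location ~ \.php$" declared earlier
    # would still be chosen for /.git/hooks/x.php.
    # Relative include paths resolve against the nginx conf directory.
    include snippets/deny-dotfiles.conf;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After `nginx -t` and a reload, a request for `/.git/config` should return 404 on every vhost that carries the include; a vhost without the include is not covered.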
