Block nginx from serving .git directories
location ~ /\.git {
    deny all;
}

# or, all . directories/files in general (including .htaccess, etc)
location ~ /\. {
    deny all;
}

higkoo commented Jan 20, 2014

Good!


sunzhongwei commented Apr 8, 2017



FireController1847 commented Feb 27, 2018

Thanks! Works great!


KJlmfe commented Mar 31, 2018



hxmwr commented Aug 16, 2018



rubo77 commented Aug 26, 2018

Be sure not to exclude important dot files. Use a negative regex for this, e.g.:

## Disable .htaccess and other hidden files
location ~ /\.(?!well-known).* {
    deny all;
    access_log off;
    log_not_found off;
}



aklyk commented Oct 21, 2018



aamsur commented Nov 16, 2018

Thanks!


gsiotas commented Nov 29, 2018



mperadze commented Dec 14, 2018



catchmareck commented Apr 5, 2019

@rubo77 Thanks for the note!


bsavelev commented Jun 24, 2019

Instead of deny all, it is better to use return 404.
deny returns 403, which is very interesting for attackers.
404 is a more common code.


lukewest commented Oct 30, 2019

I'm with @bsavelev - I hand back a 404, it is cleaner

location ~ /\.git {
    return 404;
}

Sorry for the raw code, but if I tried to wrap it in a pair of tags I lose the layout?!


pruyas-simplex commented Mar 3, 2020



Garistar commented Apr 7, 2020

Better not to spend resources on nonsense and return 444, which closes the connection: a TCP RST is sent to the client, and all memory occupied by this socket is released.

location ~ /\. {
    deny all;
    return 444;
    access_log off;
}


gennyble commented Jan 27, 2021

Worth noting that return 444; just drops the connection (as far as I know) so, as @bsavelev mentioned, it might be better to return 404; if you want it to look like .git doesn't exist on the server.


peter279k commented Jan 27, 2021

Yes. I think it will be good to return a 404 HTTP status code to let the client side know the requested resources are not found.


danger89 commented Nov 19, 2021

404 makes it seem as if the resource is not even there. Otherwise, h@ck0rs could potentially find files or directories by just looking at the HTTP status codes. Therefore, I do like 404 as well here.
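
As an added example (not part of the gist or any comment above), this sketch checks which request paths each location regex discussed on this page would match, plus a variant with the dot left unescaped for comparison. It assumes Python's `re.search` as a stand-in for nginx's unanchored, case-sensitive `~` PCRE match on the normalized URI; the pattern names and sample paths are constructed for illustration.

```python
import re

# Location regexes taken from the gist and its comments. nginx "~" is a
# case-sensitive, unanchored PCRE search over the normalized request URI;
# Python's re.search is used here as a stand-in (assumption).
PATTERNS = {
    "git_only": r"/\.git",                        # original gist
    "all_dotfiles": r"/\.",                       # gist's broader variant
    "except_well_known": r"/\.(?!well-known).*",  # negative-lookahead variant
    "unescaped_dot": r"/.git",                    # dot left unescaped
}

# Constructed sample request paths (not from the page).
SAMPLE_PATHS = [
    "/.git/config",
    "/app/.git/HEAD",
    "/.gitignore",
    "/.env",
    "/.htaccess",
    "/.well-known/acme-challenge/token",
    "/.well-known/.git/config",
    "/.well-known-backup/dump.sql",
    "/legit/page.html",
    "/docs/egit/index.html",
]


def is_blocked(pattern_name: str, path: str) -> bool:
    """Return True if the named location regex would match this path."""
    return re.search(PATTERNS[pattern_name], path) is not None


def coverage() -> dict:
    """Map each pattern name to the sample paths it would block."""
    return {
        name: [p for p in SAMPLE_PATHS if is_blocked(name, p)]
        for name in PATTERNS
    }


if __name__ == "__main__":
    for name, blocked in coverage().items():
        print(f"{name} ({PATTERNS[name]})")
        for path in SAMPLE_PATHS:
            print(f"  {'BLOCK' if path in blocked else 'allow'}  {path}")
```

The lookahead variant lets through any dot path whose name merely starts with `well-known`, and the unescaped dot also catches ordinary paths such as `/docs/egit/`, so both are worth checking against the real site layout before deployment.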
