Block nginx from serving .git directories
location ~ /\.git {
    deny all;
}
# or, all . directories/files in general (including .htaccess, etc)
location ~ /\. {
    deny all;
}

higkoo commented Jan 20, 2014

Good !

sunzhongwei commented Apr 8, 2017

Nice!

FireController1847 commented Feb 27, 2018

Thanks! Works great!

KJlmfe commented Mar 31, 2018

Cool

hxmwr commented Aug 16, 2018

Unbelievable!

rubo77 commented Aug 26, 2018

Be sure not to exclude important dot files. Use a negative regex for this, e.g.:

## Disable .htaccess and other hidden files
location ~ /\.(?!well-known).* {
    deny all;
    access_log off;
    log_not_found off;
}

See https://serverfault.com/a/849537/128892

aklyk commented Oct 21, 2018

Cool!

aamsur commented Nov 16, 2018

thanks !

gsiotas commented Nov 29, 2018

👍

mperadze commented Dec 14, 2018

cool

catchmareck commented Apr 5, 2019

@rubo77 Thanks for the note!

bsavelev commented Jun 24, 2019

Instead of deny all, it is better to use return 404.
deny returns 403, which is very interesting for attackers.
404 is a more common code.

lukewest commented Oct 30, 2019

I'm with @bsavelev - I hand back a 404, it is cleaner

location ~ /\.git {
    return 404;
    deny all;
}

Sorry for the raw code, but if I tried to wrap it in a pair of tags I lose the layout?!

pruyas-simplex commented Mar 3, 2020

nice

ghost commented Apr 7, 2020

Better not to spend resources on nonsense: return 444, which closes the connection; a TCP RST is sent to the client, and all memory occupied by this socket is released.

location ~ /\. {
        deny all;
        return 444;
        access_log off;
}

gennyble commented Jan 27, 2021

Worth noting that return 444; just drops the connection (as far as I know) so, as @bsavelev mentioned, it might be better to return 404; if you want it to look like .git doesn't exist on the server.

peter279k commented Jan 27, 2021

Yes. I think it will be good to return a 404 HTTP status code to let the client side know the requested resources are not found.

danger89 commented Nov 19, 2021

404 makes it seem as if the resource is not even there, while otherwise h@ck0rs could potentially find files or directories by just looking at the HTTP status codes. Therefore, I do like 404 as well here.
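
Added example, not part of the gist or of any comment above: a quick offline check of which request paths each location regex from this thread would capture before you reload nginx. It assumes Python's `re` behaves like nginx's PCRE for these simple patterns; the sample paths, the pattern labels and the unescaped-dot variant are constructed for illustration.

```python
import re

# Location regexes discussed in this thread. nginx applies "location ~"
# patterns as an unanchored, case-sensitive regex search over the request path.
PATTERNS = {
    "git_only": r"/\.git",                      # the gist's first block
    "all_dot": r"/\.",                          # the gist's second block
    "keep_well_known": r"/\.(?!well-known).*",  # negative-lookahead variant
    "unescaped_dot": r"/.git",                  # same rule with the dot left unescaped
}

# Constructed request paths (not taken from any real server).
SAMPLE_PATHS = [
    "/.git/config",
    "/app/.git/HEAD",
    "/.gitignore",
    "/.htaccess",
    "/.env",
    "/.well-known/acme-challenge/token",
    "/agitprop.html",
    "/index.html",
]


def blocked(pattern_name, path):
    """True if the named location regex would capture this path."""
    return re.search(PATTERNS[pattern_name], path) is not None


def report(paths=SAMPLE_PATHS):
    """Map each path to the sorted names of the patterns that capture it."""
    return {p: sorted(n for n in PATTERNS if blocked(n, p)) for p in paths}


if __name__ == "__main__":
    for path, names in report().items():
        print(f"{path:36} {', '.join(names) or '(served)'}")
```

The output shows three things worth checking in a real config: `/\.git` also captures `/.gitignore`, `/\.` captures the ACME challenge path under `/.well-known/` unless the lookahead is used, and an unescaped dot captures unrelated paths such as `/agitprop.html`.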
