How do I hide directories in Apache, specifically source-control?
Two things:
Do not use IfModule for functionality you need to be present. It's okay to do it for the autoindex because it might not be present and is not crucial to the scheme. But you are counting on rewrite being present to protect your content. Thus, it's better to remove the IfModule directive and let Apache tell you when rewrite is not present for you to enable it (or at least know that you won't be 'protected' and consciously comment the lines).
No need to use rewrite there if you have access to the main configuration files; much easier would be one of:
<DirectoryMatch \.svn>
    Order allow,deny
    Deny from all
</DirectoryMatch>
which will generate 403 Forbidden (which is better from an HTTP compliance point of view), or, if you want to take the security by obscurity route, use AliasMatch:
AliasMatch \.svn /non-existant-page
If you don't have access to the main configuration files, you're left with hoping mod_rewrite is enabled for usage in .htaccess.
In the same situation, I used RedirectMatch, for two reasons. Primarily, it was the only method I could find that was allowed in .htaccess on that server with a fairly restrictive config that I couldn't modify. Also I consider it cleanest, because it allows me to tell Apache that yes, there's a file there, but just pretend it's not when serving, so return 404 (as opposed to 403 which would expose things that website viewers shouldn't be aware of).
I now consider the following as a standard part of my .htaccess files:
## Completely hide some files and directories.
RedirectMatch 404 "(?:.*)/(?:[.#].*)$"
RedirectMatch 404 "(?:.*)~$"
RedirectMatch 404 "(?:.*)/(?:CVS|RCS|_darcs)(?:/.*)?$"
This can be achieved server-wide (recommended), on a single virtual-host basis, or even inside .htaccess files if your server is somewhat permissive with what is allowed in them. The specific configuration you need is:
RewriteEngine On
RewriteRule /\.svn /some-non-existant-404-causing-page
<IfModule autoindex_module>
    IndexIgnore .svn
</IfModule>
The first section requires mod_rewrite. It forces any requests with "/.svn" in them (i.e. any request for the directory, or anything inside the directory) to be internally redirected to a nonexistent page on your website. This is completely transparent to the end-user and undetectable. It also forces a 404 error, as if your .svn folders just disappeared.
The second section is purely cosmetic, and will hide the .svn folders from the autoindex module if it is activated. This is a good idea too, just to keep curious souls from getting any ideas.
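
An added example, not part of any of the answers above: a Python check that runs the RedirectMatch patterns and the RewriteRule pattern quoted in the answers over constructed request paths, to show what each rule set hides and what it leaves served. It assumes server or virtual-host context, where Apache searches for the regex anywhere in the URL path; the sample paths and the function names are assumptions made for this illustration.

```python
import re

# Patterns copied from the answers above.
REDIRECTMATCH_404 = [
    r"(?:.*)/(?:[.#].*)$",                     # any segment starting with "." or "#"
    r"(?:.*)~$",                               # editor backup files
    r"(?:.*)/(?:CVS|RCS|_darcs)(?:/.*)?$",     # other VCS metadata directories
]
REWRITE_RULE = [r"/\.svn"]                     # the .svn-only RewriteRule

# Constructed request paths (not from the original page).
SAMPLE_PATHS = [
    "/index.html",
    "/.svn/entries",
    "/app/.svn/wc.db",
    "/.git/config",
    "/.htpasswd",
    "/config.php~",
    "/src/CVS/Root",
    "/.well-known/acme-challenge/token",       # dot-prefixed, so the first rule hides it too
]


def is_hidden(url_path, patterns):
    """True if any pattern matches. Assumption: unanchored search on the URL path."""
    return any(re.search(p, url_path) for p in patterns)


def audit(paths=SAMPLE_PATHS):
    """Map each path to whether each rule set would hide it."""
    return {
        p: {
            "redirectmatch": is_hidden(p, REDIRECTMATCH_404),
            "rewrite": is_hidden(p, REWRITE_RULE),
        }
        for p in paths
    }


def exposed(paths, patterns):
    """Paths that the given rule set would still serve."""
    return [p for p in paths if not is_hidden(p, patterns)]


if __name__ == "__main__":
    for path, result in audit().items():
        print(f"{path:40} redirectmatch={result['redirectmatch']!s:5} rewrite={result['rewrite']}")
```

The .svn-only rule leaves `/.git/config`, `/.htpasswd` and backup files served, while the dot-file RedirectMatch also returns 404 for `/.well-known/` paths, which needs an exception if the site relies on them.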