location ~ /\.git {
    deny all;
}

# or, all . directories/files in general (including .htaccess, etc)

location ~ /\. {
    deny all;
}

Be sure not to exclude important dot files. Use a negative regex for this, e.g.:
## Disable .htaccess and other hidden files
location ~ /\.(?!well-known).* {
    deny all;
    access_log off;
    log_not_found off;
}
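
To see which request paths each of the location regexes above actually catches, this added example (not part of the gist or its comments) evaluates them in Python against constructed paths. It assumes Python's re module treats these patterns the same way nginx's PCRE does, approximates nginx URI normalization by dropping the query string and percent-decoding, and includes a hypothetical tightened pattern that is not from the page.

```python
import re
from urllib.parse import unquote, urlsplit

# The first three regexes are quoted from this page; "tightened" is an
# assumed variant added for comparison (not from the page).
PATTERNS = {
    "git_only": r"/\.git",
    "all_dot": r"/\.",
    "except_well_known": r"/\.(?!well-known).*",
    "tightened": r"/\.(?!well-known(?:/|$))",
}

# Constructed request targets, for illustration only.
SAMPLE_PATHS = [
    "/index.html",
    "/.git/config",
    "/app/.git/HEAD",
    "/.gitignore",
    "/.htaccess",
    "/.well-known/acme-challenge/token",
    "/.well-known.bak/notes.txt",
    "/%2egit/config?x=1",
]


def normalize(target):
    """Approximate nginx: match on the percent-decoded path without the query."""
    return unquote(urlsplit(target).path)


def is_blocked(pattern, target):
    """A '~' location is a case-sensitive, unanchored regex search on the URI."""
    return re.search(pattern, normalize(target)) is not None


def report(paths=SAMPLE_PATHS):
    """Map each pattern name to the sample paths its location block would catch."""
    return {name: [p for p in paths if is_blocked(rx, p)]
            for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, blocked in report().items():
        print(f"{name:18} blocks {len(blocked)}/{len(SAMPLE_PATHS)}: {blocked}")
```

The output shows that the catch-all `/\.` pattern also blocks `/.well-known/` (used for ACME challenges), while the `(?!well-known)` lookahead lets through any dot name that merely starts with `well-known`.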
Cool!
thanks !
👍
cool
@rubo77 Thanks for the note!
Instead of deny all, better use return 404. deny returns 403, which is very interesting for attackers; 404 is a more common code.
I'm with @bsavelev - I hand back a 404, it is cleaner
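location ~ /\.git {
    # return is handled in the rewrite phase, before access rules such as deny, so it alone decides the response
    return 404;
}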
Sorry for the raw code, but if I tried to wrap it in a pair of tags I lose the layout?!
nice
Better not to spend resources on nonsense and return 444, which closes the connection: a TCP RST is sent to the client, and all memory occupied by this socket is released.
location ~ /\. {
    deny all;
    return 444;
    access_log off;
}
Worth noting that return 444; just drops the connection (as far as I know) so, as @bsavelev mentioned, it might be better to return 404; if you want it to look like .git doesn't exist on the server.
Yes. I think it will be good to return a 404 HTTP status code to let the client side know the requested resources are not found.
404 makes it seem as if the resource is not even there, whereas otherwise h@ck0rs could potentially find files or directories by just looking at the HTTP status codes. Therefore, I do like 404 as well here.
Unbelievable!