2

I have a question about blocking the .git folders server wide on an NGINX system. At the moment I'm playing around a little with NGINX, I actually use Apache. In Apache, it's actually no problem to block all requests to a .git folder server wide. Is there any setting for NGINX as well? If so, where do I need to put it, or do I have to do that with every site hosted on the server?

Thanks a lot guys, have a great weekend.

Moshe Katz
Taoiseach

2 Answers

3

You might want to block all locations starting with a dot on any level, i.e. .env, .git, .htaccess, etc. and make it look like there is no such location at all instead of confirming its existence to potential attackers.

location ~ /\. {
    return 404;
}

Another option is return 444; which makes nginx not send anything, as if the server is not even responding.

  • In addition, if you have a domain name hosted with CloudFlare, using `return 444` may cause some pages of the website to be rendered differently from other pages, which will make the attacker realize that there is something special here. – LianSheng Aug 23 '23 at 05:05
0

A location block like this should do what you want:

location /.git {
  deny all;
}

That will return a 403 response.

Moshe Katz
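Added example, not part of either answer above: nginx only accepts `location` inside a `server` (or another `location`) block, not at the `http` level, so one way to get a server-wide rule is a shared snippet that every site includes. The snippet path, `server_name` and `root` below are assumed values for illustration, and the `/.well-known/` exception is an addition for sites that rely on ACME HTTP-01 validation.

```nginx
# ---- file: /etc/nginx/snippets/deny-dotfiles.conf (assumed path) ----

# Exception: keep /.well-known/ reachable (ACME HTTP-01 challenges, security.txt).
# The ^~ modifier stops nginx from evaluating regex locations once this
# prefix matches, so the dot-file rule below never sees these requests.
location ^~ /.well-known/ {
    # served as ordinary static files from the site's root
}

# Any path segment that starts with a dot, at any depth:
# /.git/config, /app/.env, /blog/.git/HEAD, /.htaccess ...
# A plain prefix rule such as "location /.git" only covers paths at the
# site root, and a regex location elsewhere in the server block
# (for example a PHP handler) is still evaluated and can take over the request.
location ~ /\. {
    return 404;   # same response as a path that does not exist
}

# ---- file: one site's server block (hypothetical site) ----
server {
    listen 80;
    server_name example.test;      # assumed name
    root /var/www/example;         # assumed path

    # Include before any other regex locations: nginx checks regex
    # locations in the order they appear and stops at the first match.
    include snippets/deny-dotfiles.conf;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `nginx -t` after adding the include to each site; a site that already defines the same location will fail the check with a duplicate location error, which shows where an older per-site rule needs to be removed.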