
Deny web access to .git directories on WHM/cPanel

The problem

I use git for deployment to staging and production WHM/cPanel servers.

I've recently discovered that the .git folder inside of the web root directory was web accessible, thereby exposing my WordPress installs, database usernames & passwords, etc. :(

The solution

Reconfigure Apache to deny web access to any directory or file whose name starts with .git. Keeping the repository out of the document root altogether (for example with git's --separate-git-dir option) avoids the exposure entirely, but the Apache rule is a safety net that covers every site on the server regardless of how it was deployed.

This can be done on a site-by-site basis by creating a .htaccess file that denies access to the .git directory.

However, I don't like that, as it's too easy to forget when creating / cloning a repo.

I'd much rather do it on a global level by modifying the httpd.conf.

Modifying WHM / cPanel Apache httpd.conf

WHM doesn't have a single httpd.conf that we can hand-edit (it would be overwritten on the next rebuild). Instead it builds the main httpd.conf from a set of templates, documented here:

EasyApache documentation

The specific documentation we want is how to modify the VirtualHost directives for each website.

Changes Contained Within A Virtual Host Directive

We need to make a copy of the default template files, naming the copies with the .local extension (cPanel uses a .local file in place of the matching .default file when it exists):

cp /var/cpanel/templates/apache2/vhost.default /var/cpanel/templates/apache2/vhost.local
cp /var/cpanel/templates/apache2/ssl_vhost.default /var/cpanel/templates/apache2/ssl_vhost.local

Edit each file and add the following inside the <VirtualHost> directive.

I do it after ServerAdmin.

# do not allow .git version control files to be issued
<DirectoryMatch "/\.git(/|$)">
  Order deny,allow
  Deny from all
</DirectoryMatch>
<FilesMatch "^\.git">
  Order deny,allow
  Deny from all
</FilesMatch>

The DirectoryMatch covers the .git directory itself and everything under it (the pattern matches the path with or without a trailing slash, and does not match unrelated names such as .github); the FilesMatch covers loose files such as .gitignore, .gitattributes and .gitmodules, which the directory rule alone would miss. The Order/Deny pair is Apache 2.2 access-control syntax, which is what the EasyApache 3 templates above use; on Apache 2.4 (EasyApache 4) the equivalent inside each container is Require all denied.

Next, make a backup of /usr/local/apache/conf/httpd.conf, just in case anything goes wrong, so you can immediately restore it.

Then run:

/scripts/rebuildhttpdconf
service httpd restart

Test access to a .git directory on an SSL and a non-SSL site: a request for /.git/HEAD, /.git/config or /.gitignore should now get 403 Forbidden rather than the file contents.

If you have any problems, restore /usr/local/apache/conf/httpd.conf from your backup and restart httpd, then re-edit the vhost.local and ssl_vhost.local templates you created and rebuild again.

From the EasyApache Documentation:

Custom templates that will apply to all virtual hosts when rebuilding an existing Apache configuration
To create custom template files that affect all virtual hosts:
Create a copy of one or more of the following files:
Apache 1 without SSL — /var/cpanel/templates/apache1/vhost.default
Apache 2 without SSL — /var/cpanel/templates/apache2/vhost.default
Apache 1 with SSL — /var/cpanel/templates/apache1/ssl_vhost.default
Apache 2 with SSL — /var/cpanel/templates/apache2/ssl_vhost.default
Rename the copied file to one of the following:
vhost.local — use this if you copied vhost.default.
ssl_vhost.local — use this if you copied ssl_vhost.default.
Edit the *.local files to make the changes you would like to your virtual host configuration.
Important: This method affects all of your virtual hosts, as the .local file(s) will be used in place of the .default file(s).