We're using Mercurial on our production servers for some smaller web projects to easily deploy applications by pushing changes to the server over SSH. The repositories reside in the public_html folders of their respective accounts.

Now if I do a

hg clone http://www.domain.com

I get

real URL is http://www.domain.com/
requesting all changes
adding changesets
adding manifests
transaction abort!
rollback completed
abort: empty or missing revlog for .htaccess

Fortunately, cloning doesn't seem to be possible without authentication, but I'd rather not let anyone know there is an hg repository available in the first place.

Does anybody know a way to completely hide a Mercurial repository from the public, even though it is in a public place like public_html/htdocs on webserver? I couldn't find any information on how to achieve that.

ETA: Apparently, I do not yet have enough reputation to vote any answers up. But thanks a lot to the both of you for your helpful answers. :)

+1  A: 

You can

  • make the .hg directory inaccessible to your web server
  • make .hg invisible by .htaccess magic (assuming you use an Apache httpd)
  • place the repositories outside of public_html and populate public_html with hg archive
Rudi
Sounds good. The .hg directory belongs to the account user which is the same user as the web server (shared hosting environment), so I don't know if I can make it inaccessible to the web server, but I'll definitely look into the second and third options. Thanks a lot!
Jürg Gutknecht
+2  A: 

In the repo's .hg/hgrc add this:

[web]
allowpull = false

That will error them out much earlier in the process, before they get any data (currently they're getting a lot of data if they want it before rollback). Note that allowpull has no underscore, unlike most other multi-word Mercurial settings.

That completely prevents them from getting the contents via Mercurial, but they could still use wget, curl or a web browser to pick through http://www.domain.com/.hg/ manually.

To avoid that you can block any URL containing /.hg/ at the web server level. In Apache that would look like:

<Directory "/your/doc/root/.hg">
  Order deny,allow
  deny from all
</Directory>
Ry4an
This worked like a charm, thanks a lot! It was a matter of copying and pasting your instructions into the respective files.
Jürg Gutknecht
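
An added example, not part of either answer above: a small audit that walks a document root, lists every .hg directory found under it, and reports whether its hgrc sets allowpull to false in the [web] section. The function names and the sample repositories "shop" and "blog" are constructed for illustration. The check only reads hgrc; the web server deny rule for /.hg/ has to be verified separately.

```python
import os
import tempfile

# Values Mercurial's boolean parser reads as false.
FALSE_VALUES = {"0", "no", "false", "off", "never"}

def web_allowpull(hgrc_path):
    """Return the last [web] allowpull value in an hgrc file, or None if unset."""
    section, value = None, None
    try:
        with open(hgrc_path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line[0] in "#;":
                    continue  # blank line or comment
                if line.startswith("[") and line.endswith("]"):
                    section = line[1:-1].strip()
                elif section == "web" and "=" in line:
                    key, _, val = line.partition("=")
                    # "allow-pull" is the newer spelling of the same setting
                    if key.strip() in ("allowpull", "allow-pull"):
                        value = val.strip().lower()
    except FileNotFoundError:
        return None
    return value

def audit_docroot(docroot):
    """List every .hg directory under docroot with its pull setting."""
    findings = []
    for dirpath, dirnames, _ in os.walk(docroot):
        if ".hg" in dirnames:
            dirnames.remove(".hg")  # do not descend into the store itself
            value = web_allowpull(os.path.join(dirpath, ".hg", "hgrc"))
            findings.append((os.path.relpath(dirpath, docroot),
                             value in FALSE_VALUES))
    return sorted(findings)

def demo():
    """Audit a constructed docroot: one hardened repo, one left at defaults."""
    with tempfile.TemporaryDirectory() as root:
        for name, hgrc in (("shop", "[web]\nallowpull = false\n"),
                           ("blog", "[ui]\nusername = deploy\n")):
            os.makedirs(os.path.join(root, name, ".hg"))
            with open(os.path.join(root, name, ".hg", "hgrc"), "w") as fh:
                fh.write(hgrc)
        return audit_docroot(root)

if __name__ == "__main__":
    for repo, pull_blocked in demo():
        print(f"{repo}: .hg present, pull blocked = {pull_blocked}")
```

Any repository the audit lists is a candidate for the third option in the first answer: keeping the repository outside public_html and populating it with hg archive.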