I have a website that is under version control. To make it easy to deploy it to the server, I am thinking about cloning the repo to the server and, whenever I want to update the pages, just pulling changes from the server. From a security point of view, is it a bad idea to leave the .git folder lying around on the webserver?

+3  A: 

You can place arbitrary files in .git, such as a .htaccess file which would prevent any access through the web server.

If you want an extra security layer (in case you forget to put the .htaccess there while recloning the repository for example), you can have your web server refuse to serve any URL with .git/ in it by using mod_rewrite (provided you use Apache, other web servers will use other mechanisms).

Samuel Tardieu
If the repo also includes an htdocs or public dir that is the base DOCUMENT_ROOT from which the site starts, no-one would be able to access .git from the outside world anyway.
Alister Bulman
The problem here is that ".git/" is located right *under* the document root.
Samuel Tardieu
+1  A: 

Use something like git --git-dir=... checkout . This lets you keep the .git directory outside the html tree. You can even use a bare repo by adding --work-tree:

git --git-dir=... --work-tree=... checkout

Using a bare repo avoids having a redundant copy of the tree, and is better for pushing into.

The same can be specified using environment variables, too. The git man page has the details.

Neil Mayhew
You would of course have to run this command somehow. A cron job is one obvious way; it could perhaps be done from a post-commit hook, but I haven't checked this. If you're pulling into the server repo, as you suggested, rather than pushing, the command could of course be run manually, or you can set the core.worktree variable to always put the tree somewhere else.
Neil Mayhew
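The following script is an added example and is not code from either answer above. It puts both suggestions together: the repository lives as a bare repo outside the document root and a post-receive hook runs git --git-dir=... --work-tree=... checkout to refresh the site, so no .git/ directory ever exists under the document root; as a fallback for the case the first answer warns about (someone later cloning straight into the web root), it also writes an Apache .htaccess with a mod_rewrite rule that returns 403 for any URL containing a .git path component. All paths, the branch name "deploy" and the function names are assumptions made for the example; the .htaccess uses Apache 2.2-era syntax and needs mod_rewrite plus AllowOverride FileInfo to take effect.

```shell
#!/bin/sh
# Added example, not code from the original answers. Paths and names are
# assumptions for illustration; adjust them to the real server layout.
set -eu

# setup_deploy BARE_REPO DOCROOT
# Creates the bare repository and the document root, and installs a
# post-receive hook that checks out the "deploy" branch into DOCROOT.
# The checkout is driven by --git-dir/--work-tree, so no .git/ directory
# is ever created inside DOCROOT.
setup_deploy() {
    repo=$1
    docroot=$2
    git init -q --bare "$repo"
    mkdir -p "$repo/hooks" "$docroot"
    cat > "$repo/hooks/post-receive" <<EOF
#!/bin/sh
# Runs on the server after every push. The branch is named explicitly so
# the hook does not depend on whatever HEAD the bare repo was created with.
git --git-dir="$repo" --work-tree="$docroot" checkout -f deploy
EOF
    chmod +x "$repo/hooks/post-receive"

    # Defence in depth: even if somebody later clones straight into DOCROOT,
    # any request for .../.git/... is answered with 403 Forbidden.
    # (Apache 2.2 syntax; requires mod_rewrite and AllowOverride FileInfo.)
    cat > "$docroot/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule (^|/)\.git(/|$) - [F,L]
EOF
}

# deploy SOURCE_CLONE BARE_REPO
# Pushes the current commit of a working clone to the server's bare repo;
# the post-receive hook installed above then refreshes DOCROOT.
deploy() {
    git -C "$1" push -q "$2" HEAD:refs/heads/deploy
}

# check_no_git_in_docroot DOCROOT
# Succeeds (exit 0) only if nothing named .git exists anywhere under
# DOCROOT, which is the property the original question is about.
check_no_git_in_docroot() {
    [ -z "$(find "$1" -name .git | head -n 1)" ]
}
```

Usage on the server: setup_deploy /srv/git/site.git /var/www/html once, then push from a developer clone with deploy ~/site /srv/git/site.git (or over SSH to the same bare repo path). Run check_no_git_in_docroot /var/www/html from a cron job or a deployment check if you want to be alerted when a .git directory shows up in the web root by other means.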