I want to keep my website/s in version control (Subversion specifically) and use svn co to update it when there are stable versions to update, but I'm concerned about the security of doing so, as all the .svn folders will be public, and these include all sorts of private data, not least of which is complete source code to my website!
我想保持我的网站版本控制(特别是Subversion)并使用svn co来更新它,当有稳定的版本要更新时,但是我担心这样做的安全性,因为所有的.svn文件夹都是public,这些包括各种私人数据,其中至少是我网站的完整源代码!
Is there anything I can I do to prevent this?
我有什么办法可以防止这种情况发生吗?
7 个解决方案
#1
38
Two things:
-
Do not use IfModule for functionality you need to be present. It's okay to do it for the autoindex because it might not be present and is not crucial to the scheme. But you are counting on rewrite being present to protect your content. Thus, it's better to remove the IfModule directive and let apache tell you when rewrite is not present for you to enable it (or at least know that you won't be 'protected' and consciously comment the lines)
不要使用IfModule来实现您需要的功能。可以将其用于自动索引,因为它可能不存在并且对于该方案不是至关重要的。但是你依靠重写存在来保护你的内容。因此,最好删除IfModule指令,并让apache告诉你何时不存在重写以启用它(或者至少知道你不会被“保护”并有意识地评论这些行)
-
No need to use rewrite there if you have access to main configuration files, much easier would be one of
如果您可以访问主配置文件,则无需使用重写,更容易使用
<DirectoryMatch \.svn> Order allow,deny Deny from all </DirectoryMatch>
which will generate 403 Forbidden (which is better from HTTP compliance point of view) or, if you want to take the security by obscurity route, use AliasMatch
这将生成403 Forbidden(从HTTP合规性角度来看更好),或者,如果您想通过默认路由获取安全性,请使用AliasMatch
AliasMatch \.svn /non-existant-page
If you don't have access to main configuration files you're left with hoping mod_rewrite is enabled for usage in .htaccess.
如果您无法访问主配置文件,那么您希望在.htaccess中启用mod_rewrite。
#2
7
This can be achieved server-wide (recommended), on a single virtual-host basis, or even inside .htaccess files if your server is somewhat permissive with what is allowed in them. The specific configuration you need is:
这可以在服务器范围内(推荐),在单个虚拟主机的基础上实现,或者甚至在.htaccess文件内实现,如果您的服务器对它们允许的内容有些宽容。您需要的具体配置是:
RewriteEngine On
RewriteRule /\.svn /some-non-existant-404-causing-page
<IfModule autoindex_module>
IndexIgnore .svn
</IfModule>
The first section requires mod_rewrite. It forces any requests with "/.svn" in them (ie. any request for the directory, or anything inside the directory) to be internally redirected to a non-existant page on your website. This is completely transparent to the end-user and undetectable. It also forces a 404 error, as if your .svn folders just disappeared.
第一部分需要mod_rewrite。它会强制任何带有“/.svn”的请求(即对目录的任何请求,或目录中的任何内容)在内部重定向到您网站上不存在的页面。这对最终用户完全透明且不可检测。它还会强制产生404错误,就像您的.svn文件夹刚刚消失一样。
The second section is purely cosmetic, and will hide the .svn folders from the autoindex module if it is activated. This is a good idea too, just to keep curious souls from getting any ideas.
第二部分纯粹是装饰性的,如果激活了自动索引模块,它将隐藏.svn文件夹。这也是一个好主意,只是为了让好奇的灵魂得不到任何想法。
#3
7
In the same situation, I used RedirectMatch, for two reasons. Primarily, it was the only method I could find that was allowed in .htaccess on that server with a fairly restrictive config that I couldn't modify. Also I consider it cleanest, because it allows me to tell Apache that yes, there's a file there, but just pretend it's not when serving, so return 404 (as opposed to 403 which would expose things that website viewers shouldn't be aware of).
在同样的情况下,我使用RedirectMatch,原因有两个。首先,它是我能找到的唯一方法,在该服务器上的.htaccess中允许使用相当严格的配置,我无法修改。另外我认为它最干净,因为它允许我告诉Apache是的,那里有一个文件,但只是假装它不是在服务时,所以返回404(而不是403会暴露网站浏览者不应该知道的东西) )。
I now consider the following as a standard part of my .htaccess files:
我现在将以下内容视为我的.htaccess文件的标准部分:
## Completely hide some files and directories. RedirectMatch 404 "(?:.*)/(?:[.#].*)$" RedirectMatch 404 "(?:.*)~$" RedirectMatch 404 "(?:.*)/(?:CVS|RCS|_darcs)(?:/.*)?$"
#4
5
I use the following which returns a simple 404 to the user, not revealing that the source control directory actually exists:
我使用以下命令向用户返回一个简单的404,而不是显示源控件目录实际存在:
RedirectMatch 404 /\.(svn|git)(/|$)
RedirectMatch 404 /\。(svn | git)(/|)
#5
4
There is an interesting approach I use: the checkout (and update) is done on a completely separate directory (possibly on a completely separate machine), and then the code is copied to where the webserver will read it with rsync. An --exclude rule on the rsync command line is used to make it not copy any .svn (and CVS) diretories, while a --delete-excluded makes sure they will be removed even if they were copied before.
我使用了一种有趣的方法:checkout(和更新)在一个完全独立的目录上完成(可能在一个完全独立的机器上),然后将代码复制到webserver将用rsync读取的位置。 rsync命令行上的--exclude规则用于使其不复制任何.svn(和CVS)指令,而--delete-excluded确保它们将被删除,即使它们之前已被复制。
Since both svn update and rsync do incremental transfers, this is quite fast even for larger sites. It also allows you to have your repository behind a firewall. The only caveat is that you must move all directories with files generated on the server (such as the files/ directory on Drupal) to a place outside the rsync target directory (rsync will overwrite everything when used this way), and the symlink to it must be created in the rsync source directory. The rsync source directory can have other non-versioned files too (like machine-specific configuration files).
由于svn update和rsync都进行增量传输,因此即使对于较大的站点也是如此。它还允许您将您的存储库置于防火墙之后。唯一需要注意的是,必须将服务器上生成的文件(例如Drupal上的files /目录)的所有目录移动到rsync目标目录之外的位置(rsync将以这种方式覆盖所有内容),并对其进行符号链接必须在rsync源目录中创建。 rsync源目录也可以包含其他非版本化文件(如机器特定的配置文件)。
The full set of rsync parameters I use is
我使用的全套rsync参数是
rsync -vv --rsh='ssh -l username' -rltzpy --exclude .svn/ --exclude CVS/ --exclude Attic/ --delete-after --delete-excluded --chmod=og-w,Fa-x
Even then, for redundancy, I still have a configuration rule to prevent .svn from being accessed, copied from a Debian default rule which prevents .ht* (.htaccess, .htpasswd) from being accesed.
即便如此,为了实现冗余,我仍然有一个配置规则来阻止.svn被访问,从Debian默认规则复制,该规则阻止.ht *(。htaccess,.htpasswd)被接收。
#6
3
Hiding the directories as Vinko says should work. But it would probably be simpler to use svn export instead of svn co. This should not generate the .svn directories.
像Vinko说的那样隐藏目录应该可行。但是使用svn export而不是svn co可能更简单。这不应该生成.svn目录。
#7
3
Consider deploying live code using your operating system's package management tools, rather than directly from your VCS. This will let you ensure your live packages don't contain metadata directories, or other potentially sensitive tools and data.
考虑使用操作系统的软件包管理工具部署实时代码,而不是直接从VCS部署。这将使您确保您的实时包不包含元数据目录或其他可能敏感的工具和数据。
#1
38
Two things:
-
Do not use IfModule for functionality you need to be present. It's okay to do it for the autoindex because it might not be present and is not crucial to the scheme. But you are counting on rewrite being present to protect your content. Thus, it's better to remove the IfModule directive and let apache tell you when rewrite is not present for you to enable it (or at least know that you won't be 'protected' and consciously comment the lines)
不要使用IfModule来实现您需要的功能。可以将其用于自动索引,因为它可能不存在并且对于该方案不是至关重要的。但是你依靠重写存在来保护你的内容。因此,最好删除IfModule指令,并让apache告诉你何时不存在重写以启用它(或者至少知道你不会被“保护”并有意识地评论这些行)
-
No need to use rewrite there if you have access to main configuration files, much easier would be one of
如果您可以访问主配置文件,则无需使用重写,更容易使用
<DirectoryMatch \.svn> Order allow,deny Deny from all </DirectoryMatch>
which will generate 403 Forbidden (which is better from HTTP compliance point of view) or, if you want to take the security by obscurity route, use AliasMatch
这将生成403 Forbidden(从HTTP合规性角度来看更好),或者,如果您想通过默认路由获取安全性,请使用AliasMatch
AliasMatch \.svn /non-existant-page
If you don't have access to main configuration files you're left with hoping mod_rewrite is enabled for usage in .htaccess.
如果您无法访问主配置文件,那么您希望在.htaccess中启用mod_rewrite。
#2
7
This can be achieved server-wide (recommended), on a single virtual-host basis, or even inside .htaccess files if your server is somewhat permissive with what is allowed in them. The specific configuration you need is:
这可以在服务器范围内(推荐),在单个虚拟主机的基础上实现,或者甚至在.htaccess文件内实现,如果您的服务器对它们允许的内容有些宽容。您需要的具体配置是:
RewriteEngine On
RewriteRule /\.svn /some-non-existant-404-causing-page
<IfModule autoindex_module>
IndexIgnore .svn
</IfModule>
The first section requires mod_rewrite. It forces any requests with "/.svn" in them (ie. any request for the directory, or anything inside the directory) to be internally redirected to a non-existant page on your website. This is completely transparent to the end-user and undetectable. It also forces a 404 error, as if your .svn folders just disappeared.
第一部分需要mod_rewrite。它会强制任何带有“/.svn”的请求(即对目录的任何请求,或目录中的任何内容)在内部重定向到您网站上不存在的页面。这对最终用户完全透明且不可检测。它还会强制产生404错误,就像您的.svn文件夹刚刚消失一样。
The second section is purely cosmetic, and will hide the .svn folders from the autoindex module if it is activated. This is a good idea too, just to keep curious souls from getting any ideas.
第二部分纯粹是装饰性的,如果激活了自动索引模块,它将隐藏.svn文件夹。这也是一个好主意,只是为了让好奇的灵魂得不到任何想法。
#3
7
In the same situation, I used RedirectMatch, for two reasons. Primarily, it was the only method I could find that was allowed in .htaccess on that server with a fairly restrictive config that I couldn't modify. Also I consider it cleanest, because it allows me to tell Apache that yes, there's a file there, but just pretend it's not when serving, so return 404 (as opposed to 403 which would expose things that website viewers shouldn't be aware of).
在同样的情况下,我使用RedirectMatch,原因有两个。首先,它是我能找到的唯一方法,在该服务器上的.htaccess中允许使用相当严格的配置,我无法修改。另外我认为它最干净,因为它允许我告诉Apache是的,那里有一个文件,但只是假装它不是在服务时,所以返回404(而不是403会暴露网站浏览者不应该知道的东西) )。
I now consider the following as a standard part of my .htaccess files:
我现在将以下内容视为我的.htaccess文件的标准部分:
## Completely hide some files and directories. RedirectMatch 404 "(?:.*)/(?:[.#].*)$" RedirectMatch 404 "(?:.*)~$" RedirectMatch 404 "(?:.*)/(?:CVS|RCS|_darcs)(?:/.*)?$"
#4
5
I use the following which returns a simple 404 to the user, not revealing that the source control directory actually exists:
我使用以下命令向用户返回一个简单的404,而不是显示源控件目录实际存在:
RedirectMatch 404 /\.(svn|git)(/|$)
RedirectMatch 404 /\。(svn | git)(/|)
#5
4
There is an interesting approach I use: the checkout (and update) is done on a completely separate directory (possibly on a completely separate machine), and then the code is copied to where the webserver will read it with rsync. An --exclude rule on the rsync command line is used to make it not copy any .svn (and CVS) diretories, while a --delete-excluded makes sure they will be removed even if they were copied before.
我使用了一种有趣的方法:checkout(和更新)在一个完全独立的目录上完成(可能在一个完全独立的机器上),然后将代码复制到webserver将用rsync读取的位置。 rsync命令行上的--exclude规则用于使其不复制任何.svn(和CVS)指令,而--delete-excluded确保它们将被删除,即使它们之前已被复制。
Since both svn update and rsync do incremental transfers, this is quite fast even for larger sites. It also allows you to have your repository behind a firewall. The only caveat is that you must move all directories with files generated on the server (such as the files/ directory on Drupal) to a place outside the rsync target directory (rsync will overwrite everything when used this way), and the symlink to it must be created in the rsync source directory. The rsync source directory can have other non-versioned files too (like machine-specific configuration files).
由于svn update和rsync都进行增量传输,因此即使对于较大的站点也是如此。它还允许您将您的存储库置于防火墙之后。唯一需要注意的是,必须将服务器上生成的文件(例如Drupal上的files /目录)的所有目录移动到rsync目标目录之外的位置(rsync将以这种方式覆盖所有内容),并对其进行符号链接必须在rsync源目录中创建。 rsync源目录也可以包含其他非版本化文件(如机器特定的配置文件)。
The full set of rsync parameters I use is
我使用的全套rsync参数是
rsync -vv --rsh='ssh -l username' -rltzpy --exclude .svn/ --exclude CVS/ --exclude Attic/ --delete-after --delete-excluded --chmod=og-w,Fa-x
Even then, for redundancy, I still have a configuration rule to prevent .svn from being accessed, copied from a Debian default rule which prevents .ht* (.htaccess, .htpasswd) from being accesed.
即便如此,为了实现冗余,我仍然有一个配置规则来阻止.svn被访问,从Debian默认规则复制,该规则阻止.ht *(。htaccess,.htpasswd)被接收。
#6
3
Hiding the directories as Vinko says should work. But it would probably be simpler to use svn export instead of svn co. This should not generate the .svn directories.
像Vinko说的那样隐藏目录应该可行。但是使用svn export而不是svn co可能更简单。这不应该生成.svn目录。
#7
3
Consider deploying live code using your operating system's package management tools, rather than directly from your VCS. This will let you ensure your live packages don't contain metadata directories, or other potentially sensitive tools and data.
考虑使用操作系统的软件包管理工具部署实时代码,而不是直接从VCS部署。这将使您确保您的实时包不包含元数据目录或其他可能敏感的工具和数据。