
Question: Deny access to .git/config (and other existing files)

futureweb

Regular Pleskian
Hey there,

lately there was an article labeled "Massive security problems due to open Git repositories" (Google Translate).
I tried to open some .git/ExistingFile files on Plesk hostings on our servers ... and guess what - all are openly accessible ... (i.e.: https://www.domain.tld/.git/config)

Can we server-wide disable accessing files within the .git directory?
On our non-Plesk servers I normally have

Code:
<DirectoryMatch "^/.*/\.git/">
  Require all denied
</DirectoryMatch>

in the Apache config ... but what's the "best practice approach" on Plesk servers for this?

thx
Andreas
 
I wonder why you have a .git folder in your domain's public folder?

Best practice for the past 10 years or so [for PHP apps at least] is to keep the /vendor folder and other important folders and files outside the public folder.
 
I wonder why you have a .git folder in your domain's public folder?

Not quite an answer to the question, but well ... we are a hosting provider with several Plesk servers hosting thousands of customers; we can't control what and where our customers store their data on their hostings (or force them to use the Plesk Git features ...) - but we are always trying to minimize potential targets on our servers / trying to keep our customers as safe as possible ...
 
Well, ok then.

This reminds me of the same situation related to .svn folders years ago,
and the solution was the same:
in the global Apache config, deny all for any .svn folders.
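A server-wide rule covering both the .git case from the question and the .svn case from the reply above, as an added example that is not from this thread or from Plesk itself; the drop-in file locations and the nginx note are assumptions about a standard Apache/Plesk layout:

```apache
# Server-wide deny rule for version-control metadata directories.
# Assumed drop-in location (standard OS Apache layout, not a Plesk-specific
# path): /etc/apache2/conf-available/deny-vcs.conf on Debian/Ubuntu (enable
# with "a2enconf deny-vcs") or /etc/httpd/conf.d/deny-vcs.conf on RHEL-based
# systems. Plesk regenerates its own vhost files, so the rule must live in a
# file Plesk does not overwrite.

# Apache 2.4 syntax. "(/|$)" matches the .git/.svn directory itself and any
# subdirectory (objects/, refs/, ...), whether or not Apache appends a
# trailing slash to the directory path before matching.
<DirectoryMatch "/\.(git|svn)(/|$)">
    Require all denied
</DirectoryMatch>

# Caveat: Plesk normally runs nginx in front of Apache. If a domain is set to
# serve static files directly from nginx, requests that nginx answers itself
# never reach this rule, so an equivalent "location ~ /\.(git|svn)(/|$) {
# deny all; }" is needed on the nginx side for those domains as well.
# Verify after reloading: a request for /.git/config must return 403.
```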
 