From 4c6d30a52c4e30027eb818db1b3d8934fc656f94 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire <bwaegeneire+git@evolix.fr>
Date: Tue, 28 Dec 2021 16:11:20 +0100
Subject: [PATCH] apache: block access to .git* and .env* files

---
 apache/files/evolinux-defaults.conf | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf
index 5e3e4700..65c8c921 100644
--- a/apache/files/evolinux-defaults.conf
+++ b/apache/files/evolinux-defaults.conf
@@ -48,15 +48,23 @@ MaxKeepAliveRequests 10
     Deny from env=GoAway
 </Directory>
 
+<DirectoryMatch "/\.git">
+    # We don't want to let the client know a file exist on the server,
+    # so we return 404 "Not found" instead of 403 "Forbidden".
+    Redirect 404
+</DirectoryMatch>
 
-<Files ~ "\.(inc|bak)$">
-    Require all denied
-</Files>
+# File names starting with
+<FilesMatch "^\.(git|env)">
+    Redirect 404
+</FilesMatch>
 
+# File names ending with
+<FilesMatch "\.(inc|bak)$">
+    Redirect 404
+</FilesMatch>
 
 <LocationMatch "^/evolinux_fpm_status-.*">
     Require all denied
 </LocationMatch>
 
-# Block http request on /.git
-RedirectMatch 404 /\.git