Deny access to .svn directories with IIS
I like using Subversion to deploy web content to production servers. I check in everything while I’m working on the development copy, then check out onto the server when it’s ready.
Subversion creates a
.svn directory contain readable copies of all your files, which is bad for server-processed files like .php or .aspx that you don’t want readable by, say, Google Hackers.
I have thought about this before but when I went to do it I couldn’t find any clear guides online. I did find this question at Server Fault, which is a newish sister of Stack Overflow, which reminds me kind of Experts Exchange but without the suck. Except that in this case the answers sucked. So I figured it out and added my answer and am posting it here too:
“Don’t do it that way” does not answer the question.
Practically, I like having a working copy on the production server, because that way I can make quick changes in production (who has never done that?) and check them back in. It depends on where you want your security/convenience slider, and in many cases this is a good place.
The standard solution in Apacheland is to leave the .svn files there but tell the web server to never serve them. Here’s how to do that with IIS 5 through 7 on Windows NT4 through 2008.
Download and install ISAPI_Rewrite — the Lite version will be enough for this purpose. There are two versions, version 2 and 3. Use ISAPI_Rewrite3 unless you need to support NT4. Also, note the extra IIS features you need to enable for Win 2008.
Warning— the MSI installer may stop and start IIS.
Launch the Helicon->ISAPI_Rewrite3->ISAPI_Rewrite Manager app from the Start Menu. It makes editing the config file (installed in C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf by default) easier, but you can also do it by hand. note, the config file in ISAPI_Rewrite2 is named httpd.ini and is read-only by default.
Add these lines to httpd.conf:
# Deny access to Subversion working copy administrative # directories (.svn) and their contents RewriteRule .*/\.svn\b.* . [F,I,O]
Now, any request for a .svn directory or its contents will result in a 404 Not Found from the server.