Deny access to .git, deploy/, and deploy-pull.sh

Prevents leaking repo history, the docker-compose / nginx config, and the auto-pull script via the publicly served root. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 01:43:09 +08:00
parent 8ea175fa78
commit 08d253cdb6
1 changed files with 6 additions and 0 deletions
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -7,6 +7,12 @@ server {

    charset utf-8;

+    # Deny access to repo metadata, deploy scripts/configs, and dotfiles
+    location ~ /\.git { deny all; return 404; }
+    location ~ /\.    { deny all; return 404; }
+    location ^~ /deploy/   { deny all; return 404; }
+    location = /deploy-pull.sh { deny all; return 404; }
+
    location = / {
        try_files /facere.html =404;
    }