I wish to keep my website(s) in version control (Subversion in particular) and use
svn co to update it when there are stable versions to update to, but I am worried about the safety of doing this, as all of the
.svn folders are going to be public, exposing a variety of private data, most notably the complete source code of my website!
Is there anything I can do to avoid this?
A couple of things:
Don't use IfModule for functionality that you need to be present. It's okay to do it for the autoindex because it may not be present and isn't essential to the plan. But you're relying on rewrite being there to safeguard your content. Thus, it's better to take away the IfModule directive and let Apache tell you when rewrite isn't present so that you can enable it (or at least realize that you will not be 'protected' and purposely comment the lines out).
You don't need to use rewrite there if you have access to the main configuration files; much simpler would be one of
    <DirectoryMatch "\.svn">
        Order allow,deny
        Deny from all
    </DirectoryMatch>
which will generate 403 Forbidden (which is better from an HTTP compliance perspective) or, if you want to take the security-by-obscurity route, use AliasMatch
    AliasMatch \.svn /non-existant-page
Without access to the main configuration files you are left hoping mod_rewrite is enabled for use in .htaccess.
This can be accomplished server-wide (recommended), on a per-virtual-host basis, or even inside
.htaccess files if your server is somewhat permissive about what is allowed in them. The actual configuration you need is:
    RewriteEngine On
    RewriteRule /\.svn /some-non-existant-404-leading-to-page
    <IfModule autoindex_module>
        IndexIgnore .svn
    </IfModule>
The first section requires
mod_rewrite. It forces any requests with "/.svn" in them (i.e. any request for the directory, or anything within the directory) to be internally redirected to a non-existent page on your website. This is completely transparent to the end user and undetectable. It also forces a 404 error, as though your
.svn folders just disappeared.
The second section is purely cosmetic, and will hide the
.svn folders from the autoindex module if it's triggered. This is a good idea too, just to keep curious souls from getting any ideas.
There's an interesting approach I use: the checkout (and update) is performed in a completely separate directory (possibly on a completely separate machine), and then the code is copied to where the webserver will read it with rsync. An --exclude rule on the rsync command line is used to make it not copy any .svn (and CVS) directories, while --delete-excluded ensures they'll be removed even if they were copied before.
Since both svn update and rsync do incremental transfers, this is quite fast for bigger sites. It also enables you to have your repository behind a firewall. The only caveat is that you must move all directories with files produced on the server (such as the files/ directory on Drupal) to a place outside the rsync target directory (rsync will overwrite everything when used this way), and the symlink to it must be created in the rsync source directory. The rsync source directory can have other non-versioned files too (like machine-specific configuration files).
The full set of rsync parameters I use is
    rsync -vv --rsh='ssh -l username' -rltzpy --exclude .svn/ --exclude CVS/ --exclude Attic/ --delete-after --delete-excluded --chmod=og-w,Fa-x
Even so, for redundancy, I have a configuration rule to prevent .svn from being accessed, copied from the Debian default rule which prevents .ht* (.htaccess, .htpasswd) from being accessed.
Consider deploying live code using your operating system's package management tools, rather than from your VCS. That way you can be sure that your live packages don't contain metadata directories, or other potentially sensitive tools and data.
Hiding the directories as Vinko says should work. However, it would probably be better to use svn export instead of svn co. That will not create the .svn directories.
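Whichever of the approaches in this thread you pick (blocking .svn in the Apache configuration, rsync with --exclude and --delete-excluded, or svn export), it is worth verifying the result on the deployed tree rather than trusting the procedure. The following POSIX shell script is an added example and is not code from any of the answers above: it lists VCS metadata directories that ended up under a document root, and, when given a base URL, fetches the most revealing file in each one with curl and expects the 403 or 404 the Apache rules above produce. The document root and base URL are placeholders, and the .git, .hg and .bzr names are an assumption of this example; the thread itself only discusses .svn and CVS.

```sh
#!/bin/sh
# Added example, not code from the thread above. Audits a deployed document
# root for version-control metadata that must never be served and, optionally,
# probes the live site for it. Paths and URLs are placeholders (assumptions).

# List every VCS metadata directory under $1, one per line, byte-sorted.
# .svn and CVS are the ones discussed in the thread; .git, .hg and .bzr are
# added here on the assumption that other VCS checkouts are just as dangerous.
find_vcs_metadata() {
    find "${1%/}" -type d \( -name .svn -o -name CVS -o -name .git \
                             -o -name .hg -o -name .bzr \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# Succeed (exit 0) only if no metadata directory was found under $1.
docroot_is_clean() {
    [ -z "$(find_vcs_metadata "$1")" ]
}

# Map a metadata directory to the file an attacker would fetch first:
# .svn/entries lists every versioned file (pre-1.7 layout), CVS/Entries does
# the same for CVS, and .git/HEAD confirms a git checkout is exposed.
probe_file_for() {
    case "$1" in
        */.svn) echo "$1/entries" ;;
        */CVS)  echo "$1/Entries" ;;
        */.git) echo "$1/HEAD" ;;
        *)      echo "$1/" ;;
    esac
}

# Online check: for every metadata directory under $1, request the probe file
# beneath base URL $2 and require 403 or 404 (what the Apache rules in the
# thread produce). Exit 1 if anything comes back with another status, e.g. 200.
# Assumes curl is installed and that paths under the root contain no whitespace.
probe_via_http() {
    root="${1%/}"; base="${2%/}"; leaks=0
    for dir in $(find_vcs_metadata "$root"); do
        rel=$(probe_file_for "$dir")
        rel="${rel#"$root"}"          # path relative to the document root
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$rel")
        case "$code" in
            403|404) echo "ok   $code $base$rel" ;;
            *)       echo "LEAK $code $base$rel"; leaks=$((leaks + 1)) ;;
        esac
    done
    [ "$leaks" -eq 0 ]
}
```

Run the offline part as a post-deploy hook (`docroot_is_clean /var/www/html || exit 1`) so a deploy that leaks metadata fails loudly; run `probe_via_http /var/www/html https://www.example.com` after any change to the Apache configuration, since a typo in the DirectoryMatch or RewriteRule pattern silently removes the protection while the files stay on disk.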