IIS – Ignoring .svn directories under IIS

iis, svn

We are a web development organization and have recently moved to using subversion for our version control system. Since executing an update is so much faster than doing an export and copying over the files, the developers want to be able to have the production server be a working copy.

The only concern I have with this is all of the .svn files littered across the system, and the fact that some enterprisey individual could, potentially, read the contents of the files in there, possibly giving them information we would rather they did not have.

What is the best/easiest way to prevent IIS from serving up any content from within those .svn directories?

Best Answer

"Don't do it that way" does not answer the question.

Practically, I like having a working copy on the production server, because that way I can make quick changes in production (who has never done that?) and check them back in. It depends on where you want your security/convenience slider, and in many cases this is a good place.

The standard solution in Apacheland is to leave the .svn files there but tell the web server to never serve them. Here's how to do that with IIS 5-7 on Windows 2000-2008.

  1. Download and install ISAPI_Rewrite -- the Lite version will be enough for this purpose. Note extra system requirements for Win 2008. Warning-- the MSI installer stops and starts IIS.

  2. Uncheck the "read only" box on the httpd.ini file's properties. If you used the MSI installer, there's a shortcut to the httpd.ini file in the Start menu under Helicon->ISAPI_Rewrite.

  3. Add these lines to httpd.ini:

ISAPI_Rewrite directives in httpd.ini:

# Deny access to Subversion working copy administrative
#  directories (.svn) and their contents
RewriteRule .*/\.svn\b.* . [F,I,O]

Now, any request for a .svn directory or its contents will result in a 404 Not Found from the server.
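To see which request paths the rule in the answer above covers before relying on it, the pattern can be exercised offline. This is an added example, not part of the original answer or of ISAPI_Rewrite: it assumes Python's `re` behaves like the ISAPI_Rewrite regex engine for this pattern, that the pattern must match the whole URI, and it models the `O` flag as dropping the query string and percent-decoding the path. The names `is_denied`, `audit` and `SAMPLES` are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# Pattern copied from the httpd.ini rule; the I flag is modelled with IGNORECASE.
SVN_RULE = re.compile(r".*/\.svn\b.*", re.IGNORECASE)


def is_denied(request_uri: str) -> bool:
    """Return True if the rule would match (and so deny) this request URI.

    Assumptions, not taken from the original answer: whole-URI matching,
    and the O flag modelled as "strip query string, percent-decode path".
    """
    path = unquote(urlsplit(request_uri).path)
    return SVN_RULE.fullmatch(path) is not None


# Constructed sample requests; none of these come from a real server log.
SAMPLES = [
    "/.svn/entries",                            # working copy at the site root
    "/app/.svn/text-base/web.config.svn-base",  # pristine copy of a config file
    "/app/.SVN/entries",                        # case variant (I flag)
    "/app/%2Esvn/entries",                      # percent-encoded dot (O flag)
    "/app/.svn",                                # directory itself, no trailing slash
    "/app/.svn-old/entries",                    # \b also matches before '-'
    "/docs/.svnignore",                         # not a .svn directory
    "/docs/file.svn",                           # ordinary file with .svn extension
    "/index.aspx?dir=/.svn/",                   # .svn only in the query string
]


def audit(samples):
    """Return (uri, denied) pairs so the result can be reviewed or diffed."""
    return [(uri, is_denied(uri)) for uri in samples]


if __name__ == "__main__":
    for uri, denied in audit(SAMPLES):
        print(f"{'DENY ' if denied else 'serve'}  {uri}")
```

After deploying the rule, requesting one or two of the denied paths against the live site and confirming an error status is returned closes the loop, since the offline check only models the pattern.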
