Block access to .git folders (allow if NGINX_ALLOW_GIT_FOLDERS is set) (#78)

* Refactor common config out of nginx templates.

* Block access to .git folders with ENV to allow.

See #76
pull/79/head^2
Chris McCormick 2019-08-05 16:09:22 +08:00 committed by Rui Carmo
parent afac14862f
commit dca9342b2e
2 changed files with 6 additions and 1 deletion

@ -36,3 +36,4 @@ You can configure deployment settings by placing special variables in an `ENV` f
* `NGINX_CLOUDFLARE_ACL` (boolean): activate an ACL allowing access only from Cloudflare IPs
* `NGINX_STATIC_PATHS`: set an array of `/url:path` values
* `NGINX_HTTPS_ONLY`: tell nginx to auto-redirect non-SSL traffic to SSL site
* `NGINX_ALLOW_GIT_FOLDERS`: (boolean) allow access to `.git` folders (default: false, blocked)
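Review bot: The new `NGINX_ALLOW_GIT_FOLDERS` entry puts `(boolean)` after the colon, while `NGINX_CLOUDFLARE_ACL` three lines above puts it before the colon; match the existing form. Because this setting re-opens access to `.git`, the entry should also say which values count as enabled: the code in this commit checks it with `env.get('NGINX_ALLOW_GIT_FOLDERS')`, which is a plain truthiness test rather than a boolean parse.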

@ -119,6 +119,8 @@ NGINX_COMMON_FRAGMENT = """
$INTERNAL_NGINX_STATIC_MAPPINGS
$NGINX_BLOCK_GIT
location / {
$INTERNAL_NGINX_UWSGI_SETTINGS
proxy_http_version 1.1;
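Review bot: `$NGINX_BLOCK_GIT` sits after `$INTERNAL_NGINX_STATIC_MAPPINGS`, so whether the deny rule covers statically mapped paths depends on what kind of location blocks those mappings expand to, which this hunk does not show. nginx tries regex locations in the order they appear and skips them altogether when the best prefix match is marked `^~`, so a mapping written either way would take precedence over the `.git` rule. Moving `$NGINX_BLOCK_GIT` above the static mappings handles the ordering case, and a test that requests a `.git` path under a `NGINX_STATIC_PATHS` URL and expects a denial would confirm the rest.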
@ -506,7 +508,7 @@ def spawn_app(app, deltas={}):
# Load environment variables shipped with repo (if any)
if exists(env_file):
env.update(parse_settings(env_file, env))
# Override with custom settings (if any)
if exists(settings):
env.update(parse_settings(settings, env))
@ -599,6 +601,8 @@ def spawn_app(app, deltas={}):
echo("-----> Could not retrieve CloudFlare IP ranges: {}".format(format_exc()), fg="red")
env['NGINX_ACL'] = " ".join(acl)
env['NGINX_BLOCK_GIT'] = "" if env.get('NGINX_ALLOW_GIT_FOLDERS') else "location ~ /\.git { deny all; }"
env['INTERNAL_NGINX_STATIC_MAPPINGS'] = ''
# Get a mapping of /url:path1,/url2:path2
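Review bot: On the `env['NGINX_BLOCK_GIT']` line, `env.get('NGINX_ALLOW_GIT_FOLDERS')` is a truthiness test, so if settings reach `env` as strings then `NGINX_ALLOW_GIT_FOLDERS=false` or `=0` would remove the block, the opposite of what the README's "(boolean) ... default: false" suggests. Compare the value against an explicit set of accepted true values instead. Two smaller points on the same line: the pattern `/\.git` is unanchored and also matches paths such as `/.github` and `/.gitignore`, so something like `/\.git(/|$)` is needed if only `.git` folders are meant (or the README should say the wider match is intended); and `"\."` in a non-raw Python string is an invalid escape sequence that raises a DeprecationWarning, so use a raw string or `\\.`.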