In this third part of a five-part series on deploying an ecommerce application with Ruby on Rails, you will learn how to configure access to the application so that it is properly secured, and more. This article is excerpted from chapter 12 of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).
Secure Application Deployment with Ruby on Rails
Access Configuration
Letting your web server blindly serve every file under the document root will most likely cause security problems in a production environment. Your web server might serve files containing sensitive information, such as the backup files created by vi and emacs or the metadata files used by Subversion. To deny access to these files, the configuration file (Listing 12-1) defines two rules using url.access-deny: one for backups, as defined in the LightTPD template, and one for Subversion files.
Later in this chapter, we will use Capistrano to deploy the application to production. By default, Capistrano uses the Subversion checkout command when deploying the application to the production machine. Using the Subversion checkout command, instead of the export command, means that the deployment directory will contain .svn directories, which could be served by your web server if someone is smart enough to request them. Here is an example of the information that can be found in .svn/entries:
As highlighted in the example, a hacker can find out the URL of your Subversion server and the user that updated the file.
You can prevent access to all files and folders named .svn using the following rule in the lighttpd configuration file (as described in http://hivelogic.com/articles/2006/04/30/preventing_svn_exposure):
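To show how the two rules from Listing 12-1 fit together in a lighttpd.conf, here is an added configuration fragment (it is not the book's listing and not the hivelogic article's text); the extra suffixes beyond "~" and ".inc" are assumptions of this example, not part of the book's configuration.

```lighttpd
# Added example of the two deny rules, not the book's Listing 12-1.
#
# The stock lighttpd template only blocks editor backups and include files:
#   url.access-deny = ( "~", ".inc" )
# url.access-deny matches the END of the requested URL, so this denies
# /config/database.yml~ but says nothing at all about /.svn/entries.
# ".bak" and ".swp" (vi swap files) are added here as an assumption.
url.access-deny = ( "~", ".inc", ".bak", ".swp" )

# Deny the Subversion metadata that a Capistrano checkout leaves behind.
# The condition is a regular expression on the URL path, so it covers
# .svn at any depth (/.svn/entries, /images/.svn/entries, ...), not
# only the document root. An empty suffix matches every URL inside the
# block, which is what turns the match into a blanket deny (403).
$HTTP["url"] =~ "/\.svn/" {
    url.access-deny = ( "" )
}
```

Run `lighttpd -t -f lighttpd.conf` after editing to catch syntax errors before the server is reloaded, and then request a .svn/entries path on a staging host to confirm it now returns 403 rather than the file.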