-1

Every time I try to clone any repo with TortoiseGit from our remote gogs repo I get 401 (Unauthorized).

Using http://user:pw@ex.ample.com/user/repo.git as checkout url does not work either.
ssh is not an option. Everything works with http auth disabled.

simplified nginx config:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name ex.ample.com;

    location / {
        auth_basic "Restricted Content";
        auth_basic_user_file /var/www/gogs/.htpasswd;
        proxy_pass http://localhost:3000/;
    }
}
```

So my question would be: how do I configure TortoiseGit to send valid http auth?

Edit: seems to only affect private repos, public repos are accessible.
Edit2: pushing to public repos is not possible behind http auth as well.

Solution: https with reverse proxy is behaving oddly, so repo url and push url have to be used with plain http. Probably some nginx tweaking needed here.

MrTux
rndus2r
  • What URLs are you exactly using? `user:pw@ex.ample.com/user/repo.git` won't work, however, `http(s)://user:pw@ex.ample.com/user/repo.git` could work. Despite that, TortoiseGit should ask you for a username and password when required. – MrTux May 02 '18 at 09:01
  • Yes, with the http host in front of the url. TortoiseGit does ask me for name & password, but only for one. It does not ask me for 2 as it is supposed to. (http auth and git account) – rndus2r May 03 '18 at 00:25
  • Just to add, with user:pw in the url it does not ask me for any credentials at all. – rndus2r May 03 '18 at 00:31
  • 2
    Why do you think it should ask for 2 passwords? That doesn't make sense. I assume you're serving this over a dumb http transport? If so, the web server needs to be allowed to modify the git repo. – John Szakmeister May 03 '18 at 00:33
  • 1
    `http://localhost:3000/` does it also request user name and password? If so you can only get one username and password either for your nginx endpoint or your backend git endpoint, else you need to provide an authorization at your nginx config I believe – Tarun Lalwani May 03 '18 at 04:13
  • If your gogs server already asks for credentials, why adding another layout of authentication? – MrTux May 03 '18 at 05:51
  • @JohnSzakmeister Not sure if I'm understanding you. http auth and git user are different, thus, Tortoise should ask me for two auths, no? And yeah, since everything works with http auth disabled, that's fine. – rndus2r May 04 '18 at 00:07
  • @TarunLalwani No, the port is not open, as intended – rndus2r May 04 '18 at 00:08
  • @MrTux gogs server does not ask for credentials, it's nginx basic auth and git user. – rndus2r May 04 '18 at 00:09
  • Earlier your question mentioned that you expected it to ask for two passwords--that's what I was referring to. HTTP auth and the git user are two different things, yes, but if you're serving your repository over plain HTTP then Git is not involved. Moreover, the web server doesn't change users (in fact, it cannot since it doesn't have that privilege and for good reason). So you have to allow the web server read and write access to your repositories, which is generally done by changing the group, giving the group write permission, and making it sticky. – John Szakmeister May 04 '18 at 00:24
  • You might want to take a look at this: https://stackoverflow.com/questions/6414227/how-to-serve-git-through-http-via-nginx-with-user-password – John Szakmeister May 04 '18 at 00:24
  • What happens if you go to the git repo url using your browser on the `/info/refs` page? So `http://user:pw@ex.ample.com/user/repo.git/info/refs` – Ferrybig May 04 '18 at 18:12
  • @JohnSzakmeister It's a private repo, so git is involved for auth. Cloning works for public repos, but pushing does not. See edit1 and 2 in the question. That's why I said it's fine with http auth disabled. This is certainly not a permission problem since everything works with http auth disabled (still serving over http). I will give your suggestion a try, thanks. – rndus2r May 05 '18 at 14:29
  • @Ferrybig It gives me a confirmation popup "login in as http auth user on site" and afterwards asks me for my git credentials. – rndus2r May 05 '18 at 14:29
  • @rndus2r If you fill in the git credentials, do you see a list of branches? If not, that means your configuration is never going to work, as it conflicts on HTTP level between the auth of the different services – Ferrybig May 05 '18 at 14:37
  • @Ferrybig yes I do see the list of branches. – rndus2r May 05 '18 at 17:31
  • So after fiddling around for a bit more I found out that basic auth works well over HTTP, just not HTTPS. I guess from here on this question would suit Server Fault better than SO since this seems to be nginx related most likely unless someone comes up with something. – rndus2r May 08 '18 at 00:42

1 Answer

2

Git is a "stupid content tracker". It just tracks content and does not provide or require any authentication or authorization.

If you want any authentication and/or authorization you need to put it on top somehow.

If you use gogs, you need to configure authentication there or pass the username from your nginx proxy (cf. https://github.com/gogits/gogs/issues/165, https://github.com/gogits/gogs/issues/2170, https://github.com/gogits/gogs/pull/3785, ...).

For other approaches to serve Git using http see How to serve GIT through HTTP via NGINX with user/password? or http://gitolite.com/gitolite/http/.


Old answer:

With basic authentication there can only be one authentication not two or even more.

Only exception is proxy authentication (http status code 407 which is done using a different header).

You could try forwarding your basic auth credentials to your other server by proxying the credentials https://serverfault.com/q/511206/237109 or try to provide static credentials in your nginx config.

MrTux
  • That was an important help in the solution as well - needed to set git and basic auth user to the same creds and use the reverse proxy settings. – rndus2r May 08 '18 at 00:59
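
The two options named in the old answer (forwarding the client's Basic credentials, or supplying static ones), sketched as an added nginx example that is not part of the original answer or the poster's final configuration. Hostname, port and htpasswd path come from the question; the base64 string is a labelled placeholder.

```nginx
# Added example. A request carries exactly one Authorization header, so
# nginx (auth_basic) and Gogs both evaluate the same value.
server {
    listen 80;
    listen [::]:80;
    server_name ex.ample.com;

    location / {
        # Layer 1: nginx checks the header against the htpasswd file.
        auth_basic "Restricted Content";
        auth_basic_user_file /var/www/gogs/.htpasswd;

        proxy_pass http://localhost:3000/;
        proxy_set_header Host $host;

        # Variant A: forward the client's header unchanged.
        # proxy_pass already forwards client request headers by default;
        # the explicit line documents the intent. Gogs then checks the
        # same username/password against its own user database, so the
        # htpasswd entry and the Gogs account must use identical
        # credentials for both layers to accept the request.
        proxy_set_header Authorization $http_authorization;

        # Variant B (use instead of the line above): static backend
        # credentials. nginx authenticates the client itself and then
        # replaces the header with a fixed Gogs account.
        # Consequences: every user who passes layer 1 acts as this one
        # Gogs account, and this file now contains a credential, so it
        # should be readable only by root / the nginx user.
        # Placeholder value: base64 of "gogsuser:gogspassword".
        # proxy_set_header Authorization "Basic PLACEHOLDER_BASE64_CREDENTIALS";
    }
}
```

Basic credentials are only base64-encoded, so with `listen 80` they cross the network in readable form on every request; the same applies to a `user:pw@` URL, which Git also stores in the clone's `.git/config`.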