1

I am in the process of converting an Ubuntu private git repo from SSH access to smart HTTP via Apache.

Currently the client's .git/config contains:

```
url = https://some-domain/git/my-project.git
```

When accessed via:

```
git remote -v show origin
```

The server reports:

.../apache2/error.log

```
AH00027: No authentication done but request not allowed without authentication for /git/my-project.git/info/refs. Authentication not configured?
```

.../apache2/access.log

```
"GET /git/my-project.git/info/refs?service=git-upload-pack HTTP/1.1" 500 5387 "-" "git/2.30.0"
```

Git-relevant parts of the Apache configuration:

```apache
SetEnv GIT_PROJECT_ROOT /path-to-repo
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
Alias /git /path-to-repo
RewriteRule ^/repo-root/ - [E=AUTHREQUIRED:yes]
<Directory "/path-to-repo/">
    AuthType Basic
    AuthName "Private Git Access"
    AuthUserFile /path-to-auth-file
    Require valid-user
</Directory>
<Directory /usr/lib/git-core>
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    AllowOverride None
    AuthUserFile /path-to-auth-file
    Require valid-user
</Directory>
```

The auth file exists and is world-readable.

Questions:

  1. Why doesn't it prompt for a user and pw?
  2. What is the difference between requiring a valid user for the git repo directory, and the git-core directory? Are both needed?
  3. If validated by apache, will the credentials be passed to git?
  4. The "Require valid-user" directives are requiring authentication for access to the apache server; but if I want to use a git credential helper, should the apache access be to allow any?
Gary Aitken
  • Note that this is all happening within apache, long before Git ever gets involved. Git doesn't get used until apache itself runs `git upload-pack`. There's no authorization at all on the Git end: it just runs (or doesn't if apache doesn't authenticate you first), and then obeys its input. – torek Mar 14 '22 at 07:45

2 Answers

1

To complement my previous answer, the AuthUserFile I usually set up is in a Location directive, for /git, not Directory /path-to-repo.

See this as an example.

```apache
<Location /git>
  AuthType Basic
  AuthName "Private Git Access"
  AuthUserFile "/etc/git-auth-file"
  Require valid-user
</Location>
```
VonC
  • https://httpd.apache.org/docs/2.4/sections.html – Gary Aitken Mar 14 '22 at 03:40
  • Thanks, I was trying to follow the advice on the apache page regarding "what to use when": https://httpd.apache.org/docs/2.4/sections.html. I thought the alias directive was just that, similar to a shell alias; I see after reading the apache description that it is not. Thanks. – Gary Aitken Mar 14 '22 at 03:55
  • It appears that neither the RewriteRule, the , nor the parts are necessary. That is, it's working with only the ScriptAlias, Alias, and directives. Does that make sense, or do I have something else (a security hole?) messed up? The /git directory is outside of the normal web root. – Gary Aitken Mar 14 '22 at 04:38
  • @GaryAitken Location /git is not about a folder, but the path in the URL. (https://serverfault.com/a/196964/783) – VonC Mar 14 '22 at 06:42
  • That was a typo, I meant . The question remains: if the git repo is outside of the normal http data hierarchy, is all that is needed the ScriptAlias, Alias, and directives? That appears to be the case in my installation, but I want to make sure I'm not overlooking something. – Gary Aitken Mar 14 '22 at 16:25
  • @GaryAitken to my knowledge, yes, alias and location are enough. – VonC Mar 14 '22 at 17:13
1

Ok, my solution, arrived at thanks to help from VonC above, just so it's a little clearer for others:

In the case where the git repository is not in the normal apache web page tree, this is what is required:

```apache
SetEnv GIT_PROJECT_ROOT /path-to-git-repo
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
Alias /git /path-to-git-repo
<Location "/git">
    AuthType Basic
    AuthName "git-developers-private"
    AuthUserFile /path-to-auth-file
    Require valid-user
</Location>
```
Gary Aitken
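A log check for the "security hole?" concern raised in the comments, added here as an example and not code from either poster: it flags any request under /git/ that Apache served without an authenticated user. It assumes the combined access-log format and the /git/ URL prefix from the posts; the function name `audit` and the sample lines are constructed.

```python
import re

# Apache "combined" log line: host ident authuser [time] "request" status bytes ...
LINE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def audit(lines, prefix="/git/"):
    """Return (verdict, user, status, path) for every request under prefix."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue  # unparseable line or not a git URL
        status, user = int(m["status"]), m["user"]
        if status == 401:
            verdict = "challenge"        # Basic auth prompt sent; expected first round trip
        elif status >= 500:
            verdict = "server-error"     # the question's failure shows up as a 500
        elif status < 400 and user == "-":
            verdict = "UNAUTHENTICATED"  # content served with no authenticated user
        elif status < 400:
            verdict = "ok"               # served to an authenticated user
        else:
            verdict = "denied"
        findings.append((verdict, user, status, m["path"]))
    return findings

# Constructed sample data (assumed host, user name and byte counts).
REFS = "/git/my-project.git/info/refs?service=git-upload-pack"

def _line(user, path, status):
    return (f'192.0.2.10 - {user} [14/Mar/2022:03:00:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "git/2.30.0"')

SAMPLE = [
    _line("-", REFS, 401),                        # anonymous request gets challenged
    _line("dev1", REFS, 200),                     # retry with credentials succeeds
    _line("-", REFS, 500),                        # misconfigured auth, as in the question
    _line("-", "/git/my-project.git/HEAD", 200),  # repo file served anonymously
    _line("-", "/index.html", 200),               # outside /git/, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Any `UNAUTHENTICATED` row means some path under /git/ is reachable without the `Require valid-user` check applying to it.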