On Tue, Apr 09, 2013 at 07:45:53AM +0200, Magnus Therning wrote:

> I've been trying to set up git-http-backend+lighttpd. I've managed to
> set up anonymous read-only access, and I then successfully configured
> authentication for both read and write. Then I get stuck. The
> man-page for git-http-backend says that the following snippet can be
> used for Apache 2.x:
>
> <LocationMatch "^/git/.*/git-receive-pack$">
>     AuthType Basic
>     AuthName "Git Access"
>     Require group committers
> </LocationMatch>
>
> However, when I put in this match on location in my lighty config and
> try to push I'm not asked for a password, instead I'm greeted with
>
> % git push
> error: The requested URL returned error: 403 Forbidden while accessing

Something in your config is blocking access to info/refs there. It
should not be the block shown above, which handles only the actual POST
of the data. The sequence of http requests made is:

  1. GET $repo/info/refs?service=git-receive-pack

     This makes initial contact and gets the ref information which push
     uses to decide what it is going to push. So it is read-only, and in
     an anonymous-read setup, does not need to be protected.

  2. POST $repo/git-receive-pack

     This actually pushes up the objects and updates the refs, and
     must be protected.

The setup listed above does work with apache; it is tested as part of
our test suite (you can see the actual config in t/lib-httpd/apache.conf).
So what in lighttpd is giving us the 403? Can you share your whole

> AFAICS this means the man-page is wrong, and that I instead ought to
> match on the "service=git-receive-pack" part. Is that a correct

No. It is not a bad idea to _also_ match on info/refs, but I think it's
a little trickier (you need to reliably match the query string to
differentiate it from a fetch, which IIRC is a little hard in apache, at

But if you drop the protections on "/git-receive-pack$", then an
attacker can just POST whatever they want into your repository.
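
The two-request push sequence described above, modelled as an added example that is not part of the original message and is not git's or lighttpd's own code: it applies the man-page path rule and, optionally, the extra info/refs rule with a parsed query string. The repository path, the `INFO_REFS` pattern, and the names `needs_auth`, `audit` and `protect_info_refs` are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Same pattern as the LocationMatch block quoted from the man page.
RECEIVE_PACK = re.compile(r"^/git/.*/git-receive-pack$")
# Optional extra rule discussed in the reply (hypothetical pattern).
INFO_REFS = re.compile(r"^/git/.*/info/refs$")


def needs_auth(url, protect_info_refs=False):
    """Return True if the request for `url` must be authenticated."""
    parts = urlsplit(url)
    if RECEIVE_PACK.match(parts.path):
        # Request 2: the POST that uploads objects and updates refs.
        return True
    if protect_info_refs and INFO_REFS.match(parts.path):
        # Request 1: parse the query string rather than substring-matching
        # it, so only a real service=git-receive-pack parameter counts.
        # Any matching value requires auth (fail closed on duplicates).
        return "git-receive-pack" in parse_qs(parts.query).get("service", [])
    return False


# Constructed sample requests for a made-up repository path.
SAMPLE = [
    ("GET", "/git/project.git/info/refs?service=git-upload-pack"),
    ("GET", "/git/project.git/info/refs?service=git-receive-pack"),
    ("GET", "/git/project.git/info/refs?x=service=git-receive-pack"),
    ("POST", "/git/project.git/git-upload-pack"),
    ("POST", "/git/project.git/git-receive-pack"),
]


def audit(protect_info_refs):
    """Map each sample request to its auth decision under one policy."""
    return [(m, u, needs_auth(u, protect_info_refs)) for m, u in SAMPLE]


if __name__ == "__main__":
    for label, flag in (("man-page rule only", False), ("plus info/refs", True)):
        print(label)
        for method, url, protected in audit(flag):
            print(f"  {'AUTH' if protected else 'anon'}  {method} {url}")
```

Under either policy the POST to git-receive-pack stays protected; the optional rule only moves the credential prompt forward to the initial info/refs request for a push.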