Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples
On 11.04.2013 19:02, Jeff King wrote:
> On Thu, Apr 11, 2013 at 06:47:49PM +0200, Jakub Narębski wrote:
>> On 11.04.2013 05:36, Jeff King wrote:
>>
>>> +Note that unlike the similar setup with Apache, we can easily match the
>>> +query string for receive-pack, catching the initial request from the
>>> +client. This means that the server administrator does not have to worry
>>> +about configuring `http.receivepack` for the repositories (the default
>>> +value, which enables it only in the case of authentication, is
>>> +sufficient).
>>
>> Perhaps it would be worth including for Apache2 beside basic setup that
>> requires http.receivepack set to true, also one like for LigHTTPd, i.e.
>>
>> RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
>> RewriteCond %{REQUEST_URI} /git-receive-pack$
>> RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]
[...]
>> And perhaps also adding it as test...
>
> That was the "I am not clever nor interested in Apache enough to figure
> out how to do this..." part that I wrote. I have no clue if the above
> works, but I'd be happy if you wanted to test it out and submit it as a
> patch on top (I think it could even replace my 1/2, as making it just
> work is a much better solution than having to explain the extra step in
> the documentation).

I don't know if a short description of `http.receivepack`, suitable for
reference documentation, tells a new user how to configure a web server
for pushes.

With `http.receivepack` unset, git (git-http-backend?) will refuse
unauthenticated pushes but allow authenticated ones (though it doesn't
handle authorization). This makes it easy to configure a web server for
fetch (read-only) access via smart HTTP (and you can make it bulletproof
by refusing pushes at all with `http.receivepack` false, isn't it?).

But in this case (`http.receivepack` unset - the default) the web server
must be configured to request authorization for both steps of a push:
requesting references (for coming up with what the repositories have in
common), i.e.

  GET ...?service=git-receive-pack

and the actual sending of data and updating of refs...

  POST .../git-receive-pack

though only the second part is actually writing.

With `http.receivepack` set to true, git (git-http-backend?) allows
anonymous pushes, and it is the responsibility of the web server
configuration to deny unauthorized pushes... but it is sufficient to do
it only for writes, i.e.

  POST .../git-receive-pack

[Now to translate it to manpage or users-manual contents...]

P.S. Do I understand it correctly that `http.receivepack` is three-state:
true (allow all), unset (allow authenticated) and false (deny all)?

P.P.S. It would be better to accept both patches; I don't know when I
would be able to test Apache config; I remember that I had problems with
it...

--
Jakub Narębski
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
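The two-step push exchange and the three `http.receivepack` states discussed in this message, modelled in Python as an added example (not code from the thread or from git). The function names, the `project.git` path and the user `alice` are hypothetical; 401, 403 and 200 stand for the web server's challenge, git-http-backend's refusal of the service, and success.

```python
from urllib.parse import urlsplit, parse_qs

def is_push_request(method, url):
    """True for either step of a smart-HTTP push (ref discovery or data)."""
    parts = urlsplit(url)
    if method == "GET" and parts.path.endswith("/info/refs"):
        return parse_qs(parts.query).get("service") == ["git-receive-pack"]
    return method == "POST" and parts.path.endswith("/git-receive-pack")

def post_only(method, url):
    """Web-server rule that challenges only the writing step."""
    return method == "POST" and urlsplit(url).path.endswith("/git-receive-pack")

def backend_allows_push(receivepack, remote_user):
    """receivepack is True, False, or None for unset (the default)."""
    if receivepack is None:
        return bool(remote_user)  # unset: push only for an authenticated user
    return receivepack

def simulate(method, url, receivepack, protected, credentials=None):
    """Status the client sees. `protected` is the web server's auth rule;
    `credentials` is the user name the client can offer when challenged."""
    remote_user = None
    if protected(method, url):
        if credentials is None:
            return 401             # web server challenges; the CGI never runs
        remote_user = credentials  # web server passes REMOTE_USER to the CGI
    if is_push_request(method, url) and not backend_allows_push(receivepack, remote_user):
        return 403                 # git-http-backend refuses the service
    return 200

# Constructed sample requests for a hypothetical repository project.git
DISCOVER = ("GET", "/git/project.git/info/refs?service=git-receive-pack")
SEND = ("POST", "/git/project.git/git-receive-pack")
FETCH = ("GET", "/git/project.git/info/refs?service=git-upload-pack")

def push_outcome(receivepack, protected, credentials):
    """Statuses of the push steps; the client stops at the first failure."""
    first = simulate(*DISCOVER, receivepack, protected, credentials)
    if first != 200:
        return (first,)
    return (first, simulate(*SEND, receivepack, protected, credentials))

if __name__ == "__main__":
    for label, rp, rule in [("unset, auth on POST only", None, post_only),
                            ("unset, auth on both steps", None, is_push_request),
                            ("true,  auth on POST only", True, post_only)]:
        print(label, push_outcome(rp, rule, "alice"), push_outcome(rp, rule, None))
```

With the setting unset and only the POST protected, even a user who holds valid credentials is refused at ref discovery, because the web server never asked for them on that request.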
Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples
On Thu, Apr 11, 2013 at 06:47:49PM +0200, Jakub Narębski wrote:

> On 11.04.2013 05:36, Jeff King wrote:
>
> > +Note that unlike the similar setup with Apache, we can easily match the
> > +query string for receive-pack, catching the initial request from the
> > +client. This means that the server administrator does not have to worry
> > +about configuring `http.receivepack` for the repositories (the default
> > +value, which enables it only in the case of authentication, is
> > +sufficient).
>
> Perhaps it would be worth including for Apache2 beside basic setup that
> requires http.receivepack set to true, also one like for LigHTTPd, i.e.
>
> RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
> RewriteCond %{REQUEST_URI} /git-receive-pack$
> RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]
>
>
> Order Deny,Allow
> Deny from env=AUTHREQUIRED
>
> AuthType Basic
> AuthName "Git Access"
> Require group committers
>
> Satisfy Any
>
>
> And perhaps also adding it as test...

That was the "I am not clever nor interested in Apache enough to figure
out how to do this..." part that I wrote. I have no clue if the above
works, but I'd be happy if you wanted to test it out and submit it as a
patch on top (I think it could even replace my 1/2, as making it just
work is a much better solution than having to explain the extra step in
the documentation).

-Peff

> --
> Jakub Narębski
Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples
On 11.04.2013 05:36, Jeff King wrote:

> +Note that unlike the similar setup with Apache, we can easily match the
> +query string for receive-pack, catching the initial request from the
> +client. This means that the server administrator does not have to worry
> +about configuring `http.receivepack` for the repositories (the default
> +value, which enables it only in the case of authentication, is
> +sufficient).

Perhaps it would be worth including for Apache2 beside basic setup that
requires http.receivepack set to true, also one like for LigHTTPd, i.e.

  RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
  RewriteCond %{REQUEST_URI} /git-receive-pack$
  RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]

  Order Deny,Allow
  Deny from env=AUTHREQUIRED

  AuthType Basic
  AuthName "Git Access"
  Require group committers

  Satisfy Any

And perhaps also adding it as test...

--
Jakub Narębski
[PATCH 2/2] doc/http-backend: give some lighttpd config examples
The examples in the documentation are all for Apache. Let's
at least cover the basics: an anonymous server, an
authenticated server, and a "half auth" server with
anonymous read and authenticated write.

Signed-off-by: Jeff King
---
I am by no means a lighttpd expert, so there may be better ways to do
some of these. But I did test that they all work as expected.

I was tempted for a moment to provide a mechanism for the t55* tests to
use either lighttpd _or_ apache, so that these could get some automated
testing. But I don't relish the thought of trying to keep both configs
synchronized as people update one or the other.

There are also some advanced setups in the apache part of the doc that I
didn't translate here (e.g., dumb-http fallback, and static serving of
dumb-http files). Mostly because I don't think they are that commonly
used these days, and I do not know enough about lighttpd configuration
to translate them easily. If somebody wants to make a patch on top, they
can.

Documentation/git-http-backend.txt | 55 ++ 1 file changed, 55 insertions(+) diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt index f43980f..cad18ce 100644 --- a/Documentation/git-http-backend.txt +++ b/Documentation/git-http-backend.txt 
@@ -167,6 +167,61 @@ ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/ ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/ +Lighttpd:: + Ensure that `mod_cgi`, `mod_alias, `mod_auth`, `mod_setenv` are + loaded, then set `GIT_PROJECT_ROOT` appropriately and redirect + all requests to the CGI: ++ + +alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend" ) +$HTTP["url"] =~ "^/git" { + cgi.assign = ("" => "") + setenv.add-environment = ( + "GIT_PROJECT_ROOT" => "/var/www/git", + "GIT_HTTP_EXPORT_ALL" => "" + ) +} + ++ +To enable anonymous read access but authenticated write access: ++ + +$HTTP["querystring"] =~ "service=git-receive-pack" { + include "git-auth.conf" +} +$HTTP["url"] =~ "^/git/.*/git-receive-pack$" { + include "git-auth.conf" +} + ++ +where `git-auth.conf` looks something like: ++ + +auth.require = ( + "/" => ( + "method" => "basic", + "realm" => "Git Access", + "require" => "valid-user" + ) +) +# ...and set up auth.backend here + ++ +Note that unlike the similar setup with Apache, we can easily match the +query string for receive-pack, catching the initial request from the +client. This means that the server administrator does not have to worry +about configuring `http.receivepack` for the repositories (the default +value, which enables it only in the case of authentication, is +sufficient). ++ +To require authentication for both reads and writes: ++ + +$HTTP["url"] =~ "^/git/private" { + include "git-auth.conf" +} + + ENVIRONMENT --- -- 1.8.2.rc0.33.gd915649 -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
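Review bot: In the Lighttpd intro line, `mod_alias, is missing its closing backtick, so the module list should read `mod_cgi`, `mod_alias`, `mod_auth`, `mod_setenv`. In the half-auth example the $HTTP["querystring"] condition is not nested under a "^/git" URL match the way the CGI setup is, so it pulls in git-auth.conf for any URL on the server that carries that query string; consider nesting it or stating that this is intended. The last example is introduced as requiring authentication for both reads and writes, but its pattern only matches "^/git/private"; a sentence saying that only repositories under that prefix are covered would keep readers from assuming all of /git is protected.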