I have been having this annoying issue where I needed to open SSH up to the internet in order to allow authenticated push with a centralized git server. After hours and hours of trying to master anonymous pull and authenticated push over HTTP, I finally made it. Here goes:
Set the project root (the directory that holds your git repositories) and export every repository under it:
SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL
Next we have to map the git HTTP backend to a URL:
# Enable git-http-backend
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
Get mod_rewrite to set an environment variable on push:
# Enable mod_rewrite
RewriteEngine On
# Detect git push
RewriteCond %{QUERY_STRING} service=git-receive-pack [OR,NC]
RewriteCond %{REQUEST_URI} ^/git/.*/git-receive-pack$ [NC]
RewriteRule .* - [E=AUTHREQUIRED:yes]
Demand auth on /git when pushing, using a Location block:
<Location /git>
# Allow everyone, but deny when AUTHREQUIRED is set (with Order Allow,Deny a matching Deny wins)
Order Allow,Deny
Deny from env=AUTHREQUIRED
Allow from all
# Satisfy either Allow/Deny or Require valid-user
Satisfy Any
# Auth info
AuthType Basic
AuthName "Git Access"
# Password file created with htpasswd
AuthUserFile /etc/httpd/conf.d/passwd
Require valid-user
</Location>
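
To check which requests the two RewriteCond lines above flag, here is a small Python model of them, run over the requests git's smart HTTP protocol sends for a fetch and for a push. This is an added example, not part of the original configuration; the repository name project.git and the helper names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Python equivalents of the two RewriteCond patterns ([NC] -> IGNORECASE).
QUERY_COND = re.compile(r"service=git-receive-pack", re.IGNORECASE)
URI_COND = re.compile(r"^/git/.*/git-receive-pack$", re.IGNORECASE)


def auth_required(request_target: str) -> bool:
    """Return True when the rewrite rules would set AUTHREQUIRED."""
    parts = urlsplit(request_target)
    # %{QUERY_STRING} excludes the leading "?"; %{REQUEST_URI} is the path only.
    # The two conditions are joined with [OR], so either match is enough.
    return bool(QUERY_COND.search(parts.query) or URI_COND.search(parts.path))


# Constructed sample: the requests a git client makes for a clone/fetch
# (upload-pack) and for a push (receive-pack) against a hypothetical repo.
SAMPLE_REQUESTS = [
    ("GET", "/git/project.git/info/refs?service=git-upload-pack"),
    ("POST", "/git/project.git/git-upload-pack"),
    ("GET", "/git/project.git/info/refs?service=git-receive-pack"),
    ("POST", "/git/project.git/git-receive-pack"),
]


def classify(requests):
    """Label each (method, target) pair as 'auth' or 'anonymous'."""
    return [
        (method, target, "auth" if auth_required(target) else "anonymous")
        for method, target in requests
    ]


if __name__ == "__main__":
    for method, target, decision in classify(SAMPLE_REQUESTS):
        print(f"{decision:9} {method:4} {target}")
```

Both push requests (the info/refs discovery and the receive-pack POST) must come out as "auth"; if only one did, a push would either fail halfway or skip the password prompt on one of its two steps.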