Welcome the company of trees

Git over apache2 https using git-http-backend with gitweb

Revision History
Revision 0.12011-01-26FU
First beta release

Git is a nice distributed version controll system. 2010 a smart http transport was developed for apache2. Much of the documentation relates to the old DAV method. When setting it up on debian the setup is slightly different from the man pages. Here follows a setup that works for me. Tricks and tips to improve the setup is welcomed.

Setting up a bare repository

The first step is to set up a bare repsitory on the server and configure it. Here we choose to place it in /srv/git but use a location of your choise.

cd /srv/git

mkdir [Project].git

cd [Project].git

git --bare init --shared

git config user.name '[Your Name]'

git config user.email '[Your email]'

git config gitweb.owner '[Your Name]'

echo "Project - Description of the project" > description

Set up apache2 to serve the repository

When configuring apache2 one do not need any dav modules for the git-http-backend to work. It runs with CGI. If something is not corectly configured the git-http-backend falls back to the old DAV method and error messages regarding DAV apears on the client.

Creating an SSL enabled site is covered by other tutorials on the web, and here we cover the git part of the configuration. In our case a VirtualHost named git.example.org. Gitweb is configured in this example using an adapted configuration from the git-http-backend man page, Accelerated static Apache 2.x including gitweb.

Warning

Newer versions of git have a problem with this configuration as discussed in the thread git no longer prompting for password on the git mail list. No resolution or update to the documentation at this stage. git version 1.7.10.4 show this behavior too. From further investigation a fix seems to have been merged into 1.7.11.7 with commit 7d9483c299. A version that not yet is available in debian 2013-02-06.

      
	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	# Git configuration
	SetEnv GIT_PROJECT_ROOT /srv/git
	SetEnv GIT_HTTP_EXPORT_ALL
	SetEnv REMOTE_USER REDIRECT_REMOTE_USER
	Alias /gitweb.css /usr/share/gitweb/gitweb.css
	Alias /gitweb.js /usr/share/gitweb/gitweb.js
	Alias /git-favicon.png /usr/share/gitweb/git-favicon.png
	Alias /git-logo.png /usr/share/gitweb/git-logo.png

	AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$          $GIT_PROJECT_ROOT/$1
	AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ $GIT_PROJECT_ROOT/$1
	ScriptAliasMatch \
		"(?x)^/git/(.*/(HEAD | \
			info/refs | \
			objects/info/[^/]+ | \
			git-(upload|receive)-pack))$" \
		/usr/lib/git-core/git-http-backend/$1
	ScriptAlias /git /usr/lib/cgi-bin/gitweb.cgi

	# Git repository
	<LocationMatch "^/git/Project.git/git-receive-pack$">
		# Write access
		AuthType Basic
		AuthName "git repository"
		AuthUserFile /srv/git/git-w.htaccess
		Require valid-user
	</LocationMatch>
#        <Location /git/Project.git>
#               # Read access
#               AuthType Basic
#               AuthName "git repository"
#               AuthUserFile /srv/git/git-r.htaccess
#               Require valid-user
#	</Location>
      
    

Note the use of REDIRECT_REMOTE_USER. REMOTE_USER is in some instances not set on apache2 causing git to fallback to DAV mode, on commit when no user has authorized. Also the paths for the CGI scripts have been adapted.

The repository has been configured as public with protected write rights. If one wants to close the project the commented out section has to be used to protect read rights.

Lastly create the htaccess files for the users. Not that the username does not have to match your configured username in git. More to this in this section.

Set up gitweb to serve selected projects

Now your bare repository should be visisble at the site https://git.example.org/git. To remove protected projects from the website one needs to configure /etc/webgit.conf and add

      
 # Strict viewing
$strict_export = 1;

# Export enabler filename
$export_ok = "webgui-export-ok";
      
    

Now your project should have disapeared form the website again. To pubhlish the site go to the project directory /srv/git/Project.git and create a file webgit-export-ok:

touch
    webgit-export-ok

. Now the project should be visible agian.

Clone the project and push the first changeset

With all set up on the server side it is time to do some work. A git client running on a Debian machine uses the ca-certificate store to check the ssl certificate from the server. You need to install the ssl certificate on the client machine or the CA that was used to create the Apache2 certificate.

If you have a selfsigned certificate this is done like this :

sudo cp certificate.crt
    /usr/local/share/ca-certificates

Notice that the certivicate has to have the extention .crt. Then run

sudo
    update-ca-certificates

.

Now you should be able to clone the repository :

git
    clone https://git.example.com/git/Project.git

As our project is open to the public for reading it the checkout works well without password. Now we can add and change files, commit locally and push the changes back. As we need write rights to push we also need to supply a username to authenticate with.

git remote set-url --push origin
    https://username@git.example.org/git/Project.git

Now pusing changes to the origin

git push origin
    master

should prompt for password. That should be it. Congratulations, you have a https enabled git repository with gitweb.