Git over apache2 https using git-http-backend with gitweb
Revision History | ||
---|---|---|
Revision 0.1 | 2011-01-26 | FU |
First beta release |
Git is a nice distributed version controll system. 2010 a smart http transport was developed for apache2. Much of the documentation relates to the old DAV method. When setting it up on debian the setup is slightly different from the man pages. Here follows a setup that works for me. Tricks and tips to improve the setup is welcomed.
Setting up a bare repository
The first step is to set up a bare repsitory on the server and
configure it. Here we choose to place it in /srv/git
but use a location of your
choise.
cd /srv/git
mkdir [Project].git
cd [Project].git
git --bare init --shared
git config user.name '[Your Name]'
git config user.email '[Your email]'
git config gitweb.owner '[Your Name]'
echo "Project - Description of the project" > description
Set up apache2 to serve the repository
When configuring apache2 one do not need any dav modules for the git-http-backend to work. It runs with CGI. If something is not corectly configured the git-http-backend falls back to the old DAV method and error messages regarding DAV apears on the client.
Creating an SSL enabled site is covered by other tutorials on the web, and here we cover the git part of the configuration. In our case a VirtualHost named git.example.org. Gitweb is configured in this example using an adapted configuration from the git-http-backend man page, Accelerated static Apache 2.x including gitweb.
Warning
Newer versions of git have a problem with this configuration as discussed in the thread git no longer prompting for password on the git mail list. No resolution or update to the documentation at this stage. git version 1.7.10.4 show this behavior too. From further investigation a fix seems to have been merged into 1.7.11.7 with commit 7d9483c299. A version that not yet is available in debian 2013-02-06.
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> # Git configuration SetEnv GIT_PROJECT_ROOT /srv/git SetEnv GIT_HTTP_EXPORT_ALL SetEnv REMOTE_USER REDIRECT_REMOTE_USER Alias /gitweb.css /usr/share/gitweb/gitweb.css Alias /gitweb.js /usr/share/gitweb/gitweb.js Alias /git-favicon.png /usr/share/gitweb/git-favicon.png Alias /git-logo.png /usr/share/gitweb/git-logo.png AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ $GIT_PROJECT_ROOT/$1 AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ $GIT_PROJECT_ROOT/$1 ScriptAliasMatch \ "(?x)^/git/(.*/(HEAD | \ info/refs | \ objects/info/[^/]+ | \ git-(upload|receive)-pack))$" \ /usr/lib/git-core/git-http-backend/$1 ScriptAlias /git /usr/lib/cgi-bin/gitweb.cgi # Git repository <LocationMatch "^/git/Project.git/git-receive-pack$"> # Write access AuthType Basic AuthName "git repository" AuthUserFile /srv/git/git-w.htaccess Require valid-user </LocationMatch> # <Location /git/Project.git> # # Read access # AuthType Basic # AuthName "git repository" # AuthUserFile /srv/git/git-r.htaccess # Require valid-user # </Location>
Note the use of
REDIRECT_REMOTE_USER
. REMOTE_USER
is
in some instances not set on apache2 causing git to fallback to
DAV mode, on commit when no user has authorized.
Also the paths for the CGI scripts have been adapted.
The repository has been configured as public with protected write rights. If one wants to close the project the commented out section has to be used to protect read rights.
Lastly create the htaccess files for the users. Not that the username does not have to match your configured username in git. More to this in this section.
Set up gitweb to serve selected projects
Now your bare repository should be visisble at the site https://git.example.org/git. To remove protected
projects from the website one needs to configure
/etc/webgit.conf
and add
# Strict viewing $strict_export = 1; # Export enabler filename $export_ok = "webgui-export-ok";
Now your project should have disapeared form the website again.
To pubhlish the site go to the project directory /srv/git/Project.git
and create a
file webgit-export-ok
:
touch
webgit-export-ok
. Now the project should be visible agian.
Clone the project and push the first changeset
With all set up on the server side it is time to do some work. A git client running on a Debian machine uses the ca-certificate store to check the ssl certificate from the server. You need to install the ssl certificate on the client machine or the CA that was used to create the Apache2 certificate.
If you have a selfsigned certificate this is done like this :
sudo cp certificate.crt
/usr/local/share/ca-certificates
Notice that the
certivicate has to have the extention .crt
. Then run
sudo
update-ca-certificates
.
Now you should be able to clone the repository :
git
clone https://git.example.com/git/Project.git
As our project is open to the public for reading it the checkout works well without password. Now we can add and change files, commit locally and push the changes back. As we need write rights to push we also need to supply a username to authenticate with.
git remote set-url --push origin
https://username@git.example.org/git/Project.git
Now pusing changes to the origin
git push origin
master
should prompt for password. That should be it. Congratulations, you have a https enabled git repository with gitweb.