On 25/08/12 21:39, Jeff King wrote:
> I think your regex is the culprit. The first request comes in with:
>
>>> GET /git/test.git/info/refs?service=git-receive-pack HTTP/1.1
>
> The odd URL is because we are probing to see if the server even supports
> smart-http. But note that it does not match your regex above, which
> requires "/git-receive-pack". It looks like that is pulled straight from
> the git-http-backend manpage. I think the change in v1.7.8 broke people
> using that configuration.
Yes, it was lifted straight out of the manpage, albeit a couple of years
ago now and there have been additions to the manpage since then.
I did check, and the basic config is identical in the current manpage.
I can't be the only one using a config that's based on the example in
the manpage surely ? So I'm surprised this hasn't come up previously.
> I tend to think the right thing is to fix the configuration (both on
> your system and in the documentation), but we should probably also fix
> git to handle this situation more gracefully, since it used to work and
> has been advertised in the documentation for a long time.
So after some head scratching trying to work out how to do the equivalent of
LocationMatch but on the query string I came up with the following:
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
<Directory /usr/libexec/git-core>
Require ip 10.44.0.0/16
<If "%{THE_REQUEST} =~ /git-receive-pack/">
AuthType Basic
AuthUserFile /data/git/htpasswd
AuthGroupfile /data/git/groups
AuthName "Git Access"
Require group committers
</If>
</Directory>
and I've removed the LocationMatch section completely.
So for accesses to git-http-backend I require auth if anything in the request
includes git-receive-pack and that causes a prompt for the username/password
as required, while at the same time it still allows anonymous pull.
It appears that the clone operation uses
GET /git/test.git/info/refs?service=git-upload-pack HTTP/1.1
to probe for smart-http ? So this would be ok ?
I'm not sure this is ideal, I don't really know enough about the protocol to know
if I'll see git-receive-pack elsewhere. Possibly if someone includes it in the
name of a repo it'll blow up in my face.
I can always change it to match only on QUERY_STRING and put the LocationMatch
back in if that happens.
If that's all that's required, I'm fine with an easy change to httpd.conf
Thanks for the help Jeff.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html