On Tue, Apr 09, 2013 at 02:24:26PM +0200, Jakub Narębski wrote: > On 09.04.2013, Magnus Therning wrote: > > > I've been trying to set up git-http-backend+lighttpd. I've managed to > > set up anonymous read-only access, and I then successfully configured > > authentication for both read and write. Then I get stuck. The > > man-page for git-http-backend says that the following snippet can be > > used for Apache 2.x: > > > > <LocationMatch "^/git/.*/git-receive-pack$"> > > AuthType Basic > > AuthName "Git Access" > > Require group committers > > ... > > </LocationMatch> > > > > However, when I put in this match on location in my lighty config and > > try to push I'm not asked for a password, instead I'm greeted with > > > > % git push > > error: The requested URL returned error: 403 Forbidden while > > accessing > http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack > > > > AFAICS this means the man-page is wrong, and that I instead ought to > > match on the "service=git-receive-pack" part. Is that a correct > > conclusion? > > Yes, it is. > > I have tried to do the same anonymous read and authenticated write > in "smart HTTP" access in Apache. There are some proposals[1], > all I think which use mod_rewrite (as LocationMatch doesn't take > query string into account, unfortunately), but I haven't been able > to make it work. > > The problem is that both POST *and GET* (to get refs) must be authethicated. > > Nb. I thought that it was corrected... which git version do you use? 1.8.2 on the server, though 1.8.2.1 is available for the distro I'm using. The discussion you refer to took place in 2010, I doubt any improvement has been made to this in that point release, or am I wrong? > [1]: http://paperlined.org/apps/git/SmartHTTP_Ubuntu.html > > > In the end I have worked around this by allowing all registered users to > read with "require valid-user" (which in my situation might be even more > correct solution; the case being repositories for Computer Science class > lab work), and restricting write via pre-receive hook which checks > REMOTE_USER. I *really* want anonymous RO access so the CI server doesn't need any credentials. I could of course set up git-http-backend to be served on two different URLs, but that's just ugly ;) Luckily I did find a working configuration, which I posted in another email in this thread. /M -- Magnus Therning OpenPGP: 0xAB4DFBA4 email: magnus@xxxxxxxxxxxx jabber: magnus@xxxxxxxxxxxx twitter: magthe http://therning.org/magnus Perl is another example of filling a tiny, short-term need, and then being a real problem in the longer term. -- Alan Kay
Attachment:
pgpzSUZyo7lSp.pgp
Description: PGP signature