git, apache, smart-http, ubuntu, convert from SSH access, does not ask for user, password

212 views Asked by At

In the process of converting a ubuntu private git repo from ssh access to smart http via apache.

Currently client .git/config contains:

url = https://some-domain/git/my-project.git

When assessed via:

git remote -v show origin

The server reports:

.../apache2/error.log
AH00027: No authentication done but request not allowed without authentication for /git/my-project.git/info/refs. Authentication not configured?
.../apache2/access.log
"GET /git/my-project.git/info/refs?service=git-upload-pack HTTP/1.1" 500 5387 "-" "git/2.30.0"

Apache configuration git relevant parts:

SetEnv GIT_PROJECT_ROOT /path-to-repo
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
Alias /git /path-to-repo
RewriteRule ^/repo-root/ - [E=AUTHREQUIRED:yes]
<Directory "/path-to-repo/">
    AuthType Basic
    AuthName "Private Git Access"
    AuthUserFile /path-to-auth-file
    Require valid-user
</Directory>
<Directory /usr/lib/git-core>
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    AllowOverride None
    AuthUserFile /path-to-auth-file
    Require valid-user
</Directory>

The auth file exists and is world-readable.

Questions:

  1. Why doesn't it prompt for a user and pw?
  2. What is the difference between requiring a valid user for the git repo directory, and the git-core directory? Are both needed?
  3. If validated by apache, will the credentials be passed to git?
  4. The "Require valid-user" directives are requiring authentication for access to the apache server; but if I want to use a git credential helper, should the apache access be to allow any?
2

There are 2 answers

0
Gary Aitken On

Ok, my solution, arrived at thanks to help from VonC above, just so it's a little clearer for others:

In the case where the git repository is not in the normal apache web page tree, this is what is required:

SetEnv GIT_PROJECT_ROOT /path-to-git-repo
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
Alias /git /path-to-git-repo
<Location "/git">
    AuthType Basic
    AuthName "git-developers-private"
    AuthUserFile /path-to-auth-file
    Require valid-user
</Location>
6
VonC On

To complement my previous answer, the AuthUserFile I usually set up is in a Location directive, for /git, not Directory /path-to-repo.

See this as an example.

<Location /git>
  AuthType Basic
  AuthName "Private Git Access"
  AuthUserFile "/etc/git-auth-file"
  Require valid-user
</Location>