# GIT Authentication using smart HTTP



## tosaikiran (Oct 6, 2021)

Hi

I am trying to create a private GIT repo. Here is the VirtualHost configuration in the /usr/local/etc/apache24/httpd.conf file.

```
<VirtualHost    *:80>
   DocumentRoot "/home/git/repos"
   Alias /git /home/git/repos
   SetEnv GIT_PROJECT_ROOT /home/git/repos
   SetEnv GIT_HTTP_EXPORT_ALL
   ScriptAlias /git/ /usr/local/libexec/git-core/git-http-backend
   
   ScriptAliasMatch \
           "(?x)^/git/(.*/(HEAD | \
                           info/refs | \
                           objects/(info/[^/]+ | \
                                    [0-9a-f]{2}/[0-9a-f]{38} | \
                                    pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                           git-(upload|receive)-pack))$" \
            /usr/local/libexec/git-core/git-http-backend/

    <Directory /home/git/repos/test.git>
          Options +ExecCGI +Indexes
          AuthType Basic
          AuthName "Git Authentication"
          AuthUserFile /home/git/repos/.htpasswd
          Require valid-user
          DirectoryIndex test.git
    </Directory>
</VirtualHost>
```
My git repos are present inside the folder: /home/git/repos/
test.git is a bare repository.
http.receivepack is set in the git config.

When I try to clone this repository, i.e., `git clone http://my_ip:80/git/test.git`, it asks for username and password. While pushing to the repo, I get the following error:

```
error: Cannot access URL http://192.168.1.9:80/git/test.git/, return code 22
fatal: git-http-push failed
error: failed to push some refs to 'http://192.168.1.9:80/git/test.git/'
```

I have spent days trying to figure out what could be wrong, but with no luck. Can someone help me with this?

-Thanks
Sai Kiran.


----------



## SirDice (Oct 6, 2021)

tosaikiran said:


> Here is the VirtualHost configuration in the /usr/local/etc/apache24/httpd.conf file.


Save that VirtualHost config in /usr/local/etc/apache24/Includes/mysite.conf for example. That will make it much easier to configure multiple sites on the same host. The standard httpd.conf has a `Include etc/apache24/Includes/*.conf` at the end specifically for this.

As for the issue, I'd remove these:

```
DocumentRoot "/home/git/repos"
   Alias /git /home/git/repos
```

And this line seems to be missing a `$1` at the end:

```
/usr/local/libexec/git-core/git-http-backend/
```






Git - git-http-backend Documentation (git-scm.com)
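
A smart-HTTP virtual host along the lines suggested above, as an added example that is not part of the original thread. The repository and git-http-backend paths are taken from the first post; the `AuthUserFile` location is an assumption.

```apache
# Added example, not from the thread. Paths follow the first post;
# the AuthUserFile location is an assumption.
# Requires mod_cgi (or mod_cgid), mod_alias, mod_env, mod_auth_basic,
# mod_authn_file and mod_authz_user to be loaded.
<VirtualHost *:80>
    # No DocumentRoot or Alias pointing at the repositories: mod_alias
    # applies the first matching Alias/ScriptAlias in file order, so an
    # earlier "Alias /git ..." serves the repository files statically
    # and the request never reaches git-http-backend.
    SetEnv GIT_PROJECT_ROOT /home/git/repos
    SetEnv GIT_HTTP_EXPORT_ALL

    # Trailing slash on both the URL prefix and the script path, so that
    # /git/test.git/info/refs is passed to the CGI as
    # PATH_INFO=/test.git/info/refs.
    ScriptAlias /git/ /usr/local/libexec/git-core/git-http-backend/

    # Authenticate by URL. A <Directory /home/git/repos/...> block is not
    # consulted here, because the file Apache actually executes is the
    # CGI under /usr/local/libexec/git-core.
    <Location "/git/">
        AuthType Basic
        AuthName "Git Authentication"
        # Assumed location, kept outside the repository tree.
        AuthUserFile /usr/local/etc/apache24/git.htpasswd
        Require valid-user
    </Location>

    # git-http-backend enables receive-pack (push) by default for users
    # the web server has authenticated, i.e. when REMOTE_USER is set.
    # Basic credentials are only base64-encoded, not encrypted: for
    # anything beyond a test network, put this in a TLS virtual host.
</VirtualHost>
```

To check it, request `/git/test.git/info/refs?service=git-receive-pack` with `curl -i`: without credentials the response should be 401, and with valid credentials it should be 200 with content type `application/x-git-receive-pack-advertisement`.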


----------



## tosaikiran (Oct 7, 2021)

Hi,

Thanks for your reply. I have removed the two lines:

```
DocumentRoot "/home/git/repos"
Alias /git /home/git/repos
```

But I get the following error:

```
fatal: repository 'http://192.168.1.9:80/git/test.git/' not found.
```

I have added `$1` at the end of the line `/usr/local/libexec/git-core/git-http-backend/` as well. What could be the issue?

Also, instead of http, if I use https, would it resolve the error? I feel git is not accepting the git-http-push requests, because it's not a secure connection. Maybe switching to https would work. I am not quite sure. Help me out here. And correct me if I am wrong.


----------



## astyle (Oct 7, 2021)

Specifying `:80` and `:443` is (usually) unnecessary for HTTP URLs.
Also: When setting up DocumentRoot, have a file you can test that with. It's helpful to run

```
service apache24 configtest
```
 to check for errors, and then to point your web browser to where you think the file should be found.


----------



## Tieks (Oct 7, 2021)

Adding to astyle, check /var/log/httpd-access.log to see if the incoming request will point to the file.
Do you have a scriptalias git and (another) alias git?


----------



## ShelLuser (Oct 7, 2021)

I can't help but wonder why you're not relying on Apache's own authentication schemes or better yet: SSHd if you need more control over the whole thing?

Why try to relay back to Git's HTTP backend when Apache can handle all of this on its own? 

Unless you have a specific reason for all this my suggestion would be to dump the whole Git backend and just let Apache do its thing. Let Apache handle both the authentication as well as providing the repository, you don't need any Git backends for that. I'd even argue that they only provide unwanted overhead, especially if you're already using Apache.


----------



## D-FENS (Oct 7, 2021)

Why hassle with setting up Apache? There is an easier solution: www/gitea
It's quite easy to set up:

```
pkg install gitea
sysrc gitea_enable="YES"
```
Then you need to edit the config file according to your needs, it has a simple INI format.
If you need SSL, you can use the same certificates you created for your Apache site.

Once you have the site working, you log in via the web interface and manage your repositories in a very similar way to github.
In general, you install your SSH public key in the web interface, and then you clone the repositories always over SSH (not HTTPS). The authentication is done for you by gitea. Follow the documentation.

We have been using it productively for years, it's quite reliable!

Here is our configuration file, for your info. Some of the values are generated by a script, so adapt to your needs.

```
APP_NAME = $instanceName
RUN_USER = git
#RUN_MODE = prod
RUN_MODE = dev

[database]
DB_TYPE  = sqlite3
HOST     = 127.0.0.1:3306
NAME     = gitea
PASSWD   =
PATH     = /var/db/gitea/gitea.db
SSL_MODE = disable
USER     = root

[indexer]
ISSUE_INDEXER_PATH = /var/db/gitea/indexers/issues.bleve

[log]
ROOT_PATH = /var/log/gitea
MODE      = file
LEVEL     = Info

[mailer]
ENABLED = false

[picture]
AVATAR_UPLOAD_PATH      = /var/db/gitea/data/avatars
DISABLE_GRAVATAR        = true
ENABLE_FEDERATED_AVATAR = false

[repository]
ROOT = /var/db/gitea/gitea-repositories
# Gitea's default is 'bash', so if you have bash installed, you can comment
# this out.
SCRIPT_TYPE = sh

[repository.upload]
TEMP_PATH = /var/db/gitea/data/tmp/uploads

[security]
INSTALL_LOCK = true
INTERNAL_TOKEN = 1FFhAklka01JhgJTRUrFujWYiv4ijqcTIfXJ9o4n1fWxz+XVQdXhrqDTlsnD7fvz7gugdhgkx0FY2Lx6IBdPQw==
SECRET_KEY   = $(generateServerSecret)

[session]
PROVIDER = file
PROVIDER_CONFIG = /var/db/gitea/data/sessions

[server]
PROTOCOL     = https
DOMAIN       = $jailDnsName
HTTP_ADDR    = 0.0.0.0
HTTP_PORT    = 3000
ROOT_URL     = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
CERT_FILE    = $sslCrtFile
KEY_FILE     = $sslKeyFile
OFFLINE_MODE = false
APP_DATA_PATH = /var/db/gitea/data

DISABLE_SSH                = false
START_SSH_SERVER           = false
BUILTIN_SSH_SERVER_USER    =
SSH_DOMAIN                 = %(DOMAIN)s
SSH_LISTEN_HOST            =
SSH_PORT                   = 22
SSH_LISTEN_PORT            = %(SSH_PORT)s
SSH_ROOT_PATH              =
SSH_CREATE_AUTHORIZED_KEYS_FILE = true
SSH_SERVER_CIPHERS         = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
SSH_SERVER_KEY_EXCHANGES   = diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org
SSH_SERVER_MACS            = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96
SSH_KEY_TEST_PATH          =
SSH_KEYGEN_PATH            = ssh-keygen
SSH_BACKUP_AUTHORIZED_KEYS = true
SSH_EXPOSE_ANONYMOUS       = false

[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL     = false
DISABLE_REGISTRATION   = false
ENABLE_CAPTCHA         = false
REQUIRE_SIGNIN_VIEW    = false
```


----------



## tosaikiran (Oct 8, 2021)

ShelLuser said:


> I can't help but wonder why you're not relying on Apache's own authentication schemes or better yet: SSHd if you need more control over the whole thing?
> 
> Why try to relay back to Git's HTTP backend when Apache can handle all of this on its own?
> 
> Unless you have a specific reason for all this my suggestion would be to dump the whole Git backend and just let Apache do its thing. Let Apache handle both the authentication as well as providing the repository, you don't need any Git backends for that. I'd even argue that they only provide unwanted overhead, especially if you're already using Apache.


I was following the GIT-SCM documentation to set up a private git repo and add some authentication. I was not aware that Git repos can be served without using "git-http-backend". Are you sure that, without "git-http-backend", we can do git operations like git clone, pull, push? I am not quite sure how to do that. Can you point me to any resources that'll help in doing so, or can you just briefly describe how it's done?

-Thanks


----------



## D-FENS (Oct 8, 2021)

tosaikiran said:


> I was following the GIT-SCM documentation to set up a private git repo and add some authentication. I was not aware that Git repos can be served without using "git-http-backend". Are you sure that, without "git-http-backend", we can do git operations like git clone, pull, push? I am not quite sure how to do that. Can you point me to any resources that'll help in doing so, or can you just briefly describe how it's done?
> 
> -Thanks



You can clone, push and pull from local directories containing a repo, no problem. Just do a `git init` in one directory, make some changes, commit. Then do a `git clone` to a new directory. Git does not care about what kind of transport you use to connect to your remotes, as long as they are reachable.
And, git repos can be served via different protocols, not only HTTP. In my last post I gave an example with www/gitea, with which the repos are served over SSH, but they are managed via a web interface.


----------

