Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Configuring Git with Apache on a Windows Server

Tags:

git

apache

I need to set up Git repositories on a Windows server. Requirements are:

  • Git running on Windows with Apache 2.2 (because this Apache was already there and has been used for serving Subversion already)
  • Allow to create various Git repositories
  • Repositories are not public. Must be able to define access per project. Users with access to a repository always have full access (both pull and push).

I've done a standard Git installation and added these lines to Apache's httpd.conf file:

SetEnv GIT_PROJECT_ROOT "D:/srv/git"
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ "C:/Program Files/Git/mingw64/libexec/git-core/git-http-backend/"

<Location "/git/testproject.git">
  AuthType Basic
  require group developers
  AuthName "Git test project"
  AuthUserFile D:/srv/gitauth/auth.txt
  AuthGroupFile D:/srv/gitauth/groups.txt
</Location>

"C:/Program Files/Git/mingw64/libexec/git-core/git-http-backend/" is the place where I found the git-http-backend executable on Windows. auth.txt is a file created with htpasswd containing a username/password for my user, and groups.txt contains a line defining that my user is in a group named developers.

For testing I've set up a repository in D:/srv/git/testproject.git.

From my client computer, I tried to clone this repository and got this error:

git clone https://[serverurl]/git/testproject.git
Cloning into 'testproject'...
fatal: unable to access 'https://[serverurl]/git/testproject.git/': The requested URL returned error: 403

Apache's error.log has this error message:

[Wed Aug 23 18:39:10 2017] [error] [client 192.168.130.80] client denied by server configuration: C:/Program Files/Git/mingw64/libexec/git-core/git-http-backend

I did not find a way to make this work. I'm also not very familiar with Apache, unfortunately.

Is this configuration correct? I'm not even sure if the SetEnv and ScriptAlias commands are good in httpd.conf or if they should be placed somewhere else. I've read various tutorials and blog posts, most suggesting different places which do not exist on my Apache installation (maybe the Windows environment is different...?).

Any help would be greatly appreciated!

like image 567
Sky Avatar asked Mar 08 '23 06:03

Sky


1 Answers

After some more hours of research and testing, I finally got it running and managed to set it up to meet my requirements.

Here's what I had to add to Apache's configuration to make this work:

# 1. allow access to CGI directory, where git-http-backend.exe is located
<Directory "C:/Progra~1/Git/mingw64/libexec/git-core/">
    Options +ExecCGI
    Allow From All
</Directory>

# 2. Define where GIT projects are located and create /git/ script alias
SetEnv GIT_PROJECT_ROOT "D:/srv/git"
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ "C:/Progra~1/Git/mingw64/libexec/git-core/git-http-backend.exe/"

# 3. Restricting access to /git/ root, otherwise not yet defined projects could be read
#    without restriction.
<Location "/git/">
    AuthType Basic
    AuthName "git"
    AuthUserFile D:/srv/auth_files/htpasswd.txt
    Require all denied
</Location>

# 4. For every project a section like this must be created in order to allow access to it.
<Location "/git/testproject.git/">
   AuthType Basic
   AuthName "git test repository"
   AuthUserFile D:/srv/auth_files/htpasswd.txt
   AuthGroupFile D:/srv/auth_files/git_groups.txt
   Require group developers
</Location>

<Location "/git/other_project.git/">
   AuthType Basic
   AuthName "git test repository"
   AuthUserFile D:/srv/auth_files/htpasswd.txt
   AuthGroupFile D:/srv/auth_files/git_groups.txt
   Require group developers managers
   Require user sky
   AuthzGroupFileAuthoritative Off
</Location>

Some Notes

  • Part (1) seems to be necessary on Windows only. Without this directive Apache would not execute the git-http-backend.exe file as CGI script.
  • Part (3) was necessary because without it, Apache allowed access to every project which is not explicitly defined later on in the configuration.
  • Part (4) project other_project.git allows two groups and a user to have access. Apache 2.2 has the AuthzGroupFileAuthoritative Off setting, to make this work properly. Without this only user sky in groups developers or managers would have access. In Apache 2.4 this could be done in a nicer way with a <RequireAny> block.
  • Example for cloning one of these repos: git clone https://[serverurl]/git/testproject.git
like image 128
Sky Avatar answered Mar 19 '23 09:03

Sky