4

I need to set up Git repositories on a Windows server. Requirements are:

  • Git running on Windows with Apache 2.2 (because this Apache was already there and has been used for serving Subversion already)
  • Allow to create various Git repositories
  • Repositories are not public. Must be able to define access per project. Users with access to a repository always have full access (both pull and push).

I've done a standard Git installation and added these lines to Apache's httpd.conf file:

SetEnv GIT_PROJECT_ROOT "D:/srv/git" SetEnv GIT_HTTP_EXPORT_ALL ScriptAlias /git/ "C:/Program Files/Git/mingw64/libexec/git-core/git-http-backend/" <Location "/git/testproject.git"> AuthType Basic require group developers AuthName "Git test project" AuthUserFile D:/srv/gitauth/auth.txt AuthGroupFile D:/srv/gitauth/groups.txt </Location>

"C:/Program Files/Git/mingw64/libexec/git-core/git-http-backend/" is the place where I found the git-http-backend executable on Windows. auth.txt is a file created with htpasswd containing a username/password for my user, and groups.txt contains a line defining that my user is in a group named developers.

For testing I've set up a repository in D:/srv/git/testproject.git.

From my client computer, I tried to clone this repository and got this error:

git clone https://[serverurl]/git/testproject.git Cloning into 'testproject'... fatal: unable to access 'https://[serverurl]/git/testproject.git/': The requested URL returned error: 403

Apache's error.log has this error message:

[Wed Aug 23 18:39:10 2017] [error] [client 192.168.130.80] client denied by server configuration: C:/Program Files/Git/mingw64/libexec/git-core/git-http-backend

I did not find a way to make this work. I'm also not very familiar with Apache, unfortunately.

Is this configuration correct? I'm not even sure if the SetEnv and ScriptAlias commands are good in httpd.conf or if they should be placed somewhere else. I've read various tutorials and blog posts, most suggesting different places which do not exist on my Apache installation (maybe the Windows environment is different...?).

Any help would be greatly appreciated!

Improve this question

2 Answers 2

Reset to default
6

After some more hours of research and testing, I finally got it running and managed to set it up to meet my requirements.

Here's what I had to add to Apache's configuration to make this work:

# 1. allow access to CGI directory, where git-http-backend.exe is located <Directory "C:/Progra~1/Git/mingw64/libexec/git-core/"> Options +ExecCGI Allow From All </Directory> # 2. Define where GIT projects are located and create /git/ script alias SetEnv GIT_PROJECT_ROOT "D:/srv/git" SetEnv GIT_HTTP_EXPORT_ALL ScriptAlias /git/ "C:/Progra~1/Git/mingw64/libexec/git-core/git-http-backend.exe/" # 3. Restricting access to /git/ root, otherwise not yet defined projects could be read # without restriction. <Location "/git/"> AuthType Basic AuthName "git" AuthUserFile D:/srv/auth_files/htpasswd.txt Require all denied </Location> # 4. For every project a section like this must be created in order to allow access to it. <Location "/git/testproject.git/"> AuthType Basic AuthName "git test repository" AuthUserFile D:/srv/auth_files/htpasswd.txt AuthGroupFile D:/srv/auth_files/git_groups.txt Require group developers </Location> <Location "/git/other_project.git/"> AuthType Basic AuthName "git test repository" AuthUserFile D:/srv/auth_files/htpasswd.txt AuthGroupFile D:/srv/auth_files/git_groups.txt Require group developers managers Require user sky AuthzGroupFileAuthoritative Off </Location>

Some Notes

  • Part (1) seems to be necessary on Windows only. Without this directive Apache would not execute the git-http-backend.exe file as CGI script.
  • Part (3) was necessary because without it, Apache allowed access to every project which is not explicitly defined later on in the configuration.
  • Part (4) project other_project.git allows two groups and a user to have access. Apache 2.2 has the AuthzGroupFileAuthoritative Off setting, to make this work properly. Without this only user sky in groups developers or managers would have access. In Apache 2.4 this could be done in a nicer way with a <RequireAny> block.
  • Example for cloning one of these repos: git clone https://[serverurl]/git/testproject.git
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

my final configuration is # START : GIT Configuration <Directory "/apache-vcs/git/libexec/git-core/"> Options +ExecCGI Allow From All </Directory> SetEnv GIT_PROJECT_ROOT "/apache-vcs/git" SetEnv GIT_HTTP_EXPORT_ALL ScriptAlias /git/ "/apache-vcs/git/libexec/git-core/git-http-backend.exe/" <Location /git> Allow from All </Location> <Location "/git/repos/main.git"> AuthType Basic AuthName "git main repository" AuthUserFile "/apache-vcs/git/repos/htpasswd" Require valid-user </Location> # # END : GIT Configuration #
1

a working example is as follows

my final configuration is 

############################################################################### # START : GIT Configuration ############################################################################### <Directory "/apache-vcs/git/libexec/git-core/"> Options +ExecCGI Allow From All </Directory> SetEnv GIT_PROJECT_ROOT "/apache-vcs/git" SetEnv GIT_HTTP_EXPORT_ALL ScriptAlias /git/ "/apache-vcs/git/libexec/git-core/git-http-backend.exe/" <Location /git> Allow from All </Location> <Location "/git/repos/main.git"> AuthType Basic AuthName "git main repository" AuthUserFile "/apache-vcs/git/repos/htpasswd" Require valid-user </Location> ############################################################################### # END : GIT Configuration ###############################################################################

and initialised a bare repository using

cd /apache-vcs/git/repos git init --bare main.git

hope that also helps

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.