I am trying to set up a git repository over my Apache 2.2 on a CentOS 6 box, with git installed. I have tried following many different directions, and I am at a loss. My current situation consists of being able to clone normally, but being completely unable to push.
It seems as though I am incapable of getting the authentication bit to work properly, as I can normally perform the push while setting http.receivepack to true.
I have installed AuthzUnixGroup as well as mod_authz_external.
I went to /var/www/git and created a repo named my-repo.git and did a git init --bare inside it.
Then I set up my git.conf file inside /etc/httpd/conf.d/ as follows:
<VirtualHost "*:80">
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv GIT_PROJECT_ROOT /var/www/git
    SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
    ScriptAlias /git /usr/libexec/git-core/git-http-backend
    AddExternalAuth pwauth /usr/local/libexec/pwauth
    SetExternalAuthMethod pwauth pipe
    <Directory "/usr/libexec/git-core/">
        AllowOverride None
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all
    </Directory>
    <Location "/git">
        AuthzUnixGroup on
        AuthType Basic
        AuthName "Git repository"
        AuthBasicProvider external
        AuthExternal pwauth
        Require group git
    </Location>
</VirtualHost>
Pointing my web browser to mysite/git nicely shows me the HTTP basic login dialog, which works perfectly. I have added myself to the group git, and doing a groups on my shell returns:
naseri sudo git
which is as expected.
When I do git clone http://mysite/git/my-repo.git I get the following from the access_log file for httpd under /var/logs/httpd/access_log:
2.177.130.21 - - [11/Jun/2014:18:51:07 +0000] "GET /git/my-repo.git/info/refs?service=git-upload-pack HTTP/1.1" 401 480 "-" "git/1.8.5.2 (Apple Git-48)"
2.177.130.21 - - [11/Jun/2014:18:51:08 +0000] "GET /git/my-repo.git/info/refs?service=git-upload-pack HTTP/1.1" 401 480 "-" "git/1.8.5.2 (Apple Git-48)"
2.177.130.21 - naseri [11/Jun/2014:18:51:08 +0000] "GET /git/my-repo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 256 "-" "git/1.8.5.2 (Apple Git-48)"
2.177.130.21 - naseri [11/Jun/2014:18:51:09 +0000] "POST /git/my-repo.git/git-upload-pack HTTP/1.1" 200 368 "-" "git/1.8.5.2 (Apple Git-48)"
On the client, the cloning works properly. I change stuff around, then try to push after a commit by git pushing the content.
This is what I get on the server side log:
2.177.130.21 - - [11/Jun/2014:18:53:26 +0000] "GET /git/my-repo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 480 "-" "git/1.8.5.2 (Apple Git-48)"
2.177.130.21 - naseri [11/Jun/2014:18:53:27 +0000] "GET /git/my-repo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 480 "-" "git/1.8.5.2 (Apple Git-48)"
2.177.130.21 - naseri [11/Jun/2014:18:53:30 +0000] "GET /git/my-repo.git/info/refs?service=git-receive-pack HTTP/1.1" 403 - "-" "git/1.8.5.2 (Apple Git-48)"
I can see that my "Authentication Required" response is being sent back by Apache on the first line of response (401) but the client shows me:
fatal: unable to access 'http://mysite/git/my-repo.git/': The requested URL returned error: 403
I am clueless as to the problem, as pointing my browser to the same URL properly brings up authentication and it even works right.
This older answer
git-http-backend is returning a 403/Forbidden code when the client asks to use the git-receive-pack method. It then falls back to WebDAV, but using WebDAV is not necessary.
I had the same problem; in my case this was due to REMOTE_USER not being set.
Since any of my Apache config uses an '=' when setting a variable, check if this works better:
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
(no '-' between the two variables)
Check also if not (re)defining REMOTE_USER works too (because it might already have been defined, while REDIRECT_REMOTE_USER might not): try without that line.
I never have to define it in my Apache Git config.
Note: with Git 2.21 (Q1 2019, 5+ years later), Git should be more robust.
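As an added example (not code from the question or from either answer), this Python script reads access_log lines like those quoted in the question and flags the pattern the answer above describes: a git-receive-pack request that carries an authenticated user name yet ends in 403. The function names and verdict labels are assumptions made for the illustration.

```python
import re
from collections import namedtuple

# Apache access_log: host ident user [time] "METHOD path proto" status bytes ...
LINE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
SERVICE = re.compile(r'(?:[?&]service=|/)(git-(?:upload|receive)-pack)$')
Finding = namedtuple("Finding", "time user service status verdict")

def classify(line):
    """Classify one access_log line; None if it is not a smart-HTTP git request."""
    m = LINE.match(line)
    svc = SERVICE.search(m["path"]) if m else None
    if not svc:
        return None
    user = None if m["user"] == "-" else m["user"]
    status = int(m["status"])
    if status == 401:
        # No user logged: the initial Basic challenge. User logged: credentials
        # were sent and Apache still answered 401.
        verdict = "challenge" if user is None else "credentials-rejected"
    elif status == 403:
        # User logged with 403: authentication passed, the request was refused later.
        verdict = "authenticated-but-forbidden" if user else "forbidden"
    elif 200 <= status < 300:
        verdict = "ok"
    else:
        verdict = "other"
    return Finding(m["time"], user, svc.group(1), status, verdict)

def push_refusals(lines):
    """Pushes (git-receive-pack) refused for a user Apache had already authenticated."""
    hits = (classify(entry) for entry in lines)
    return [f for f in hits if f and f.service == "git-receive-pack"
            and f.verdict == "authenticated-but-forbidden"]

# Sample input: lines copied from the question's access_log excerpt.
SAMPLE = [
    '2.177.130.21 - naseri [11/Jun/2014:18:51:09 +0000] "POST /git/my-repo.git/git-upload-pack HTTP/1.1" 200 368 "-" "git/1.8.5.2 (Apple Git-48)"',
    '2.177.130.21 - - [11/Jun/2014:18:53:26 +0000] "GET /git/my-repo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 480 "-" "git/1.8.5.2 (Apple Git-48)"',
    '2.177.130.21 - naseri [11/Jun/2014:18:53:27 +0000] "GET /git/my-repo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 480 "-" "git/1.8.5.2 (Apple Git-48)"',
    '2.177.130.21 - naseri [11/Jun/2014:18:53:30 +0000] "GET /git/my-repo.git/info/refs?service=git-receive-pack HTTP/1.1" 403 - "-" "git/1.8.5.2 (Apple Git-48)"',
]

if __name__ == "__main__":
    for f in push_refusals(SAMPLE):
        print(f"{f.time} user={f.user} {f.service} -> {f.status} ({f.verdict})")
```

Run over a full access_log, a steady stream of these findings for one user points at the server configuration rather than at the client's credentials.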
I have been in a situation like this, and found that trying to use Apache to serve git is anything but easy or simple.
Instead, I would recommend installing Gerrit - it allows you to host multiple repositories, and most importantly has an extremely flexible user/group management and permission model. As a nice bonus, it also happens to be a very powerful code review engine, but it is completely optional - you don't have to use code review features if you don't want to.
Other known solutions for this are Gitlab and Gitolite - you might want to look into them as well.
Source: https://stackoverflow.com/questions/24170537/git-http-backend-with-authzunixgroup-not-working-properly