如何启用HTTP上的匿名读取权限(拉),但身份验证的写访问(推)到一个Git仓库? [英] How can I enable anonymous read access (pull) but authenticated write access (push) to a git repository over http?
问题描述
我想有git仓库通过提供智能的 HTTP 以只有我可以推,但任何人(或任何帐户)可以克隆/从获取。
在的git-HTTP后端(1)手册页可以找到Apache Web服务器下面的示例配置:
确保mod_cgi一样,启用mod_alias和mod_env启用,适当设置GIT_PROJECT_ROOT(或DocumentRoot的),并创建一个ScriptAlias指令到CGI:
SETENV GIT_PROJECT_ROOT在/ var / WWW /混帐
SETENV GIT_HTTP_EXPORT_ALL
ScriptAlias指令/ git的/的/ usr / libexec中/ git的核心/ GIT-HTTP后端/要启用匿名的读取权限,但身份验证的写访问,需要与LocationMatch指令授权:
< LocationMatch^ /混帐混帐/.*/ - 接收包$>
AuthType选项基本
AuthName指令混帐访问
要求组提交者
#...
< / LocationMatch>
不幸的是这种配置不起作用。我可以读取/存储库的克隆没有任何问题,而不需要authenthication,但推失败:
$混帐推主产地
错误:无法访问URL为http://localhost/git/test.git/,回报code 22
致命的:混帐-HTTP-推失败检查
error.log中Apache Web服务器的无助:
[...]未启用服务:'接收包'
[...]不支持请求:/var/www/git/test.git/的
的access.log告诉我们,混帐推首先使用GET ON/法?混帐/ test.git /信息/服务裁判=混帐收到包基于查询的URL,这是不包括LocationMatch指令:
[...]GET /git/test.git/info/refs?service=git-receive-pack HTTP / 1.1403 304 - 混帐/ 1.7.10.4
[...]GET /git/test.git/info/refs HTTP / 1.1200 267 - 混帐/ 1.7.10.4
[...]GET /git/test.git/HEAD HTTP / 1.1200 337 - 混帐/ 1.7.10.4
[...]PROPFIND /git/test.git/ HTTP / 1.1404 250 - 混帐/ 1.7.10.4(以下行即将回退到哑巴的WebDAV基于HTTP推 - ?是可以禁用此回退)。
现在我用以下解决方法:我需要从两个取和推送(使用修改后的配置身份验证读取和写入中的的git-HTTP后端(1)联机帮助页),并通过
$ p $限制推到单用户对接收通过检查<$ C勾 $ C> REMOTE_USER 环境变量。解决方案一个不那么复杂的选择是使用<一个href=\"http://stackoverflow.com/questions/10888300/gitosis-vs-gitolite/10888358#10888358\">gitolite除此之外,您的Apache的混帐设置的。结果
您可以将gitolite到Apache足够容易(无需SSH配置)。请参阅为例:的httpd.conf ,这个地方 gitolite安装脚本相结合。
您可以很容易声明阿帕奇登录写访问,而
@all读访问。I want to have git repository available via "smart" HTTP to which only I can push, but which anybody (or anybody with account) can clone / fetch from.
In the git-http-backend(1) manpage one can find the following example configuration for Apache web server:
Ensure mod_cgi, mod_alias, and mod_env are enabled, set GIT_PROJECT_ROOT (or DocumentRoot) appropriately, and create a ScriptAlias to the CGI:
SetEnv GIT_PROJECT_ROOT /var/www/git SetEnv GIT_HTTP_EXPORT_ALL ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/To enable anonymous read access but authenticated write access, require authorization with a LocationMatch directive:
<LocationMatch "^/git/.*/git-receive-pack$"> AuthType Basic AuthName "Git Access" Require group committers #... </LocationMatch>
Unfortunately this configuration doesn't work. I can fetch / clone repository without any problems, without requiring authenthication, but pushing fails:
$ git push origin master error: Cannot access URL http://localhost/git/test.git/, return code 22 fatal: git-http-push failedExamining
error.logof Apache web server doesn't help:[...] Service not enabled: 'receive-pack' [...] Request not supported: '/var/www/git/test.git/'The
access.logtells us thatgit pushfirst uses GET method on/git/test.git/info/refs?service=git-receive-packquery-based URL, which is not covered by LocationMatch directive:[...] "GET /git/test.git/info/refs?service=git-receive-pack HTTP/1.1" 403 304 "-" "git/1.7.10.4" [...] "GET /git/test.git/info/refs HTTP/1.1" 200 267 "-" "git/1.7.10.4" [...] "GET /git/test.git/HEAD HTTP/1.1" 200 337 "-" "git/1.7.10.4" [...] "PROPFIND /git/test.git/ HTTP/1.1" 404 250 "-" "git/1.7.10.4"(the following lines are about fallback to "dumb" WebDAV based HTTP push - is it possible to disable this fallback?).
For now I use the following workaround: I require valid user for both fetch and push (using modified configuration from "authentication for both reads and writes" example in git-http-backend(1) manpage), and restrict push to single user via
pre-receivehook by examiningREMOTE_USERenvironment variable.解决方案One not so complex alternative is to use gitolite in addition of your Apache-git setup.
You can plug gitolite to Apache easily enough (no ssh config required).See as an example: httpd.conf, combined with this local gitolite installation script.
You can then easily declare Apache logins for Write access, and
@allfor read access.这篇关于如何启用HTTP上的匿名读取权限(拉),但身份验证的写访问(推)到一个Git仓库?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
