使用Apache基本身份验证禁用git对特定目录的访问 [英] Disabling access for git to specific Directory with Apache Basic Authentication

问题描述

我在Apache2服务器上进行了git设置，它可以很好地满足git请求.现在，我想为此设置基本身份验证，因此并非每个人都可以使用每个目录.我的目标是只有ADMIN组才能访问完整的/var/www/html/git 目录，而我的GITGROUP只能访问 /var/www/html/git/subdir 目录.但是，尽管Apache要求提供凭据，但通过设置(如下)，GITGROUP仍然被允许访问 all git目录.我在做什么错了?

I have git setup with my Apache2 server and it serves git request just fine. Now I want to setup Basic Authentication for this, so not everybody can use every directory. My goal is that only the ADMIN group has access to the complete /var/www/html/git directory and my GITGROUP can access only /var/www/html/git/subdir directories. However, while Apache is asking for credentials, with the setup (below) GITGROUP is still allowed to access all git directories. What am I doing wrong?

SetEnv GIT_PROJECT_ROOT /var/www/html/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
<Directory /usr/lib/git-core>
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthGroupFile "/etc/apache2/groups"
    Require group ADMIN GITGROUP

    Order allow,deny
    Allow from all
</Directory>
<Directory /var/www/html/git>
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthGroupFile "/etc/apache2/groups"
    Require group ADMIN
    Options -Indexes

    Order allow,deny
    Allow from all
</Directory>
<Directory /var/www/html/git/subdir>
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthGroupFile "/etc/apache2/groups"
    Require group ADMIN GITGROUP
    Options -Indexes

    Order allow,deny
    Allow from all
</Directory>

基于@jsvendsgaard的回答，我为git-core的两个符号链接创建了两个ScriptAlias行.之后，只需分配正确的GIT_PROJECT_ROOT:

Based on the answer by @jsvendsgaard I created two ScriptAlias lines for two symlinks to git-core. After that it is only a matter of assigning the correct GIT_PROJECT_ROOT:

ScriptAlias /gitdir1/ /var/www/html/gitdir1/git-core/git-http-backend/
ScriptAlias /gitdir2/ /var/www/html/gitdir2/git-core/git-http-backend/
<Directory "/var/www/html/gitdir1/git-core">
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthGroupFile "/etc/apache2/groups"
    Require group ADMIN
    Options +ExecCGI -MultiViews -Indexes

    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/html/gitdir2/git-core">
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthGroupFile "/etc/apache2/groups"
    Require group ADMIN GITGROUP
    Options +ExecCGI -MultiViews -Indexes

    Order allow,deny
    Allow from all
</Directory>
<Location "/gitdir1/">
    SetEnv GIT_PROJECT_ROOT /var/www/html/gitdir1
    SetEnv GIT_HTTP_EXPORT_ALL

    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthGroupFile "/etc/apache2/groups"
    Require group ADMIN
</Location>
<Location "/gitdir2/">
    SetEnv GIT_PROJECT_ROOT /var/www/html/gitdir2
    SetEnv GIT_HTTP_EXPORT_ALL

    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthGroupFile "/etc/apache2/groups"
    Require group ADMIN GITGROUP
</Location>

推荐答案

我相信我也有类似的需求.我能够使我的解决方案在RedHat服务器上工作.

I believe I had a similar need. I was able to get my solution working on a RedHat server.

使用Apache 2.4的解决方案

我发现的问题是git-http-backend脚本确实控制着对存储库的所有访问.另外，ScriptAlias配置为将所有/git/请求都路由到git-http-backend，而与路径的其余部分无关.并且，由于您已经为GITGROUP提供了对此脚本的访问权限，因此该组将有权访问URL中以/git/开头的任何存储库.根据文档，

The problem I found is that the git-http-backend script really controls all access to the repositories. Additionally, ScriptAlias is configured as such that it will be routing all /git/ requests to git-http-backend, regardless of the rest of the path. And, because you have provided access to this script for GITGROUP, that group will have access to any repository starting with /git/ in the URL. As per the documentation,

https://git-scm.com/docs/git-http-backend

git-http-backend知道每个存储库的位置，因为Apache正在为其提供环境变量.我怀疑这意味着git-http-backend是服务器上唯一直接访问您的存储库，然后将响应提供回Apache的进程.

git-http-backend knows the location to each repository because Apache is providing it with an environment variable. I suspect this means that git-http-backend is the only process on the server that directly accesses your repositories, and then provides the response back to Apache.

我的解决方案增加了一些额外的步骤.本质上，您将强制对git-http-backend的任何访问仅在您已经对存储库的位置进行身份验证之后才进行，而不是在此之前.这是通过在存储库目录本身中放置指向脚本的链接，然后对该位置进行身份验证来实现的.

My solution adds a few extra steps. Essentially, you would force any access to git-http-backend to occur only after you have already authenticated to the location of your repository, not before. This is done by placing a link to the script in the repository directory itself, and then authenticating that location.

注意:我仅使用裸仓库(git init --bare)来完成此操作.我怀疑如果出于某种原因需要使用非裸存储库，则此解决方案将需要进行一些调整(最后的想法):

NOTE: I've only done this with bare repositories (git init --bare). I suspect that if for some reason you need to use a non-bare repository, this solution would need some tweaking (Ideas on that at the end):

简而言之:

1. 在每个存储库中创建指向git-core的链接(这是我在这里怀疑如果您使用非裸机会遇到问题存储库，请参阅下面的想法)
2. 使用ScriptAliasMatch而不是ScriptAlias，以便您可以进行匹配将请求仅发送到请求的存储库，然后将请求定向到符号链接.
3. 创建< Location>每个存储库的指令，并设置GIT_PROJECT_ROOT变量分别针对那里的每个站点.这是因为apache不再提供正确的路径仓库到git.
4. 创建<目录>每个符号链接的指令.唯一的目的对我来说，这是设置目录的选项，例如-索引.您可以根据需要将此选项用于其他选项.

详细信息:

1. 链接.如果您的存储库为/var/www/html/git/subdir，而您的git-httpd-backend位于/usr/libexec/git-core中，则命令为:

ln -s/usr/libexec/git-core/var/www/html/git/subdir/git-core

ln -s /usr/libexec/git-core /var/www/html/git/subdir/git-core

1. 别名.这将使用一个带有两个反向引用的正则表达式，一个($ 1)获取存储库的路径，另一个($ 2)获取命令(git-upload-pack等).然后，将其别名为您在第一步中创建的符号链接.在我的正则表达式中，我还确保该请求是有效的git请求.假设对您网站的请求开始像https://yoursite/git/some_repo.git:

ScriptAliasMatch \
  "(?x)^/git/(.*/)((HEAD | \
    info/refs | \
    objects/(info/[^/]+ | \
    [0-9a-f]{2}/[0-9a-f]{38} | \
    pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
    git-(upload|receive)-pack))$" \
    "/var/www/html/git/$1/git-core/git-http-backend/$2"

1. 创建< Location>指令.您可以在此处为git设置存储库的路径，也可以在此处添加身份验证:

<Location /git/subdir1.git>
    SetEnv GIT_PROJECT_ROOT /var/www/html/git/subdir1.git
    SetEnv GIT_HTTP_EXPORT_ALL

    AuthType Basic
    AuthName "Authorization Required"
    ... <the rest of your authentication details here> ...
</Location>

<Location /git/subdir2.git>
    SetEnv GIT_PROJECT_ROOT /var/www/html/git/subdir2.git
    SetEnv GIT_HTTP_EXPORT_ALL

    AuthType Basic
    AuthName "Authorization Required"
    ... <the rest of your authentication details here> ...
</Location>

1. 创建< Directory>指示.对于每个存储库，为您在步骤A中创建的符号链接创建目录:

<Directory /var/www/html/git/subdir1.git/git-core>
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch -Indexes
    Allowoverride None
</Directory>

<Directory /var/www/html/git/subdir2.git/git-core>
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch -Indexes
    Allowoverride None
</Directory>

如果您不使用裸仓库:

我仅在git服务器上使用裸存储库，但是我认为如果没有裸存储库，则可能会在创建此符号链接时遇到问题.我担心的是有人会以某种方式将您的链接添加到存储库.我不确定是否可行，但是有一些解决方案:

I only use bare repositories on the git server, but I think that you might see an issue creating this symlink if you didn't have bare repositories. What I'm worried is that someone could somehow add your link to the repository. I'm not sure if this is possible, but a couple of ideas to get around it:

1. 为每个链接创建一个git-ignore，尽管回购用户可能是能够撤消此操作.
2. 在目录之外的其他目录中创建符号链接资料库目录.我能想到的唯一问题是现在，您可能需要添加第二层身份验证根据您的指令.

这篇关于使用Apache基本身份验证禁用git对特定目录的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！