How can I have a remote git repo which is accessible via http but only for cloning?
Question:
Maybe with the help of nginx (already running) and git-http-backend (git-http-fetch?).
Answer 1:
NOTE: I assume that you meant anonymous read-only access; there is no way to distinguish between clone and fetch in git, I think.
Do you want to set up "smart" HTTP (recommended), or "dumb" HTTP one?
For "dumb" HTTP it is enough to forbid (or just do not set up) WebDAV - this is how pushes come with "dumb" HTTP (no git on server side).
For "smart" HTTP follow directions for anonymous read access but authenticated write access in git-http-backend manpage, translating it from Apache to nginx, and modifying slightly. Note that documentation for anonymous read but authenticated write might be incomplete, but you do not worry about authenticated write (push) access succeeding anyway, do you?
Answer 2:
Maybe this is what you are looking for, git daemon: Git serve: I would like it that simple
There are many interesting answers on that page but none specifically for nginx.
You could then add a proxy pass in nginx like so:
location / {
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:9418; # Port 9418 is the default git daemon port
}
I don't know of a way of allowing only cloning... but the git daemon command is already read-only. So it should do its job.
I hope this helps!
Answer 3:
In his answer, Jakub Narębski suggests:
For "smart" HTTP follow directions for anonymous read access but authenticated write access in git-http-backend manpage, translating it from Apache to nginx, and modifying slightly.
Following his suggestion, I configured nginx and git-http-backend to enable anonymous read access but authenticated write access by using a combination of if, $arg, and rewrite to differentiate between Git read and write operations before invoking git-http-backend:
# /etc/nginx/sites-available/git
server {
    listen 80;
    server_name myhostname;
    access_log /var/log/nginx/git.access.log;
    error_log /var/log/nginx/git.error.log;
    gzip off;
    # Route by Git service: git-receive-pack is a push, git-upload-pack is a clone/fetch.
    # The service shows up as ?service=... on the info/refs request and as the
    # last path component on the POST that follows it.
    location ~ /git(/.*) {
        if ($arg_service = git-receive-pack) {
            rewrite /git(/.*) /git_write$1 last;
        }
        if ($uri ~ ^/git/.*/git-receive-pack$) {
            rewrite /git(/.*) /git_write$1 last;
        }
        if ($arg_service = git-upload-pack) {
            rewrite /git(/.*) /git_read$1 last;
        }
        if ($uri ~ ^/git/.*/git-upload-pack$) {
            rewrite /git(/.*) /git_read$1 last;
        }
    }
    # Reads: no authentication.
    location ~ /git_read(/.*) {
        include git-http-backend.conf;
    }
    # Writes: HTTP basic authentication before git-http-backend is invoked.
    location ~ /git_write(/.*) {
        auth_basic "Pushing to Git repositories is restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        include git-http-backend.conf;
    }
}
Configuration file /etc/nginx/git-http-backend.conf contains the common fastcgi directives that prepare the environment for fastcgi to invoke git-http-backend:
# /etc/nginx/git-http-backend.conf
fastcgi_pass unix:/var/run/fcgiwrap.socket;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /data/git;
fastcgi_param PATH_INFO $1;
fastcgi_param REMOTE_USER $remote_user;
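To check that the read/write split in Answer 3 holds in practice, the access log it configures can be audited for pushes that succeeded without a logged user. The following is an added example, not part of any answer above; it assumes nginx's default "combined" log format, approximates the config's four routing rules, and runs on constructed sample lines with made-up repository and user names.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# nginx default "combined" format: addr - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(target):
    """Apply the config's four rules in order: 'write', 'read' or 'other'."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    service = parse_qs(parts.query).get("service", [""])[0]
    if service == "git-receive-pack" or re.search(r"^/git/.*/git-receive-pack$", path):
        return "write"
    if service == "git-upload-pack" or re.search(r"^/git/.*/git-upload-pack$", path):
        return "read"
    return "other"

def audit(lines):
    """Return (line number, target) for pushes answered 2xx with no logged user."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        if (classify(m["target"]) == "write" and m["user"] == "-"
                and m["status"].startswith("2")):
            findings.append((n, m["target"]))
    return findings

# Constructed sample lines (documentation IPs, hypothetical repo "demo.git", user "alice").
T = "[10/Oct/2023:13:55:36 +0000]"
UA = '"-" "git/2.39.2"'
SAMPLE = [
    f'203.0.113.5 - - {T} "GET /git/demo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 312 {UA}',
    f'203.0.113.5 - - {T} "POST /git/demo.git/git-upload-pack HTTP/1.1" 200 5120 {UA}',
    f'203.0.113.9 - - {T} "GET /git/demo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 195 {UA}',
    f'203.0.113.9 - alice {T} "POST /git/demo.git/git-receive-pack HTTP/1.1" 200 64 {UA}',
    # What a misrouted, unauthenticated push would look like in the log:
    f'203.0.113.7 - - {T} "POST /git/demo.git/git-receive-pack HTTP/1.1" 200 64 {UA}',
]

if __name__ == "__main__":
    for n, target in audit(SAMPLE):
        print(f"line {n}: push succeeded without authentication: {target}")
```

A 401 on the receive-pack info/refs request followed by an authenticated POST is the expected pattern; any finding from `audit` means the write path was served without `auth_basic` being applied.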