Despite all the links I've found on how to configure git/nginx to get my repos, I can't make them work.
I followed this tutorial, Git repository over HTTP WebDAV with nginx, but the user/password restriction doesn't work. Anyone can clone the repository.
I'm coming from a configuration using SVN + Apache + DAV_SVN, with a file for passwords (created with htpasswd) and a file for the authz. I'd like to do the same using git + nginx. How is that possible?
Thanks for your help!
Take a look at the following article, http://www.toofishes.net/blog/git-smart-http-transport-nginx/
It provides a sample nginx config:
    http {
        ...
        server {
            listen 80;
            server_name git.mydomain.com;

            location ~ /git(/.*) {
                # fcgiwrap is set up to listen on this host:port
                fastcgi_pass localhost:9001;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
                # export all repositories under GIT_PROJECT_ROOT
                fastcgi_param GIT_HTTP_EXPORT_ALL "";
                fastcgi_param GIT_PROJECT_ROOT /srv/git;
                fastcgi_param PATH_INFO $1;
            }
        }
    }
What this does is pass your repo, which is located after /git in the URL, to /usr/lib/git-core/git-http-backend. For example, http://git.mydomain.com/git/someapp would point to the someapp repository. This repo would be located in /srv/git/someapp, as defined in the fastcgi_param of GIT_PROJECT_ROOT, and can be changed to fit your server.
This is very useful and you can apply HttpAuthBasicModule to nginx to password protect your repo's access via HTTP.
Edit: If you are missing git-http-backend, you can install the git-core package on Ubuntu/Debian, or on RPM-based platforms look at How can git be installed on CENTOS 5.5?
Here is a full configuration for Git over HTTP, with TLS encryption, Basic Auth, and GitWeb (a very simple repositories viewer). I assume that the repositories' root is in /home/git.
    # Remove this block if you don't want TLS
    server {
        listen 80;
        server_name git.YOURDOMAIN.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl; # Replace 443 ssl by 80 if you don't want TLS
        server_name git.YOURDOMAIN.com;
        root /usr/share/gitweb; # Remove if you don't want Gitweb

        error_log /home/git/nginx-error.log;
        access_log /home/git/nginx-access.log;

        # Remove ssl_* lines if you don't want TLS
        ssl_certificate /etc/letsencrypt/live/git.YOURDOMAIN.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/git.YOURDOMAIN.com/privkey.pem;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2+ is enabled.
        # TLSv1.3 needs nginx 1.13+ built with OpenSSL 1.1.1; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        # Remove auth_* if you don't want HTTP Basic Auth
        # (set at server level, so every location below inherits it)
        auth_basic "YOURDOMAIN Git";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # static repo files for cloning over https
        # (the dot before pack|idx is escaped so it only matches a literal ".")
        location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+\.(pack|idx))$ {
            root /home/git/;
        }

        # requests that need to go to git-http-backend
        location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
            root /home/git/;
            fastcgi_pass unix:/var/run/fcgiwrap.socket;
            fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
            fastcgi_param PATH_INFO $uri;
            fastcgi_param GIT_PROJECT_ROOT $document_root;
            fastcgi_param GIT_HTTP_EXPORT_ALL "";
            # pass the authenticated user name on to git-http-backend
            fastcgi_param REMOTE_USER $remote_user;
            include fastcgi_params;
        }

        # Remove everything below if you don't want Gitweb
        try_files $uri @gitweb;
        location @gitweb {
            fastcgi_pass unix:/var/run/fcgiwrap.socket;
            fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
            fastcgi_param PATH_INFO $uri;
            fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
            include fastcgi_params;
        }
    }
You have to install Git, Gitweb and FastCgiWrap:

    sudo apt-get install git gitweb fcgiwrap

For TLS, I use Let's Encrypt free certificates.

    sudo letsencrypt certonly -d git.YOURDOMAIN.com --rsa-key-size 4096

To access Gitweb, just browse to git.YOURDOMAIN.com. You will also need to configure it to set the repositories' root:

    sudo vim /etc/gitweb.conf
In order to get HTTP Basic Auth, you have to use the htpasswd command to add users to /etc/nginx/.htpasswd:

    sudo apt-get install apache2-utils
    sudo htpasswd -c /etc/nginx/.htpasswd username

Remove the -c switch the next time you run the command, because it only creates the file (Nginx doesn't have a .htpasswd file by default in its configuration directory).
If you want something more complex, powerful, GitHub-like, check Gitlab.
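
To confirm that the auth_basic settings really cover every Git endpoint (the question's symptom was that anyone could clone), the script below requests each path a Git client uses, without credentials, and reports any that do not answer 401. It is an added example, not part of either answer; the script name, the repository URL and the probe object path are assumptions.

```shell
#!/bin/sh
# Added example, not from the answers above.
# Usage: sh check-git-auth.sh https://git.YOURDOMAIN.com/REPO.git
# (script name and REPO.git are placeholders)

# Constructed loose-object path: it need not exist, it only has to match
# the static "objects/" location so that block's auth is exercised too.
PROBE_OBJECT='objects/00/00000000000000000000000000000000000000'

# Print the HTTP status of a GET sent without any credentials.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Print "<status> <path>" for every Git endpoint that does not answer 401.
# Returns 1 if at least one such endpoint exists, 0 otherwise.
unprotected_paths() {
    repo_url=${1%/}
    found=0
    for p in \
        'info/refs?service=git-upload-pack' \
        'info/refs?service=git-receive-pack' \
        'git-upload-pack' \
        'git-receive-pack' \
        'HEAD' \
        'objects/info/packs' \
        "$PROBE_OBJECT"
    do
        # 000 means curl could not connect; report it as "not verified".
        code=$(http_status "$repo_url/$p") || code=${code:-000}
        if [ "$code" != "401" ]; then
            printf '%s %s\n' "$code" "$p"
            found=1
        fi
    done
    return "$found"
}

# Run only when a repository URL is given on the command line.
[ "$#" -eq 0 ] || unprotected_paths "$1"
```

A status such as 200, 404 or 405 in the output means nginx handled that request without asking for credentials, so the location serving it is not covered by auth_basic. Use the https URL: the port-80 server block answers 301 before any authentication is evaluated.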