Setting up Git Server on Windows With git-http-backend.exe

Question

Hi all,

I am in the process of setting up a Git server (1.7.2.3) on a WS 2008 machine using Apache and git-http-backend.exe. I have been following a good tut here. I have the GUI working, I can annoymously clone and if I put the following in the config of a repo I can annoymously push:

[http]
 receivepack = true

I have added the following to the httpd.conf file:

SetEnv GIT_PROJECT_ROOT C:/GIT/Repositories
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAliasMatch \
        "(?x)^/(.*/(HEAD | \
                    info/refs | \
                    objects/(info/[^/]+ | \
                             [0-9a-f]{2}/[0-9a-f]{38} | \
                             pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                    git-(upload|receive)-pack))$" \
                    "C:/Program Files (x86)/git/libexec/git-core/git-http-backend.exe/$1"

<Directory />
  Allow from all
</Directory>

<LocationMatch "^/git/.*/git-receive-pack$">
        AuthType Basic
        AuthName "Git Access"
  AuthUserFile C:/GIT/ApacheConfig/users
  AuthGroupFile  C:/GIT/ApacheConfig/groups
        Require group repogeneral        
</LocationMatch>

When I add the "LocationMatch" I can still clone annoymously or by specifying a name in the URL, git clone http://[email protected]

It will prompt for a password and clone.

but when I try to push back to the repo I get the following:

error: Cannot access URL http://[email protected]/newtestrepo.git/, return code 22 fatal: git-http-push failed

I have been looking at the http-backend.exe man page for examples but can not get them to work.

here is my groups file, (this is just testing out examples so nothing that would be used in prod):

admin: jon steve admin
webview: jon steve web
repogeneral: jon steve
testrepo: jon admin
testrepo2: jon steve web

here is the users file:

jon:$apr1$kEKVExYx$guIF9oYV8buGhFLZr16XN0
steve:$apr1$jvgjF9nv$PvWsHH.cSOBN5ymk6NT1B0
admin:$apr1$vzXgDskN$oszCei3tkHNUgtLj2HkHF/
web:$apr1$wS0do7hb$VA9tsc9c9LwY5PcjfhdwK0

I know the username jon works as if I put the directory requirement on the gui section I can login with the username jon no problem, (points at the same user and group files as the locationmatch does).

I am not sure what configuration I have missed off at this point, (assuming its a configuration issue).

Any advice on getting over this last hurdle would be fantastic.

EDIT

I have been playing some more and here is the information I have:

if I clone a repo with:

git clone http://[email protected]/remotetest.git

I can get the repository out, but when I try and push back with:

git push origin master

I get asked for my password, I enter it, then it asks for it again, then I get the following error:

C:\temp\remotetest\remotetest>git push origin master Password: Password: error: Cannot access URL http://[email protected]/remotetest.git/, return code 22 fatal: git-http-push failed

In my Apache access.log I get the following:

192.168.1.2 - - [29/Sep/2010:21:58:19 +0100] "GET /remotetest.git/info/refs?service=git-upload-pack HTTP/1.1" 200 38
192.168.1.2 - - [29/Sep/2010:21:58:51 +0100] "GET /remotetest.git/info/refs?service=git-receive-pack HTTP/1.1" 403 -
192.168.1.2 - - [29/Sep/2010:21:58:51 +0100] "GET /remotetest.git/info/refs HTTP/1.1" 200 -
192.168.1.2 - - [29/Sep/2010:21:58:51 +0100] "GET /remotetest.git/HEAD HTTP/1.1" 200 23

Interestingly when I clone with the username in the URL it doesn't matter what password I put in, it will still work. I am assuming this is because I should be able to pull anonymously. Not sure why it asks for a password at all at that point.

I also see this in the logs error:

[Wed Sep 29 22:33:00 2010] [error] [client 192.168.1.2] client denied by server configuration: C:/Program Files (x86)/Git/libexec/git-core/git-http-backend.exe
[Wed Sep 29 22:33:00 2010] [error] [client 192.168.1.2] client denied by server configuration: C:/Program Files (x86)/Git/libexec/git-core/git-http-backend.exe

EDIT 2

I tried recreating the password file by doing:

htpasswd -c -m C:/git/apacheconfig/users jon

but this didn't help.

EDIT 3

the PHP config in httpd.conf where it uses the same users file for basic auth:

<Directory "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs">
    AuthName "GitUsers"
    AuthType Basic
    AuthUserFile C:/GIT/ApacheConfig/users
AuthGroupFile  C:/GIT/ApacheConfig/groups

    require group webview
</Directory>

EDIT 4

OK so I can get to cloning and pushing in annoymous mode happily, but authentication fails for the push.

C:\temp\test2\temp\test>git push origin master
Password:
Password:
error: Cannot access URL http://[email protected]:8000/repositories/test.git/, return code 22
fatal: git-http-push failed

I changed the httpd.conf to use the following:

<VirtualHost *:80>
    SetEnv GIT_PROJECT_ROOT "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/repositories"
    SetEnv GIT_HTTP_EXPORT_ALL

    <Directory "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/repositories">
       Options Indexes FollowSymLinks MultiViews Includes ExecCGI
       AllowOverride None
       Order allow,deny
       Allow from all
    </Directory>

    <LocationMatch "^/repositories/.*/git-receive-pack$">
        AuthType Basic
        AuthName "Git Access"
        AuthUserFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/repositories/.htpasswd"
        Require valid-user
    </LocationMatch>
    ScriptAliasMatch \
            "(?x)^/repositories/(.*/(HEAD | \
                            info/refs | \
                            objects/(info/[^/]+ | \
                                     [0-9a-f]{2}/[0-9a-f]{38} | \
                                     pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                            git-(upload|receive)-pack))$" \
            "C:/Program Files (x86)/Git/libexec/git-core/git-http-backend/$1"

    ErrorLog C:/GIT/error_log
    CustomLog C:/GIT/access_log combined
</VirtualHost>

Interestingly, when I created a new repo (git init --bare newrepo.git) It didn't create a info/refs file. I had to do the "git update-server-info" command to create that.

The Apache Access logs have something interesting that could be a clue:

192.168.10.97 - - [05/Oct/2010:22:48:26 +0100] "GET /repositories/test.git/info/refs?service=git-receive-pack HTTP/1.1" 200 -
192.168.10.97 - - [05/Oct/2010:22:48:26 +0100] "GET /repositories/test.git/HEAD HTTP/1.1" 200 23
192.168.10.97 - - [05/Oct/2010:22:48:28 +0100] "PROPFIND /repositories/test.git/ HTTP/1.1" 405 248

That is when I was trying to "push" back to the repo, but they are GET commands and no POST. not sure what the PROPFIND is, not found much info on that yet. I think, (reading around), there might be some sort of rewrite going on, that is changing the POST to a GET and killing it, or something. I am out of my depth at this point though.

Thanks

Answer 1

If you are using AuthType Basic, that means, as this tutorial points out, that:

• you need to add users and passwords to the .htpasswd file (defined by the AuthUserFile directive, which doesn't seem to point to a file in your case)
• you have to add the same user and password on the client machine under ~/.netrc.

Note, if you upgrade to the very latest msysgit 1.7.3.1 (released 18 hours ago), its release notes mentions:

curl uses $HOME/_netrc instead of $HOME/.netrc.

So if you are using a _netrc with that "Git for Windows" version, it should be correctly taken into account (and not ask you anymore for your password).

The comments of the aforementioned tutorial are instructive as well (I am not sure if they are directly relevant to your case though). For instance:

Got clone to work. Should have paid more attention to the git-http-backend man page.
I added the file git-daemon-export-ok to /website.com/git/myproject.git and all went well.

Answer 2

OK, so hell has frozen over and I have finally got this working!

I believe there were two things that were fundamentally wrong with my setup.

1) The user was not getting authentication passed through, I found this helped:

SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

Secondly I couldn't get the physical "Directory" to work.

<Directory "C:/GIT/Apache/repositories">
Options +ExecCGI
AuthType Basic
AuthName intranet
AuthUserFile "C:/GIT/Apache/config/users"
Require valid-user
</Directory>

To resolve this I used locationMatch for both the pull and push. This means you have to authenticate to pull and push. If you wanted annoy pulling you can remove the "git-upload-pack" section.

Hope this may help someone else.

Here is my final httpd.conf file:

DocumentRoot "C:/GIT/Apache/www"

<Directory />
Options +ExecCGI
Allow from all  
</Directory>

<Directory "C:/GIT/Apache/www">
  Allow from all
</Directory>

<Directory "C:/GIT/Apache/www/secure">
AuthType Basic
AuthName intranet
AuthUserFile "C:/GIT/Apache/config/users"
require valid-user
</Directory>

SetEnv GIT_PROJECT_ROOT C:/GIT/Apache/repositories
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
ScriptAliasMatch \
    "(?x)^/(.*/(HEAD | \
                    info/refs | \
                    objects/(info/[^/]+ | \
                             [0-9a-f]{2}/[0-9a-f]{38} | \
                             pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                    git-(upload|receive)-pack))$" \
                    "C:/Program Files/git/libexec/git-core/git-http-backend.exe/$1"


<LocationMatch "^/.*/git-receive-pack$">
Options +ExecCGI
AuthType Basic
AuthName intranet
AuthUserFile "C:/GIT/Apache/config/users"
Require valid-user
</LocationMatch>

<LocationMatch "^/.*/git-upload-pack$">
Options +ExecCGI
AuthType Basic
AuthName intranet
AuthUserFile "C:/GIT/Apache/config/users"
Require valid-user
</LocationMatch>