[英]Disabling access for git to specific Directory with Apache Basic Authentication
I have git setup with my Apache2 server and it serves git request just fine.我的 Apache2 服务器设置了 git,它可以很好地满足 git 请求。 Now I want to setup Basic Authentication for this, so not everybody can use every directory.
现在我想为此设置基本身份验证,所以不是每个人都可以使用每个目录。 My goal is that only the ADMIN group has access to the complete
/var/www/html/git
directory and my GITGROUP can access only /var/www/html/git/subdir
directories.我的目标是只有 ADMIN 组可以访问完整的
/var/www/html/git
目录,而我的 GITGROUP只能访问/var/www/html/git/subdir
目录。 However, while Apache is asking for credentials, with the setup (below) GITGROUP is still allowed to access all git directories.然而,虽然 Apache 要求提供凭据,但通过设置(如下)仍然允许 GITGROUP 访问所有git 目录。 What am I doing wrong?
我究竟做错了什么?
SetEnv GIT_PROJECT_ROOT /var/www/html/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
<Directory /usr/lib/git-core>
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN GITGROUP
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/html/git>
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN
Options -Indexes
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/html/git/subdir>
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN GITGROUP
Options -Indexes
Order allow,deny
Allow from all
</Directory>
EDIT:编辑:
Based on the answer by @jsvendsgaard I created two ScriptAlias lines for two symlinks to git-core.根据@jsvendsgaard 的回答,我为两个指向 git-core 的符号链接创建了两条 ScriptAlias 行。 After that it is only a matter of assigning the correct GIT_PROJECT_ROOT:
之后,只需分配正确的 GIT_PROJECT_ROOT:
ScriptAlias /gitdir1/ /var/www/html/gitdir1/git-core/git-http-backend/
ScriptAlias /gitdir2/ /var/www/html/gitdir2/git-core/git-http-backend/
<Directory "/var/www/html/gitdir1/git-core">
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN
Options +ExecCGI -MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
<Directory "/var/www/html/gitdir2/git-core">
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN GITGROUP
Options +ExecCGI -MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
<Location "/gitdir1/">
SetEnv GIT_PROJECT_ROOT /var/www/html/gitdir1
SetEnv GIT_HTTP_EXPORT_ALL
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN
</Location>
<Location "/gitdir2/">
SetEnv GIT_PROJECT_ROOT /var/www/html/gitdir2
SetEnv GIT_HTTP_EXPORT_ALL
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN GITGROUP
</Location>
I believe I had a similar need.我相信我也有类似的需求。 I was able to get my solution working on a RedHat server.
我能够让我的解决方案在 RedHat 服务器上运行。
Solution Using Apache 2.4使用 Apache 2.4 的解决方案
The problem I found is that the git-http-backend script really controls all access to the repositories.我发现的问题是 git-http-backend 脚本确实控制了对存储库的所有访问。 Additionally, ScriptAlias is configured as such that it will be routing all /git/ requests to git-http-backend, regardless of the rest of the path.
此外,ScriptAlias 配置为将所有 /git/ 请求路由到 git-http-backend,而不考虑路径的 rest。 And, because you have provided access to this script for GITGROUP, that group will have access to any repository starting with /git/ in the URL.
而且,由于您已为 GITGROUP 提供了对该脚本的访问权限,因此该组将有权访问 URL 中以 /git/ 开头的任何存储库。 As per the documentation,
根据文档,
https://git-scm.com/docs/git-http-backend https://git-scm.com/docs/git-http-backend
git-http-backend knows the location to each repository because Apache is providing it with an environment variable. git-http-backend 知道每个存储库的位置,因为 Apache 为它提供了一个环境变量。 I suspect this means that git-http-backend is the only process on the server that directly accesses your repositories, and then provides the response back to Apache.
我怀疑这意味着 git-http-backend 是服务器上唯一直接访问您的存储库的进程,然后将响应返回给 Apache。
My solution adds a few extra steps.我的解决方案增加了一些额外的步骤。 Essentially, you would force any access to git-http-backend to occur only after you have already authenticated to the location of your repository, not before.
本质上,您将强制对 git-http-backend 的任何访问仅在您已经对存储库的位置进行身份验证之后才会发生,而不是之前。 This is done by placing a link to the script in the repository directory itself, and then authenticating that location.
这是通过在存储库目录本身中放置脚本的链接,然后验证该位置来完成的。
NOTE: I've only done this with bare repositories (git init --bare).注意:我只使用裸存储库(git init --bare)完成此操作。 I suspect that if for some reason you need to use a non-bare repository, this solution would need some tweaking (Ideas on that at the end):
我怀疑如果由于某种原因您需要使用非裸存储库,则此解决方案需要进行一些调整(最后的想法):
In a nutshell:简而言之:
Details:细节:
ln -s /usr/libexec/git-core /var/www/html/git/subdir/git-core
ln -s /usr/libexec/git-core /var/www/html/git/subdir/git-core
ScriptAliasMatch \
"(?x)^/git/(.*/)((HEAD | \
info/refs | \
objects/(info/[^/]+ | \
[0-9a-f]{2}/[0-9a-f]{38} | \
pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
git-(upload|receive)-pack))$" \
"/var/www/html/git/$1/git-core/git-http-backend/$2"
<Location /git/subdir1.git> SetEnv GIT_PROJECT_ROOT /var/www/html/git/subdir1.git SetEnv GIT_HTTP_EXPORT_ALL AuthType Basic AuthName "Authorization Required"... <the rest of your authentication details here>... </Location> <Location /git/subdir2.git> SetEnv GIT_PROJECT_ROOT /var/www/html/git/subdir2.git SetEnv GIT_HTTP_EXPORT_ALL AuthType Basic AuthName "Authorization Required"... <the rest of your authentication details here>... </Location>
<Directory /var/www/html/git/subdir1.git/git-core> Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch -Indexes Allowoverride None </Directory> <Directory /var/www/html/git/subdir2.git/git-core> Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch -Indexes Allowoverride None </Directory>
If you're not using a bare repository:如果您不使用裸存储库:
I only use bare repositories on the git server, but I think that you might see an issue creating this symlink if you didn't have bare repositories.我只在 git 服务器上使用裸存储库,但我认为如果您没有裸存储库,您可能会看到创建此符号链接的问题。 What I'm worried is that someone could somehow add your link to the repository.
我担心的是有人会以某种方式将您的链接添加到存储库。 I'm not sure if this is possible, but a couple of ideas to get around it:
我不确定这是否可能,但有几个想法可以解决它:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.