Git commands via HTTP Basic Auth

Question

I'm using Gitlab 7 via Nginx+Unicorn. Once I had enabled HTTP Basic Auth, git commands like "git push" or "git pull" stopped working. Without HTTP Basic Auth all working well. How I may fix it? I need to enable the HTTP Basic Auth without any damage for developers. My nginx conf-file for gitlab:

upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
}
server {
  listen *:80 default_server;
  server_name gitlab.delfit.com;
  server_tokens off;
  root /home/git/gitlab/public;

  client_max_body_size 300m;

  # individual nginx logs for this gitlab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
    # serve static files from defined root folder;.
    # @gitlab is a named location for the upstream fallback, see below
    try_files $uri $uri/index.html $uri.html @gitlab;
  }

  # if a file, which is not found in the root folder is requested,
  # then the proxy pass the request to the upsteam (gitlab unicorn)
  location @gitlab {
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect     off;

    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_set_header   Host              $http_host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

#    auth_basic "Restricted";
#    auth_basic_user_file /home/git/gitlab/.htpasswd;    

    proxy_pass http://gitlab;
  }

  error_page 502 /502.html;
}

The error after enabling basic auth is:

user@machine:~/git/myproject$ git push
fatal: Authentication failed for 'http://gitlab.myorg.com/user/repo.git'

Thanks in advance!

Answer 1

So you've managed to add two layers of authentication. One at the nginx layer, then Gitlab has it's own when you push/pull repositories.

Here's the flow you've created. When someone pushes code, they are attempting to authenticate against the nginx authentication, and not against Gitlab. Once the user is authenticated against nginx, they'll have to authenticate against Gitlab. Then you'll authenticate against gitlab, but that will unauthenticate you against nginx because HTTP can only hold one set of credentials.

I'd personally just let Gitlab's built in authentication do it's job. But if you really have to have authentication at nginx, I see two options. Switch pushing and pulling from Gitlab to SSH, and don't use HTTP to push and pull repositories. Or, put a conditional statement in nginx to not prompt for authentication when the URL matches {repo}.git or similar format. But to be warned, if is evil in nginx .