After seeing a presentation from Linus Torvalds I decided to read more about git. After looking into git more a I have decided to slowly move to git. New projects will be using git instead of subversion and I will move some existing projects over to git when I get the chance.
The first question that arises in such a case is how to deploy it. Of course, there are free solutions available such as github, but this some disadvantages for me. First of all, the access will be slower compared to a solution that I host at home, and second, I also have private repositories and these are really private so I really don’t want them to be hosted on github (even if github protects the data). Apart from this, the distributed nature of git would allow me anyway to easily put source code for an open source project on github, should one of my projects ever become popular.
So the question remains on how to host it at home. Of course, I have my current infrastructure already consisting of a linux server running apache. Looking at the options for exposing GIT, there are several solutions:
Alternative | Pros | Cons |
ssh Remote access through ssh. |
|
|
apache webdav remote access through apache using webdav |
|
|
apache smart http remote access using apache with CGI based solution (basically using HTTP as transport for git). |
|
|
git native |
|
|
In the above table, the phrase “trusting a client” means trusting the client software. Allowing a client full control over the modification of the repository files is risky. There could be clients with bugs or clients using different versions of git and there could even be malicious clients that could corrupt a repository. This risk is not present with the native git and smart http approaches.
As is clear from the above, ssh is the most problematic of all. On the other end, git is the most efficient but lacks the requires security and requires me to open up yet another port on the firewall and run yet another service. Because of these reasons I decided on an HTTP based setup. In fact, I experimented early on with the webdav based approach simply because I didn’t find the smart http approach which is relatively new. The setup however did show that HTTP webdav is much slower than the smart http setup. In fact, I think smart http is also faster than subversion when pushing changes.
The setup of smart HTTP is quite easy, basically it is a CGI based approach where HTTP requests are delegated to a CGI helper program which does the work. In effect, this is the git protocol over HTTP. Standard apache features are used to implement authentication and authorization. The smart HTTP approach is described already quite well here and here, but I encountered some issues and would like to clarify what I did to get it working.
These are the steps I took to get it working on opensuse 11.3:
- Setup the user accounts and groups that you need to authenticate against using htpasswd and put it in a file /etc/apache2/conf.d/git.passwd
- Make sure that the cgi, alias, and env modules are enabled by checking the APACHE_MODULES setting in /etc/sysconfig/apache2.
- Now we are going to edit the apache configuration file for the (virtual) domain we are using. In this example, I assume we have /data/git/public hosting public repositories (anonymous read and authenticated write) and /data/git/private hosting private repositories (authenticated read and write). Also the git repositories are going to be exposed under a /git context root.
- by default export all repositories that are found
SetEnv GIT_HTTP_EXPORT_ALL
This can also be configured on a per repository basis, see the git-http-backend page for details.
- Configure the CGI program used to handle requests for git.
ScriptAlias /git/ /usr/lib/git/git-http-backend/
This directive had me quite puzzled because the apache documentation mentions that the second ScriptAlias argument should be a directory, but in this case it is an executable and it works.
- Set the root directory where git repositories reside
SetEnv GIT_PROJECT_ROOT /data/git
- By default, the git-http-backend allows push for authenticated
users and this directive tells the backend when a user is authenticated.SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
I had to google a lot to find this one because it is not mentioned in the documentation. Without this, I had to configure “http.receivepack” to “true” for every repository to allow “git push”.
- General CGI configuration allowing the execution of the CGI programs. This is more or less self explanatory
<Directory "/usr/lib/git/"> AllowOverride None Options +ExecCGI -Includes Order allow,deny Allow from all </Directory>
- Next is the configuration of the public repositories
<LocationMatch "^/git/public/.*/git-receive-pack$"> AuthType Basic AuthName "Public Git Repositories on wamblee.org" AuthUserFile /etc/apache2/conf.d/git.passwd Require valid-user </LocationMatch>
This requires an authenticated user for every push request. See the apache documentation for the various options such as requiring the user to belong to a group. In my setup, I simply use one global git.passwd file and any authenticated user has access to any repository.
- Finally, there is the setup of the private repositories, which requires a valid user for any URL.
<LocationMatch "^/git/private/.*$"> AuthType Basic AuthName "Private Git Repositories on wamblee.org" AuthUserFile /etc/apache2/conf.d/git.passwd Require valid-user </LocationMatch>
In this case I could have also used a “Location” element instead of “LocationMatch”.
- Finally restart apache using
/etc/init.d/apache restart
or (“force-reload”) and try it out.
- by default export all repositories that are found
Hope this helps others setting up their git servers on linux. In my experience this setup is quite fast for both push and pull. I am currently working on one project that you can access by doing
git clone https://wamblee.org/git/public/xmlrouter
A gitweb interface for browsing the public repositories is here.
Have a lot of fun!
Pingback: How To Setup User Authentication in Apache - LINUX REVIEW – LINUX REVIEW
Pingback: Code Bits » Armando un servidor de git
Pingback: 在Linux上用Apache搭建Git服务器 | 版本控制学习
Thanks a lot for posting this useful tutorial.
I’ve a question … If we’ve more than one repositories on a server and every repository is to be protected with separate username/password then what is the best approach to achieve this?
I think for each repository folder we would be maintaining diferent .httaccess file? can you advice where to put that .htaccess files and what changes would be required in apache config.
Thanks
My first setup would be to use separate LocationMatch directives for every repository. If you would use a lot of repositories then perhaps a second step would be to create a shell script to generate the apache directives and use a more compact definition of your git repositories with perhaps one line per git repository.
I didn’t think this way. Thank for the tip. Will give it a try.
Best Regards,
AT
I’m going to attempt a MOD_AUTH_MYSQL approach. And hopefully setup a directory linked user structure. I’m really on the fence between git and svn because of usermanagememt/protocols beeing such a hassle.
Hello,
I have followed your step by step procedure,
but I’am new on Git, so I need an help to create a new git repos on the server side.
GIT_PROJECT_ROOT is /srv/git/
So on the host server I did
**Create a project folder
hostname:/srv/git/foo-project.git# mkdir /srv/git/foo-project.git
**Initialize Git repos
hostname:/srv/git/foo-project.git # git –bare init
**Set apache ownership to the repos
hostname:/srv/git/foo-project.git # chown -R wwwrun:www /srv/git
From the client I did execute:
$ git init
Initialized empty Git repository in c:/Temp/GIT_workspace/.git/
$ touch readme.txt
$ git add *
$ git commit -m “My initial commit message”
[master (root-commit) 59af4fe] My initial commit message
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 readme.txt
$ git remote add origin http://10.151.9.113/git/public/foo_project.git
$ git remote -v
origin http://10.151.9.113/git/public/foo_project.git (fetch)
origin http://10.151.9.113/git/public/foo_project.git (push)
$ git push origin master
fatal: repository ‘http://10.151.9.113/git/public/foo_project.git/’ not found
What’s wrong?
Thanks for your help
Mario
I would first examine your apache logs. Are you sure that /git/public in your url is mapped to /srv/git on the server side? Or is /git mapped to /srv/git. In my setup in the blog post, /git is mapped to /data/git and so /git/public/myrepo.git would point to the /data/git/public/myrepo.git