Git server setup on linux using smart HTTP

After seeing a presentation from Linus Torvalds I decided to read more about git. After looking into git more a I have decided to slowly move to git. New projects will be using git instead of subversion and I will move some existing projects over to git when I get the chance.

The first question that arises in such a case is how to deploy it. Of course, there are free solutions available such as github, but this some disadvantages for me. First of all, the access will be slower compared to a solution that I host at home, and second, I also have private repositories and these are really private so I really don’t want them to be hosted on github (even if github protects the data). Apart from this, the distributed nature of git would allow me anyway to easily put source code for an open source project on github, should one of my projects ever become popular.

So the question remains on how to host it at home. Of course, I have my current infrastructure already consisting of a linux server running apache. Looking at the options for exposing GIT, there are several solutions:

Alternative Pros Cons
ssh

Remote access through ssh.
  • Zero setup time because ssh is already running
  • requires complete trust of a client. Possible version incompatibilities.
  • requires a system account for every user and additional configuration to prevent logins and other types of access.
  • (corporate) firewalls can block SSH making it inaccessible from there.
apache webdav

remote access through apache using webdav
  • easy to setup, simple apache configuration
  • uses proven apache stability and security
  • additional configuration required in git to make this work (git update-server-info).
  • requires complete trust of a client, same risk with version incompatibilities
  • definite performance impact.
apache smart http

remote access using apache with CGI based solution (basically using HTTP as transport for git).
  • easy to setup
  • uses proven apache stability and security
  • does not require trusting a particular client
  • some overhead of HTTP (alhough much less than with webdav)
git native
  • doesn’t require trusting a client.
  • most efficient solution
  • does not easily pass through firewalls
  • server code maturity
  • lack of authentication.

In the above table, the phrase “trusting a client” means trusting the client software. Allowing a client full control over the modification of the repository files is risky. There could be clients with bugs or clients using different versions of git and there could even be malicious clients that could corrupt a repository. This risk is not present with the native git and smart http approaches.

As is clear from the above, ssh is the most problematic of all. On the other end, git is the most efficient but lacks the requires security and requires me to open up yet another port on the firewall and run yet another service. Because of these reasons I decided on an HTTP based setup. In fact, I experimented early on with the webdav based approach simply because I didn’t find the smart http approach which is relatively new. The setup however did show that HTTP webdav is much slower than the smart http setup. In fact, I think smart http is also faster than subversion when pushing changes.

The setup of smart HTTP is quite easy, basically it is a CGI based approach where HTTP requests are delegated to a CGI helper program which does the work. In effect, this is the git protocol over HTTP. Standard apache features are used to implement authentication and authorization. The smart HTTP approach is described already quite well here and here, but I encountered some issues and would like to clarify what I did to get it working.

These are the steps I took to get it working on opensuse 11.3:

  • Setup the user accounts and groups that you need to authenticate against using htpasswd and put it in a file /etc/apache2/conf.d/git.passwd
  • Make sure that the cgi, alias, and env modules are enabled by checking the APACHE_MODULES setting in /etc/sysconfig/apache2.
  • Now we are going to edit the apache configuration file for the (virtual) domain we are using. In this example, I assume we have /data/git/public hosting public repositories (anonymous read and authenticated write) and /data/git/private hosting private repositories (authenticated read and write). Also the git repositories are going to be exposed under a /git context root.
    • by default export all repositories that are found
      SetEnv GIT_HTTP_EXPORT_ALL

      This can also be configured on a per repository basis, see the git-http-backend page for details.

    • Configure the CGI program used to handle requests for git.
      ScriptAlias /git/ /usr/lib/git/git-http-backend/

      This directive had me quite puzzled because the apache documentation mentions that the second ScriptAlias argument should be a directory, but in this case it is an executable and it works.

    • Set the root directory where git repositories reside
      SetEnv GIT_PROJECT_ROOT /data/git
    • By default, the git-http-backend allows push for authenticated
      users and this directive tells the backend when a user is authenticated.
      SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

      I had to google a lot to find this one because it is not mentioned in the documentation. Without this, I had to configure “http.receivepack” to “true” for every repository to allow “git push”.

    • General CGI configuration allowing the execution of the CGI programs. This is more or less self explanatory
      <Directory "/usr/lib/git/">
        AllowOverride None
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all
      </Directory>
    • Next is the configuration of the public repositories
      <LocationMatch "^/git/public/.*/git-receive-pack$">
        AuthType Basic
        AuthName "Public Git Repositories on wamblee.org"
        AuthUserFile /etc/apache2/conf.d/git.passwd
        Require valid-user
      </LocationMatch>

      This requires an authenticated user for every push request. See the apache documentation for the various options such as requiring the user to belong to a group. In my setup, I simply use one global git.passwd file and any authenticated user has access to any repository.

    • Finally, there is the setup of the private repositories, which requires a valid user for any URL.
      <LocationMatch "^/git/private/.*$">
        AuthType Basic
        AuthName "Private Git Repositories on wamblee.org"
        AuthUserFile /etc/apache2/conf.d/git.passwd
        Require valid-user
      </LocationMatch>

      In this case I could have also used a “Location” element instead of “LocationMatch”.

    • Finally restart apache using
      /etc/init.d/apache restart

      or (“force-reload”) and try it out.

Hope this helps others setting up their git servers on linux. In my experience this setup is quite fast for both push and pull. I am currently working on one project that you can access by doing

  git clone https://wamblee.org/git/public/xmlrouter

A gitweb interface for browsing the public repositories is here.

Have a lot of fun!

This entry was posted in Server/LAN. Bookmark the permalink.

3 Responses to Git server setup on linux using smart HTTP

  1. Pingback: How To Setup User Authentication in Apache - LINUX REVIEW – LINUX REVIEW

  2. Pingback: Code Bits » Armando un servidor de git

  3. Pingback: 在Linux上用Apache搭建Git服务器 | 版本控制学习

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>