Git server setup on linux using smart HTTP

After seeing a presentation from Linus Torvalds I decided to read more about git. After looking into git more a I have decided to slowly move to git. New projects will be using git instead of subversion and I will move some existing projects over to git when I get the chance.

The first question that arises in such a case is how to deploy it. Of course, there are free solutions available such as github, but this some disadvantages for me. First of all, the access will be slower compared to a solution that I host at home, and second, I also have private repositories and these are really private so I really don’t want them to be hosted on github (even if github protects the data). Apart from this, the distributed nature of git would allow me anyway to easily put source code for an open source project on github, should one of my projects ever become popular.

So the question remains on how to host it at home. Of course, I have my current infrastructure already consisting of a linux server running apache. Looking at the options for exposing GIT, there are several solutions:

Alternative Pros Cons
ssh
Remote access through ssh.
  • Zero setup time because ssh is already running
  • requires complete trust of a client. Possible version incompatibilities.
  • requires a system account for every user and additional configuration to prevent logins and other types of access.
  • (corporate) firewalls can block SSH making it inaccessible from there.
apache webdav
remote access through apache using webdav
  • easy to setup, simple apache configuration
  • uses proven apache stability and security
  • additional configuration required in git to make this work (git update-server-info).
  • requires complete trust of a client, same risk with version incompatibilities
  • definite performance impact.
apache smart http
remote access using apache with CGI based solution (basically using HTTP as transport for git).
  • easy to setup
  • uses proven apache stability and security
  • does not require trusting a particular client
  • some overhead of HTTP (alhough much less than with webdav)
git native
  • doesn’t require trusting a client.
  • most efficient solution
  • does not easily pass through firewalls
  • server code maturity
  • lack of authentication.

In the above table, the phrase “trusting a client” means trusting the client software. Allowing a client full control over the modification of the repository files is risky. There could be clients with bugs or clients using different versions of git and there could even be malicious clients that could corrupt a repository. This risk is not present with the native git and smart http approaches.

As is clear from the above, ssh is the most problematic of all. On the other end, git is the most efficient but lacks the requires security and requires me to open up yet another port on the firewall and run yet another service. Because of these reasons I decided on an HTTP based setup. In fact, I experimented early on with the webdav based approach simply because I didn’t find the smart http approach which is relatively new. The setup however did show that HTTP webdav is much slower than the smart http setup. In fact, I think smart http is also faster than subversion when pushing changes.

The setup of smart HTTP is quite easy, basically it is a CGI based approach where HTTP requests are delegated to a CGI helper program which does the work. In effect, this is the git protocol over HTTP. Standard apache features are used to implement authentication and authorization. The smart HTTP approach is described already quite well here and here, but I encountered some issues and would like to clarify what I did to get it working.

These are the steps I took to get it working on opensuse 11.3:

  • Setup the user accounts and groups that you need to authenticate against using htpasswd and put it in a file /etc/apache2/conf.d/git.passwd
  • Make sure that the cgi, alias, and env modules are enabled by checking the APACHE_MODULES setting in /etc/sysconfig/apache2.
  • Now we are going to edit the apache configuration file for the (virtual) domain we are using. In this example, I assume we have /data/git/public hosting public repositories (anonymous read and authenticated write) and /data/git/private hosting private repositories (authenticated read and write). Also the git repositories are going to be exposed under a /git context root.
    • by default export all repositories that are found
      SetEnv GIT_HTTP_EXPORT_ALL

      This can also be configured on a per repository basis, see the git-http-backend page for details.

    • Configure the CGI program used to handle requests for git.
      ScriptAlias /git/ /usr/lib/git/git-http-backend/

      This directive had me quite puzzled because the apache documentation mentions that the second ScriptAlias argument should be a directory, but in this case it is an executable and it works.

    • Set the root directory where git repositories reside
      SetEnv GIT_PROJECT_ROOT /data/git
    • By default, the git-http-backend allows push for authenticated
      users and this directive tells the backend when a user is authenticated.

      SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

      I had to google a lot to find this one because it is not mentioned in the documentation. Without this, I had to configure “http.receivepack” to “true” for every repository to allow “git push”.

    • General CGI configuration allowing the execution of the CGI programs. This is more or less self explanatory
      <Directory "/usr/lib/git/">
        AllowOverride None
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all
      </Directory>
    • Next is the configuration of the public repositories
      <LocationMatch "^/git/public/.*/git-receive-pack$">
        AuthType Basic
        AuthName "Public Git Repositories on wamblee.org"
        AuthUserFile /etc/apache2/conf.d/git.passwd
        Require valid-user
      </LocationMatch>

      This requires an authenticated user for every push request. See the apache documentation for the various options such as requiring the user to belong to a group. In my setup, I simply use one global git.passwd file and any authenticated user has access to any repository.

    • Finally, there is the setup of the private repositories, which requires a valid user for any URL.
      <LocationMatch "^/git/private/.*$">
        AuthType Basic
        AuthName "Private Git Repositories on wamblee.org"
        AuthUserFile /etc/apache2/conf.d/git.passwd
        Require valid-user
      </LocationMatch>

      In this case I could have also used a “Location” element instead of “LocationMatch”.

    • Finally restart apache using
      /etc/init.d/apache restart

      or (“force-reload”) and try it out.

Hope this helps others setting up their git servers on linux. In my experience this setup is quite fast for both push and pull. I am currently working on one project that you can access by doing

  git clone https://wamblee.org/git/public/xmlrouter

A gitweb interface for browsing the public repositories is here.

Have a lot of fun!

This entry was posted in Devops/Linux. Bookmark the permalink.

9 Responses to Git server setup on linux using smart HTTP

  1. Pingback: How To Setup User Authentication in Apache - LINUX REVIEW – LINUX REVIEW

  2. Pingback: Code Bits » Armando un servidor de git

  3. Pingback: 在Linux上用Apache搭建Git服务器 | 版本控制学习

  4. AT says:

    Thanks a lot for posting this useful tutorial.

    I’ve a question … If we’ve more than one repositories on a server and every repository is to be protected with separate username/password then what is the best approach to achieve this?
    I think for each repository folder we would be maintaining diferent .httaccess file? can you advice where to put that .htaccess files and what changes would be required in apache config.

    Thanks

  5. admin says:

    My first setup would be to use separate LocationMatch directives for every repository. If you would use a lot of repositories then perhaps a second step would be to create a shell script to generate the apache directives and use a more compact definition of your git repositories with perhaps one line per git repository.

    • AT says:

      I didn’t think this way. Thank for the tip. Will give it a try.

      Best Regards,
      AT

      • Jeroen says:

        I’m going to attempt a MOD_AUTH_MYSQL approach. And hopefully setup a directory linked user structure. I’m really on the fence between git and svn because of usermanagememt/protocols beeing such a hassle.

  6. Mario Milani says:

    Hello,
    I have followed your step by step procedure,
    but I’am new on Git, so I need an help to create a new git repos on the server side.

    GIT_PROJECT_ROOT is /srv/git/

    So on the host server I did
    **Create a project folder
    hostname:/srv/git/foo-project.git# mkdir /srv/git/foo-project.git
    **Initialize Git repos
    hostname:/srv/git/foo-project.git # git –bare init
    **Set apache ownership to the repos
    hostname:/srv/git/foo-project.git # chown -R wwwrun:www /srv/git

    From the client I did execute:

    $ git init
    Initialized empty Git repository in c:/Temp/GIT_workspace/.git/

    $ touch readme.txt
    $ git add *
    $ git commit -m “My initial commit message”
    [master (root-commit) 59af4fe] My initial commit message
    1 file changed, 0 insertions(+), 0 deletions(-)
    create mode 100644 readme.txt

    $ git remote add origin http://10.151.9.113/git/public/foo_project.git
    $ git remote -v
    origin http://10.151.9.113/git/public/foo_project.git (fetch)
    origin http://10.151.9.113/git/public/foo_project.git (push)

    $ git push origin master
    fatal: repository ‘http://10.151.9.113/git/public/foo_project.git/’ not found

    What’s wrong?

    Thanks for your help
    Mario

  7. admin says:

    I would first examine your apache logs. Are you sure that /git/public in your url is mapped to /srv/git on the server side? Or is /git mapped to /srv/git. In my setup in the blog post, /git is mapped to /data/git and so /git/public/myrepo.git would point to the /data/git/public/myrepo.git

Leave a Reply to AT Cancel reply

Your email address will not be published. Required fields are marked *