diff options
Diffstat (limited to 'etc/httpd/conf.d')
| -rw-r--r-- | etc/httpd/conf.d/git-http-apcf.conf | 27 | ||||
| -rw-r--r-- | etc/httpd/conf.d/git-http-cf.conf | 26 | ||||
| -rw-r--r-- | etc/httpd/conf.d/git-http-p.conf | 35 | ||||
| -rw-r--r-- | etc/httpd/conf.d/git-http-pcf.conf | 42 |
4 files changed, 130 insertions, 0 deletions
diff --git a/etc/httpd/conf.d/git-http-apcf.conf b/etc/httpd/conf.d/git-http-apcf.conf new file mode 100644 index 0000000..d781aea --- /dev/null +++ b/etc/httpd/conf.d/git-http-apcf.conf @@ -0,0 +1,27 @@ +# +# +# Git Smart HTTP Support (authenticated read/write) +# git push, clone, fetch — ALL authenticated + +SetEnv GIT_PROJECT_ROOT /srv/git +SetEnv GIT_HTTP_EXPORT_ALL 1 + +# Expose all of the endpoints. +ScriptAliasMatch "^(/.+/(git-upload-pack|git-receive-pack|info/refs))$" \ + /usr/libexec/git-core/git-http-backend$1 + +# Globally authenticate for each endpoint. +<LocationMatch "^/.+/(git-upload-pack|git-receive-pack|info/refs)$"> + AuthType Basic + AuthName "Git Access" + AuthUserFile ${GIT_HTTP_AUTH_FILE} + Require valid-user +</LocationMatch> + +# info/refs strictly scoped +<LocationMatch "^/.+/info/refs$"> + <RequireAny> + Require expr %{QUERY_STRING} == "service=git-upload-pack" + Require expr %{QUERY_STRING} == "service=git-receive-pack" + </RequireAny> +</LocationMatch> diff --git a/etc/httpd/conf.d/git-http-cf.conf b/etc/httpd/conf.d/git-http-cf.conf new file mode 100644 index 0000000..0d4302e --- /dev/null +++ b/etc/httpd/conf.d/git-http-cf.conf @@ -0,0 +1,26 @@ +# +# +# Git Smart HTTP Support (readonly) +# clone/fetch ONLY + +SetEnv GIT_PROJECT_ROOT /srv/git +SetEnv GIT_HTTP_EXPORT_ALL 1 + +# Expose git-upload-pack and info/refs. +ScriptAliasMatch "^(/.+/(git-upload-pack|info/refs))$" \ + /usr/libexec/git-core/git-http-backend$1 + +# No authentication needed for git clone/fetch. +<LocationMatch "^/.+/git-upload-pack$"> + Require all granted +</LocationMatch> + +# Only allow info/refs for git clone/fetch. +<LocationMatch "^/.+/info/refs$"> + Require expr %{QUERY_STRING} == "service=git-upload-pack" +</LocationMatch> + +# Explicitly deny git push just in case. +<LocationMatch "^/.+/git-receive-pack$"> + Require all denied +</LocationMatch> diff --git a/etc/httpd/conf.d/git-http-p.conf b/etc/httpd/conf.d/git-http-p.conf new file mode 100644 index 0000000..b30ad47 --- /dev/null +++ b/etc/httpd/conf.d/git-http-p.conf @@ -0,0 +1,35 @@ +# +# +# Git Smart HTTP Support +# git push ONLY + +SetEnv GIT_PROJECT_ROOT /srv/git +SetEnv GIT_HTTP_EXPORT_ALL 1 + +# Expose git-receive-pack and info/refs. +ScriptAliasMatch "^(/.+/(git-receive-pack|info/refs))$" \ + /usr/libexec/git-core/git-http-backend$1 + +# Authenticate against git push. +<LocationMatch "^/.+/(git-receive-pack)$"> + AuthType Basic + AuthName "Git Push Access" + AuthUserFile ${GIT_HTTP_AUTH_FILE} + Require valid-user +</LocationMatch> + +# Deny info/refs push unless it's for git push. +<LocationMatch "^/.+/info/refs$"> + AuthType Basic + AuthName "Git Push Access" + AuthUserFile ${GIT_HTTP_AUTH_FILE} + <RequireAll> + Require expr %{QUERY_STRING} == "service=git-receive-pack" + Require valid-user + </RequireAll> +</LocationMatch> + +# Explicitly deny git clone/fetch just in case. +<LocationMatch "^/.+/git-upload-pack$"> + Require all denied +</LocationMatch> diff --git a/etc/httpd/conf.d/git-http-pcf.conf b/etc/httpd/conf.d/git-http-pcf.conf new file mode 100644 index 0000000..d343443 --- /dev/null +++ b/etc/httpd/conf.d/git-http-pcf.conf @@ -0,0 +1,42 @@ +# +# +# Git Smart HTTP Support (read/write) +# git push, clone and fetch allowed + +SetEnv GIT_PROJECT_ROOT /srv/git +SetEnv GIT_HTTP_EXPORT_ALL 1 + +# Expose git-upload/receive-pack and info/refs. +ScriptAliasMatch "^(/.+/(git-upload-pack|git-receive-pack|info/refs))$" \ + /usr/libexec/git-core/git-http-backend$1 + +# Authenticate against git push. +<LocationMatch "^/.+/git-receive-pack$"> + AuthType Basic + AuthName "Git Push Access" + AuthUserFile ${GIT_HTTP_AUTH_FILE} + Require valid-user +</LocationMatch> + +# Only allow git-upload-pack or git-receive-pack services and nothing else. +<LocationMatch "^/.+/info/refs$"> + AuthType Basic + AuthName "Git Push Access" + AuthUserFile ${GIT_HTTP_AUTH_FILE} + + <RequireAny> + # git clone/fetch, no auth + Require expr %{QUERY_STRING} == "service=git-upload-pack" + + # git push, authenticated + <RequireAll> + Require expr %{QUERY_STRING} == "service=git-receive-pack" + Require valid-user + </RequireAll> + </RequireAny> +</LocationMatch> + +# Allow git clone/fetch w/o auth. +<LocationMatch "^/.+/git-upload-pack$"> + Require all granted +</LocationMatch>
\ No newline at end of file |