From 00dffa8cf5cac8322cb47f2222e424d3960e7939 Mon Sep 17 00:00:00 2001
From: RATDAD
Date: Sat, 13 Dec 2025 21:00:08 -0500
Subject: Added Git Smart HTTP Support
---
etc/httpd/conf.d/git-http-apcf.conf | 27 +++++++++++++
etc/httpd/conf.d/git-http-cf.conf | 26 +++++++++++++
etc/httpd/conf.d/git-http-p.conf | 35 +++++++++++++++++
etc/httpd/conf.d/git-http-pcf.conf | 42 ++++++++++++++++++++
etc/httpd/conf/httpd.conf | 76 +++++++++++++++++++++++++++----------
5 files changed, 185 insertions(+), 21 deletions(-)
create mode 100644 etc/httpd/conf.d/git-http-apcf.conf
create mode 100644 etc/httpd/conf.d/git-http-cf.conf
create mode 100644 etc/httpd/conf.d/git-http-p.conf
create mode 100644 etc/httpd/conf.d/git-http-pcf.conf
(limited to 'etc/httpd')
diff --git a/etc/httpd/conf.d/git-http-apcf.conf b/etc/httpd/conf.d/git-http-apcf.conf
new file mode 100644
index 0000000..d781aea
--- /dev/null
+++ b/etc/httpd/conf.d/git-http-apcf.conf
@@ -0,0 +1,27 @@
+#
+#
+# Git Smart HTTP Support (authenticated read/write)
+# git push, clone, fetch — ALL authenticated
+
+SetEnv GIT_PROJECT_ROOT /srv/git
+SetEnv GIT_HTTP_EXPORT_ALL 1
+
+# Expose all of the endpoints.
+ScriptAliasMatch "^(/.+/(git-upload-pack|git-receive-pack|info/refs))$" \
+ /usr/libexec/git-core/git-http-backend$1
+
+# Globally authenticate for each endpoint.
+
+ AuthType Basic
+ AuthName "Git Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+ Require valid-user
+
+
+# info/refs strictly scoped
+
+
+ Require expr %{QUERY_STRING} == "service=git-upload-pack"
+ Require expr %{QUERY_STRING} == "service=git-receive-pack"
+
+
diff --git a/etc/httpd/conf.d/git-http-cf.conf b/etc/httpd/conf.d/git-http-cf.conf
new file mode 100644
index 0000000..0d4302e
--- /dev/null
+++ b/etc/httpd/conf.d/git-http-cf.conf
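Review bot: In git-http-apcf.conf the block under `# info/refs strictly scoped` holds only the two `Require expr` lines and no `Require valid-user`, unlike the info/refs blocks in git-http-p.conf and git-http-pcf.conf. The section containers are not visible on this page, but if that block is its own Location/LocationMatch section, Apache's default `AuthMerging Off` lets its authorization replace the `Require valid-user` of the preceding block, so the ref advertisement at `info/refs` could be served without credentials in the profile documented as "ALL authenticated". Adding `AuthMerging And` as the first line of that section (or repeating the Auth* lines and `Require valid-user` there, as the other two profiles do) would keep the login requirement. An unauthenticated request to `info/refs?service=git-upload-pack` should then be answered with 401.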
@@ -0,0 +1,26 @@
+#
+#
+# Git Smart HTTP Support (readonly)
+# clone/fetch ONLY
+
+SetEnv GIT_PROJECT_ROOT /srv/git
+SetEnv GIT_HTTP_EXPORT_ALL 1
+
+# Expose git-upload-pack and info/refs.
+ScriptAliasMatch "^(/.+/(git-upload-pack|info/refs))$" \
+ /usr/libexec/git-core/git-http-backend$1
+
+# No authentication needed for git clone/fetch.
+
+ Require all granted
+
+
+# Only allow info/refs for git clone/fetch.
+
+ Require expr %{QUERY_STRING} == "service=git-upload-pack"
+
+
+# Explicitly deny git push just in case.
+
+ Require all denied
+
diff --git a/etc/httpd/conf.d/git-http-p.conf b/etc/httpd/conf.d/git-http-p.conf
new file mode 100644
index 0000000..b30ad47
--- /dev/null
+++ b/etc/httpd/conf.d/git-http-p.conf
@@ -0,0 +1,35 @@
+#
+#
+# Git Smart HTTP Support
+# git push ONLY
+
+SetEnv GIT_PROJECT_ROOT /srv/git
+SetEnv GIT_HTTP_EXPORT_ALL 1
+
+# Expose git-receive-pack and info/refs.
+ScriptAliasMatch "^(/.+/(git-receive-pack|info/refs))$" \
+ /usr/libexec/git-core/git-http-backend$1
+
+# Authenticate against git push.
+
+ AuthType Basic
+ AuthName "Git Push Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+ Require valid-user
+
+
+# Deny info/refs push unless it's for git push.
+
+ AuthType Basic
+ AuthName "Git Push Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+
+ Require expr %{QUERY_STRING} == "service=git-receive-pack"
+ Require valid-user
+
+
+
+# Explicitly deny git clone/fetch just in case.
+
+ Require all denied
+
diff --git a/etc/httpd/conf.d/git-http-pcf.conf b/etc/httpd/conf.d/git-http-pcf.conf
new file mode 100644
index 0000000..d343443
--- /dev/null
+++ b/etc/httpd/conf.d/git-http-pcf.conf
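Review bot: `SetEnv GIT_HTTP_EXPORT_ALL 1` in git-http-cf.conf, together with the `Require all granted` block for clone/fetch, makes every repository under `/srv/git` readable without credentials, because git-http-backend then skips its per-repository `git-daemon-export-ok` check. If that is the intent, state it next to the directive, for example `# Every repository under /srv/git is public; keep private repositories outside GIT_PROJECT_ROOT.` Otherwise drop the `SetEnv GIT_HTTP_EXPORT_ALL 1` line and mark the public repositories with a `git-daemon-export-ok` file. git-http-pcf.conf has the same combination for its unauthenticated clone/fetch path.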
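Review bot: The `AuthType Basic` blocks in git-http-p.conf send the password base64-encoded on every request, while the httpd.conf in this same commit has `Listen 80` and no TLS module among the visible `LoadModule` lines. Unless TLS is terminated in front of this server (not visible here), push credentials cross the network in clear text. A comment at the top of the file such as `# Requires TLS in front of httpd: Basic credentials are not encrypted.` would record the assumption. git-http-apcf.conf and git-http-pcf.conf use the same scheme and need the same note.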
@@ -0,0 +1,42 @@
+#
+#
+# Git Smart HTTP Support (read/write)
+# git push, clone and fetch allowed
+
+SetEnv GIT_PROJECT_ROOT /srv/git
+SetEnv GIT_HTTP_EXPORT_ALL 1
+
+# Expose git-upload/receive-pack and info/refs.
+ScriptAliasMatch "^(/.+/(git-upload-pack|git-receive-pack|info/refs))$" \
+ /usr/libexec/git-core/git-http-backend$1
+
+# Authenticate against git push.
+
+ AuthType Basic
+ AuthName "Git Push Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+ Require valid-user
+
+
+# Only allow git-upload-pack or git-receive-pack services and nothing else.
+
+ AuthType Basic
+ AuthName "Git Push Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+
+
+ # git clone/fetch, no auth
+ Require expr %{QUERY_STRING} == "service=git-upload-pack"
+
+ # git push, authenticated
+
+ Require expr %{QUERY_STRING} == "service=git-receive-pack"
+ Require valid-user
+
+
+
+
+# Allow git clone/fetch w/o auth.
+
+ Require all granted
+
\ No newline at end of file
diff --git a/etc/httpd/conf/httpd.conf b/etc/httpd/conf/httpd.conf
index 3b6da71..675241d 100644
--- a/etc/httpd/conf/httpd.conf
+++ b/etc/httpd/conf/httpd.conf
@@ -16,7 +16,14 @@ LoadModule dir_module modules/mod_dir.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule alias_module modules/mod_alias.so LoadModule mpm_prefork_module modules/mod_mpm_prefork.so - +LoadModule env_module modules/mod_env.so +LoadModule headers_module modules/mod_headers.so +LoadModule expires_module modules/mod_expires.so +# And Basic Auth Modules +LoadModule auth_basic_module modules/mod_auth_basic.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authn_file_module modules/mod_authn_file.so +LoadModule authz_user_module modules/mod_authz_user.so # Load CGI Module LoadModule cgid_module modules/mod_cgid.so
@@ -25,41 +32,68 @@ LoadModule mpm_prefork_module modules/mod_mpm_prefork.so LoadModule cgi_module modules/mod_cgi.so -# And Basic Auth Modules -LoadModule auth_basic_module modules/mod_auth_basic.so -LoadModule authn_core_module modules/mod_authn_core.so -LoadModule authn_file_module modules/mod_authn_file.so -LoadModule authz_user_module modules/mod_authz_user.so - # # Server config -Listen 0.0.0.0:80 +Listen 80 ServerName localhost -ServerAdmin root@localhost EnableSendFile on AddDefaultCharset UTF-8 TypesConfig /etc/mime.types MIMEMagicFile conf/magic AddHandler cgi-script .cgi +# +# Log Config +LogLevel warn +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %b" common +ErrorLog "logs/error_log" +ScriptLog logs/git-http-debug.log +CustomLog "logs/access_log" combined + +# +# Git Smart HTTP Support (if enabled) +PassEnv GIT_HTTP_AUTH_FILE +IncludeOptional conf.d/git-http.conf + +# # Always wear protection. - Require all denied + Require all granted -# NOTE: Alias matcher MUST end in /, not /cgit.cgi. It WILL break otherwise. -# ALSO: "cgitrc must have a virtual-root=/". -# Remove /cgit.cgi/ from url paths. -ScriptAlias "/" "/srv/www/htdocs/cgit/cgit.cgi/" - - DirectoryIndex cgit.cgi - AllowOverride None - Options +ExecCGI +FollowSymLinks - SetHandler cgi-script +# +# ALSO: cgitrc must have this: virtual-root=/ +DocumentRoot "/srv/www/htdocs/cgit" + Require all granted + # -Indexes here is not strictly necessary; + # Added for good hygiene + Options +ExecCGI -Indexes + DirectoryIndex cgit.cgi + AllowOverride All + + RewriteEngine On + + # Hard stop: never rewrite Git HTTP requests. + RewriteRule ^.+/(git-upload-pack|git-receive-pack|info/refs)$ - [END] + + # Serve static files directly. + RewriteCond %{REQUEST_FILENAME} -f + RewriteRule ^ - [END] + + # Let cgit handle everything else (and stay off my url). 
+ RewriteRule ^(.*)$ cgit.cgi/$1 [END] + + # Cache static assets + ExpiresActive On + + ExpiresDefault "access plus 30 days" + Header set Cache-Control "public, max-age=2592000, immutable" + -# Deny access to .htaccess/.htpasswd +# Deny access to .htaccess/.htpasswd. Require all denied - \ No newline at end of file + -- cgit v1.2.3-70-g09d2
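Review bot: The block under `# Always wear protection.` in httpd.conf changes from `Require all denied` to `Require all granted`. Its container line is not visible on this page, but if it is the filesystem-root default section, every path httpd can map becomes readable unless a narrower section denies it. The block after `DocumentRoot` already carries its own `Require all granted`, so I would keep `Require all denied` in the default. In the same hunk, `AllowOverride All` (previously `None`) lets any `.htaccess` under the document root change configuration for a directory that has `+ExecCGI`. `ScriptLog logs/git-http-debug.log` is a debugging aid that records request headers and bodies of failing CGI requests, which here can include `Authorization` headers, so it should be disabled outside debugging.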