I'd like to offer up read-only access to my GIT repos for everyone (i.e. no username/password required), but require authentication for writing. The git-http-backend
man page suggests this is possible by matching against the location ^/git/.*/git-receive-pack$
. For Apache 2.x it'd look like this:
<LocationMatch "^/git/.*/git-receive-pack$">
AuthType Basic
AuthName "Git Access"
Require group committers
...
</LocationMatch>
Now, I'm using lighttpd, but translating the above shouldn't cause a problem. Except that my access log suggests that the above wouldn't work anyway. This is what I see when I perform a git push
:
192.168.1.84 tracsrv.local - [06/Apr/2013:20:00:20 +0200] "GET /git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 403 5 "-" "git/1.8.2"
So it looks like I need to match on the query string. For lighty I tried this:
$HTTP["querystring"] =~ "service=git-receive-pack" {
$HTTP["url"] =~ "^/git" {
cgi.assign = ( "" => "" )
setenv.add-environment = (
"GIT_PROJECT_ROOT" => "/srv/git",
"GIT_HTTP_EXPORT_ALL" => ""
)
auth.backend = "plain"
auth.backend.plain.userfile = "/srv/tracprjs/trac.plain"
auth.require = (
"/" => (
"method" => "basic",
"realm" => "trac",
"require" => "valid-user"
)
)
}
}
$HTTP["url"] =~ "^/git" {
cgi.assign = ( "" => "" )
setenv.add-environment = (
"GIT_PROJECT_ROOT" => "/srv/git",
"GIT_HTTP_EXPORT_ALL" => ""
)
}
No password is required for git fetch
and it is required for git push
. However, the git push
doesn't actually succeed. Any pointers on how to achieve this?