1GIT-HTTP-BACKEND(1) Git Manual GIT-HTTP-BACKEND(1)
2
3
4
6 git-http-backend - Server side implementation of Git over HTTP
7
9 git http-backend
10
11
13 A simple CGI program to serve the contents of a Git repository to Git
14 clients accessing the repository over http:// and https:// protocols.
15 The program supports clients fetching using both the smart HTTP
16 protocol and the backwards-compatible dumb HTTP protocol, as well as
17 clients pushing using the smart HTTP protocol.
18
19 It verifies that the directory has the magic file
20 "git-daemon-export-ok", and it will refuse to export any Git directory
21 that hasn’t explicitly been marked for export this way (unless the
22 GIT_HTTP_EXPORT_ALL environmental variable is set).
23
24 By default, only the upload-pack service is enabled, which serves git
25 fetch-pack and git ls-remote clients, which are invoked from git fetch,
26 git pull, and git clone. If the client is authenticated, the
27 receive-pack service is enabled, which serves git send-pack clients,
28 which is invoked from git push.
29
31 These services can be enabled/disabled using the per-repository
32 configuration file:
33
34 http.getanyfile
35 This serves Git clients older than version 1.6.6 that are unable to
36 use the upload pack service. When enabled, clients are able to read
37 any file within the repository, including objects that are no
38 longer reachable from a branch but are still present. It is enabled
39 by default, but a repository can disable it by setting this
40 configuration item to false.
41
42 http.uploadpack
43 This serves git fetch-pack and git ls-remote clients. It is enabled
44 by default, but a repository can disable it by setting this
45 configuration item to false.
46
47 http.receivepack
48 This serves git send-pack clients, allowing push. It is disabled by
49 default for anonymous users, and enabled by default for users
50 authenticated by the web server. It can be disabled by setting this
51 item to false, or enabled for all users, including anonymous users,
52 by setting it to true.
53
55 To determine the location of the repository on disk, git http-backend
56 concatenates the environment variables PATH_INFO, which is set
57 automatically by the web server, and GIT_PROJECT_ROOT, which must be
58 set manually in the web server configuration. If GIT_PROJECT_ROOT is
59 not set, git http-backend reads PATH_TRANSLATED, which is also set
60 automatically by the web server.
61
63 All of the following examples map http://$hostname/git/foo/bar.git to
64 /var/www/git/foo/bar.git.
65
66 Apache 2.x
67 Ensure mod_cgi, mod_alias, and mod_env are enabled, set
68 GIT_PROJECT_ROOT (or DocumentRoot) appropriately, and create a
69 ScriptAlias to the CGI:
70
71 SetEnv GIT_PROJECT_ROOT /var/www/git
72 SetEnv GIT_HTTP_EXPORT_ALL
73 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
74
75 To enable anonymous read access but authenticated write access,
76 require authorization for both the initial ref advertisement (which
77 we detect as a push via the service parameter in the query string),
78 and the receive-pack invocation itself:
79
80 RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
81 RewriteCond %{REQUEST_URI} /git-receive-pack$
82 RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]
83
84 <LocationMatch "^/git/">
85 Order Deny,Allow
86 Deny from env=AUTHREQUIRED
87
88 AuthType Basic
89 AuthName "Git Access"
90 Require group committers
91 Satisfy Any
92 ...
93 </LocationMatch>
94
95 If you do not have mod_rewrite available to match against the query
96 string, it is sufficient to just protect git-receive-pack itself,
97 like:
98
99 <LocationMatch "^/git/.*/git-receive-pack$">
100 AuthType Basic
101 AuthName "Git Access"
102 Require group committers
103 ...
104 </LocationMatch>
105
106 In this mode, the server will not request authentication until the
107 client actually starts the object negotiation phase of the push,
108 rather than during the initial contact. For this reason, you must
109 also enable the http.receivepack config option in any repositories
110 that should accept a push. The default behavior, if
111 http.receivepack is not set, is to reject any pushes by
112 unauthenticated users; the initial request will therefore report
113 403 Forbidden to the client, without even giving an opportunity for
114 authentication.
115
116 To require authentication for both reads and writes, use a Location
117 directive around the repository, or one of its parent directories:
118
119 <Location /git/private>
120 AuthType Basic
121 AuthName "Private Git Access"
122 Require group committers
123 ...
124 </Location>
125
126 To serve gitweb at the same url, use a ScriptAliasMatch to only
127 those URLs that git http-backend can handle, and forward the rest
128 to gitweb:
129
130 ScriptAliasMatch \
131 "(?x)^/git/(.*/(HEAD | \
132 info/refs | \
133 objects/(info/[^/]+ | \
134 [0-9a-f]{2}/[0-9a-f]{38} | \
135 pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
136 git-(upload|receive)-pack))$" \
137 /usr/libexec/git-core/git-http-backend/$1
138
139 ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
140
141 To serve multiple repositories from different gitnamespaces(7) in a
142 single repository:
143
144 SetEnvIf Request_URI "^/git/([^/]*)" GIT_NAMESPACE=$1
145 ScriptAliasMatch ^/git/[^/]*(.*) /usr/libexec/git-core/git-http-backend/storage.git$1
146
147
148 Accelerated static Apache 2.x
149 Similar to the above, but Apache can be used to return static files
150 that are stored on disk. On many systems this may be more efficient
151 as Apache can ask the kernel to copy the file contents from the
152 file system directly to the network:
153
154 SetEnv GIT_PROJECT_ROOT /var/www/git
155
156 AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/www/git/$1
157 AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/www/git/$1
158 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
159
160 This can be combined with the gitweb configuration:
161
162 SetEnv GIT_PROJECT_ROOT /var/www/git
163
164 AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/www/git/$1
165 AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/www/git/$1
166 ScriptAliasMatch \
167 "(?x)^/git/(.*/(HEAD | \
168 info/refs | \
169 objects/info/[^/]+ | \
170 git-(upload|receive)-pack))$" \
171 /usr/libexec/git-core/git-http-backend/$1
172 ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
173
174
175 Lighttpd
176 Ensure that mod_cgi, mod_alias, mod_auth, mod_setenv are loaded,
177 then set GIT_PROJECT_ROOT appropriately and redirect all requests
178 to the CGI:
179
180 alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend" )
181 $HTTP["url"] =~ "^/git" {
182 cgi.assign = ("" => "")
183 setenv.add-environment = (
184 "GIT_PROJECT_ROOT" => "/var/www/git",
185 "GIT_HTTP_EXPORT_ALL" => ""
186 )
187 }
188
189 To enable anonymous read access but authenticated write access:
190
191 $HTTP["querystring"] =~ "service=git-receive-pack" {
192 include "git-auth.conf"
193 }
194 $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
195 include "git-auth.conf"
196 }
197
198 where git-auth.conf looks something like:
199
200 auth.require = (
201 "/" => (
202 "method" => "basic",
203 "realm" => "Git Access",
204 "require" => "valid-user"
205 )
206 )
207 # ...and set up auth.backend here
208
209 To require authentication for both reads and writes:
210
211 $HTTP["url"] =~ "^/git/private" {
212 include "git-auth.conf"
213 }
214
215
217 git http-backend relies upon the CGI environment variables set by the
218 invoking web server, including:
219
220 · PATH_INFO (if GIT_PROJECT_ROOT is set, otherwise PATH_TRANSLATED)
221
222 · REMOTE_USER
223
224 · REMOTE_ADDR
225
226 · CONTENT_TYPE
227
228 · QUERY_STRING
229
230 · REQUEST_METHOD
231
232 The GIT_HTTP_EXPORT_ALL environmental variable may be passed to
233 git-http-backend to bypass the check for the "git-daemon-export-ok"
234 file in each repository before allowing export of that repository.
235
236 The GIT_HTTP_MAX_REQUEST_BUFFER environment variable (or the
237 http.maxRequestBuffer config variable) may be set to change the largest
238 ref negotiation request that git will handle during a fetch; any fetch
239 requiring a larger buffer will not succeed. This value should not
240 normally need to be changed, but may be helpful if you are fetching
241 from a repository with an extremely large number of refs. The value can
242 be specified with a unit (e.g., 100M for 100 megabytes). The default is
243 10 megabytes.
244
245 The backend process sets GIT_COMMITTER_NAME to $REMOTE_USER and
246 GIT_COMMITTER_EMAIL to ${REMOTE_USER}@http.${REMOTE_ADDR}, ensuring
247 that any reflogs created by git-receive-pack contain some identifying
248 information of the remote user who performed the push.
249
250 All CGI environment variables are available to each of the hooks
251 invoked by the git-receive-pack.
252
254 Part of the git(1) suite
255
256
257
258Git 2.24.1 12/10/2019 GIT-HTTP-BACKEND(1)