1GIT-HTTP-BACKEND(1) Git Manual GIT-HTTP-BACKEND(1)
2
3
4
6 git-http-backend - Server side implementation of Git over HTTP
7
9 git http-backend
10
12 A simple CGI program to serve the contents of a Git repository to Git
13 clients accessing the repository over http:// and https:// protocols.
14 The program supports clients fetching using both the smart HTTP
15 protocol and the backwards-compatible dumb HTTP protocol, as well as
16 clients pushing using the smart HTTP protocol.
17
18 It verifies that the directory has the magic file
19 "git-daemon-export-ok", and it will refuse to export any Git directory
20 that hasn’t explicitly been marked for export this way (unless the
21 GIT_HTTP_EXPORT_ALL environmental variable is set).
22
23 By default, only the upload-pack service is enabled, which serves git
24 fetch-pack and git ls-remote clients, which are invoked from git fetch,
25 git pull, and git clone. If the client is authenticated, the
26 receive-pack service is enabled, which serves git send-pack clients,
27 which is invoked from git push.
28
30 These services can be enabled/disabled using the per-repository
31 configuration file:
32
33 http.getanyfile
34 This serves Git clients older than version 1.6.6 that are unable to
35 use the upload pack service. When enabled, clients are able to read
36 any file within the repository, including objects that are no
37 longer reachable from a branch but are still present. It is enabled
38 by default, but a repository can disable it by setting this
39 configuration item to false.
40
41 http.uploadpack
42 This serves git fetch-pack and git ls-remote clients. It is enabled
43 by default, but a repository can disable it by setting this
44 configuration item to false.
45
46 http.receivepack
47 This serves git send-pack clients, allowing push. It is disabled by
48 default for anonymous users, and enabled by default for users
49 authenticated by the web server. It can be disabled by setting this
50 item to false, or enabled for all users, including anonymous users,
51 by setting it to true.
52
54 To determine the location of the repository on disk, git http-backend
55 concatenates the environment variables PATH_INFO, which is set
56 automatically by the web server, and GIT_PROJECT_ROOT, which must be
57 set manually in the web server configuration. If GIT_PROJECT_ROOT is
58 not set, git http-backend reads PATH_TRANSLATED, which is also set
59 automatically by the web server.
60
62 All of the following examples map http://$hostname/git/foo/bar.git to
63 /var/www/git/foo/bar.git.
64
65 Apache 2.x
66 Ensure mod_cgi, mod_alias, and mod_env are enabled, set
67 GIT_PROJECT_ROOT (or DocumentRoot) appropriately, and create a
68 ScriptAlias to the CGI:
69
70 SetEnv GIT_PROJECT_ROOT /var/www/git
71 SetEnv GIT_HTTP_EXPORT_ALL
72 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
73
74 To enable anonymous read access but authenticated write access,
75 require authorization for both the initial ref advertisement (which
76 we detect as a push via the service parameter in the query string),
77 and the receive-pack invocation itself:
78
79 RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
80 RewriteCond %{REQUEST_URI} /git-receive-pack$
81 RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]
82
83 <LocationMatch "^/git/">
84 Order Deny,Allow
85 Deny from env=AUTHREQUIRED
86
87 AuthType Basic
88 AuthName "Git Access"
89 Require group committers
90 Satisfy Any
91 ...
92 </LocationMatch>
93
94 If you do not have mod_rewrite available to match against the query
95 string, it is sufficient to just protect git-receive-pack itself,
96 like:
97
98 <LocationMatch "^/git/.*/git-receive-pack$">
99 AuthType Basic
100 AuthName "Git Access"
101 Require group committers
102 ...
103 </LocationMatch>
104
105 In this mode, the server will not request authentication until the
106 client actually starts the object negotiation phase of the push,
107 rather than during the initial contact. For this reason, you must
108 also enable the http.receivepack config option in any repositories
109 that should accept a push. The default behavior, if
110 http.receivepack is not set, is to reject any pushes by
111 unauthenticated users; the initial request will therefore report
112 403 Forbidden to the client, without even giving an opportunity for
113 authentication.
114
115 To require authentication for both reads and writes, use a Location
116 directive around the repository, or one of its parent directories:
117
118 <Location /git/private>
119 AuthType Basic
120 AuthName "Private Git Access"
121 Require group committers
122 ...
123 </Location>
124
125 To serve gitweb at the same url, use a ScriptAliasMatch to only
126 those URLs that git http-backend can handle, and forward the rest
127 to gitweb:
128
129 ScriptAliasMatch \
130 "(?x)^/git/(.*/(HEAD | \
131 info/refs | \
132 objects/(info/[^/]+ | \
133 [0-9a-f]{2}/[0-9a-f]{38} | \
134 pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
135 git-(upload|receive)-pack))$" \
136 /usr/libexec/git-core/git-http-backend/$1
137
138 ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
139
140 To serve multiple repositories from different gitnamespaces(7) in a
141 single repository:
142
143 SetEnvIf Request_URI "^/git/([^/]*)" GIT_NAMESPACE=$1
144 ScriptAliasMatch ^/git/[^/]*(.*) /usr/libexec/git-core/git-http-backend/storage.git$1
145
146 Accelerated static Apache 2.x
147 Similar to the above, but Apache can be used to return static files
148 that are stored on disk. On many systems this may be more efficient
149 as Apache can ask the kernel to copy the file contents from the
150 file system directly to the network:
151
152 SetEnv GIT_PROJECT_ROOT /var/www/git
153
154 AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/www/git/$1
155 AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/www/git/$1
156 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
157
158 This can be combined with the gitweb configuration:
159
160 SetEnv GIT_PROJECT_ROOT /var/www/git
161
162 AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/www/git/$1
163 AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/www/git/$1
164 ScriptAliasMatch \
165 "(?x)^/git/(.*/(HEAD | \
166 info/refs | \
167 objects/info/[^/]+ | \
168 git-(upload|receive)-pack))$" \
169 /usr/libexec/git-core/git-http-backend/$1
170 ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
171
172 Lighttpd
173 Ensure that mod_cgi, mod_alias, mod_auth, mod_setenv are loaded,
174 then set GIT_PROJECT_ROOT appropriately and redirect all requests
175 to the CGI:
176
177 alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend" )
178 $HTTP["url"] =~ "^/git" {
179 cgi.assign = ("" => "")
180 setenv.add-environment = (
181 "GIT_PROJECT_ROOT" => "/var/www/git",
182 "GIT_HTTP_EXPORT_ALL" => ""
183 )
184 }
185
186 To enable anonymous read access but authenticated write access:
187
188 $HTTP["querystring"] =~ "service=git-receive-pack" {
189 include "git-auth.conf"
190 }
191 $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
192 include "git-auth.conf"
193 }
194
195 where git-auth.conf looks something like:
196
197 auth.require = (
198 "/" => (
199 "method" => "basic",
200 "realm" => "Git Access",
201 "require" => "valid-user"
202 )
203 )
204 # ...and set up auth.backend here
205
206 To require authentication for both reads and writes:
207
208 $HTTP["url"] =~ "^/git/private" {
209 include "git-auth.conf"
210 }
211
213 git http-backend relies upon the CGI environment variables set by the
214 invoking web server, including:
215
216 • PATH_INFO (if GIT_PROJECT_ROOT is set, otherwise PATH_TRANSLATED)
217
218 • REMOTE_USER
219
220 • REMOTE_ADDR
221
222 • CONTENT_TYPE
223
224 • QUERY_STRING
225
226 • REQUEST_METHOD
227
228 The GIT_HTTP_EXPORT_ALL environmental variable may be passed to
229 git-http-backend to bypass the check for the "git-daemon-export-ok"
230 file in each repository before allowing export of that repository.
231
232 The GIT_HTTP_MAX_REQUEST_BUFFER environment variable (or the
233 http.maxRequestBuffer config variable) may be set to change the largest
234 ref negotiation request that git will handle during a fetch; any fetch
235 requiring a larger buffer will not succeed. This value should not
236 normally need to be changed, but may be helpful if you are fetching
237 from a repository with an extremely large number of refs. The value can
238 be specified with a unit (e.g., 100M for 100 megabytes). The default is
239 10 megabytes.
240
241 The backend process sets GIT_COMMITTER_NAME to $REMOTE_USER and
242 GIT_COMMITTER_EMAIL to ${REMOTE_USER}@http.${REMOTE_ADDR}, ensuring
243 that any reflogs created by git-receive-pack contain some identifying
244 information of the remote user who performed the push.
245
246 All CGI environment variables are available to each of the hooks
247 invoked by the git-receive-pack.
248
250 Part of the git(1) suite
251
252
253
254Git 2.31.1 2021-03-26 GIT-HTTP-BACKEND(1)