author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2015-11-09 16:54:30 +0000 |
---|---|---|
committer | Richard Ipsum <richard.ipsum@codethink.co.uk> | 2016-01-26 12:11:35 +0000 |
commit | eca82164d36504fb4dad9b6e0d62eef11d2a4aaf (patch) | |
tree | fca1c0baf430c3452c6fc16e9c746b1cbb098bb5 /ansible | |
parent | 4c1a02ebe6e5a65b6a1bf79e3320b42f33222f3b (diff) | |
download | trove-setup-eca82164d36504fb4dad9b6e0d62eef11d2a4aaf.tar.gz |
lighttpd: Only require HTTPS authentication for Gitano URLs
Previously the whole of git.baserock.org was effectively inaccessible
over HTTPS, because it would require a username and password for all
HTTPS requests. This was done to ensure that we don't make Trove
"insecure by default" by allowing access to hidden repos over anonymous
HTTPS.
Firstly, we only need to require auth for the actual Gitano URLs. The
other ones (cgit, lc-status.html, releases) are identical over HTTP and
HTTPS anyway, so there's no point in hiding them on one protocol but not
the other.
Also, I have now verified that Gitano's CGI scripts authenticate based
on the REMOTE_USER variable set by mod_auth, and if this isn't set they
treat the request as anonymous and correctly deny any requests that
the anonymous user doesn't have permissions for. This is noted in a
comment.
The behaviour of Gitano-over-HTTPS in Trove should be completely
unchanged by this commit, however.
Change-Id: Ie5dbc3bd3ab8d37ef3e5c08c9541c571944e1f58
Diffstat (limited to 'ansible')
-rw-r--r-- | ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf index f2d61c9..be51358 100644 --- a/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf +++ b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf @@ -26,8 +26,8 @@ $SERVER["socket"] == ":443" { index-file.names = ("index.html") cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1", - "gitano-smart-http.cgi" => "/usr/bin/lua5.1", - "cgit.cgi" => "" + "gitano-smart-http.cgi" => "/usr/bin/lua5.1", + "cgit.cgi" => "" ) cgi.execute-x-only = "enable" @@ -48,6 +48,15 @@ $HTTP["url"] =~ ".*/gitano-command.cgi$" { "HOME" => "/home/git", "GITANO_ROOT" => "/home/git/repos" ) + + $HTTP["scheme"] == "https" { + # gitano-command.cgi controls access over HTTP[S] according to + # the REMOTE_USER variable set by mod_auth and passed through + # the environment. If the web server doesn't set REMOTE_USER, + # then Gitano will treat the request as anonymous and deny + # access appropriately. + include "git-auth.conf" + } } $HTTP["url"] =~ "^/git/.*$" { @@ -60,6 +69,15 @@ $HTTP["url"] =~ "^/git/.*$" { "HOME" => "/home/git", "GITANO_ROOT" => "/home/git/repos" ) + + $HTTP["scheme"] == "https" { + # gitano-smart-http.cgi controls access over HTTP[S] according to + # the REMOTE_USER variable set by mod_auth and passed through + # the environment. If the web server doesn't set REMOTE_USER, + # then Gitano will treat the request as anonymous and deny + # access appropriately. + include "git-auth.conf" + } } # Avoid needlessly long cgit URLs. This must correspond with the @@ -75,14 +93,3 @@ $HTTP["url"] =~ "^/(baserock|delta)(/.*)?$" { url.redirect = ( "^/(.*)" => "/cgit/$1" ) } -$HTTP["scheme"] == "https" { - include "git-auth.conf" - - $HTTP["querystring"] =~ "service=git-receive-pack" { - include "git-auth.conf" - } - - $HTTP["url"] =~ "^/git/.*/git-receive-pack$" { - include "git-auth.conf" - } -} |
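Review bot: The first hunk (`@@ -26,8 +26,8 @@`) only re-indents the `"gitano-smart-http.cgi"` and `"cgit.cgi"` entries of `cgi.assign`; it is a whitespace-only change with no relation to the auth change the commit describes. Either drop it or mention it in the commit message so that a later reader of `git blame` does not go looking for a functional difference in that block.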
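Review bot: The comment added in the `gitano-command.cgi` hunk (`@@ -48,6 +48,15 @@`) describes the wrong case for the block it sits in: inside `$HTTP["scheme"] == "https"` the `include "git-auth.conf"` is precisely what makes mod_auth set `REMOTE_USER`, so the "web server doesn't set REMOTE_USER, Gitano treats it as anonymous" path only applies to plain HTTP, where no auth is configured at all. Suggest rewording along the lines of `# Over plain HTTP no auth is configured, so REMOTE_USER is never set and Gitano treats every request as anonymous; over HTTPS git-auth.conf makes mod_auth set it.` so the comment documents both protocols. Note also that the enclosing match `.*/gitano-command.cgi$` has an unanchored prefix, so the HTTPS auth requirement applies to any path ending in that script name, which is what you want here but is worth being aware of when adding further url blocks.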
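Review bot: The `^/git/.*$` hunk (`@@ -60,6 +69,15 @@`) repeats the six-line comment and the nested `$HTTP["scheme"] == "https" { include "git-auth.conf" }` from the previous hunk word for word apart from the script name. Inverting the nesting, one top-level `$HTTP["scheme"] == "https"` conditional containing both url matches, would keep a single copy of the comment and a single include, and it would make the full set of HTTPS-authenticated URLs readable in one place, which is the property the commit message says it is after. Since `/git/` is the path on which `gitano-smart-http.cgi` serves fetches and pushes, this block is also what now enforces auth on `git-receive-pack`; a one-line comment stating that would help the next person who has to reason about push access.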
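Review bot: The deleted block at the end (`@@ -75,14 +93,3 @@`) removes not only the blanket HTTPS `include "git-auth.conf"` but also the two explicit push conditionals, `$HTTP["querystring"] =~ "service=git-receive-pack"` and `$HTTP["url"] =~ "^/git/.*/git-receive-pack$"`. Both were redundant with the blanket include that enclosed them, and pushes still fall under the `^/git/.*$` block that now requires auth, so no coverage is lost; but the commit message's claim that Gitano-over-HTTPS is "completely unchanged" rests on exactly that reasoning and should spell it out rather than leave it implicit. The change is easy to confirm after deploy: an anonymous HTTPS request to a `/git/` URL or to `gitano-command.cgi` should be challenged for credentials by lighttpd, while an anonymous HTTPS request to `/cgit/` or `/releases` should succeed, matching the HTTP behaviour described in the message.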