1 files changed, 20 insertions, 13 deletions

diff --git a/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf
index f2d61c9..be51358 100644
--- a/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf
+++ b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf
@@ -26,8 +26,8 @@ $SERVER["socket"] == ":443" {
 index-file.names = ("index.html")
 
 cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1",
-	"gitano-smart-http.cgi" => "/usr/bin/lua5.1",
-	"cgit.cgi" => ""
+        "gitano-smart-http.cgi" => "/usr/bin/lua5.1",
+        "cgit.cgi" => ""
 )
 cgi.execute-x-only = "enable"
 
@@ -48,6 +48,15 @@ $HTTP["url"] =~ ".*/gitano-command.cgi$" {
                 "HOME" => "/home/git",
                 "GITANO_ROOT" => "/home/git/repos"
         )
+
+        $HTTP["scheme"] == "https" {
+                # gitano-command.cgi controls access over HTTP[S] according to
+                # the REMOTE_USER variable set by mod_auth and passed through
+                # the environment. If the web server doesn't set REMOTE_USER,
+                # then Gitano will treat the request as anonymous and deny
+                # access appropriately.
+                include "git-auth.conf"
+        }
 }
 
 $HTTP["url"] =~ "^/git/.*$" {
@@ -60,6 +69,15 @@ $HTTP["url"] =~ "^/git/.*$" {
                 "HOME" => "/home/git",
                 "GITANO_ROOT" => "/home/git/repos"
         )
+
+        $HTTP["scheme"] == "https" {
+                # gitano-smart-http.cgi controls access over HTTP[S] according to
+                # the REMOTE_USER variable set by mod_auth and passed through
+                # the environment. If the web server doesn't set REMOTE_USER,
+                # then Gitano will treat the request as anonymous and deny
+                # access appropriately.
+                include "git-auth.conf"
+        }
 }
 
 # Avoid needlessly long cgit URLs. This must correspond with the
@@ -75,14 +93,3 @@ $HTTP["url"] =~ "^/(baserock|delta)(/.*)?$" {
     url.redirect = ( "^/(.*)" => "/cgit/$1" )
 }
 
-$HTTP["scheme"] == "https" {
-        include "git-auth.conf"
-
-        $HTTP["querystring"] =~ "service=git-receive-pack" {
-                include "git-auth.conf"
-        }
-
-        $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
-                include "git-auth.conf"
-        }
-}