diff options
Diffstat (limited to 'Documentation/git-http-backend.txt')
-rw-r--r-- | Documentation/git-http-backend.txt | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt index cad18ceb9d..e3bcdb50e3 100644 --- a/Documentation/git-http-backend.txt +++ b/Documentation/git-http-backend.txt @@ -80,7 +80,30 @@ ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/ ---------------------------------------------------------------- + To enable anonymous read access but authenticated write access, -require authorization with a LocationMatch directive: +require authorization for both the initial ref advertisement (which we +detect as a push via the service parameter in the query string), and the +receive-pack invocation itself: ++ +---------------------------------------------------------------- +RewriteCond %{QUERY_STRING} service=git-receive-pack [OR] +RewriteCond %{REQUEST_URI} /git-receive-pack$ +RewriteRule ^/git/ - [E=AUTHREQUIRED:yes] + +<LocationMatch "^/git/"> + Order Deny,Allow + Deny from env=AUTHREQUIRED + + AuthType Basic + AuthName "Git Access" + Require group committers + Satisfy Any + ... +</LocationMatch> +---------------------------------------------------------------- ++ +If you do not have `mod_rewrite` available to match against the query +string, it is sufficient to just protect `git-receive-pack` itself, +like: + ---------------------------------------------------------------- <LocationMatch "^/git/.*/git-receive-pack$"> @@ -207,13 +230,6 @@ auth.require = ( # ...and set up auth.backend here ---------------------------------------------------------------- + -Note that unlike the similar setup with Apache, we can easily match the -query string for receive-pack, catching the initial request from the -client. This means that the server administrator does not have to worry -about configuring `http.receivepack` for the repositories (the default -value, which enables it only in the case of authentication, is -sufficient). -+ To require authentication for both reads and writes: + ---------------------------------------------------------------- |