6 git-http-backend - Server side implementation of Git over HTTP
15 A simple CGI program to serve the contents of a Git repository to Git
16 clients accessing the repository over http:// and https:// protocols.
17 The program supports clients fetching using both the smart HTTP protocol
18 and the backwards-compatible dumb HTTP protocol, as well as clients
19 pushing using the smart HTTP protocol.
21 It verifies that the directory has the magic file
22 "git-daemon-export-ok", and it will refuse to export any Git directory
23 that hasn't explicitly been marked for export this way (unless the
24 GIT_HTTP_EXPORT_ALL environmental variable is set).
26 By default, only the `upload-pack` service is enabled, which serves
27 'git fetch-pack' and 'git ls-remote' clients, which are invoked from
28 'git fetch', 'git pull', and 'git clone'. If the client is authenticated,
29 the `receive-pack` service is enabled, which serves 'git send-pack'
30 clients, which is invoked from 'git push'.
34 These services can be enabled/disabled using the per-repository
38 This serves Git clients older than version 1.6.6 that are unable to use the
39 upload pack service. When enabled, clients are able to read
40 any file within the repository, including objects that are
41 no longer reachable from a branch but are still present.
42 It is enabled by default, but a repository can disable it
43 by setting this configuration item to `false`.
46 This serves 'git fetch-pack' and 'git ls-remote' clients.
47 It is enabled by default, but a repository can disable it
48 by setting this configuration item to `false`.
51 This serves 'git send-pack' clients, allowing push. It is
52 disabled by default for anonymous users, and enabled by
53 default for users authenticated by the web server. It can be
54 disabled by setting this item to `false`, or enabled for all
55 users, including anonymous users, by setting it to `true`.
59 To determine the location of the repository on disk, 'git http-backend'
60 concatenates the environment variables PATH_INFO, which is set
61 automatically by the web server, and GIT_PROJECT_ROOT, which must be set
62 manually in the web server configuration. If GIT_PROJECT_ROOT is not
63 set, 'git http-backend' reads PATH_TRANSLATED, which is also set
64 automatically by the web server.
68 All of the following examples map `http://$hostname/git/foo/bar.git`
69 to `/var/www/git/foo/bar.git`.
72 Ensure mod_cgi, mod_alias, and mod_env are enabled, set
73 GIT_PROJECT_ROOT (or DocumentRoot) appropriately, and
74 create a ScriptAlias to the CGI:
76 ----------------------------------------------------------------
77 SetEnv GIT_PROJECT_ROOT /var/www/git
78 SetEnv GIT_HTTP_EXPORT_ALL
79 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
80 ----------------------------------------------------------------
82 To enable anonymous read access but authenticated write access,
83 require authorization for both the initial ref advertisement (which we
84 detect as a push via the service parameter in the query string), and the
85 receive-pack invocation itself:
87 ----------------------------------------------------------------
88 RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
89 RewriteCond %{REQUEST_URI} /git-receive-pack$
90 RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]
92 <LocationMatch "^/git/">
94 Deny from env=AUTHREQUIRED
98 Require group committers
102 ----------------------------------------------------------------
104 If you do not have `mod_rewrite` available to match against the query
105 string, it is sufficient to just protect `git-receive-pack` itself,
108 ----------------------------------------------------------------
109 <LocationMatch "^/git/.*/git-receive-pack$">
111 AuthName "Git Access"
112 Require group committers
115 ----------------------------------------------------------------
117 In this mode, the server will not request authentication until the
118 client actually starts the object negotiation phase of the push, rather
119 than during the initial contact. For this reason, you must also enable
120 the `http.receivepack` config option in any repositories that should
121 accept a push. The default behavior, if `http.receivepack` is not set,
122 is to reject any pushes by unauthenticated users; the initial request
123 will therefore report `403 Forbidden` to the client, without even giving
124 an opportunity for authentication.
126 To require authentication for both reads and writes, use a Location
127 directive around the repository, or one of its parent directories:
129 ----------------------------------------------------------------
130 <Location /git/private>
132 AuthName "Private Git Access"
133 Require group committers
136 ----------------------------------------------------------------
138 To serve gitweb at the same url, use a ScriptAliasMatch to only
139 those URLs that 'git http-backend' can handle, and forward the
142 ----------------------------------------------------------------
144 "(?x)^/git/(.*/(HEAD | \
146 objects/(info/[^/]+ | \
147 [0-9a-f]{2}/[0-9a-f]{38} | \
148 pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
149 git-(upload|receive)-pack))$" \
150 /usr/libexec/git-core/git-http-backend/$1
152 ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
153 ----------------------------------------------------------------
155 To serve multiple repositories from different linkgit:gitnamespaces[7] in a
158 ----------------------------------------------------------------
159 SetEnvIf Request_URI "^/git/([^/]*)" GIT_NAMESPACE=$1
160 ScriptAliasMatch ^/git/[^/]*(.*) /usr/libexec/git-core/git-http-backend/storage.git$1
161 ----------------------------------------------------------------
163 Accelerated static Apache 2.x::
164 Similar to the above, but Apache can be used to return static
165 files that are stored on disk. On many systems this may
166 be more efficient as Apache can ask the kernel to copy the
167 file contents from the file system directly to the network:
169 ----------------------------------------------------------------
170 SetEnv GIT_PROJECT_ROOT /var/www/git
172 AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/www/git/$1
173 AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/www/git/$1
174 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
175 ----------------------------------------------------------------
177 This can be combined with the gitweb configuration:
179 ----------------------------------------------------------------
180 SetEnv GIT_PROJECT_ROOT /var/www/git
182 AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/www/git/$1
183 AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/www/git/$1
185 "(?x)^/git/(.*/(HEAD | \
187 objects/info/[^/]+ | \
188 git-(upload|receive)-pack))$" \
189 /usr/libexec/git-core/git-http-backend/$1
190 ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
191 ----------------------------------------------------------------
194 Ensure that `mod_cgi`, `mod_alias`, `mod_auth`, `mod_setenv` are
195 loaded, then set `GIT_PROJECT_ROOT` appropriately and redirect
196 all requests to the CGI:
198 ----------------------------------------------------------------
199 alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend" )
200 $HTTP["url"] =~ "^/git" {
201 cgi.assign = ("" => "")
202 setenv.add-environment = (
203 "GIT_PROJECT_ROOT" => "/var/www/git",
204 "GIT_HTTP_EXPORT_ALL" => ""
207 ----------------------------------------------------------------
209 To enable anonymous read access but authenticated write access:
211 ----------------------------------------------------------------
212 $HTTP["querystring"] =~ "service=git-receive-pack" {
213 include "git-auth.conf"
215 $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
216 include "git-auth.conf"
218 ----------------------------------------------------------------
220 where `git-auth.conf` looks something like:
222 ----------------------------------------------------------------
226 "realm" => "Git Access",
227 "require" => "valid-user"
230 # ...and set up auth.backend here
231 ----------------------------------------------------------------
233 To require authentication for both reads and writes:
235 ----------------------------------------------------------------
236 $HTTP["url"] =~ "^/git/private" {
237 include "git-auth.conf"
239 ----------------------------------------------------------------
244 'git http-backend' relies upon the CGI environment variables set
245 by the invoking web server, including:
247 * PATH_INFO (if GIT_PROJECT_ROOT is set, otherwise PATH_TRANSLATED)
254 The GIT_HTTP_EXPORT_ALL environmental variable may be passed to
255 'git-http-backend' to bypass the check for the "git-daemon-export-ok"
256 file in each repository before allowing export of that repository.
258 The backend process sets GIT_COMMITTER_NAME to '$REMOTE_USER' and
259 GIT_COMMITTER_EMAIL to '$\{REMOTE_USER}@http.$\{REMOTE_ADDR\}',
260 ensuring that any reflogs created by 'git-receive-pack' contain some
261 identifying information of the remote user who performed the push.
263 All CGI environment variables are available to each of the hooks
264 invoked by the 'git-receive-pack'.
268 Part of the linkgit:git[1] suite