如何使用用户/密码通过NGINX通过HTTP提供GIT？

Question

尽管我已经找到了关于如何配置git/nginx以获取我的回购的所有链接,但我无法使它们工作.

我按照本教程,使用nginx在HTTP WebDAV上使用Git存储库,但用户/密码限制不起作用.任何人都可以克隆存储库.

我来自使用SVN + Apache + DAV_SVN的配置,带有密码文件(使用htpasswd创建)和authz文件.我想使用git + nginx做同样的事情.怎么可能？

谢谢你的帮助!

Answer 1

看看下面的文章,http://www.toofishes.net/blog/git-smart-http-transport-nginx/

它提供了一个示例nginx配置:

http {
    ...
    server {
        listen       80;
        server_name  git.mydomain.com;

        location ~ /git(/.*) {
            # fcgiwrap is set up to listen on this host:port
            fastcgi_pass  localhost:9001;
            include       fastcgi_params;
            fastcgi_param SCRIPT_FILENAME     /usr/lib/git-core/git-http-backend;
            # export all repositories under GIT_PROJECT_ROOT
            fastcgi_param GIT_HTTP_EXPORT_ALL "";
            fastcgi_param GIT_PROJECT_ROOT    /srv/git;
            fastcgi_param PATH_INFO           $1;
        }
    }
}

这样做是将你位于/ git后面的repo传递给url /usr/lib/git-core/git-http-backend.例如,http://git.mydomain.com/git/someapp将指向someapp存储库.此仓库将/srv/git/someapp按照其中的定义进行定位fastcgi_param,GIT_PROJECT_ROOT并且可以更改以适合您的服务器.

这非常有用,您可以HttpAuthBasicModule通过HTTP向nginx 申请密码保护您的repo访问权限.

编辑:如果您缺少git-http-backend,可以git-core在Ubuntu/Debian或基于RPM的平台上安装软件包,看看如何在CENTOS 5.5上安装git？

Answer 2

以下是Git over HTTP的完整配置,包括TLS加密,Basic Auth和GitWeb(一个非常简单的存储库查看器).我假设存储库的根位于/ home/git中.

# Remove this block if you don't want TLS
server {
    listen 80;
    server_name git.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl; # Replace 443 ssl by 80 if you don't want TLS
    server_name  git.example.com;
    root         /usr/share/gitweb; # Remove if you don't want Gitweb

    error_log  /home/git/nginx-error.log;
    access_log /home/git/nginx-access.log;

    # Remove ssl_* lines if you don't want TLS
    ssl_certificate           /etc/letsencrypt/live/git.example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/git.example.com/privkey.pem;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers               'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    # Remove auth_* if you don't want HTTP Basic Auth
    auth_basic "example Git";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # static repo files for cloning over https
    location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ {
        root /home/git/;
    }

    # requests that need to go to git-http-backend
    location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
        root /home/git/;

        fastcgi_pass  unix:/var/run/fcgiwrap.socket;
        fastcgi_param SCRIPT_FILENAME   /usr/lib/git-core/git-http-backend;
        fastcgi_param PATH_INFO         $uri;
        fastcgi_param GIT_PROJECT_ROOT  $document_root;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param REMOTE_USER $remote_user;
        include fastcgi_params;
    }

    # Remove all conf beyond if you don't want Gitweb
    try_files $uri @gitweb;
    location @gitweb {
        fastcgi_pass  unix:/var/run/fcgiwrap.socket;
        fastcgi_param SCRIPT_FILENAME   /usr/share/gitweb/gitweb.cgi;
        fastcgi_param PATH_INFO         $uri;
        fastcgi_param GITWEB_CONFIG     /etc/gitweb.conf;
        include fastcgi_params;
   }
}

你必须安装Git,Gitweb和FastCgiWrap:

sudo apt-get install git gitweb fcgiwrap

对于TLS,我使用Let的加密免费证书.

sudo letsencrypt certonly -d git.example.com --rsa-key-size 4096

要访问Gitweb,只需浏览git.YOURDOMAIN.com即可.您还需要将其配置为设置存储库的根目录:

sudo vim /etc/gitweb.conf

要获得HTTP Basic Auth,您必须使用该/home/git命令将用户添加到example.com:

sudo apt-get install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd username

htpasswd下次运行该命令时删除该开关,因为它只创建该文件(Nginx默认情况下在其配置目录中没有.htpasswd文件).

如果你想要更复杂,更强大,类似GitHub的东西,请检查Gitlab.