Apache-2.2

git-http-backend and LDAP authentication, push error: The requested URL returned error: 401 Authorization Required

  • December 12, 2014

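My setup

  • Operating system: debian
  • git: v 1.7.10
  • apache (with suexec mode enabled) configured with git-http-backend and LDAP authorization for the git repos; it works for clone operations but not for push, and that is the problem. I use HTTPS as the communication protocol for my git server.

Here is my configuration:

Virtual host configuration: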

<IfModule mod_ssl.c>
<VirtualHost _default_:443>

   DocumentRoot /git/myrepos

   <Directory "/git/myrepos">
   Allow from All
   Options +ExecCGI
   AllowOverride All
   </Directory>

ScriptAlias /git /git/myrepos/bin/suexec-wrapper.sh
SSLEngine on
SSLCertificateFile    /etc/ssl/git.crt
SSLCertificateKeyFile /etc/ssl/git.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory /usr/lib/cgi-bin>
       SSLOptions +StdEnvVars
   </Directory>

/git/myrepos/bin/suexec-wrapper.sh:

#!/bin/bash
PATH_INFO=$SCRIPT_URL
GIT_PROJECT_ROOT=/git/myrepos
REMOTE_USER=$REDIRECT_REMOTE_USER
export GIT_HTTP_EXPORT_ALL=true
/usr/lib/git-core/git-http-backend

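Cloning repos works fine (e.g. git clone https://192.168.0.1/repo1.git). It accepts the ldap user's credentials and clones the repo.

And when pushing to the repo (e.g. git push origin master), it asks for credentials, accepts them and then throws an error: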

error: Cannot access URL https://192.168.0.1/repo1.git/, return code 22
fatal: git-http-push failed

When running the push in verbose mode (GIT_CURL_VERBOSE=1 git push origin master), it asks for credentials, accepts them and then (tail of the output):

* STATE: DO => DO_DONE handle 0x1cdd270; (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x1cdd270; (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x1cdd270; (connection #0)
* additional stuff not fine transfer.c:1037: 0 0
* The requested URL returned error: 401
* Closing connection #0
* Expire cleared
error: Cannot access URL https://192.168.0.1/repo1.git/, return code 22
fatal: git-http-push failed
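  • Have I configured apache git-http-backend correctly (using the wrapper script)?
  • What could cause the problem with the push operation?
  • How can I debug it in more detail?

Any suggestions are much appreciated!

After many attempts, I found the solution. The problem was an incorrect VirtualHost configuration for git-http-backend.

Here is my working configuration: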

<IfModule mod_ssl.c>
<VirtualHost _default_:443>

       DocumentRoot /git/myrepos

       SetEnv GIT_PROJECT_ROOT /git/myrepos
       SetEnv GIT_HTTP_EXPORT_ALL
       ScriptAlias /myrepos/ /usr/lib/git-core/git-http-backend
       AliasMatch ^/myrepos/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /git/myrepos/$1
       AliasMatch ^/repos/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /git/myrepos/$1

       ScriptAliasMatch "(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38} | pack/pack-[0-9a-f]{40}\.(pack|idx)) | git-(upload|receive)-pack))$" /usr/lib/git-core/git-http-backend/$1

       <Directory "/usr/lib/git-core/">
       Options +ExecCGI
       Allow From All
       </Directory>

       ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
       <Directory "/usr/lib/cgi-bin">
               AllowOverride None
               Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
               Order allow,deny
               Allow from all
       </Directory>

       ErrorLog ${APACHE_LOG_DIR}/error.log
       LogLevel warn
       CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

       SSLEngine on
       SSLCertificateFile    /etc/ssl/git.crt
       SSLCertificateKeyFile /etc/ssl/git.key

       <FilesMatch "\.(cgi|shtml|phtml|php)$">
               SSLOptions +StdEnvVars
       </FilesMatch>
       <Directory /usr/lib/cgi-bin>
               SSLOptions +StdEnvVars
       </Directory>

       BrowserMatch "MSIE [2-6]" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0
       BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


<Location /repo1.git>
Order deny,allow
Deny from all
Allow from all
AuthName "GIT Authentication"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPBindDN domain\user
AuthLDAPBindPassword passwd
AuthLDAPURL ldap://ldap.server:389/ou=git,DC=domain?sAMAccountName
Require ldap-group cn=git_repo1,ou=git,dc=domain
</Location>

</VirtualHost>
</IfModule>

Now all git operations work fine with git-http-backend over https with ldap authorization :)

Maybe it will be useful to someone.

Source: https://serverfault.com/questions/651858
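An added example, not part of the original post: a small Python model of how the working configuration's ScriptAliasMatch and <Location /repo1.git> block treat the requests of a clone and a push, for checking that every path handed to git-http-backend is also covered by an LDAP-protected Location. The request list and the repo2.git name are constructed, and the model covers only these two directives (not the AliasMatch or ScriptAlias lines).

```python
import re
from urllib.parse import urlsplit

# ScriptAliasMatch pattern copied verbatim from the working configuration.
SCRIPT_ALIAS_MATCH = re.compile(
    r"(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38}"
    r" | pack/pack-[0-9a-f]{40}\.(pack|idx)) | git-(upload|receive)-pack))$"
)

# Prefixes of the <Location> blocks that carry the LDAP "Require" directive.
AUTH_LOCATIONS = ["/repo1.git"]


def in_location(path, prefix):
    """Apache <Location /x> covers /x itself and anything below /x/."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def route(url):
    """Return (handler, auth_required) for a request URL under this model."""
    path = urlsplit(url).path  # the query string is not part of the match
    handler = "git-http-backend" if SCRIPT_ALIAS_MATCH.match(path) else "other"
    auth = any(in_location(path, p) for p in AUTH_LOCATIONS)
    return handler, auth


def audit(urls):
    """List URLs that reach git-http-backend outside any auth Location."""
    return [u for u in urls if route(u) == ("git-http-backend", False)]


# Constructed sample: smart-HTTP clone and push requests for repo1.git, the
# URL from the error message, and a hypothetical second repository.
SAMPLE_REQUESTS = [
    "/repo1.git/info/refs?service=git-upload-pack",
    "/repo1.git/git-upload-pack",
    "/repo1.git/info/refs?service=git-receive-pack",
    "/repo1.git/git-receive-pack",
    "/repo1.git/",
    "/repo2.git/git-upload-pack",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(url, route(url))
    print("CGI routes without auth:", audit(SAMPLE_REQUESTS))
```

Any URL that audit() returns is served by the CGI without an LDAP challenge under this model, so each repository below GIT_PROJECT_ROOT needs its own Location block or a broader one.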