Installing Git and Cgit to Debian NGINX server (with smart http and authentication on push)
# Just some notes on enabling smart http with nginx as well as authentication on push for repos
# install git, cgit, fcgiwrap and apache2-utils (for htpasswd authentication)
apt install git cgit apache2-utils fcgiwrap
# create a git user
adduser git
su git
cd
mkdir .ssh && chmod 700 .ssh
touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
# append ssh keys to the authorized keys file
# change back to root user
exit
# As root, create location to store repos and change permissions
mkdir -p /srv/git
ln -s /srv/git /git # optional but I like it so the repos are available on /git if you're ssh cloning
cd /srv
chown -R git:git git/
# Configuring nginx
# /etc/nginx/git-http-backend.conf
fastcgi_pass unix:/run/fcgiwrap.socket;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /srv/git;
fastcgi_param PATH_INFO $1;
fastcgi_param REMOTE_USER $remote_user;
# /etc/nginx/sites-available/git.domain.com
server {
    server_name git.domain.com www.git.domain.com;
    access_log /var/log/nginx/cgit-access.log;
    error_log /var/log/nginx/cgit-error.log debug; # debug is very verbose; lower the level once the setup works
    root /usr/share/cgit;
    try_files $uri @cgit;
    location @cgit {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
        fastcgi_param DOCUMENT_ROOT /usr/lib/git-core;
        fastcgi_pass unix:/run/fcgiwrap.socket;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param QUERY_STRING $args;
        fastcgi_param HTTP_HOST $server_name;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param GIT_PROJECT_ROOT /srv/git;
        if ($arg_service = git-receive-pack) {
            rewrite (/.*) /git_write/$1 last;
        }
        if ($uri ~ ^/.*/git-receive-pack$) {
            rewrite (/.*) /git_write/$1 last;
        }
        if ($arg_service = git-upload-pack) {
            rewrite (/.*) /git_read/$1 last;
        }
        if ($uri ~ ^/.*/git-upload-pack$) {
            rewrite (/.*) /git_read/$1 last;
        }
    }
    listen [::]:80;
    listen 80;
    location ~ /git_read/(.*) {
        include git-http-backend.conf;
    }
    # require auth to upload
    # (Basic auth credentials are sent unencrypted on port 80; put this behind TLS outside a trusted network)
    location ~ /git_write/(.*) {
        auth_basic "Pushing to Git repositories is restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        include git-http-backend.conf;
    }
}
# enable the configuration
ln -s /etc/nginx/sites-available/git.domain.com /etc/nginx/sites-enabled/
# Create an http user (with write access)
htpasswd -c /etc/nginx/htpasswd username # where username is the username you want to use for auth
# configure cgit accordingly at
# /etc/cgitrc
css=/cgit.css
logo=/cgit.png
virtual-root=/
scan-path=/srv/git
# Create your repository
su git
cd /srv/git
mkdir myrepo.git
cd myrepo.git
git init --bare
# As root update permissions to be able to push via http
chown -R git:www-data /srv/git/
chmod -R ug+rwX /srv/git/
# To configure the git:// protocol
# /etc/systemd/system/git-daemon.service
[Unit]
Description=Start Git Daemon
[Service]
ExecStart=/usr/bin/git daemon --reuseaddr --base-path=/srv/git/ /srv/git/
Restart=always
RestartSec=500ms
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=git-daemon
User=git
Group=git
[Install]
WantedBy=multi-user.target
# enable and start the unit
systemctl enable --now git-daemon.service
# You will then want to create a git-daemon-export-ok file inside all of the repos you want git-daemon to check
cd /srv/git/myrepo.git/
touch git-daemon-export-ok
# Finally, allow port 9418 for git:// protocol (as root)
ufw allow 9418
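The audit script below is an added example, not part of the original notes. For each bare repo under a root it reports whether git-daemon will serve it, whether objects/ is group-writable for HTTP pushes, and how many paths are world-writable. Assumptions: the root defaults to /srv/git, repos are directories named *.git, fcgiwrap runs as www-data, and the function names audit_repo and audit_root are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Assumption: repos are directories named *.git directly under the root.

# audit_repo DIR: print one summary line for a single bare repo.
audit_repo() {
    repo=$1
    # git daemon serves a repo only if this marker file exists.
    # (HTTP serves every repo because GIT_HTTP_EXPORT_ALL is set.)
    if [ -e "$repo/git-daemon-export-ok" ]; then daemon=yes; else daemon=no; fi
    # Assumed: HTTP pushes run as www-data through fcgiwrap, so objects/
    # must be group-writable (the chown/chmod step above).
    if [ -n "$(find "$repo/objects" -prune -perm -0020 2>/dev/null)" ]; then
        gw=yes
    else
        gw=no
    fi
    # chmod ug+rwX should never leave anything writable by "other".
    ww=$(find "$repo" ! -type l -perm -0002 2>/dev/null | wc -l | tr -d ' ')
    echo "$(basename "$repo") git-daemon=$daemon group-writable=$gw world-writable=$ww"
}

# audit_root [ROOT]: audit every *.git directory under ROOT.
audit_root() {
    root=${1:-/srv/git}
    for repo in "$root"/*.git; do
        # Skip non-repos and the literal pattern left by an unmatched glob.
        [ -f "$repo/HEAD" ] || continue
        audit_repo "$repo"
    done
}

# Usage: sh audit.sh [ROOT]   (prints nothing if ROOT holds no repos)
audit_root "$@"
```

A repo that shows git-daemon=yes is readable by anyone who can reach port 9418, and any world-writable count above 0 means the permissions are looser than the chmod step intends.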
@RobbiNespu

This is good! Thanks!

@kawaki-san
Author

@RobbiNespu Thank you! I hope it was useful for you

@DejavuMoe

Thanks, it helps me a lot. 😘
