1. Home
  2. Forums Index
  3. Server Side / Apache Web Server 1:08 pm May 1, 2026

Forum Moderators: phranque

Message Too Old, No Replies

Apache 2.4 and git-http-backend

serving git on apache 2.4

         

oswaldm

9:56 am on Oct 27, 2014 (gmt 0)

10+ Year Member



Hi there,

I am setting up a GIT repository on an Ubuntu LTS 14.04 machine with Apache 2.4.7 and can't get it to work with https. I must be missing something obvious, so any tips and ideas are welcome.

Apache config for the repository: 


SetEnv GIT_PROJECT_ROOT /var/www/html/git
SetEnv GIT_HTTP_EXPORT_ALL 1
SetEnv REMOTE_USER $REDIRECT_REMOTE_USER

<Directory "/usr/lib/git-core/">
 Options +ExecCGI +SymLinksIfOwnerMatch
 # Order allow,deny
 Require all granted
</Directory>


ScriptAliasMatch \
 "(?x)^/git/(.*/(HEAD | \    
 info/refs | \    
 objects/(info/[^/]+ | \    
  [0-9a-f]{2}/[0-9a-f]{38} | \   
  pack/pack-[0-9a-f]{40}\.(pack|idx)) | \   
 git-(upload|receive)-pack))$" \
 /usr/lib/git-core/git-http-backend/$1


<Location /git/Repository.git>
 AuthType Basic
 AuthName "Git Repository"
 AuthUserFile /etc/apache2/git_rep_passwd
 Require valid-user
 SSLRequireSSL
</Location>




If I do this and try to access /git/Repository.git/info/refs with a browser, after authentication I get a 404 Not Found with the following log: 


[Mon Oct 27 10:58:08.894128 2014] [core:info] [pid 32425] [client 194.138.12.166:15488] AH00130: File does not exist: /usr/lib/git-core/git-http-backend/DLR_SMCS.git/info/refs, referer: https://example.com/git/Repository.git/info/


So it seems it doesn't interpret git-http-backend as a CGI.

When I uncomment the "Order allow,deny" line in the Directory block above, the git-http-backend is obviously detected as CGI, but I get a Forbidden error: 

[Mon Oct 27 11:00:57.555363 2014] [authz_core:debug] [pid 32812] mod_authz_core.c(802): [client xxx:51894] AH01626: authorization result of <RequireAny>: granted, referer: https://example.com/git/Repository.git/
[Mon Oct 27 11:00:57.555583 2014] [deflate:debug] [pid 32812] mod_deflate.c(849): [client xxx:51894] AH01384: Zlib: Compressed 1172 to 475 : URL /git/Repository.git/info/, referer: https://example.com/git/Repository.git/
[Mon Oct 27 11:00:58.855353 2014] [access_compat:error] [pid 32812] [client xxx:51894] AH01797: client denied by server configuration: /usr/lib/git-core/git-http-backend, referer: https://example.com/git/Repository.git/info/



Now I'm confused. The Order allow,deny was said to be not needed for 2.4 in some upgrade guide, but without it, Apache does not recognize the CGI. When I add it, it does recognize the CGI, but access is forbidden.

/usr/lib/git-core/git-http-backend is owned by the www-data user from Apache.


What am I doing wrong?


lg,
Michael

lucy24

3:51 pm on Oct 27, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The Order allow,deny was said to be not needed for 2.4 in some upgrade guide

Someone forgot to tell Apache, since it's still in the 2.4 docs [httpd.apache.org]. But note that Order... is under a different mod than in 2.2; in fact it's under mod_access_compat, the one that created the error you quote, no longer mod_authz-thingy (although the mod itself is still there).

Do you have an "Order" directive lurking about under some higher directory? "Allow,Deny" is the default -- meaning, in your case, that if there's no match, all requests are denied -- but the observed behavior makes it look as if there's a "Deny,Allow" somewhere further up the chain.

When I add it, it does recognize the CGI, but access is forbidden.

I'm not sure the conclusion follows from the premises. The server doesn't even look for a file until it has run through all mods and verified that the request is permitted. A 403 is served whether or not the file actually exists.

:: double-checking original question ::

Yup, that's a <Location> not a <Directory>. So the enclosed rules -- including "Allow,Deny" -- apply to an URL, whether or not there's a physical file involved.

oswaldm

4:21 pm on Oct 27, 2014 (gmt 0)

10+ Year Member




Do you have an "Order" directive lurking about under some higher directory? "Allow,Deny" is the default -- meaning, in your case, that if there's no match, all requests are denied -- but the observed behavior makes it look as if there's a "Deny,Allow" somewhere further up the chain.


No, just checked again. No other Order in the whole virtual host config.



Yup, that's a <Location> not a <Directory>. So the enclosed rules -- including "Allow,Deny" -- apply to an URL, whether or not there's a physical file involved.


Ok, thanks for the clarification. Still it's puzzling me. I can access all content of the repository from a web browser (after authentication), but all files, which should be handled by git-http-backend (e.g. info/refs) result in a 404 (with the error log as shown above).

I have also tried to add the ExecCGI option to the /git Location: 


<Location /git/>
 Options +ExecCGI +SymLinksIfOwnerMatch
 Require all granted
</Location>


No change. I am somewhat lost here.

lg,
Michael

lucy24

9:22 pm on Oct 27, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sit tight. We have to wait for someone who speaks Apache (looking at you, phranque). I only do Regular Expressions. Luckily this covers at least 90% of the questions posted here, but you are the other 10%.

phranque

3:09 am on Oct 28, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



welcome to WebmasterWorld, oswaldm!


is there a .htccess file in any of the directories in the file path?

oswaldm

8:36 am on Oct 28, 2014 (gmt 0)

10+ Year Member



Hello phranque,

Not in the /git location. Parallel to /git is a /pydio and there is a .htaccess but not in the area of the git repositories.

lg,
Michael

phranque

11:37 am on Oct 28, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



you have to look in the requested directory and all of its parent directories.

oswaldm

11:44 am on Oct 28, 2014 (gmt 0)

10+ Year Member



Sorry. No there is no one. Checked up to /var/www and there is no .htaccess.

phranque

11:31 am on Oct 29, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



if you have access to the server configuration file, you might consider logging some of the relevant modules to better understand what's happening by using the LogLevel Directive:
http://httpd.apache.org/docs/2.4/mod/core.html#loglevel

oswaldm

4:49 pm on Oct 29, 2014 (gmt 0)

10+ Year Member



Ok, did raise the log level to debug for all modules. I get: 


[Wed Oct 29 17:56:50.992016 2014] [authz_core:debug] [pid 41505] mod_authz_core.c(802): [client xxx:14492] AH01626: authorization result of Require valid-user : granted, referer: https://example.com/git/Repository.git/info/
[Wed Oct 29 17:56:50.992025 2014] [authz_core:debug] [pid 41505] mod_authz_core.c(802): [client xxx:14492] AH01626: authorization result of <RequireAny>: granted, referer: https://example.com/git/Repository.git/info/
[Wed Oct 29 17:56:50.992058 2014] [core:info] [pid 41505] [client xxx:14492] AH00130: File does not exist: /usr/lib/git-core/git-http-backend/Repository.git/info/refs, referer: https://example.com/git/Repository.git/info/


I mean, if it says File does not exist with an URL I think Apache somehow does not recognize that git-http-backend is a CGI. But this is what ScriptAliasMatch should do, right? The directive is directly from the GIT documentation and is also identical to a lot of examples I found on the net.


lg,
Michael

gbitter

4:11 am on Jan 7, 2015 (gmt 0)

10+ Year Member



Apache requires mod_cgi to be loaded to actually check for cgi binaries within a path. So loading this module should solve your problem.

lammert

8:25 am on Jan 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi gbitter, thanks for your valuable input and Welcome to WebmasterWorld!
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / Apache Web Server 1:08 pm May 1, 2026