Date: Tue, 26 Mar 2019 14:39:13 -0600
From: Assaf Gordon <>
Subject: Re: Supporting git access via smart HTTPS protocol for musl-libc


I might be able to suggest a few pointers on setting up git/http CGI access.

The git package contains 'git-http-backend' (typically in /usr/lib/git-core)
which is a CGI backend meant for smart/dumb git cloning.

On GNU Savannah we use NGINX with the following configuration:

  location = /r { return 302 $request_uri/; }
  location /r/ {
    autoindex on;
    alias /srv/git/;
    location ~ ^/r(/.*/(info/refs|git-upload-pack)$) {
      gzip off;
      include fastcgi_params;
      fastcgi_pass unix:/var/run/fcgiwrap.socket;
      fastcgi_param SCRIPT_FILENAME /usr/local/sbin/git-http-backend;
      fastcgi_param PATH_INFO $1;
      fastcgi_param GIT_HTTP_EXPORT_ALL true;
      fastcgi_param GIT_PROJECT_ROOT /srv/git;
      client_max_body_size 0;
    }
  }

(You made your opinion on nginx clear, but this is just for reference for
a working configuration).


To run the backend manually, try variations of the following:

    GIT_PROJECT_ROOT=/home/gordon/projects/ PATH_INFO=/musl/.git/HEAD \
    REQUEST_METHOD=GET GIT_HTTP_EXPORT_ALL=true \
    /usr/lib/git-core/git-http-backend

  Content-Length: 23
  Content-Type: text/plain
  ref: refs/heads/master

(running 'man git-http-backend' will give more details about GIT_PROJECT_ROOT


To run under busybox's httpd, I used the following contrived setup:

    mkdir www
    mkdir www/cgi-bin
    echo "hello world" > www/index.html
    echo "Content-type: text/html"
    echo ""
    echo "Hello CGI World"
    chmod a+x ./www/cgi-bin/

    busybox httpd -v -f -p 9999 -h ./www

This will start the busybox httpd server, serving files from ./www folder.
Assuming busybox/httpd was compiled with CGI support, the script in the
'cgi-bin' directory should "just work". Test with:

    $ curl http://localhost:9999/
    hello world

    $ curl http://localhost:9999/cgi-bin/
    Hello CGI World

If the above worked, the CGI setup is fine and we can move on to git.


Create the following wrapper in ./www/cgi-bin/ (any file name would work,
but a file name without extension 'looks' better, e.g. 'view'):

    #!/bin/sh
    export GIT_HTTP_EXPORT_ALL=true
    export GIT_PROJECT_ROOT=/home/gordon/projects/
    exec /usr/lib/git-core/git-http-backend

and make it executable with "chmod a+x ./www/cgi-bin/view".

This setup will serve ANY repository under the 'GIT_PROJECT_ROOT'.
You can of course adjust as needed.
In my case, I have '/home/gordon/projects/musl/',
which is tested below like so:

    $ curl -D /dev/stderr http://localhost:9999/cgi-bin/view/musl/HEAD
    HTTP/1.0 200 OK
    Content-Length: 23
    Content-Type: text/plain

    ref: refs/heads/master

The above curl command executed the 'view' script with PATH_INFO being
'/musl/HEAD' - which is a request git-http-backend knows how to handle.

If the above worked, cloning 'should work' as well:

    $ git clone http://localhost:9999/cgi-bin/view/musl
    Cloning into 'musl'...
    remote: Counting objects: 31250, done.
    remote: Compressing objects: 100% (9126/9126), done.
    remote: Total 31250 (delta 22523), reused 30465 (delta 21759)
    Receiving objects: 100% (31250/31250), 4.78 MiB | 0 bytes/s, done.
    Resolving deltas: 100% (22523/22523), done.


Others in this thread talked about URL re-routing/aliasing.
This would be useful to hide the "cgi-bin" part of the URL, but busybox's
httpd doesn't support it. Having it in the URL isn't the end of the world
if one insists on using a minimalistic web server.


I haven't used thttpd, but it should work very similarly.

Hope this helps,
 - assaf
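
The message notes that the wrapper serves ANY repository under GIT_PROJECT_ROOT; that is the effect of GIT_HTTP_EXPORT_ALL, and without it git-http-backend only serves repositories that contain a 'git-daemon-export-ok' file. The following is an added example, not part of the original message or of git: a hypothetical helper, audit_exports, that lists which repositories under a root would be served in each mode, assuming the marker file sits in the git directory itself (musl/.git/ for a non-bare checkout).

```shell
#!/bin/sh
# Added example: audit what a git-http-backend setup would expose.
#
# audit_exports ROOT [EXPORT_ALL]
#   ROOT        directory used as GIT_PROJECT_ROOT
#   EXPORT_ALL  any non-empty value models GIT_HTTP_EXPORT_ALL being set
#
# Prints one line per repository found under ROOT:
#   served <path>   the backend would answer requests for it
#   hidden <path>   the backend would refuse (no git-daemon-export-ok)
audit_exports() {
    root=${1%/}
    export_all=${2:-}
    # Every git directory has a HEAD file next to objects/ and refs/.
    find "$root" -type f -name HEAD 2>/dev/null | sort |
    while IFS= read -r head; do
        gitdir=${head%/HEAD}
        # Skip unrelated HEAD files such as refs/remotes/origin/HEAD.
        [ -d "$gitdir/objects" ] && [ -d "$gitdir/refs" ] || continue
        if [ -n "$export_all" ] || [ -e "$gitdir/git-daemon-export-ok" ]; then
            printf 'served %s\n' "${gitdir#"$root"/}"
        else
            printf 'hidden %s\n' "${gitdir#"$root"/}"
        fi
    done
}

# Run as a script: ./audit.sh /home/gordon/projects [yes]
if [ "$#" -gt 0 ]; then
    audit_exports "$@"
fi
```

To publish only selected repositories, drop the GIT_HTTP_EXPORT_ALL line from the wrapper and create 'git-daemon-export-ok' in each git directory that should be cloneable.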
