Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20190326220225.GE23599@brightrain.aerifal.cx>
Date: Tue, 26 Mar 2019 18:02:25 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: Supporting git access via smart HTTPS protocol for
 musl-libc

On Tue, Mar 26, 2019 at 02:39:13PM -0600, Assaf Gordon wrote:
> Hello,
> 
> I might be able to suggest few pointers on setting up git/http CGI access.
> 
> The git package contains 'git-http-backend' (typically in /usr/lib/git-core)
> which is a cgi backend meant for smart/dump git cloning.
> 
> On GNU Savannah we use NGINX with the following configuration:
> 
>   location = /r { return 302 $request_uri/; }
>   location /r/ {
>     autoindex on;
>     alias /srv/git/;
>     location ~ ^/r(/.*/(info/refs|git-upload-pack)$) {
>       gzip off;
>       include fastcgi_params;
>       fastcgi_pass unix:/var/run/fcgiwrap.socket;
>       fastcgi_param SCRIPT_FILENAME /usr/local/sbin/git-http-backend;
>       fastcgi_param PATH_INFO $1;
>       fastcgi_param GIT_HTTP_EXPORT_ALL true;
>       fastcgi_param GIT_PROJECT_ROOT /srv/git;
>       client_max_body_size 0;
>     }
>   }
> 
> (You made your opinion on nginx clear, but this is just for reference for
> a working configuration).
> 
> -----
> 
> To run the backend manually, try variations of the following:
> 
>   $ REQUEST_METHOD=GET GIT_HTTP_EXPORT_ALL=true \
>     GIT_PROJECT_ROOT=/home/gordon/projects/ PATH_INFO=/musl/.git/HEAD \
>     /usr/lib/git-core/git-http-backend
> 
>   Content-Length: 23
>   Content-Type: text/plain
>   ref: refs/heads/master
> 
> (running 'man git-http-bckend' will give more details about GIT_PROJECT_ROOT
> etc.).
> 
> ----
> 
> To run under busybox's httpd, I used the following contrived setup:
> 
>     mkdir www
>     mkdir www/cgi-bin
>     echo "hello world" > www/index.html
>     cat<<EOF>www/cgi-bin/test.sh
>     #!/bin/sh
>     echo "Content-type: text/html"
>     echo ""
>     echo "Hello CGI World"
>     EOF
>     chmod a+x ./www/cgi-bin/test.sh
> 
>     busybox httpd -v -f -p 9999 -h ./www
> 
> This will start the busybox httpd server, serving files from ./www folder.
> Assuming busybox/httpd was compiled with CGI support, the script in the
> 'cgi-bin' directory should "just work". Test with:
> 
>     $ curl http://localhost:9999/
>     hello world
> 
>     $ curl http://localhost:9999/cgi-bin/test.sh
>     Hello CGI World
> 
> If the above worked, the CGI setup is fine and we can move on the git.
> 
> ---
> 
> Create the following wrapper in ./www/cgi-bin/ (any file name would work,
> but a file name without extension 'looks' better, e.g. 'view'):
> 
>     #!/bin/sh
>     export GIT_HTTP_EXPORT_ALL=true
>     export GIT_PROJECT_ROOT=/home/gordon/projects/
>     export HTTP_CONTENT_ENCODING=gzip
>     exec /usr/lib/git-core/git-http-backend
> 
> and make it executable with "chmod a+x ./www/cgi-bin/view".
> 
> This setup will serve ANY repository under the 'GIT_PROJECT_ROOT'.
> You can of course adjust as needed.
> In my case, I have '/home/gordon/projects/musl/',
> which is tested below like so:
> 
>     $ curl -D /dev/stderr http://localhost:9999/cgi-bin/view/musl/HEAD
>     HTTP/1.0 200 OK
>     Content-Length: 23
>     Content-Type: text/plain
> 
>     ref: refs/heads/master
> 
> The above curl command executed the 'view' script with PATH_INFO being
> '/musl/HEAD' - which is a request git-http-backend knows how to handle.
> 
> If the above worked, cloning 'should work' as well:
> 
>     $ git clone http://localhost:9999/cgi-bin/view/musl
>     Cloning into 'musl'...
>     remote: Counting objects: 31250, done.
>     remote: Compressing objects: 100% (9126/9126), done.
>     remote: Total 31250 (delta 22523), reused 30465 (delta 21759)
>     Receiving objects: 100% (31250/31250), 4.78 MiB | 0 bytes/s, done.
>     Resolving deltas: 100% (22523/22523), done.
> 
> ----
> 
> Others in this thread talked about URL re-routing/aliasing.
> This would be useful to hide the "cgi-bin" part of the URL, but busybox's
> httpd doesn't support it. Having it in the URL isn't the end of the world
> if one insist on using a minimalistic web server.
> 
> ----
> 
> I haven't used thttpd, but it should work very similarly.

Thanks for the info. I've been playing with it, but haven't been able
to get it to work yet. I suspect thttpd is doing something broken with
the POST request since the git clone breaks during that. Going to look
at it in more detail later.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.