Nginx – How to make git push work with nginx (basic auth) behind nginx reverse proxy (HTTPS)

githttpsnginxPROXY

I like to have a git server on a computer (backend) without direct internet access. There should be basic authentication. The access should be available by means of a reverse proxy (frontend) on another computer, that does SSL/HTTPS. Both are running Debian 7 stable (wheezy + wheezy-backports for nginx and git).

So far everything (= git clone) works but git push:

$ git push --set-upstream origin master
Username for 'https://myfrontend:443': myusername
Password for 'https://myusername@myfrontend:443': 
error: Cannot access URL https://myserver:443/git/gittest.git/, return code 22
fatal: git-http-push failed

The error message in the backend nginx log is:

2014/04/01 01:00:00 [error] 27000#0: *7 no user/password was provided for
basic authentication, client: myfrontend, server: mybackend, request:
"PROPFIND /git/gittest.git/ HTTP/1.0", host: "myfrontend"

It seems that the basic auth works for clone, but not for push.

The nginx config of the frontend is:

server {
    listen 443;
    server_name myfrontend;
    resolver 127.0.0.1;
    charset UTF-8;
    #
    root /var/www/;
    index index.html;
    #
    ssl on;
    ssl_certificate /etc/ssl/certs/myfronted.crt;
    ssl_certificate_key /etc/ssl/private/myfrontend.key;
    #
    ssl_session_timeout 5m;
    #
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    #
    location ~ /git(/.*) {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://mybackend:8081/git$1;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header REMOTE_USER $remote_user;
    }
}

The nginx config for the backend is:

server {
    listen 8081;
    server_name mybackend;
    root /var/www;
    charset UTF-8;
    #
    location ~ /git(/.*) {
        auth_basic "Restricted";
        auth_basic_user_file /var/lib/git/.htpasswd;
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_ext_methods PROPFIND OPTIONS;
        create_full_put_path on;
        #
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param GIT_PROJECT_ROOT /var/lib/git;
        fastcgi_param PATH_INFO $1;
        fastcgi_param DOCUMENT_ROOT /usr/lib/git-core/;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        include fastcgi_params;
    }
}

The git config on the backend server is:

[core]
repositoryformatversion = 0
filemode = true
bare = true
[http]
receivepack = true
[gitweb]
    owner = My Name

Is there another, maybe simpler way to serve git on the backend side? Maybe without nginx or without fcgiwrap? I would, however, like to survive without Apache…

Many thanks in advance!

Best Answer

The problem was in the frontend syntax. I had to change:

proxy_pass http://mybackend:8081/git$1;

to the correct:

proxy_pass http://mybackend:8081/git$1$is_args$args;

or alternatively:

proxy_pass http://mybackend:8081$request_uri;

Thanks, Will!

Related Topic