GitBlit deployment - virtual host, AJP, BASIC authentication


Pavel Horal

Feb 23, 2012, 5:32:56 AM
to gitblit
Hello GitBlit team (probably James :)),

first I want to thank you for this nice and simple git server stack. I
was very close to throwing my computer out of a window after one week
trying to understand how Apache/Suexec/Gitolite should be configured
properly. I am a Java developer and advanced Linux user (unfortunately
not an advanced Linux administrator).

We are trying to migrate from SVN to GIT in our company. I am
responsible for this migration and after a long search, I've decided
we will go for GitBlit. The main reason is simplicity and pure Java
stack, which is our "home land". Also we might be able to contribute
with some useful functionality in the future (right now I am thinking
about LDAP integration).

----

Now for the subject of this message... the deployment scheme we want
to have is:

* Debian as the OS
* Apache Tomcat running multiple applications, where GitBlit is one
of them (so standard context /gitblit)
* Apache HTTP server with virtual host git.ourserver.com and
ProxyPass over AJP protocol to the Tomcat

I don't want to have 'gitblit' in the GIT URLs, so the proxy directive
is

ProxyPass / ajp://localhost/gitblit

In this way the repositories have the URL https://git.ourserver.com/git/foo.git.
However, GitBlit is using its real context path (/gitblit) in many
places. So my question is whether there is some simple way to make my
configuration work.

----

The second topic (maybe it should be another thread?) is about the
caveats mentioned on the GitBlit homepage. I understand that it is
mainly a formal warning, but still - my colleagues can read it and we
are concerned about security and data safety. So we are trying to
deploy GitBlit in a way, where we will introduce multiple mechanisms
to prevent bad things from happening.

A) SECURITY: we want to introduce BASIC authentication made by Apache
HTTP server and also basic path based access rules. With BASIC
authentication we need GitBlit to accept it, however the IUserService
interface does not have HTTP request object available. I don't know
how Wicket works, so the question is whether there is some thread
local context with the request available.

B) DATA SAFETY: as far as I understand GIT, it has a pretty nice
consistency checking through its commit identifiers. So if we will
backup the GIT data on a daily basis and check consistency we can be
pretty sure everything is ok. Is this assumption correct?

Please understand these two points as a reaction to "caveats"
mentioned on your homepage. We want to use GitBlit. Introducing some
"double check" mechanism will make us just more happy and safe.

----

Thank you,
Pavel Horal


[1] http://groups.google.com/group/gitblit/browse_thread/thread/dca18471d26689e0

James Moger

Feb 23, 2012, 8:42:29 AM
to git...@googlegroups.com
Hi Pavel,

I'm now developing mostly on Debian and I regularly use Apache with
GO's (upcoming) built-in AJP connector. I am not an Apache expert,
however. I specify the context path as part of the ProxyPass because
I could not get it to work without doing that. I was unaware that
this restriction is lifted if you use a virtual host configuration.
If you paste me your virtual host config then perhaps I can tweak the
next release of Gitblit so that your URLs will work. And of course a
variation on that config will end up in the documentation.

Security/Safety. That is just a CYA message. Gitblit is an Apache
licensed app 99% written by me by standing on the shoulders of others.
The underlying Eclipse JGit library is very mature, is based on Git's
design, and is used heavily by a great many organizations. I have
100% confidence in it but on the chance that Something Bad happens
somewhere in the stack, you get what you pay for. You might consider
using the Federation feature of Gitblit to setup a redundant Gitblit
instance somewhere else and have that redundant Gitblit mirror your
primary Gitblit. I use that myself - which is why I wrote it. :)

Authentication. Gitblit handles all of its own authentication because
I think the realms part of the Servlet spec sucks. I can adjust
Gitblit's Wicket UI to look for the Authorization header in the
request - open an issue for me. I will be doing something similar for
issue 68.

-J

Pavel Horal

Feb 23, 2012, 11:01:34 AM
to gitblit
Hi James,

I've managed to get it working by following the official Tomcat
virtual host configuration [1]. I've introduced another <Host> into
Tomcat's server and deployed GitBlit as the ROOT application. Now the
simple Apache ProxyPass / ajp://localhost:8009/ works like a charm (so
I did not have to tamper with removing the context).

I understand that it is a CYA message (nice abbreviation by the way - I
had to google it). We just want to be extra cautious and make sure some
anonymous user won't be able to download our projects.

I will look more into security possibilities, check the source code
and make the issue if necessary.

Thank you for the quick reply. I am looking forward to using the
application.

Regards,
Pavel

[1] http://tomcat.apache.org/tomcat-7.0-doc/virtual-hosting-howto.html
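To make the resolution above concrete, here is the Apache side of the setup Pavel describes, as an added example that is not from the original thread or the Gitblit project. It assumes Tomcat's AJP connector on port 8009, Gitblit deployed as ROOT inside a Tomcat <Host name="git.ourserver.com">, an htpasswd file at /etc/apache2/gitblit.htpasswd and certificate paths that are placeholders.

```apache
# Name-based virtual host for git.ourserver.com (added example, assumed layout).
# Needs mod_ssl, mod_proxy, mod_proxy_ajp, mod_auth_basic and mod_authn_file.
<VirtualHost *:443>
    ServerName git.ourserver.com

    # TLS terminates here; the certificate paths are placeholders.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/git.ourserver.com.pem
    SSLCertificateKeyFile /etc/ssl/private/git.ourserver.com.key

    # Gitblit is the ROOT application of a dedicated Tomcat <Host> for this
    # name (as in the thread), so "/" maps 1:1 onto the backend and no
    # context path (/gitblit) has to be stripped or rewritten.
    ProxyPass        / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/

    # Keep the original Host header so Tomcat selects the
    # git.ourserver.com <Host> rather than its default host.
    ProxyPreserveHost On

    # Extra gate in front of Gitblit (point A of the thread): every request
    # must carry valid BASIC credentials before it is proxied to Tomcat, so
    # an anonymous client cannot reach the clone URLs under /git/ at all.
    # Gitblit still runs its own authentication behind this gate, so the
    # Apache user list and Gitblit's user store have to be kept in sync.
    <Location />
        AuthType Basic
        AuthName "git.ourserver.com"
        AuthUserFile /etc/apache2/gitblit.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Run `apachectl configtest` after installing the file; a missing mod_proxy_ajp shows up there as an unknown ProxyPass scheme rather than at request time.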