Wednesday, April 1, 2009

Securing Gitweb

We will secure Gitweb using the Apache module mod_auth_digest.

This document is based on the following assumptions:
  1. Apache2 is installed and running, with its configuration under /etc/apache2
  2. is already present and serving gitweb files
Assuming Apache2 is run from /etc/apache2/:

  • Let's create the password file at /etc/apache2/passwd/digest, using the realm "private":
sudo htdigest -c /etc/apache2/passwd/digest private user1
sudo htdigest /etc/apache2/passwd/digest private user2

Note: omit the -c flag to add a new user to an existing password file (-c creates the file, overwriting any existing one). The realm passed to htdigest ("private" above) must be exactly the AuthName used in the Apache configuration: the stored hash is MD5 of user:realm:password, so a different realm in the config makes every login fail.
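The following is an added example, not part of the original post: it reproduces the record format htdigest writes (user:realm:MD5 of "user:realm:password") so you can build or audit a digest password file on a host without apache2-utils, and verify a password against it. It assumes md5sum or openssl is on the PATH; the user names, passwords and the temporary file are constructed for the demo (the post's real file is /etc/apache2/passwd/digest).

```shell
#!/bin/sh
# Added example (not from the original post): reproduces the line format
# htdigest writes, user:realm:MD5("user:realm:password"), so the password
# file can be built or audited without apache2-utils. It assumes md5sum or
# openssl is on PATH; users, passwords and the temp file are constructed.

# md5hex STRING -> lowercase hex MD5 of STRING (no trailing newline hashed)
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/.*= //'
    fi
}

# digest_line USER REALM PASSWORD -> the record htdigest would store
digest_line() {
    printf '%s:%s:%s\n' "$1" "$2" "$(md5hex "$1:$2:$3")"
}

# lookup FILE USER REALM -> stored hash for USER in REALM; 1 if absent
lookup() {
    [ -f "$1" ] || return 1
    awk -F: -v u="$2" -v r="$3" \
        '$1 == u && $2 == r { print $3; found = 1; exit } END { exit !found }' "$1"
}

# add_user FILE USER REALM PASSWORD: appends a record; refuses a duplicate
# user/realm pair instead of silently leaving two records in the file
add_user() {
    if lookup "$1" "$2" "$3" >/dev/null; then
        echo "add_user: $2 already exists in realm $3" >&2
        return 1
    fi
    digest_line "$2" "$3" "$4" >> "$1"
}

# check_password FILE USER REALM PASSWORD: 0 when the stored hash matches
check_password() {
    stored=$(lookup "$1" "$2" "$3") || return 1
    [ "$stored" = "$(md5hex "$2:$3:$4")" ]
}

# lint_file FILE: 0 when every line is user:realm:<32 hex chars>
lint_file() {
    [ "$(grep -Evc '^[^:]+:[^:]+:[0-9a-f]{32}$' "$1")" -eq 0 ]
}

# Demo on a constructed file (the post's real file is /etc/apache2/passwd/digest)
demo() {
    tmp=$(mktemp -d)
    add_user "$tmp/digest" user1 private 'correct horse'
    add_user "$tmp/digest" user2 private 'battery staple'
    check_password "$tmp/digest" user1 private 'correct horse' && echo "user1: password accepted"
    check_password "$tmp/digest" user1 private 'wrong' || echo "user1: wrong password rejected"
    lint_file "$tmp/digest" && echo "file format ok"
    rm -rf "$tmp"
}
demo
```

Because the realm is part of the hashed string, check_password with the wrong realm fails even with the right password, which is the same failure you see in Apache when AuthName and the htdigest realm disagree.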

  • Enable the auth_digest module: sudo a2enmod auth_digest
  • Edit the as following

DocumentRoot "/var/www/"
DirectoryIndex gitweb.cgi
SetEnv GITWEB_CONFIG /etc/gitweb.conf

ScriptAlias /cgi-bin/ /var/www/

Options Indexes FollowSymlinks ExecCGI
AuthType Digest
AuthName "private"
AuthUserFile /etc/apache2/passwd/digest
Require valid-user

SetHandler cgi-script

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.* /gitweb.cgi/$0 [L,PT]

Allow from all

# To debug rewrite rules, which were very painful to figure out
RewriteLog /var/log/apache2/rewrite_log
RewriteLogLevel 9

ErrorLog /var/log/apache2/gitweb

  • Restart Apache: sudo service apache2 restart
Test with a browser that authentication is working: the first request must be answered with a login prompt, not with the repository listing.
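For a check that does not depend on a browser, here is an added example (not from the original post) that verifies from the command line that the server issues a Digest challenge for the realm the password file was built for, and that an anonymous request gets 401 while a valid user gets 200. It assumes curl is installed; the URL and user name are placeholders passed as arguments, and the response-header samples in the script are constructed to look like Apache 2.2 output.

```shell
#!/bin/sh
# Added example (not from the original post): checks that a server issues a
# Digest challenge for the expected realm, then that a valid user gets 200
# and an anonymous request 401. Assumes curl; URL and user are arguments,
# and the header samples below are constructed to resemble Apache 2.2.

# check_challenge HEADERS REALM: 0 when HEADERS is a 401 response whose
# WWW-Authenticate offers Digest (not Basic) authentication for REALM
check_challenge() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')   # curl keeps CRLF line ends
    printf '%s\n' "$hdrs" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 401( |$)' || return 1
    printf '%s\n' "$hdrs" | grep -Eiq "^WWW-Authenticate:[[:space:]]*Digest[[:space:]].*realm=\"$2\"" || return 1
}

# live_check URL USER: exercise a running server (only runs when arguments
# are given); curl prompts for USER's password on the terminal
live_check() {
    url=$1; user=$2
    check_challenge "$(curl -sI "$url")" private || {
        echo "no Digest challenge for realm private at $url" >&2; return 1; }
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    auth=$(curl -s -o /dev/null -w '%{http_code}' --digest -u "$user" "$url")
    [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

# Constructed samples of what a server might answer to an anonymous request
SAMPLE_DIGEST='HTTP/1.1 401 Authorization Required
Date: Wed, 01 Apr 2009 10:00:00 GMT
Server: Apache/2.2
WWW-Authenticate: Digest realm="private", nonce="constructed", algorithm=MD5, qop="auth"
Content-Type: text/html; charset=iso-8859-1'

SAMPLE_BASIC='HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="private"'

SAMPLE_OPEN='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8'

if [ $# -ge 2 ]; then
    live_check "$1" "$2" && echo "Digest auth enforced at $1"
else
    check_challenge "$SAMPLE_DIGEST" private && echo "sample: Digest challenge for realm private"
    check_challenge "$SAMPLE_BASIC" private || echo "sample: Basic challenge, not Digest"
    check_challenge "$SAMPLE_OPEN" private || echo "sample: no challenge at all (directory unprotected)"
fi
```

Run it as `sh check_gitweb_auth.sh http://your-host/ user1` (placeholder host) after the restart; a 200 on the anonymous request means the AuthType/Require block is not covering the Gitweb directory, and a Basic challenge means a different module is answering than the one configured above.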

Suggested Reading