Wednesday, April 1, 2009

Securing Gitweb

We will secure Gitweb using the Apache module mod_auth_digest.

This document is based on the following assumptions:
  1. Apache2 is installed and running, with its configuration in the /etc/apache2 folder
  2. gitdomain.com is already set up and serving the gitweb files

  • Create the password file for the realm "private":
sudo htdigest -c /etc/apache2/passwd/digest private user1
sudo htdigest /etc/apache2/passwd/digest private user2

Note: Omit the -c flag to add a new user to an existing password file.

  • Enable the auth_digest module:
sudo a2enmod auth_digest
  • Edit the gitdomain.com site configuration as follows:

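# The section tags (<VirtualHost>, <Directory>, <Files>) were missing from the
# listing and are reconstructed here; the listen address is an assumption.
<VirtualHost *:80>
    ServerName gitdomain.com
    DocumentRoot "/var/www/gitdomain.com/cgi-bin"
    DirectoryIndex gitweb.cgi
    SetEnv GITWEB_CONFIG /etc/gitweb.conf

    # Trailing slash added to the target so it matches the alias
    ScriptAlias /cgi-bin/ /var/www/gitdomain.com/cgi-bin/

    <Directory "/var/www/gitdomain.com/cgi-bin">
        Options Indexes FollowSymlinks ExecCGI
        # AuthName must be the same realm that was passed to htdigest
        AuthType Digest
        AuthName "private"
        AuthUserFile /etc/apache2/passwd/digest
        Require valid-user

        <Files gitweb.cgi>
            SetHandler cgi-script
        </Files>

        RewriteEngine on
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^.* /gitweb.cgi/$0 [L,PT]
    </Directory>

    # The path of this section is not shown on the page; placeholder only
    <Directory "/PLACEHOLDER/path/not/shown">
        Allow from all
    </Directory>

    # To debug rewrite rules, which were very painful to figure out
    # (Apache 2.2 directives; Apache 2.4 uses "LogLevel rewrite:traceN" instead)
    RewriteLog /var/log/apache2/rewrite_log
    RewriteLogLevel 9

    ErrorLog /var/log/apache2/gitweb
</VirtualHost>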

  • Restart Apache:
sudo service apache2 restart
Then test in a browser that authentication is working.
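
If the browser keeps prompting, one thing to check is that the realm stored in the digest file is exactly the AuthName value. The following is an added example, not part of the original post: a Python check of the user:realm:hash lines that htdigest writes, run over a constructed sample file. The function names and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac

def ha1(user, realm, password):
    """Hash that htdigest stores: hex MD5 of "user:realm:password"."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def audit(text, auth_name):
    """List (line number, problem) for entries that cannot match AuthName."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 3:
            problems.append((n, "expected user:realm:hash"))
            continue
        user, realm, digest = fields
        if realm != auth_name:  # compared exactly, case included
            problems.append((n, f"realm {realm!r} is not AuthName {auth_name!r}"))
        if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            problems.append((n, "hash is not 32 lowercase hex digits"))
    return problems

def password_matches(text, auth_name, user, password):
    """True if the file holds the entry htdigest would write for this password."""
    want = f"{user}:{auth_name}:{ha1(user, auth_name, password)}".encode()
    return any(hmac.compare_digest(line.strip().encode(), want)
               for line in text.splitlines())

# Constructed sample file; the passwords are made up for this example.
SAMPLE = "\n".join([
    f"user1:private:{ha1('user1', 'private', 'example-pass-1')}",
    f"user2:Private:{ha1('user2', 'Private', 'example-pass-2')}",  # wrong realm case
    "user3:private",                                               # truncated entry
]) + "\n"

if __name__ == "__main__":
    for lineno, problem in audit(SAMPLE, "private"):
        print(f"line {lineno}: {problem}")
    print(password_matches(SAMPLE, "private", "user1", "example-pass-1"))
```

Each stored hash is enough on its own to answer a Digest challenge for that realm, so keep /etc/apache2/passwd/digest unreadable to other local users.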


Suggested Reading
http://httpd.apache.org/docs/1.3/howto/auth.html