•  
      request #31195 Apply nginx `auth_request` strategy to git http access
    Infos
    #31195
    Manuel Vacelet (vaceletm)
    2023-03-24 10:49
    2023-03-24 10:49
    32799
    Details
    Apply nginx `auth_request` strategy to git http access

    Current implementation of git http access is brittle because it relies on a php wrapper around gitolite/git-http-backend. When the amount of data to transfer is big, the php part can be killed due to over memory usage.

    In request #26407 we introduced a new mechanism to deal with user authentication for subversion to get rid off (in)famous Tuleap.pm. This use the auth_request feature of nginx.

    We should be able to re-use a similar strategy for git http access. Except it's a bit harder there:

    • We cannot blindly forward requests to gitolite as we have to manage git-http-backend when repositories are accessible to anonymous
    • Gitolite access requires sudo because http is ran by the application user and ssh accesses are done with gitolite user

    One possible strategy would be to:

    • Move all the permission check in auth_request and deal with both user authentication and permission check here
    • Always serve traffic directly with git-http-backend
    SCM/Git
    Empty
    Empty
    • [x] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    New
    Empty
    Attachments
    Empty
    References
    Referenced by request #31195