      request #31195 Apply nginx `auth_request` strategy to git http access
    Infos
    #31195
    Manuel Vacelet (vaceletm)
    2023-03-24 10:49
    2023-03-24 10:49
    32783
    Details
    The current implementation of git http access is brittle because it relies on a PHP wrapper around gitolite/git-http-backend. When the amount of data to transfer is big, the PHP part can be killed due to excessive memory usage.

    In request #26407 we introduced a new mechanism to deal with user authentication for subversion to get rid of the (in)famous Tuleap.pm. This uses the auth_request feature of nginx.

    We should be able to re-use a similar strategy for git http access. Except it's a bit harder there:

    • We cannot blindly forward requests to gitolite as we have to manage git-http-backend when repositories are accessible to anonymous users
    • Gitolite access requires sudo because http is run by the application user and ssh accesses are done with the gitolite user

    One possible strategy would be to:

    • Move all the permission checks into auth_request and deal with both user authentication and permission checks there
    • Always serve traffic directly with git-http-backend
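
    A sketch of what that strategy could look like in nginx, added here as an illustration and not taken from the request or from Tuleap's code. The `/git` URL prefix, the `/_git_auth` location, the authorization service on 127.0.0.1:8080, the `X-Git-User` response header, the `/srv/git` repository root and the fcgiwrap socket are all assumptions.

```nginx
# Added example: hypothetical names and paths throughout.
server {
    listen 443 ssl;
    server_name git.example.com;                        # placeholder host
    ssl_certificate     /etc/nginx/tls/example.crt;     # placeholder paths
    ssl_certificate_key /etc/nginx/tls/example.key;

    # Only the smart-HTTP endpoints reach git-http-backend; nothing else matches.
    location ~ ^/git(?<git_path>/.+\.git/(?:info/refs|git-upload-pack|git-receive-pack))$ {
        # Authentication AND permission check happen in the subrequest.
        # 2xx lets the request through, 401/403 is returned to the client
        # (for 401, nginx forwards the subrequest's WWW-Authenticate header).
        auth_request     /_git_auth;
        # Identity comes from the auth service's response, never from a client header.
        auth_request_set $git_user $upstream_http_x_git_user;

        client_max_body_size 0;                         # pushes can be large
        fastcgi_buffering    off;                       # stream packs, do not spool them

        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME     /usr/libexec/git-core/git-http-backend;
        fastcgi_param GIT_PROJECT_ROOT    /srv/git;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param PATH_INFO           $git_path;
        # Left unset for anonymous reads; git-http-backend only enables
        # receive-pack by default when REMOTE_USER is set.
        fastcgi_param REMOTE_USER         $git_user if_not_empty;
        fastcgi_pass  unix:/run/fcgiwrap.socket;
    }

    # Internal only: clients cannot call the authorization endpoint directly.
    location = /_git_auth {
        internal;
        proxy_pass              http://127.0.0.1:8080/git-auth;
        proxy_pass_request_body off;                    # decision needs headers, not the pack
        proxy_set_header        Content-Length "";
        # The service needs the repository and the operation (read vs. write,
        # e.g. service=git-receive-pack in the query string) to decide.
        proxy_set_header        X-Original-URI    $request_uri;
        proxy_set_header        X-Original-Method $request_method;
        # The client's Authorization header is forwarded unchanged by default.
    }
}
```

    In this layout the authorization service answers 200 without credentials for repositories readable by anonymous users, and 401 with a Basic challenge otherwise, so the data path never goes through PHP.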
    SCM/Git
    • [x] enhancement
    • [ ] internal improvement
    New