Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #8292 Hide git http URL for end users
    Actions
    Infos
    #8292
    Ahmed HOSNI (hosniah)
    2015-08-07 17:07
    2015-07-29 18:14
    8415
    Details
    Hide git http URL for end users
    I'm running a tuleap server and bound a gerrit server that replicates over https.
    Only the user performing replication (forge_gerrit_1) should is allowed to use git over https (we setup the restriction within httpd config file).

    I need to hide the missleading http clone url that is displayed on git plugin UI for end user.
    For this purposen, we'll add a boolean config param within git plugin config file and check visibility before the display of https clone url.
    SCM/Git
    Empty
    CentOS 6
    • [x] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2015-08-07
    Attachments
    Empty
    References
    References list is empty
    Display settings

    Follow-ups

    User avatar
    Manuel Vacelet (vaceletm)2015-08-07 17:07
    I close the request and abandonned the patchset
    • Status changed from New to Closed
    • Close date set to 2015-08-07
    User avatar
    Ahmed HOSNI (hosniah)2015-08-07 16:01
    Hello Manuel,

    Indeed, the contrib does not make sens. Hiding the "$git_http_url" variable within plugin conf will hide the clone URL wile replication over http works like a charm.

    I'll set the contrib "abandoned" in gerrit.

    Thanks and best regards,
    Ahmed
    User avatar
    Manuel Vacelet (vaceletm)2015-08-05 10:08
    Ok, I undestand the use case but I don't understand why you need a specific patch, just uncommenting the variable or setting it to an empty string already hide the entry
    User avatar
    Ahmed HOSNI (hosniah)2015-08-03 12:11
    Hello Manuel,

    On a daily basis, we are facing a Huge CPU load on Codex due to high system usage. When troubleshooting such issue, it's always related to git.
    We already set up few rules for memory usage, we didn't yet faced issues with disk I/O...

    Apache as system component, is our single point of failure (SPOF), which would upon failure renders most of our Tuleap stack unavailable / unreliable.
    We are trying to mitigate this SPOF by disabling git http transport for our users.

    Even if we isolate git transport, the high usage git over ssh://would impact other non git users when server reach limits...For a better proactive protection for tuleap, we need then to blacklist "attacker's IP" using Fail2ban:

    Having git available only via ssh:// would be good to setup an sshd jail configured to ban any polling user / ACI (given their IPs) for a moment; Only git/ssh access would be blocked, other Tuleap services will be available for those blacklisted IPs.


    Regards,
    Ahmed
    User avatar
    Manuel Vacelet (vaceletm)2015-08-03 09:54
    I don't understand why end users shouldn't be allowed to see and use the http route.

    I undestand the specific point of your gerrit setup but why is that an issue if other users are relying on http route for doing their git operations ?
    User avatar
    Ahmed HOSNI (hosniah)2015-07-30 11:47
    Hello Tuleap Integrators,

    Could you please take a llok to gerrit# 4284 ?

    Best regards,
    Ahmed