Skip to content

Instantly share code, notes, and snippets.

@Kreijstal

Kreijstal/git_server.md

Created March 27, 2025 21:09
Show Gist options
  • Save Kreijstal/28fc987270b71849505bbc89b3f2d90a to your computer and use it in GitHub Desktop.
Save Kreijstal/28fc987270b71849505bbc89b3f2d90a to your computer and use it in GitHub Desktop.
Download ZIP
How to set up git with nginx
Raw
git_server.md

Setting Up Git with Nginx for Anonymous HTTP Access

This guide explains how to configure a Git repository to be served anonymously over HTTP using Nginx and git-http-backend. This setup allows users to clone and fetch repositories without authentication, and optionally push if configured. It’s ideal for public repositories or simple internal use cases.

Prerequisites

  • A Linux server with:
    • Git installed (sudo apt install git)
    • Nginx installed (sudo apt install nginx)
    • fcgiwrap installed (sudo apt install fcgiwrap) to bridge Nginx and git-http-backend
  • Basic familiarity with command-line tools and Nginx configuration

Step 1: Set Up the Git Repository

  1. Create a Repository Directory: Choose a directory to store your Git repositories. For example:

    sudo mkdir -p /srv/git
sudo chmod -R 755 /srv/git

  2. Initialize a Bare Repository: Create a bare Git repository (one without a working directory, suitable for remote access):

    cd /srv/git
git init --bare myrepo.git

  3. Enable Anonymous Access: By default, git-http-backend requires repositories to be explicitly marked as exportable. Create an empty file named git-daemon-export-ok in the repository:

    touch myrepo.git/git-daemon-export-ok

    Alternatively, you can configure Nginx to bypass this requirement (see Step 3).

  4. Adjust Permissions: Ensure the web server user (typically www-data on Debian-based systems) has read access to the repository:

    sudo chown -R www-data:www-data /srv/git/myrepo.git
sudo chmod -R g+rX /srv/git/myrepo.git

    If the repository is owned by another user (e.g., your account), see Step 5 for handling ownership mismatches.

Step 2: Install and Configure fcgiwrap

fcgiwrap acts as a FastCGI wrapper to run git-http-backend with Nginx.

  1. Verify fcgiwrap is Running: After installation, ensure the fcgiwrap service is active:

    sudo systemctl start fcgiwrap
sudo systemctl enable fcgiwrap

    Check the socket:

    ls -l /var/run/fcgiwrap.socket

    It should be owned by www-data or accessible by the Nginx user.

  2. Adjust Permissions (if needed): If Nginx can’t access the socket:

    sudo chown www-data:www-data /var/run/fcgiwrap.socket
sudo chmod g+w /var/run/fcgiwrap.socket

Step 3: Configure Nginx

Edit your Nginx site configuration (e.g., /etc/nginx/sites-available/default) to serve Git repositories.

  1. Basic Configuration: Add a server block to handle HTTP requests:

    server {
    listen 80;
    server_name your-domain.com; # Replace with your domain or IP

    # Define the root directory for non-Git content (optional)
    root /var/www/html;
    index index.html;

    # Directory for Git repositories
    set $git_root /srv/git;

    # Serve Git repositories under /git/
    location ~ ^/git/([^/]+\.git)(/.*)?$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        fastcgi_param GIT_PROJECT_ROOT $git_root;
        fastcgi_param GIT_HTTP_EXPORT_ALL "1"; # Allow access without git-daemon-export-ok
        fastcgi_param PATH_INFO /$1$2; # Repo name + subpath (e.g., /myrepo.git/info/refs)
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }
}

  2. Key Settings Explained:

    • GIT_PROJECT_ROOT: Points to the parent directory of your repositories (/srv/git).
    • GIT_HTTP_EXPORT_ALL "1": Allows anonymous access to all repositories under $git_root, bypassing the need for git-daemon-export-ok.
    • PATH_INFO /$1$2: Captures the repository name (e.g., myrepo.git) and subpath (e.g., /info/refs), ensuring git-http-backend processes requests correctly.

  3. Test and Reload Nginx:

    sudo nginx -t
sudo systemctl reload nginx

Step 4: Test Anonymous Access

  1. Clone the Repository: From another machine or locally:

    git clone http://your-domain.com/git/myrepo.git

    This should succeed without authentication.

  2. Verify with curl: Check the Git protocol response:

    curl -v "http://your-domain.com/git/myrepo.git/info/refs?service=git-upload-pack"

    Expect a 200 OK response with Git protocol data (e.g., 001e# service=git-upload-pack).

Step 5: Handle Ownership Mismatches (Optional)

If the repository files are owned by a user other than www-data (e.g., your personal account), Git might refuse to operate due to security restrictions introduced in Git 2.35.2+. You’ll see errors like fatal: unsafe repository.

To fix this globally:

sudo git config --system --add safe.directory '*'
  • This adds safe.directory = * to /etc/gitconfig, trusting all directories for all users.
  • Caution: This is a broad setting; for better security, specify the exact path: 
    sudo git config --system --add safe.directory /srv/git/myrepo.git

Alternatively, change ownership to www-data (as in Step 1) to avoid this step.

Step 6: Enable Pushing (Optional)

By default, this setup only allows fetching/cloning. To enable anonymous pushing:

  1. Add Push Support in Nginx: Update the location block:

    location ~ ^/git/([^/]+\.git)(/.*)?$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
    fastcgi_param GIT_PROJECT_ROOT $git_root;
    fastcgi_param GIT_HTTP_EXPORT_ALL "1";
    fastcgi_param PATH_INFO /$1$2;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param GIT_HTTP_RECEIVE_PACK "1"; # Enable pushing
    fastcgi_pass unix:/var/run/fcgiwrap.socket;
}

  2. Grant Write Permissions: Ensure www-data can write to the repository:

    sudo chown -R www-data:www-data /srv/git/myrepo.git
sudo chmod -R g+rwX /srv/git/myrepo.git

  3. Test Pushing:

    cd myrepo
echo "test" > test.txt
git add test.txt
git commit -m "Test push"
git push origin main

    Note: Anonymous pushing is insecure for public servers. Consider adding authentication (see below) if this is a concern.

Step 7: Add Directory Browsing (Optional)

To browse the /git/ directory (e.g., list all repositories):

  1. Add a Specific Location: Update the Nginx config:

    server {
    listen 80;
    server_name your-domain.com;

    root /var/www/html;
    index index.html;

    set $git_root /srv/git;

    # Directory listing for /git/
    location = /git/ {
        root /srv; # Points to /srv/git/
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }

    # Git repository handling
    location ~ ^/git/([^/]+\.git)(/.*)?$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        fastcgi_param GIT_PROJECT_ROOT $git_root;
        fastcgi_param GIT_HTTP_EXPORT_ALL "1";
        fastcgi_param PATH_INFO /$1$2;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }
}

  2. Test Browsing:

    curl -v "http://your-domain.com/git/"

    You should see an HTML directory listing of /srv/git/.

Step 8: Secure with Authentication (Optional)

For controlled access (e.g., restrict pushing):

  1. Create an .htpasswd File:

    sudo htpasswd -c /etc/nginx/.htpasswd gituser

  2. Add Authentication to Nginx:

    location ~ ^/git/([^/]+\.git)(/.*)?$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
    fastcgi_param GIT_PROJECT_ROOT $git_root;
    fastcgi_param GIT_HTTP_EXPORT_ALL "1";
    fastcgi_param PATH_INFO /$1$2;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param GIT_HTTP_RECEIVE_PACK "1";
    fastcgi_pass unix:/var/run/fcgiwrap.socket;
    auth_basic "Git Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

  3. Test with Credentials:

    git clone http://gituser:[email protected]/git/myrepo.git

Troubleshooting

  • 500 Internal Server Error: Check /var/log/nginx/error.log for details (e.g., permissions, fcgiwrap issues).
  • "unsafe repository": Ensure safe.directory is set or ownership matches www-data.
  • "Service not enabled": Verify GIT_HTTP_RECEIVE_PACK for pushing.
  • "aliased" Error: Ensure PATH_INFO starts with a slash and matches the repo path.

With this setup, you’ve got a fully functional anonymous Git server over HTTP using Nginx! Adjust paths and settings as needed for your environment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment