Coming right on the heels of my need to set up a git repository on shared hosts, I next wanted to see if I could use HTTP authentication for such a repository. Of course, HTTP authentication is an extremely insecure protocol, but it typically is enough to dissuade the casual user (such as Googlebot) from peeking at things you don’t want available on the public Internet, so it has its uses.
Note that with the set up described in the above-linked previous post, you can only pull over HTTP. This is usually what you want. If you want to be able to push over HTTP as well, git must be compiled with the
This is, as it turns out, because
git seems to use
curl for its HTTP operations, which also obviously means you must have
curl installed on your workstation if you don’t already and it also implies that it’s
git which you need to configure. In other words, accessing a git repository that is behind HTTP authentication is exactly the same as accessing one without it, and so is publishing a git repository to an HTTP server. The rest of this short tutorial assumes you have published your repository at
http://example.com/git/public-repo.git and are using the Apache web server.
Step 1: Create an HTTP Basic Authentication username and password file
First, you’ll need to create a file that lists the usernames who are permitted to access your repository over HTTP Basic authentication. This is easily accomplished with the
htpasswd utility (or your host’s custom web UI, if one is provided). Let’s create a file called
.git-htpasswd to store these usernames and passwords.
From your shell, run the following command:
htpasswd -c /path/to/DOCUMENT_ROOT/.git-htpasswd username
where /path/to/DOCUMENT_ROOT is the full path to the root directory of your web site and username is the username you want to add. If you want to add subsequent users to this file, run the same command again without the
-c, like this:
htpasswd /path/to/DOCUMENT_ROOT/.git-htpasswd another_username
You’ll then be prompted to enter a password, and then prompted again to verify that you’ve typed it correctly.
Step 2: Configure HTTP Basic Authentication on Apache
Next, configure standard HTTP Basic Authentication on Apache. In most shared hosting environments, you’ll be allowed to configure per-directory passwords using
.htaccess files. Some hosts provide web UI interfaces for creating “protected folders,” which is basically the same thing. Make certain that the kind of protection you select is “Basic,” because
curl will require that.
To do that, create a new file named
.htaccess in your
DOCUMENT_ROOT/git directory if one does not already exist with the following contents:
AuthType Basic AuthName "Git" AuthUserFile /path/to/DOCUMENT_ROOT/.git-htpasswd Require valid-user
This tells Apache to look for usernames and passwords in the file named
.git-htpasswd we created in step 1.
If everything is set up correctly, you should now be able to access
http://example.com/git/public-repo.git in your Web browser and you should be presented with a login dialogue box.
Step 3: Configure
curl on your (client) workstation computer
Next, configure your local
git-pull will call
curl with its
--netrc-optional switch for HTTP operations. This means
curl will look for a file named
.netrc in your home directory and will read authentication configurations from that file. The format of this file is incredibly simple:
machine yourserver.example.com username your_username password your_password
To check if this is working correctly, run
curl yourself to access the current
HEAD of the public repository and see if you get the expected result:
curl --netrc --location -v http://example.com/git/public-repo.git/HEAD | grep 'ref: refs/heads'
If you see a line of output then you know this is working, otherwise you should double check your work.
Step 4: There is no step four
You’re done. With this configuration, you can
git-pull as you normally would, and
git will automatically use your
.netrc file to enable
curl‘s HTTP authentication schemes.