comparison content/SCM/http-auth-hgwebdir.md @ 0:4cd9b65e10e4
initial import of the pelican based blog
| author | Dirk Olmes <dirk@xanthippe.ping.de> |
|---|---|
| date | Fri, 28 Jun 2013 08:48:58 +0200 |
| parents | |
| children |
| -1:000000000000 | 0:4cd9b65e10e4 |
|---|---|
| 1 Title: HTTP auth for hgwebdir.cgi | |
| 2 Tags: Mercurial | |
| 3 Date: 2009-01-16 | |
| 4 Lang: en | |
| 5 | |
| 6 The easiest way to publish your [Mercurial](http://www.selenic.com/mercurial/wiki/) repository via HTTP is probably the use of `hgwebdir.cgi`. | |
| 7 | |
| 8 There are quite a number of HOWTOs out there on how to configure hgwebdir.cgi on the web, e.g. [this one](http://www.selenic.com/mercurial/wiki/index.cgi/PublishingRepositories): it talks about configuring hgwebdir.cgi and how to set up "nicer" URLs and authentication for the repository. | |
| 9 | |
| 10 While following that instruction I stumbled upon a possible leak in all of the HOWTOs I found out there: they protect the rewritten, "nice" URL to the repository but still allow unauthenticated acces to `/cgi-bin/hgwebdir.cgi`. | |
| 11 | |
| 12 The following configuration circumvents this bug: | |
| 13 | |
| 14 Step 1: configure nice repository URLs: | |
| 15 <div class="highlight"><pre> | |
| 16 ScriptAliasMatch ^/hg(.*) /where/ever/cgi-bin/hgwebdir.cgi$1 | |
| 17 </pre></div> | |
| 18 | |
| 19 Step2: use the *LocationMatch* directive to protect all possible accesses to the repository: | |
| 20 <div class="highlight"><pre> | |
| 21 <LocationMatch /(cgi-bin/hgwebdir.cgi|hg)/myhgrepository> | |
| 22 AuthType Basic | |
| 23 .... | |
| 24 </LocationMatch> | |
| 25 </pre></div> | |
| 26 | |
| 27 Now you can use either `http://myhost/hg/myhgrepository` or `http://myhost/cgi-bin/hgwebdir.cgi/myhgrepository` to access the repo and you'll get the auth prompt on either URL. |
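Review bot: The LocationMatch pattern on line 21 is unanchored and leaves the dot in hgwebdir.cgi unescaped, so it matches anywhere in the URL path and more loosely than the two URLs named on line 27; something like `^/(cgi-bin/hgwebdir\.cgi|hg)/myhgrepository` states the intent exactly. The pattern also only covers paths that contain /myhgrepository, so the bare /cgi-bin/hgwebdir.cgi and /hg URLs (and any other repository published through the same script) remain outside the auth block; if the goal is to close every unauthenticated route to the CGI, say so in the text and drop the repository name from the pattern. On line 16, `^/hg(.*)` also rewrites paths such as /hgfoo, which `^/hg(/.*)?$` would avoid. The `....` on line 23 hides the directives that actually enforce authentication; listing AuthName, AuthUserFile and Require there would make the snippet usable as written. Minor: "acces" on line 10, "Step2" on line 19, and "circumvents this bug" on line 12 reads better as "closes this gap".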
