--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/content/SCM/http-auth-hgwebdir.md	Fri Jun 28 08:48:58 2013 +0200
@@ -0,0 +1,27 @@
+Title: HTTP auth for hgwebdir.cgi
+Tags: Mercurial
+Date: 2009-01-16
+Lang: en
+
+The easiest way to publish your [Mercurial](http://www.selenic.com/mercurial/wiki/) repository via HTTP is probably the use of `hgwebdir.cgi`.
+
+There are quite a number of HOWTOs out there on how to configure hgwebdir.cgi on the web, e.g. [this one](http://www.selenic.com/mercurial/wiki/index.cgi/PublishingRepositories): it talks about configuring hgwebdir.cgi and how to set up "nicer" URLs and authentication for the repository.
+
+While following that instruction I stumbled upon a possible leak in all of the HOWTOs I found out there: they protect the rewritten, "nice" URL to the repository but still allow unauthenticated acces to `/cgi-bin/hgwebdir.cgi`.
+
+The following configuration circumvents this bug:
+
+Step 1: configure nice repository URLs:
+<div class="highlight"><pre>
+ScriptAliasMatch ^/hg(.*) /where/ever/cgi-bin/hgwebdir.cgi$1
+</pre></div>
+
+Step2: use the *LocationMatch* directive to protect all possible accesses to the repository:
+<div class="highlight"><pre>
+&lt;LocationMatch /(cgi-bin/hgwebdir.cgi|hg)/myhgrepository&gt;
+    AuthType Basic
+    ....
+&lt;/LocationMatch&gt;
+</pre></div>
+
+Now you can use either `http://myhost/hg/myhgrepository` or `http://myhost/cgi-bin/hgwebdir.cgi/myhgrepository` to access the repo and you'll get the auth prompt on either URL.