Mercurial > hg > Blog

view content/SCM/http-auth-hgwebdir.md @ 94:b952a0ea1aaa

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
add some comments
author Dirk Olmes <dirk@xanthippe.ping.de>
date Thu, 14 Feb 2019 17:53:37 +0100
parents 4cd9b65e10e4
children
line wrap: on
line source

Title: HTTP auth for hgwebdir.cgi
Tags: Mercurial
Date: 2009-01-16
Lang: en

The easiest way to publish your [Mercurial](http://www.selenic.com/mercurial/wiki/) repository via HTTP is probably the use of `hgwebdir.cgi`.

There are quite a number of HOWTOs out there on how to configure hgwebdir.cgi on the web, e.g. [this one](http://www.selenic.com/mercurial/wiki/index.cgi/PublishingRepositories): it talks about configuring hgwebdir.cgi and how to set up "nicer" URLs and authentication for the repository.

While following that instruction I stumbled upon a possible leak in all of the HOWTOs I found out there: they protect the rewritten, "nice" URL to the repository but still allow unauthenticated acces to `/cgi-bin/hgwebdir.cgi`.

The following configuration circumvents this bug:

Step 1: configure nice repository URLs:
<div class="highlight"><pre>
ScriptAliasMatch ^/hg(.*) /where/ever/cgi-bin/hgwebdir.cgi$1
</pre></div>

Step2: use the *LocationMatch* directive to protect all possible accesses to the repository:
<div class="highlight"><pre>
&lt;LocationMatch /(cgi-bin/hgwebdir.cgi|hg)/myhgrepository&gt;
    AuthType Basic
    ....
&lt;/LocationMatch&gt;
</pre></div>

Now you can use either `http://myhost/hg/myhgrepository` or `http://myhost/cgi-bin/hgwebdir.cgi/myhgrepository` to access the repo and you'll get the auth prompt on either URL.