Mercurial > hg > Blog
view content/SCM/http-auth-hgwebdir.md @ 109:ee048ed76ea1
Datums- und Syntex Fix
author | Dirk Olmes <dirk.olmes@codedo.de> |
---|---|
date | Fri, 18 Jun 2021 07:24:04 +0200 |
parents | 4cd9b65e10e4 |
children |
line wrap: on
line source
Title: HTTP auth for hgwebdir.cgi Tags: Mercurial Date: 2009-01-16 Lang: en The easiest way to publish your [Mercurial](http://www.selenic.com/mercurial/wiki/) repository via HTTP is probably the use of `hgwebdir.cgi`. There are quite a number of HOWTOs out there on how to configure hgwebdir.cgi on the web, e.g. [this one](http://www.selenic.com/mercurial/wiki/index.cgi/PublishingRepositories): it talks about configuring hgwebdir.cgi and how to set up "nicer" URLs and authentication for the repository. While following that instruction I stumbled upon a possible leak in all of the HOWTOs I found out there: they protect the rewritten, "nice" URL to the repository but still allow unauthenticated acces to `/cgi-bin/hgwebdir.cgi`. The following configuration circumvents this bug: Step 1: configure nice repository URLs: <div class="highlight"><pre> ScriptAliasMatch ^/hg(.*) /where/ever/cgi-bin/hgwebdir.cgi$1 </pre></div> Step2: use the *LocationMatch* directive to protect all possible accesses to the repository: <div class="highlight"><pre> <LocationMatch /(cgi-bin/hgwebdir.cgi|hg)/myhgrepository> AuthType Basic .... </LocationMatch> </pre></div> Now you can use either `http://myhost/hg/myhgrepository` or `http://myhost/cgi-bin/hgwebdir.cgi/myhgrepository` to access the repo and you'll get the auth prompt on either URL.