HTTP auth for hgwebdir.cgi
16.01.2009 by Dirk Olmes
The easiest way to publish your Mercurial repository via HTTP is probably the use of hgwebdir.cgi.
There are quite a number of HOWTOs on the web on how to configure hgwebdir.cgi, e.g. this one: it talks about configuring hgwebdir.cgi and how to set up “nicer” URLs and authentication for the repository.
While following those instructions I stumbled upon a possible leak in all of the HOWTOs I found out there: they protect the rewritten, “nice” URL to the repository but still allow unauthenticated access to /cgi-bin/hgwebdir.cgi.
The following configuration circumvents this bug:
Step 1: configure nice repository URLs:
ScriptAliasMatch ^/hg(.*) /where/ever/cgi-bin/hgwebdir.cgi$1
Step 2: use the LocationMatch directive to protect all possible accesses to the repository:
<LocationMatch /(cgi-bin/hgwebdir.cgi|hg)/myhgrepository>
AuthType Basic
....
</LocationMatch>
Now you can use either http://myhost/hg/myhgrepository or http://myhost/cgi-bin/hgwebdir.cgi/myhgrepository to access the repo and you’ll get the auth prompt on either URL.
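To confirm that a configuration closes the gap described above, the following Python script (an added example, not part of the original post) requests both URL forms without credentials and lists any that do not answer 401. The function names and the local stub server are constructed for the demonstration; the two paths and the repository name myhgrepository are the ones used on this page.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def repo_urls(base, repo):
    # The two routes from the page: the rewritten "nice" URL and the raw CGI URL.
    return [f"{base}/hg/{repo}", f"{base}/cgi-bin/hgwebdir.cgi/{repo}"]

def status_without_credentials(url, timeout=5):
    # Plain GET with no Authorization header; a protected URL must answer 401.
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        return conn.getresponse().status
    finally:
        conn.close()

def unprotected_urls(base, repo):
    # Every URL form that serves content (or anything but 401) to an anonymous client.
    return [u for u in repo_urls(base, repo) if status_without_credentials(u) != 401]

def start_stub(protected_prefixes):
    # Constructed stand-in for Apache: 401 under the given prefixes, 200 elsewhere.
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            code = 401 if self.path.startswith(tuple(protected_prefixes)) else 200
            self.send_response(code)
            if code == 401:
                self.send_header("WWW-Authenticate", 'Basic realm="hg"')
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    # Stub mimics the HOWTOs' setup: only the nice URL is protected.
    server, base = start_stub(["/hg/"])
    print(unprotected_urls(base, "myhgrepository"))
    server.shutdown()
```

Against a real server, call unprotected_urls("http://myhost", "myhgrepository"); an empty list means both routes prompt for authentication.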