[Req] Password-protected Repos

[Nushio]

Hey! I just learned about Gitlist, it was incredibly easy to set up and I wanted to use at $DayJob, however the Boss is obviously concerned about the security, so I was wondering if some sort of user/password setup was in the roadmap for this project. This wouldn't be used to protect the actual git repo, just to display the stuff via web.

Thanks.

[klaussilveira]

Well, i want to keep GitList as simple as possible and avoid any kind of database. That may change in the future or a spin-off project, of course. To solve your problem, you have a few options:

• Use Apache features! Setup some users and/or groups and only allow them to access the GitList folder on /var/www. Take a look at this article
• Modify the application yourself and add user authentication to access the whole thing, which is rather easy if you know Silex a little bit or read through it's docs (and that's the beauty of GitList, it's built on top of well-know and easily extendable technology)

[Nushio]

Actually, I was looking into setting things up with Apache Auth, I'll document the process and write up a smallish blogpost.

I love the way gitlist looks and how easy it was to set up!

[klaussilveira]

If you need help, let me know. :)

[dhanushka-samarakoon]

Can you please tell me how to add a simple username/password (that we can share among our team) to gitlist?
I checked the symfony doc (http://symfony.com/doc/current/book/security.html), but the structure of gitlist seems to be completely different.
I don't need anything fancy, just a hard coded username/pwd, until you guy release the authorization module.

PS: We are trying to stay away from using htpasswd

[sstok]

The Symfony Security component in the book is meanly focused on the Symfony full stack framework.
Take a look at http://silex.sensiolabs.org/doc/providers/security.html

[rockneverdies55]

Very surprised that gitlist doesn't have built-in authentication mechanism.

If I wanna make my repo open to the world I rather use github not gitlist. And if I choose to use something like gitlist that probably means I wanna keep my project private on my own server.

[sstok]

Gitlist was designed as a Repository viewer not a full fledged Git repositories managing software.
So its understandable this is not provided.

I actually started using http://gitlab.org/ a while back.

[rockneverdies55]

@sstok - Thank you.
That's exactly what I was looking for.

[jean-io]

Hey guys,

A year later, I was wondering what solutions you have found.

Thank

[escoreal]

Hello,

I would like to see some authorization functions in GitList, too. For example like in WebSVN. There you can use Apache authentication and use the "AuthzSVNAccessFile" to specify the repository permissions.

esco

[mgraupe]

Hi,

I love gitlist and I would like to support the request to build in some sort of password protection.

Thanks,
Michael

[acrolink]

Great work :-) I agree with most people here, this utility needs to provide some in-built access control.

[sharkydog]

Just want to share my solution on the issue using http auth in nginx.
Based on nginx config from INSTALL.md, this asks for password when listing repositories and for every repo in the root directory, but not for repos in the pub direcotory like /pub/somerepo.git.

server {
	server_name some.domain.com;
	
	root /some/document/root/path;
	index index.php;
	
	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}
	
	location ~* ^/index.php.*$ {
		include custom-common/php5;
	}
	
	location ~* ^/pub {
		try_files $uri @gitlist;
	}
	
	location ~* ^/(.+\.git/)?$ {
		auth_basic "Protected";
		auth_basic_user_file /some/htpasswd/path;
		allow 192.168.1.0/24; # next three lines to allow direct access from LAN
		deny all;
		satisfy any;
		
		try_files $uri @gitlist;
	}
	
	location / {
		try_files $uri @gitlist;
	}
	
	location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
		add_header Vary "Accept-Encoding";
		expires max;
		try_files $uri @gitlist;
		tcp_nodelay off;
		tcp_nopush on;
	}
	
	location ~* \.(git|svn|patch|htaccess|log|route|plist|inc|json|pl|po|sh|ini|sample|kdev4)$ {
		deny all;
	}
	
	location @gitlist {
		rewrite ^/.*$ /index.php;
	}
}

[dvbava]

I agree here that it needs basic access control feature in-build. gitlist has expose many companies source code on internet without company/admin actually knowing it.
ex.

1. http://git.blue-mind.net/
2. http://git.maxx.matrixdev.net/matrix.git/maxx17.2/
   You can see their entire source code..

Want to find more? just google gitlist and scroll through next few pages in result.

Its obvious that everyone is not well experienced in security aspects at least.

[alehaa]

Maybe this could be solved with "plugins" (see #739), so one could add access protection easily.

However, this should be an optional plugin. The default GitList installation shouldn't be bloated.

[dvbava]

think so, and the download as ZIP/tar makes it worse on internet.. You can own anyone code literally.

[DannyvdSluijs]

One could reason that we should disallow google bot and others to avoid being indexed by search engines. This could be done with a small robots.txt.

[klaussilveira]

How is that a responsibility of GitList? If you want to restrict access, you do it yourself, based on your own needs. Same for restricting bots. Some people might think that robots.txt are enough, others will probably need Varnish or an web application firewall.

@dvbava You are hosting a repository viewer on your public Apache/Nginx server. It is kind of obvious that everything will be public. It's up to you to restrict access by IP, VPC or just add a simple HTTP Basic on your Apache/Nginx configuration.

If we add a simple user/pass mechanism stored in the configuration file, then why not LDAP? Or OAuth? Or SAML? It's a can of worms and it's out of the scope of a simple git repository viewer.