Comments (18)
How is that a responsibility of GitList? If you want to restrict access, you do it yourself, based on your own needs. Same for restricting bots. Some people might think that robots.txt are enough, others will probably need Varnish or an web application firewall.
@dvbava You are hosting a repository viewer on your public Apache/Nginx server. It is kind of obvious that everything will be public. It's up to you to restrict access by IP, VPC or just add a simple HTTP Basic on your Apache/Nginx configuration.
If we add a simple user/pass mechanism stored in the configuration file, then why not LDAP? Or OAuth? Or SAML? It's a can of worms and it's out of the scope of a simple git repository viewer.
from gitlist.
Just want to share my solution on the issue using http auth in nginx.
Based on nginx config from INSTALL.md, this asks for password when listing repositories and for every repo in the root directory, but not for repos in the pub direcotory like /pub/somerepo.git.
server {
server_name some.domain.com;
root /some/document/root/path;
index index.php;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* ^/index.php.*$ {
include custom-common/php5;
}
location ~* ^/pub {
try_files $uri @gitlist;
}
location ~* ^/(.+\.git/)?$ {
auth_basic "Protected";
auth_basic_user_file /some/htpasswd/path;
allow 192.168.1.0/24; # next three lines to allow direct access from LAN
deny all;
satisfy any;
try_files $uri @gitlist;
}
location / {
try_files $uri @gitlist;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
add_header Vary "Accept-Encoding";
expires max;
try_files $uri @gitlist;
tcp_nodelay off;
tcp_nopush on;
}
location ~* \.(git|svn|patch|htaccess|log|route|plist|inc|json|pl|po|sh|ini|sample|kdev4)$ {
deny all;
}
location @gitlist {
rewrite ^/.*$ /index.php;
}
}
from gitlist.
Well, i want to keep GitList as simple as possible and avoid any kind of database. That may change in the future or a spin-off project, of course. To solve your problem, you have a few options:
- Use Apache features! Setup some users and/or groups and only allow them to access the GitList folder on /var/www. Take a look at this article
- Modify the application yourself and add user authentication to access the whole thing, which is rather easy if you know Silex a little bit or read through it's docs (and that's the beauty of GitList, it's built on top of well-know and easily extendable technology)
from gitlist.
Actually, I was looking into setting things up with Apache Auth, I'll document the process and write up a smallish blogpost.
I love the way gitlist looks and how easy it was to set up!
from gitlist.
If you need help, let me know. :)
from gitlist.
Can you please tell me how to add a simple username/password (that we can share among our team) to gitlist?
I checked the symfony doc (http://symfony.com/doc/current/book/security.html), but the structure of gitlist seems to be completely different.
I don't need anything fancy, just a hard coded username/pwd, until you guy release the authorization module.
PS: We are trying to stay away from using htpasswd
from gitlist.
The Symfony Security component in the book is meanly focused on the Symfony full stack framework.
Take a look at http://silex.sensiolabs.org/doc/providers/security.html
from gitlist.
Very surprised that gitlist doesn't have built-in authentication mechanism.
If I wanna make my repo open to the world I rather use github not gitlist. And if I choose to use something like gitlist that probably means I wanna keep my project private on my own server.
from gitlist.
Gitlist was designed as a Repository viewer not a full fledged Git repositories managing software.
So its understandable this is not provided.
I actually started using http://gitlab.org/ a while back.
from gitlist.
@sstok - Thank you.
That's exactly what I was looking for.
from gitlist.
Hey guys,
A year later, I was wondering what solutions you have found.
Thank
from gitlist.
Hello,
I would like to see some authorization functions in GitList, too. For example like in WebSVN. There you can use Apache authentication and use the "AuthzSVNAccessFile" to specify the repository permissions.
esco
from gitlist.
Hi,
I love gitlist and I would like to support the request to build in some sort of password protection.
Thanks,
Michael
from gitlist.
Great work :-) I agree with most people here, this utility needs to provide some in-built access control.
from gitlist.
I agree here that it needs basic access control feature in-build. gitlist has expose many companies source code on internet without company/admin actually knowing it.
ex.
- http://git.blue-mind.net/
- http://git.maxx.matrixdev.net/matrix.git/maxx17.2/
You can see their entire source code..
Want to find more? just google gitlist and scroll through next few pages in result.
Its obvious that everyone is not well experienced in security aspects at least.
from gitlist.
Maybe this could be solved with "plugins" (see #739), so one could add access protection easily.
However, this should be an optional plugin. The default GitList installation shouldn't be bloated.
from gitlist.
think so, and the download as ZIP/tar makes it worse on internet.. You can own anyone code literally.
from gitlist.
One could reason that we should disallow google bot and others to avoid being indexed by search engines. This could be done with a small robots.txt.
from gitlist.
Related Issues (20)
- Symfony Exception: "entrypoints.json" is missing when rendering template HOT 4
- Better support for repository depth
- Php compatability HOT 1
- Gave up on installing this... HOT 3
- Search for repository in subdirectories HOT 1
- Uncaught Error: Cannot assign string to property Symfony\Component\HttpKernel\Debug\FileLinkFormatter::$fileLinkFormat of type array|false HOT 2
- 404 on all assets HOT 11
- Hello, I use Gitlist 1.1.1 and I want to know if I respect the BSD-2-Clause HOT 2
- git clone over https does not work
- Support needed on installing HOT 3
- git_path from config.yml not used
- Can't create development environment HOT 1
- Can't list repositories HOT 2
- PHP 8.2 => 500 Internal Server Error, setLastErrors must be of type array, bool given HOT 2
- default_repository_dir from config.yml don't work HOT 2
- public/.htaccess is missing HOT 2
- automacao
- Openening a file containing the name of a branch or tag throws a CommandException
- Display Issue and Content Not Found Problem HOT 1
- Problem when adding gits
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gitlist.