Something I set up just for fun. The environment is CentOS 7, using Git's Smart HTTP protocol.
nginx acts as the web server, Apache httpd as the Git backend, and SELinux stays enabled.
First install git and the web servers:
yum install git nginx httpd httpd-tools setroubleshoot -y
Create a web directory for git:
mkdir /var/www/git
Fix the ownership and SELinux labels (the fcontext rule for /var/www/git does not exist yet, so it is added with -a rather than modified with -m):
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/git(/.*)?"
restorecon -Rv /var/www/git
chcon -u system_u -R /var/www/git
setsebool -P httpd_unified 1
chown -R apache:apache /var/www/git
With nginx in front and httpd behind it, httpd must not compete with nginx for port 80 (here it listens on port 8443 on localhost):
sed -i 's/^Listen 80/Listen 127.0.0.1:8443/g' /etc/httpd/conf/httpd.conf
Create the git server configuration:
vi /etc/httpd/conf.d/git.conf
Add the following configuration (the 8443 below must match the port httpd listens on):
<VirtualHost *:8443>
    SetEnv GIT_PROJECT_ROOT /var/www/git
    SetEnv GIT_HTTP_EXPORT_ALL
    DocumentRoot /var/www/git
    ScriptAlias / /usr/libexec/git-core/git-http-backend/
    <Directory "/usr/libexec/git-core">
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        AllowOverride None
        Require all granted
    </Directory>
    <Directory "/var/www/git">
        Dav On
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
httpd is not exposed to the public network, so a single child process is enough:
echo 'ServerLimit 1' >> /etc/httpd/conf/httpd.conf
echo 'StartServers 1' >> /etc/httpd/conf/httpd.conf
That completes the git backend. Next, configure nginx so that a specific URL becomes the git entry point; add this inside the server block of nginx.conf:
location /git {
    auth_basic "Private Git Repository";
    auth_basic_user_file $document_root/.htpasswd;
    rewrite ^/git/?(.*)$ /$1 break;
    proxy_pass http://127.0.0.1:8443;
}
auth_basic enables authentication, so that not just anyone can reach the git repositories.
The auth_basic_user_file parameter points to the user credentials file, usually kept inside the document root ($document_root),
for example /var/www/git/.htpasswd. The file name is arbitrary as long as nginx can read it. Below is a fairly complete nginx.conf example:
user nginx;
worker_processes 3;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 443 ssl default_server;
        server_name explause.com;
        ssl_certificate "/etc/explause.crt";
        ssl_certificate_key "/etc/explause.key";
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        root /var/www/html;
        index index.php;
        client_max_body_size 100M;
        include /etc/nginx/default.d/*.conf;
        location ~ [^/]\.php(/|$) {
            fastcgi_param HTTP_PROXY "";
            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
        }
        location /git {
            auth_basic "Private Git Repository";
            auth_basic_user_file $document_root/.htpasswd;
            rewrite ^/git/?(.*)$ /$1 break;
            proxy_pass http://127.0.0.1:8443;
        }
    }
}
The $document_root variable is tied to the root directive of the server block.
Create the credentials file, starting with a user named admin:
htpasswd -c /var/www/html/.htpasswd admin
You will be prompted to enter and confirm a password, and the credentials file is created. To add another user to the file, simply drop the -c parameter:
htpasswd /var/www/html/.htpasswd user2
Fix the ownership, SELinux label and file mode:
chcon -u system_u /var/www/html/.htpasswd
chown nginx:nginx /var/www/html/.htpasswd
chmod 0600 /var/www/html/.htpasswd
Now simply start nginx and httpd and the private git repository is up and running.
systemctl start nginx
systemctl enable nginx
systemctl start httpd
systemctl enable httpd
Here is a script for creating git repositories; it lives in the /usr/sbin directory:
vi /usr/sbin/addgitrepo
Add the following content:
#!/bin/bash
GIT_DIR="/var/www/git"
REPO_NAME=$1
# Refuse to run without a name; otherwise the script would create "/var/www/git/.git".
if [ -z "${REPO_NAME}" ]; then
    echo "usage: addgitrepo <repo-name>" >&2
    exit 1
fi
mkdir -p "${GIT_DIR}/${REPO_NAME}.git"
git init --bare "${GIT_DIR}/${REPO_NAME}.git" > /dev/null
# Marker file that permits export when GIT_HTTP_EXPORT_ALL is not set.
touch "${GIT_DIR}/${REPO_NAME}.git"/git-daemon-export-ok
# Allow push (receive-pack) and fetch (upload-pack) over Smart HTTP.
git --git-dir="${GIT_DIR}/${REPO_NAME}.git" config http.receivepack true
git --git-dir="${GIT_DIR}/${REPO_NAME}.git" config http.uploadpack true
# Generate info/refs and objects/info/packs for dumb-HTTP clients.
git --git-dir="${GIT_DIR}/${REPO_NAME}.git" update-server-info
# httpd (user apache) must own the repository and it needs the rw SELinux label.
chown -Rf apache:apache "${GIT_DIR}/${REPO_NAME}.git"
chcon -R system_u:object_r:httpd_sys_rw_content_t:s0 "${GIT_DIR}/${REPO_NAME}.git"
echo "Git repository '${REPO_NAME}' created in ${GIT_DIR}/${REPO_NAME}.git"
Then make it executable:
chmod +x /usr/sbin/addgitrepo
Run it to create a git repository that accepts pushes:
addgitrepo repo1
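As an added example (not the post's own script), here is a stricter variant of addgitrepo that validates the repository name before touching the filesystem, so an empty, hidden, or traversal-style name such as "../html" cannot create a directory outside the repository root. The GIT_REPO_ROOT environment variable is an assumption introduced here so the functions can be exercised outside the server; it defaults to the page's /var/www/git.

```shell
#!/bin/bash
# Added example: stricter variant of the addgitrepo script from this page.
# GIT_REPO_ROOT is an assumed variable; it defaults to the page's /var/www/git.
REPO_ROOT="${GIT_REPO_ROOT:-/var/www/git}"

# Accept only names made of letters, digits, '.', '_' and '-' that do not start
# with '.', so "", ".git", "a/b" and "../html" are rejected before any mkdir.
validate_repo_name() {
    case "$1" in
        ''|.*|*/*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Create a bare repository "$1.git" under REPO_ROOT, configured as on this page.
# Returns 1 for an invalid name, 2 if the repository already exists.
create_repo() {
    local name="$1" dir
    validate_repo_name "$name" || { echo "invalid repository name: '$name'" >&2; return 1; }
    dir="${REPO_ROOT}/${name}.git"
    [ -e "$dir" ] && { echo "already exists: $dir" >&2; return 2; }
    git init -q --bare "$dir" || return 3
    touch "$dir/git-daemon-export-ok"
    git --git-dir="$dir" config http.receivepack true
    git --git-dir="$dir" config http.uploadpack true
    git --git-dir="$dir" update-server-info
    # Ownership and the SELinux label only apply on the real server, run as root.
    if [ "$(id -u)" -eq 0 ] && id apache >/dev/null 2>&1; then
        chown -R apache:apache "$dir"
        command -v chcon >/dev/null 2>&1 && \
            chcon -R system_u:object_r:httpd_sys_rw_content_t:s0 "$dir"
    fi
    echo "Git repository '$name' created in $dir"
}

# Read back the setting that push over Smart HTTP depends on ("true" = pushes accepted).
repo_receivepack() {
    git --git-dir="${REPO_ROOT}/$1.git" config --get http.receivepack
}
```

Source the file and call `create_repo repo1`, or replace the body of /usr/sbin/addgitrepo with these functions followed by `create_repo "$1"`.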