Difference between revisions of "Git, Apache and HTTPS with a free certificate"

Prerequisites

• Ubuntu CLI understanding
• Git knowledge
• Ubuntu, this was tested using Ubuntu 16
• Apache 2

Git using Apache

This is a basic setup to allow Git on a server to be accessible via HTTP (no HTTPS yet, read further).

1.  Install Apache

   sudo apt-get install apache2 apache2-utils

2. Enable necessary modules

   a2enmod cgi alias env

3. (Optional) Add user(s) to the htpasswd file. This step is optional if this setup is going to serve only anonymous repository (pull/fetch). However if you want to push or if you want to allow to only obtain a repository using user/pass combo this step is necessary (see next step).

   # Create file and add a user
   # -c = create file
   # The file is stored in /git/ the git repository for this specific setup
   htpasswd -c /git/.htpasswd [user name]
   # This will ask for a password
   
   # Add a user to the file
   htpasswd /git/.htpasswd [user name]

4. To allow to obtain a git repository using http, add the following to the apache2.conf

   # Path to the Git directory (inside the OS)
   SetEnv GIT_PROJECT_ROOT /git
   
   # Allows all projects to be served
   # If commented a file must exist in each available repository via Apache, file name: git-daemon-export-ok
   SetEnv GIT_HTTP_EXPORT_ALL
   
   # Defines the URL path where git is located, as seen via http
   # First param is path, second is os path to git-http-backend, don't forget the last slash
   ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
   
   # Access configuration
   <Files "git-http-backend">
   	# Enable Basic HTTP Authentication
   	AuthType Basic
   	AuthName "Git Access"
   	AuthUserFile /git/.htpasswd
   	# The following line allows to obtain a repository (pull/fetch) without having a user/pass combo
   	# Comment it if user/pass are needed to obtain info as well
   	Require expr !(%{QUERY_STRING} -strmatch '*service=git-receive-pack*' || %{REQUEST_URI} =~ m#/git-receive-pack$#)
   	Require valid-user
   	# END Enable Basic HTTP Authentication
   </Files>

Additional info:

• Git - Smart HTTP
• Git - git-http-backend Documentation
• For more info on htpasswd, read the docs.

Self signed Certificate

How Certificates work

• https://www.youtube.com/watch?v=JCvPnwpWVUQ
• https://www.youtube.com/watch?v=iQsKdtjwtYI&t=423s
• https://www.youtube.com/watch?v=earzZpX-PiY&t=224s
• https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/
• https://www.symantec.com/connect/blogs/types-ssl-certificates-choose-right-one
• (SSL file types) https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

More info:

• https://en.wikipedia.org/wiki/X.509

How to

How to create a Root Certificate authority and child certificates:

• (Very good) https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
• (nice) https://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
• (video from above) https://www.youtube.com/watch?v=zwnEmLx2LRs
• https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

Other sites:

• (Basic steps, not too clear) https://devcenter.heroku.com/articles/ssl-certificate-self
• (Good but not everything useful) https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
• https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04

Adding the certificate to Apache

• https://www.youtube.com/watch?v=YR6-6XUC3sY
• https://www.youtube.com/watch?v=m06TttS2ZAM
• https://www.maketecheasier.com/apache-server-ssl-support/
• https://www.digicert.com/ssl-certificate-installation-apache.htm

Ensuring the right protocol:

• https://askubuntu.com/questions/643037/how-to-enable-tls-1-2-in-apache
• https://tecadmin.net/enable-tls-in-modssl-and-apache/
• https://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache

Other links:

• https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#ocspstapling

Configuring Git to use the self signed certificate

• https://stackoverflow.com/questions/11621768/how-can-i-make-git-accept-a-self-signed-certificate
• https://stackoverflow.com/questions/23807313/adding-self-signed-ssl-certificate-without-disabling-authority-signed-ones

More sites:

• https://stackoverflow.com/questions/9072376/configure-git-to-accept-a-particular-self-signed-server-certificate-for-a-partic

Client based authentication using certificates in Apache

Used links:

• http://wiki.cacert.org/ApacheServerClientCertificateAuthentication
• https://stackoverflow.com/a/24543642/1071459
• http://stuff-things.net/2015/09/28/configuring-apache-for-ssl-client-certificate-authentication/

Other links:

• http://pages.cs.wisc.edu/~zmiller/ca-howto/
• https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcacertificatefile

(Possibly) Giving Git a Client Certificate

More (possibly useful) info

• https://www.creang.com/howtoforge/howto_set_up_git_over_https_with_apache_on_ubuntu/
• http://ubuntuwiki.net/index.php/Apache,_Digest_authentication