Gfilui

I want to mirgrate my repositories from:
RedHat 6.9 (Santiago) with apache 2.2 and php 5.3

to:
Ubuntu 16.04.4 LTS with apache 2.4 and php 7.0

I'm using the "gitweb/git-http-backend" to server the repositories through https, so, I'm not using SSH here. Another important thing is that I'm not going to change the VirtualHost Server name, so the users should not even notice this.

Unfortunately the preliminary tests on my new server aren't working, when trying to clone an existing repository, I will get a 404 not found error.

My first question here: for the tests, the original server's name is: my_server.com, then for the new server, I'm using my_server_dev.com. This is only for testing. Afterwards I will replace the name of the new server with the name of the old server. Do I have to change the server name in the repositories of the testing setup to be able to see if git works? I guess that once the tests work and won't have to change anything on the repositories, right?

This is working in my old server:

<VirtualHost *:443>
 ServerName my_server.com
 AddType application/x-httpd-php .php
 CustomLog "/var/log/httpd/my_server_access.log" common
 RewriteEngine On

 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateFile "/etc/ssl/certs/my_cert.crt"
 SSLCertificateChainFile "/etc/ssl/certs/my_fullchain.crt"
 SSLCertificateKeyFile "/etc/ssl/certs/my_key.priv.key"

 DocumentRoot /var/www/
 <Directory />
 Options FollowSymLinks
 AllowOverride None
 </Directory>

 <Directory /var/www/>
 Options Indexes FollowSymLinks MultiViews
 AllowOverride None
 Order allow,deny
 allow from all
 </Directory>

 SetEnv GIT_PROJECT_ROOT /home/git
 SetEnv GIT_HTTP_EXPORT_ALL
 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
 Alias /git /home/git

 <Location /git>
 AuthType Basic
 AuthName "Git repositories"
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative on

 AuthLDAPURL "ldaps://my_server1.com my_server2.com my_server3.com/ou=users,ou=my_ou,o=my_domain,c=my_country?uid?sub?(objectClass=*)"
 AuthLDAPBindDN "my_bind_dn"
 AuthLDAPBindPassword my_password
 AuthLDAPGroupAttributeIsDN off
 AuthLDAPGroupAttribute memberUid
 require valid-user

 AuthGroupFile /etc/httpd/my_group_file
 </Location>
 <Location /git/my_repo1.git>
 Allow from all
 Order allow,deny
 require group group1 group2
 </Location>
 <Location /git/my_repo2.git>
 Allow from all
 Order allow,deny
 require group group1 group3
 </Location>
 #More repositories here
</VirtualHost>

So now, after having copied everything under "/home/git" from my old server to my new server, I have:

<VirtualHost *:443>
 ServerName my_server.com

 SSLEngine on
 SSLProtocol ALL -SSLv2 -SSLv3
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 SSLHonorCipherOrder on
 SSLCompression off
 SSLOptions +StrictRequire
 SSLCertificateFile /etc/ssl/certs/my_cert.pem
 SSLCertificateChainFile /etc/ssl/certs/my_fullchain.pem
 SSLCertificateKeyFile /etc/ssl/certs/my_privkey.pem

 ErrorLog $APACHE_LOG_DIR/error.log
 CustomLog $APACHE_LOG_DIR/my_domain_access.log combined
 RewriteEngine On

 DocumentRoot $APACHE_ROOT/my_server
 <Directory $APACHE_ROOT/my_server>
 Options Indexes FollowSymLinks MultiViews
 Require all granted
 AllowOverride All
 </Directory>

 SetEnv GIT_PROJECT_ROOT /var/www/html/my_server/git
 SetEnv GIT_HTTP_EXPORT_ALL
 ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
 Alias /git /var/www/html/my_server/git

 <Location /git>
 AuthType Basic
 AuthName "Git repositories"
 AuthBasicProvider ldap
 AuthLDAPBindAuthoritative on
 AuthLDAPURL "ldaps://my_server1.com my_server2.com my_server3.com/ou=users,ou=my_ou,o=my_domain,c=my_country?uid?sub?(objectClass=*)"
 AuthLDAPBindDN "my_bind_dn"
 AuthLDAPBindPassword my_password
 AuthLDAPGroupAttributeIsDN off
 AuthLDAPGroupAttribute memberUid
 require valid-user

 AuthGroupFile /etc/apache2/my_group_file
 </Location>
 <Location /git/my_repo1.git>
 require group group1 group2
 </Location>
 <Location /git/my_repo2.git>
 require group group1 group3
 </Location>
 #More repositories here
</VirtualHost>

If you look carefully, you will see that the only changes I have are:

1. Removed: "AddType application/x-httpd-php .php". This is already enabled in Ubuntu though "/etc/mods-enabled -> php7.0.*"


2. The apache directories were changed to the Ubuntu ones: /etc/apache2, /var/log/apache2, and /var/www/html


3. SSLCipherSuite changed a litte bit, but this shouldn't be a problem


4. 
   

   This was changed:

   
   
   

   Order allow,deny

   
   
   

   allow from all

   
   
   

   by:

   
   
   

   Require all granted

   
   



5. "/home/git" was changed by: "/var/www/html/my_domain/git". To be honest, I also tried the first option, but it didn't work. I have seen cases where other folders outside from "/var/www/html" won't work.



6. "/usr/libexec/git-core/git-http-backend/" was changed by: "/usr/lib/git-core/git-http-backend/", which is where this binary resides on Ubuntu.


7. "AuthzLDAPAuthoritative" was changed by: "AuthLDAPBindAuthoritative". The first directive doesn't exist on apache 2.4 anymore.


8. Changed:

Allow from all

Order allow,deny

require group group1

by just:

require group group1

This seems to be enough for Apache 2.4

The rest of my configuration is pretty the same. I just now that SSL is working and the LDAP authentication too. If I give the credentials from user, that is not allowed to access a repository, then I will see this on the error log file:

[authz_groupfile:error] [pid 17829] [client xxx.xxx.xxx.xxx:xxxx] AH01666: Authorization of user my_user1 to access /git/my_repo.git failed, reason: user doesn't appear in group file (/etc/apache2/my_group_file).
[authz_core:error] [pid 17829] [client xxx.xxx.xxx.xxx:xxxx] AH01631: user my_user1: authorization failure for "/git/my_repo.git":

Trying with a user that has the access, will pass the authentication, but I will see this on the client:

fatal: repository 'https://my_domain.com/git/my_repo.git/' not found

And in the access log there is indeed a 404 error code:

xxx.xxx.xxx.xxx - my_user [14/Mar/2018:20:45:29 +0100] "GET /git/my_repo.git/info/refs?service=git-upload-pack HTTP/1.1" 404 596 "-" "git/2.10.0.windows.1"

What could be wrong here?

Thanks in advanced

Best regards
Josef

Ok, I figured this out. It turns out that either mod_cgi or mod_cgid is needed. Here is the standard /etc/apache2/conf-available/gitweb.conf that comes with the binary package from Ubuntu:

<IfModule mod_alias.c>
 <IfModule mod_mime.c>
 <IfModule mod_cgi.c>
 Define ENABLE_GITWEB
 </IfModule>
 <IfModule mod_cgid.c>
 Define ENABLE_GITWEB
 </IfModule>
 </IfModule>
</IfModule>

<IfDefine ENABLE_GITWEB>
 Alias /gitweb /usr/share/gitweb

 <Directory /usr/share/gitweb>
 Options +FollowSymLinks +ExecCGI
 AddHandler cgi-script .cgi
 </Directory>
</IfDefine>

So if you are working with gitweb you need: mod_alias and mod_mime. You need either: mod_cgi or mod_cgid. In my case, I had the first two, but none of the last two cgi modules.

For enabling mod_cgid you need either mpm_worker_module or mpm_event_module.
For mod_cgi, you need: mpm_prefork_module

I don't know what the differences between the two cgis is, but since I already have mpm_prefork_module, I decided to enable the latter one:

sudo a2enmod cgi

On my case, for the testing server I need to go to each repository and do:

git update-server-info

The initial tests are now working.

Best regards
Josef