Can I "disable" git-clone over http?

George Mandis · Aug 28, 2009 · Viewed 7.6k times

I'm using git to manage a tiny project. I've been performing all of my transactions (clone, push, pull, etc) through SSH, but recently ran git-update-server-info because I wanted to experiment with running git-clone over http. It worked great. Cool. Now I realize though that anyone can clone my repository over http without any credentials. I'm vaguely aware of setting up http authentication through gitosis, but that's really not what I want. I'd prefer to just disable http cloning entirely.

Is there a way I can tell git to only allow transactions over ssh? Or can I undo what I did when I ran git-update-server-info to enable cloning over http in the first place?

Answer

Jakub Narębski · Aug 28, 2009

For a git repository to be available via the HTTP transport, it needs to be "exported" by (any) web server. If your repository (to be more exact, its .git directory) is visible from outside in a web browser, then it can be cloned or fetched anonymously via the HTTP protocol. git update-server-info is used to generate extra auxiliary helper information (.git/objects/info/packs and .git/info/refs) for clone (or fetch) to know what is available.

So what you need to do is either remove those two files (.git/objects/info/packs and .git/info/refs), or just make it so your repository is not available via the web, perhaps by changing permissions in such a way that the user the web server runs as (usually 'nobody', 'www', or 'apache') doesn't have access to the .git repository. Or configure the web server so that it doesn't export (make visible) your repository.

The HTTP protocol is (currently) a so-called "dumb" protocol, meaning that it serves files as is, and access control is done by a [dumb] server, in this instance by the web server you use (or by the filesystem).

I guess that your repository is not exported by a web server, so you don't have anything to worry about: your repository is not available via HTTP.

Note that it is quite usual for Git repositories to have anonymous unauthenticated read-only access, and require authentication only for writing to the repository, i.e. pushing (at least for open-source projects).
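A small helper script, added here as an example and not part of the answer above, that checks a working repository for the two dumb-HTTP helper files git update-server-info writes, removes them, and closes off the .git directory to other accounts (the first two remediations in the answer). The function names, the use of a temporary repository for the demo, and the curl self-check of your own server's URL are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the answer): detect and undo the "dumb" HTTP export
# artifacts that git update-server-info creates. Assumes a non-bare repository
# path as the argument; git is only needed for the demo, curl for http_exposed.
set -eu

# Return 0 when the repository carries the dumb-HTTP helper files, 1 otherwise.
dumb_http_exported() {
    repo="$1"
    [ -f "$repo/.git/info/refs" ] || [ -f "$repo/.git/objects/info/packs" ]
}

# Remove the helper files so a dumb HTTP clone has nothing to discover, and
# strip "other" permissions so a web server running as nobody/www/apache
# cannot read the .git directory even if it is under the document root.
disable_dumb_http() {
    repo="$1"
    rm -f "$repo/.git/info/refs" "$repo/.git/objects/info/packs"
    chmod -R o-rwx "$repo/.git"
}

# Self-check against your own web server: returns 0 if the refs list that a
# dumb HTTP clone starts from is reachable at the given repository URL
# (hypothetical usage: http_exposed http://example.invalid/project.git).
http_exposed() {
    curl -sfo /dev/null "$1/info/refs"
}

# Demo with a constructed throwaway repository (skipped when git is absent).
demo() {
    command -v git >/dev/null 2>&1 || { echo "git not installed, demo skipped"; return 0; }
    tmp=$(mktemp -d)
    git -C "$tmp" init -q
    git -C "$tmp" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "initial"
    git -C "$tmp" update-server-info
    dumb_http_exported "$tmp" && echo "after update-server-info: exported"
    disable_dumb_http "$tmp"
    dumb_http_exported "$tmp" || echo "after disable_dumb_http: not exported"
    rm -rf "$tmp"
}

demo
```

The chmod step only helps when the web server runs as a different account than the repository owner; if it runs as you, rely on removing the files or on the server configuration instead.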