Detect when webserver configuration does not forward HTTP authorization
Closed, ResolvedPublic
Actions

Assigned To

None

Authored By

	enko
	Apr 29 2014, 6:09 PM

Description

I'm unable to push to my git repository, all I get is authentication failed, event though my vcs password is definitly correct as I changed it. This is what I do:

$ git push -u origin master
Username for 'https://phablab.krautspace.de': enko
Password for 'https://enko@phablab.krautspace.de':
fatal: Authentication failed for 'https://phablab.krautspace.de/diffusion/M/morecms.git/'

My version of phabricator is obviously 692a28b5b2df9c09a90106dc9d10daa32389f3eb :). My settings look like this: http://i.imgur.com/wAu4cKi.png.

Any idea what could be causing this?

Revisions and Commits

rP Phabricator
	D12622	rPffdc082852fe Add a wide range of HTTP-request-based setup checks

Related Objects
Search...

		Status	Assigned	Task
		Resolved	epriestley	T11553 Add various "make an HTTP call" setup checks, and run them in parallel
		Resolved	None	T4921 Detect when webserver configuration does not forward HTTP authorization

Event Timeline

enko created this task.Apr 29 2014, 6:09 PM

enko raised the priority of this task from to Needs Triage.

enko updated the task description. (Show Details)

enko added a project: Diffusion.

enko added a subscriber: enko.

Can you show me the output of this command?

$ php -r 'echo CRYPT_BLOWFISH, ", ", PASSWORD_BCRYPT, "\n";'

(When run on the Phabricator server, not your local machine.)

Of course. This is the output:

$ php -r 'echo CRYPT_BLOWFISH, ", ", PASSWORD_BCRYPT, "\n";'
1, 1

No dice -- if they were different, this might have been fixed by D8808.

I'm going to add more information about this authentication to the user activity log -- we have at least one other user reporting some possibly-similar issues, and don't have any great ways to debug this right now. Let me do that, and hopefully that will make it more clear what's going on.

◀ Merged tasks: T4858.

I'm not sure if T4858 is really the same issue, but the next step in both cases is to add more logging/diagnostics, so I'm merging it here.

That looks like the same issue, since I have set the access policy of the repo to public I did not encounter the problem till pushing.

I think to problem is self made, as HTTP-Authentication headers are not passed on to the application if you use apache + fastcgi/fcgi. I'm investigating.

It works now! I changed 2 files:

.htaccess:

RewriteRule ^(.*)$          index.php?__path__=/$1  [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},B,L,QSA]

index.php (Added it into the top):

<?php
if (isset($_SERVER['HTTP_AUTHORIZATION']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['HTTP_AUTHORIZATION'], $matches)) {
  list($name, $password) = explode(':', base64_decode($matches[1]));
  $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
  $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}

//set http auth headers for apache+php-cgi work around if variable gets renamed by apache
if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && preg_match('/Basic\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)) {
  list($name, $password) = explode(':', base64_decode($matches[1]));
  $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
  $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
}

I think this needs a better wrap up, but is needed and of course some documentation ;-).

Awesome, thanks for hunting that down!

I'll see if we can find some way to detect this, and hopefully some easier way to configure things.

epriestley edited this Maniphest Task.May 15 2014, 3:54 PM

epriestley edited this Maniphest Task.

This is possibly related to T2226.

epriestley edited projects, added Setup; removed Diffusion.May 15 2014, 3:56 PM

epriestley removed a subscriber: epriestley.

epriestley added a subscriber: epriestley.

I am having the same issue but using nginx. Please help.

I'm trying to make a demonstration of Phabricator to my company so we could use it, but I'm having the same issue. We are using Apache 2.2 on Solaris 11. I've tried the same fix that enko provided but did not worked. Please Help #2.

Same problem here.

Same issue, using Apache 2.4.7 on Ubuntu 14.04. Basically have the same debug info as T4858. I would add that using the VCS password results in HTTP error 500, while user password results in 403.

Same issue, using Apache 2.4.7 on Ubuntu 14.04 with PLESK setup (PHP FastCGI)

Thanks a lot Enko, your solution works great for me :-) !

• gailovesgames4 closed this task as Resolved.Mar 7 2015, 11:07 PM

• gailovesgames4 claimed this task.

epriestley reopened this task as Open.Mar 7 2015, 11:09 PM

hi folks

I hit this issue with Apache + FCGI.
FCGI doesn't pass the Authorization request header through.

Along with the comment at T4921#56866, the following config changes got HTTP Auth working for me:

in your Apache VirtualHost config:

FcgidPassHeader Authorization

(reload apache, after running a configtest)

Make the change to index.php in the referenced comment at T4921#56866, and the change in .httaccess the only difference being I have

RewriteRule ^(.*)$ /index.php?__path__=/$1  [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},B,L,QSA]

Changes:

E, instead of env
leading slash in index.php

Do a test pull/clone:

GIT_CURL_VERBOSE=1 git clone https://somewhere/diffusion/path/to.git local_dir

The verbose mode will show you the request headers being sent. You should end up with a HTTP_AUTHORIZATION header in $_SERVER that the index.php change can pick up.

HTH

HI all, I have same issue, I tried all solution above, but it does not work yet, this is output after I run GIT_CURL_VERBOSE=1 git clone <url> repo:

Cloning into 'repo'...
* Couldn't find host phabricator.mydomain.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 101.50.3.79...
* Connected to phabricator.mydomain.com (101.50.3.79) port 80 (#0)
> GET /diffusion/SLUG/some-repo.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.1.0
Host: phabricator.mydomain.com
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Date: Mon, 03 Aug 2015 07:13:28 GMT
< Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
< X-Powered-By: PHP/5.4.43
< WWW-Authenticate: Basic realm="Phabricator Repositories"
< Content-Type: text/html
< X-Cache: MISS from mcserver
< X-Cache-Lookup: MISS from mcserver:3128
< Connection: close
< 
* Closing connection 0
Username for 'http://phabricator.mydomain.com': egig
Password for 'http://egig@phabricator.mydomain.com': 
* Couldn't find host phabricator.mydomain.com in the .netrc file; using defaults
* Hostname was found in DNS cache
*   Trying 101.50.3.79...
* Connected to phabricator.mydomain.com (101.50.3.79) port 80 (#1)
> GET /diffusion/SLUG/some-repo.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.1.0
Host: phabricator.mydomain.com
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Date: Mon, 03 Aug 2015 07:13:34 GMT
< Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
< X-Powered-By: PHP/5.4.43
< WWW-Authenticate: Basic realm="Phabricator Repositories"
< Content-Type: text/html
< X-Cache: MISS from mcserver
< X-Cache-Lookup: MISS from mcserver:3128
< Connection: close
< 
* Closing connection 1
* Issue another request to this URL: 'http://phabricator.mydomain.com/diffusion/SLUG/some-repo.git/info/refs?service=git-upload-pack'
* Couldn't find host phabricator.mydomain.com in the .netrc file; using defaults
* Hostname was found in DNS cache
*   Trying 101.50.3.79...
* Connected to phabricator.mydomain.com (101.50.3.79) port 80 (#2)
* Server auth using Basic with user 'egig'
> GET /diffusion/SLUG/some-repo.git/info/refs?service=git-upload-pack HTTP/1.0
Authorization: Basic ZWdpZzp2Y3dfNwYXNz
User-Agent: git/2.1.0
Host: phabricator.mydomain.com
Accept: */*
Accept-Encoding: gzip
Pragma: no-cache

* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Date: Mon, 03 Aug 2015 07:13:35 GMT
< Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
< X-Powered-By: PHP/5.4.43
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Phabricator Repositories"
< Content-Type: text/html
< X-Cache: MISS from mcserver
< X-Cache-Lookup: MISS from mcserver:3128
< Connection: close
< 
* Closing connection 2
fatal: Authentication failed for 'http://phabricator.mydomain.com/diffusion/SLUG/some-repo.git/'

I run phabricator on:
Centos 6
php 5.4
Best Available Password Algorith: Iterated MD5
Apache 2.2

Any help please. Thank you.

I have the same issue after upgrading to master on date 2015-09-07:

$ GIT_CURL_VERBOSE=1 git clone http://rok@myserver.example.com:80/diffusion/INFOZONE/infozone.git --verbose
Cloning into 'infozone'...
* STATE: INIT => CONNECT handle 0x6000966e0; line 1026 (connection #-5000)
* Couldn't find host myserver.example.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 192.168.10.31...
* STATE: CONNECT => WAITCONNECT handle 0x6000966e0; line 1073 (connection #0)
* Connected to tux.spica.si (192.168.10.31) port 80 (#0)
* STATE: WAITCONNECT => DO handle 0x6000966e0; line 1192 (connection #0)
> GET /diffusion/INFOZONE/infozone.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.9
Host: myserver.example.com
Accept: */*
Pragma: no-cache

* STATE: DO => DO_DONE handle 0x6000966e0; line 1278 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x6000966e0; line 1404 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x6000966e0; line 1417 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 You must log in to access repositories.
< Date: Tue, 08 Sep 2015 07:49:41 GMT
* Server Apache is not blacklisted
< Server: Apache
< X-Powered-By: PHP/5.4.38
< WWW-Authenticate: Basic realm="Phabricator Repositories"
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
< Content-Type: text/html
<
* Ignoring the response-body
* Connection #0 to host tux.spica.si left intact
* Issue another request to this URL: 'http://rok@myserver.example.com:80/diffusion/INFOZONE/infozone.git/info/refs?service=git-upload-pack'
* STATE: PERFORM => CONNECT handle 0x6000966e0; line 1562 (connection #-5000)
* Couldn't find host tux.spica.si in the .netrc file; using defaults
* Found bundle for host tux.spica.si: 0x6000a0500
* Re-using existing connection! (#0) with host tux.spica.si
* Connected to myserver.example.com (192.168.10.31) port 80 (#0)
* STATE: CONNECT => DO handle 0x6000966e0; line 1066 (connection #0)
* Server auth using Basic with user 'rok'
> GET /diffusion/INFOZONE/infozone.git/info/refs?service=git-upload-pack HTTP/1.1
Authorization: Basic cm9rOg==
User-Agent: git/1.7.9
Host: tux.spica.si
Accept: */*
Pragma: no-cache

* STATE: DO => DO_DONE handle 0x6000966e0; line 1278 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x6000966e0; line 1404 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x6000966e0; line 1417 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 You must log in to access repositories.
< Date: Tue, 08 Sep 2015 07:49:41 GMT
* Server Apache is not blacklisted
< Server: Apache
< X-Powered-By: PHP/5.4.38
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Phabricator Repositories"
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
< Content-Type: text/html
* The requested URL returned error: 401
* Closing connection 0
* The cache now contains 0 members
* Expire cleared
Password for 'http://rok@myserver.example.com:80':
* STATE: INIT => CONNECT handle 0x6000966e0; line 1026 (connection #-5000)
* Couldn't find host myserver.example.com in the .netrc file; using defaults
* Hostname was found in DNS cache
*   Trying 192.168.10.31...
* STATE: CONNECT => WAITCONNECT handle 0x6000966e0; line 1073 (connection #1)
* Connected to myserver.example.com (192.168.10.31) port 80 (#1)
* STATE: WAITCONNECT => DO handle 0x6000966e0; line 1192 (connection #1)
* Server auth using Basic with user 'rok'
> GET /diffusion/INFOZONE/infozone.git/info/refs?service=git-upload-pack HTTP/1.1
Authorization: Basic cm9rOnRyaXN0dmFyaQ==
User-Agent: git/1.7.9
Host: myserver.example.com
Accept: */*
Pragma: no-cache

* STATE: DO => DO_DONE handle 0x6000966e0; line 1278 (connection #1)
* STATE: DO_DONE => WAITPERFORM handle 0x6000966e0; line 1404 (connection #1)
* STATE: WAITPERFORM => PERFORM handle 0x6000966e0; line 1417 (connection #1)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 You must log in to access repositories.
< Date: Tue, 08 Sep 2015 07:49:44 GMT
* Server Apache is not blacklisted
< Server: Apache
< X-Powered-By: PHP/5.4.38
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Phabricator Repositories"
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
< Content-Type: text/html
* The requested URL returned error: 401
* Closing connection 1
* The cache now contains 0 members
* Expire cleared
fatal: Authentication failed

It worked fine before now all old repos give the same error on any git operation. I have no .htaccess file on the system (using bitnami appliance) and am not sure which index.php I should be editing or where exactly to put the code?

Any help would be greatly appreciated.

chad mentioned this in T9849: Keep getting 403 error when trying to push to a repository.Nov 25 2015, 3:34 PM

revi removed • gailovesgames4 as the assignee of this task.Nov 28 2015, 7:45 AM

revi added a subscriber: revi.

Ephasme awarded a token.Nov 29 2015, 12:31 AM

Ephasme added a subscriber: Ephasme.

epriestley mentioned this in T7789: Support Git Large File Storage.Mar 15 2016, 12:17 PM

epriestley mentioned this in T11553: Add various "make an HTTP call" setup checks, and run them in parallel.Aug 29 2016, 4:21 PM

epriestley added a parent task: T11553: Add various "make an HTTP call" setup checks, and run them in parallel.

epriestley added a revision: D12622: Add a wide range of HTTP-request-based setup checks.Dec 8 2016, 11:37 PM

epriestley closed this task as Resolved by committing rPffdc082852fe: Add a wide range of HTTP-request-based setup checks.Dec 8 2016, 11:46 PM

epriestley added a commit: rPffdc082852fe: Add a wide range of HTTP-request-based setup checks.