mercurial behind nginx reverse proxy with basic authentication
Dmitriy Pichugin
dmitriy_pichugin at yahoo.com
Thu Mar 9 19:30:54 UTC 2017
Hi Kevin,
I’m running mercurial as
hg serve --address localhost --port 8000 --web-conf webdir.conf
And as you see in my nginx configuration, I’m passing X-Forwarded-User as well, which is ignored by mercurial, hence I applied a patch which works for me.
I will be happy if mercurial eventually accepts X-Forwarded-User for authorization purposes.
In that case my patch will look like:
    env['REMOTE_HOST'] = self.client_address[0]
    env['REMOTE_ADDR'] = self.client_address[0]
    env['REMOTE_USER'] = self.headers.getheader('X-Forwarded-User')
    if query:
        env['QUERY_STRING'] = query
I understand your note about _environment_variable_; my point is HTTP_REMOTE_USER is also ignored for authorization purposes when mercurial is running as “hg serve”.
Maybe we can address that in future releases one way or another?
Best,
~Dmitriy
> On Mar 9, 2017, at 1:56 PM, Kevin Bullock <kbullock+mercurial at ringworld.org> wrote:
>
>> On Mar 9, 2017, at 02:54, Dmitriy Pichugin via Mercurial <mercurial at mercurial-scm.org> wrote:
>>
>> Hi,
>> I’ve been struggling to use nginx as reverse proxy for SSL and authentication with mercurial.
>> Problem was — mercurial does not accept REMOTE_USER which nginx passes after authentication.
>>
>> My nginx config is:
>>
>> location / {
>>     auth_basic "HG";
>>     auth_basic_user_file htpasswd;
>>     proxy_pass http://127.0.0.1:8000;
>>     proxy_redirect off;
>>     proxy_buffering off;
>>     proxy_set_header Host $host;
>>     proxy_set_header X-Real-IP $remote_addr;
>>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>     proxy_set_header X-Forwarded-Ssl on;
>>     proxy_set_header Remote_User $remote_user; #### THIS is for Remote_User which mercurial should check
>>     proxy_set_header X-Forwarded-User $remote_user;
>
> How are you running Mercurial? As a CGI script or via a WSGI container, and if so then which one?
>
> `Remote_User` (nor Remote-User, which would be a more standard spelling per RFCs) is not a standard HTTP header AFAIK. The usual header that's used for this purpose is X-Forwarded-User. You'll need to arrange to have your hgweb process read this header -- some containers will do this automatically, or you can read it in your hgweb.cgi or hgweb.wsgi script and set the REMOTE_USER variable. (Note that REMOTE_USER is an _environment variable_ passed to CGI scripts, not an HTTP header. HTTP headers passed to CGI scripts are prefixed with HTTP_, which is why you're seeing HTTP_REMOTE_USER with your configuration.)
>
> pacem in terris / мир / शान्ति / سَلاَم / 平和
> Kevin R. Bullock
>
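
An added example (not part of the thread and not Mercurial's own code) of the approach Kevin describes: reading X-Forwarded-User in an hgweb.wsgi-style wrapper and setting REMOTE_USER. The class name, the trusted-proxy list and the stand-in application are assumptions; the header is honoured only when the peer is the local proxy, because any client that can reach the backend directly could otherwise supply it.

```python
# Added example; hypothetical middleware, not Mercurial's own code.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})  # assumption: nginx on same host
USER_HEADER = "HTTP_X_FORWARDED_USER"  # WSGI/CGI name of X-Forwarded-User


def is_sane(user):
    """Accept only non-empty printable ASCII without whitespace (conservative)."""
    return bool(user) and all(0x21 <= ord(c) <= 0x7E for c in user)


class ForwardedUserMiddleware(object):
    """Set REMOTE_USER from X-Forwarded-User, but only for trusted proxies."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        # Remove both values first so the wrapped application only ever
        # sees a REMOTE_USER that this middleware has vetted.
        user = environ.pop(USER_HEADER, None)
        environ.pop("REMOTE_USER", None)
        if environ.get("REMOTE_ADDR") in self.trusted and is_sane(user):
            environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for hgweb: reports the user it would authorize."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "<anonymous>").encode("utf-8")]


def run(peer, header_value):
    """Send one constructed request through the middleware; return the body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": peer}
    if header_value is not None:
        environ[USER_HEADER] = header_value
    app = ForwardedUserMiddleware(demo_app)
    return b"".join(app(environ, lambda status, headers: None)).decode("utf-8")


if __name__ == "__main__":
    print(run("127.0.0.1", "dmitriy"))    # header from the local proxy
    print(run("203.0.113.7", "admin"))    # header from an untrusted peer
```

In an hgweb.wsgi script the wrapper would go around the application object, for example `application = ForwardedUserMiddleware(hgweb(config))`.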