Hi Kevin,
I’m running mercurial as 

        hg serve --address localhost --port 8000 --web-conf webdir.conf

And as you see in my nginx configuration, I’m passing X-Forwarded-User as well, 
which is ignored by mercurial, hence I applied a patch which works for me.
I will be happy if mercurial eventually accepts X-Forwarded-User for 
authorization purposes:

In that case my patch will look like:

       env['REMOTE_HOST'] = self.client_address[0]
       env['REMOTE_ADDR'] = self.client_address[0]
       env['REMOTE_USER'] = self.headers.getheader('X-Forwarded-User')
       if query:
           env['QUERY_STRING'] = query
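
Review bot: the `env['REMOTE_USER'] = self.headers.getheader('X-Forwarded-User')` line takes the authenticated identity from a request header with no check that the request actually came from the authenticating proxy, so the value is only trustworthy if nothing but nginx can reach the `hg serve` port. Suggest making this opt-in through a configuration setting and comparing `self.client_address[0]` against a configured proxy address before honouring the header. `getheader` also returns None when the header is absent, which puts a non-string value into the environ; set the key only when a non-empty value is present.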

I understand your note about _environment_variable_; my point is 
HTTP_REMOTE_USER is also ignored for authorization purposes when mercurial is 
running as “hg serve”.
Maybe we can address that in future releases one way or another?

Best,
~Dmitriy

> On Mar 9, 2017, at 1:56 PM, Kevin Bullock <[email protected]> 
> wrote:
> 
>> On Mar 9, 2017, at 02:54, Dmitriy Pichugin via Mercurial 
>> <[email protected]> wrote:
>> 
>> Hi,
>> I’ve been struggling to use nginx as reverse proxy for SSL and 
>> authentication with mercurial.
>> Problem was — mercurial does not accept REMOTE_USER which nginx passes after 
>> authentication.
>> 
>> My nginx config is:
>> 
>>       location / {
>>           auth_basic             "HG";
>>           auth_basic_user_file   htpasswd;
>>           proxy_pass             http://127.0.0.1:8000;
>>           proxy_redirect         off;
>>           proxy_buffering        off;
>>           proxy_set_header       Host $host;
>>           proxy_set_header       X-Real-IP $remote_addr;
>>           proxy_set_header       X-Forwarded-For $proxy_add_x_forwarded_for;
>>           proxy_set_header       X-Forwarded-Ssl on;
>>           proxy_set_header       Remote_User $remote_user;   #### THIS is for Remote_User which mercurial should check
>>           proxy_set_header       X-Forwarded-User $remote_user;
> 
> How are you running Mercurial? As a CGI script or via a WSGI container, and 
> if so then which one?
> 
> `Remote_User` (nor Remote-User, which would be a more standard spelling per 
> RFCs) is not a standard HTTP header AFAIK. The usual header that's used for 
> this purpose is X-Forwarded-User. You'll need to arrange to have your hgweb 
> process read this header -- some containers will do this automatically, or 
> you can read it in your hgweb.cgi or hgweb.wsgi script and set the 
> REMOTE_USER variable. (Note that REMOTE_USER is an _environment variable_ 
> passed to CGI scripts, not an HTTP header. HTTP headers passed to CGI scripts 
> are prefixed with HTTP_, which is why you're seeing HTTP_REMOTE_USER with 
> your configuration.)
> 
> pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
> Kevin R. Bullock
> 
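
Kevin's suggestion of reading X-Forwarded-User in the hgweb.wsgi script and setting REMOTE_USER, sketched as an added example that is not part of the original thread and is not Mercurial's own code: a WSGI middleware that honours the header only when the connection comes from a trusted proxy address. `ForwardedUserMiddleware`, `peer_is_trusted`, `TRUSTED_PROXIES` and `demo` are hypothetical names, and the loopback-only proxy list is an assumption matching the `proxy_pass http://127.0.0.1:8000` setup above.

```python
"""WSGI middleware: map X-Forwarded-User to REMOTE_USER for trusted proxies only."""
import ipaddress

# Assumption: the authenticating nginx runs on the same host as hgweb.
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("::1/128"))
HEADER_KEY = "HTTP_X_FORWARDED_USER"  # WSGI/CGI name of the X-Forwarded-User header


def peer_is_trusted(environ, trusted=TRUSTED_PROXIES):
    """Return True if the TCP peer (REMOTE_ADDR) is one of the trusted proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False  # missing or malformed address: fail closed
    return any(peer in net for net in trusted)


class ForwardedUserMiddleware:
    """Wrap a WSGI app, e.g. the `application` object defined in hgweb.wsgi."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        environ = dict(environ)  # work on a copy, not the server's dict
        forwarded = environ.pop(HEADER_KEY, None)
        # Identity-like request headers never reach the application as-is.
        environ.pop("HTTP_REMOTE_USER", None)
        # nginx sends an empty value when $remote_user is unset; treat as absent.
        if forwarded and peer_is_trusted(environ, self.trusted):
            environ["REMOTE_USER"] = forwarded
        return self.app(environ, start_response)


def demo(remote_addr, header_value):
    """Run a constructed request through the middleware; return REMOTE_USER seen."""
    seen = {}

    def app(environ, start_response):
        seen["user"] = environ.get("REMOTE_USER")
        return []

    env = {"REMOTE_ADDR": remote_addr, HEADER_KEY: header_value}
    ForwardedUserMiddleware(app)(env, lambda status, headers: None)
    return seen["user"]
```

A loopback check still trusts every process on the host, so the header is only as reliable as the network path between nginx and the hgweb process.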

_______________________________________________
Mercurial mailing list
[email protected]
https://www.mercurial-scm.org/mailman/listinfo/mercurial
