Unable to authenticate over HTTPS

Since setting up hosted repository access over SSH is a bit more complicated, I tried to set up HTTP(S) access first. Unfortunately, after setting everything up according to the guide, I’m not able to authenticate myself with phabricator via git.

The curl output for git clone is the following. It appears as if phabricator does not see the Authentication header and just requests authentication again.

Is this a setup issue? diffusion.allow-http-auth is enabled, I have a VCS Password for my user and there are HTTP and HTTPS URIs available on the repository.

    MacBook-Pro-User:user user$ GIT_CURL_VERBOSE=1 git clone https://phabricator.xxx.xxx/diffusion/19/255-test-repo.git
    Cloning into '255-test-repo'...
    * Couldn't find host phabricator.xxx.xxx in the .netrc file; using defaults
    *   Trying 54.93.0.0...
    * TCP_NODELAY set
    * Connected to phabricator.xxx.xxx (54.93.0.0) port 443 (#0)
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=phabricator.xxx.xxx
    *  start date: Jun  3 05:23:32 2019 GMT
    *  expire date: Sep  1 05:23:32 2019 GMT
    *  subjectAltName: host "phabricator.xxx.xxx" matched cert's "phabricator.xxx.xxx"
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    > GET /diffusion/19/255-test-repo.git/info/refs?service=git-upload-pack HTTP/1.1
    Host: phabricator.xxx.xxx
    User-Agent: git/2.22.0
    Accept: */*
    Accept-Encoding: deflate, gzip
    Accept-Language: en-US, *;q=0.9
    Pragma: no-cache

    < HTTP/1.1 401 You must log in to access repositories.
    < Date: Tue, 25 Jun 2019 11:27:46 GMT
    < Server: Apache/2.4.37 (Amazon) OpenSSL/1.0.2k-fips PHP/5.6.39
    < X-Powered-By: PHP/7.2.13
    < WWW-Authenticate: Basic realm="Phabricator Repositories"
    < Content-Encoding: gzip
    < Vary: Accept-Encoding
    < Upgrade: h2,h2c
    < Connection: Upgrade
    < Transfer-Encoding: chunked
    < Content-Type: text/html; charset=UTF-8
    < 
    * Connection #0 to host phabricator.xxx.xxx left intact
    Username for 'https://phabricator.xxx.xxx': user
    Password for 'https://user@phabricator.xxx.xxx': 
    * Couldn't find host phabricator.xxx.xxx in the .netrc file; using defaults
    * Connection 0 seems to be dead!
    * Closing connection 0
    * Hostname phabricator.xxx.xxx was found in DNS cache
    *   Trying 54.93.0.0...
    * TCP_NODELAY set
    * Connected to phabricator.xxx.xxx (54.93.0.0) port 443 (#1)
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * SSL re-using session ID
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=phabricator.xxx.xxx
    *  start date: Jun  3 05:23:32 2019 GMT
    *  expire date: Sep  1 05:23:32 2019 GMT
    *  subjectAltName: host "phabricator.xxx.xxx" matched cert's "phabricator.xxx.xxx"
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    * Server auth using Basic with user 'user'
    > GET /diffusion/19/255-test-repo.git/info/refs?service=git-upload-pack HTTP/1.1
    Host: phabricator.xxx.xxx
    Authorization: Basic XXXXXXXX
    User-Agent: git/2.22.0
    Accept: */*
    Accept-Encoding: deflate, gzip
    Accept-Language: en-US, *;q=0.9
    Pragma: no-cache

    < HTTP/1.1 401 You must log in to access repositories.
    < Date: Tue, 25 Jun 2019 11:28:00 GMT
    < Server: Apache/2.4.37 (Amazon) OpenSSL/1.0.2k-fips PHP/5.6.39
    < X-Powered-By: PHP/7.2.13
    * Authentication problem. Ignoring this.
    < WWW-Authenticate: Basic realm="Phabricator Repositories"
    < Content-Encoding: gzip
    < Vary: Accept-Encoding
    < Upgrade: h2,h2c
    < Connection: Upgrade
    < Transfer-Encoding: chunked
    < Content-Type: text/html; charset=UTF-8
    < 
    * Connection #1 to host phabricator.xxx.xxx left intact
    fatal: Authentication failed for 'https://phabricator.xxx.xxx/diffusion/19/255-test-repo.git/'

Here is also a screenshot of the repo status, which seems to be all good:

I also tried the apache error logs, but they do not contain anything regarding phabricator. Is there anywhere else I could check for issues?

(I can’t reproduce this.)

Just in case it matters, since you censored all the other sensitive information: the Authorization: header in your protocol log contains your username and password in plain text with base64 encoding applied.

Do you have any idea how I can get more information on why phabricator is not accepting the authentication header? Or can you point me to the right file where phabricator is checking the authentication?

:sweat_smile: totally forgot about that. Shouldn’t matter, but thanks, I removed it anyway.

The authentication header is read in src/applications/diffusion/controller/DiffusionServeController.php near line 186:

    $have_user = strlen(idx($_SERVER, 'PHP_AUTH_USER'));
    $have_pass = strlen(idx($_SERVER, 'PHP_AUTH_PW'));
    if ($have_user && $have_pass) {
      $username = $_SERVER['PHP_AUTH_USER'];
      $password = new PhutilOpaqueEnvelope($_SERVER['PHP_AUTH_PW']);

You can add phlog("message"); here to send messages to the Apache error log.

The behavior you observe is consistent with (for example) your webserver being configured in a way that does not pass “Authorization” information to PHP.

However, Phabricator has a setup check to make sure “Authorization” is being passed properly, so this shouldn’t be a possible explanation unless you’ve ignored the setup issue.
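An added example, not part of the original thread and not Phabricator code: a small triage script for a `GIT_CURL_VERBOSE` transcript like the one posted above. It reports whether the final request carried an `Authorization: Basic` header and was still answered with 401, and redacts the credential before the log is shared, since Basic auth is only base64 of `user:password`. The host name, credential and log excerpt are constructed for illustration.

```python
import base64
import re

# Constructed credential and log excerpt (GIT_CURL_VERBOSE layout); not real values.
TOKEN = base64.b64encode(b"demo:not-a-real-password").decode()
SAMPLE_LOG = f"""\
> GET /diffusion/19/255-test-repo.git/info/refs?service=git-upload-pack HTTP/1.1
Host: phabricator.example.test

< HTTP/1.1 401 You must log in to access repositories.
< WWW-Authenticate: Basic realm="Phabricator Repositories"
> GET /diffusion/19/255-test-repo.git/info/refs?service=git-upload-pack HTTP/1.1
Host: phabricator.example.test
Authorization: Basic {TOKEN}

< HTTP/1.1 401 You must log in to access repositories.
< WWW-Authenticate: Basic realm="Phabricator Repositories"
"""

AUTH_RE = re.compile(r"^(Authorization:\s*Basic\s+)(\S+)", re.I | re.M)
STATUS_RE = re.compile(r"^< HTTP/\S+ (\d{3})")

def decode_basic(token):
    """Basic auth is base64("user:password"): an encoding, not encryption."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def redact(log):  # blank the credential before pasting the log anywhere
    return AUTH_RE.sub(r"\1[REDACTED]", log)

def exchanges(log):
    """Pair each request ('> ' line plus its headers) with the status that follows."""
    out = []
    for line in log.splitlines():
        if line.startswith("> "):
            out.append({"sent_auth": False, "status": None})
        elif out and AUTH_RE.match(line):
            out[-1]["sent_auth"] = True
        elif out and out[-1]["status"] is None and (m := STATUS_RE.match(line)):
            out[-1]["status"] = int(m.group(1))
    return out

def diagnose(log):
    last = exchanges(log)[-1]
    if last["status"] != 401:
        return "authenticated, or a different failure"
    if last["sent_auth"]:
        return "credentials sent, still 401: wrong password, or header not reaching the application"
    return "no credentials sent: look at the client side"
```

The "credentials sent, still 401" verdict is the pattern in the posted log; it cannot tell a wrong password from a web server that drops the header before PHP sees it, which is why the server-side check suggested above is the next step.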

Yes, this was exactly the problem. We initially didn’t intend to use Basic Auth or repository hosting and therefore ignored the issue. As our setup now changes, we were not aware of the warning anymore. Fixing the Basic Auth issue solved the problem.