356 lines
15 KiB
Plaintext
356 lines
15 KiB
Plaintext
http.proxy::
|
|
Override the HTTP proxy, normally configured using the 'http_proxy',
|
|
'https_proxy', and 'all_proxy' environment variables (see `curl(1)`). In
|
|
addition to the syntax understood by curl, it is possible to specify a
|
|
proxy string with a user name but no password, in which case git will
|
|
attempt to acquire one in the same way it does for other credentials. See
|
|
linkgit:gitcredentials[7] for more information. The syntax thus is
|
|
'[protocol://][user[:password]@]proxyhost[:port][/path]'. This can be
|
|
overridden on a per-remote basis; see remote.<name>.proxy
|
|
+
|
|
Any proxy, however configured, must be completely transparent and must not
|
|
modify, transform, or buffer the request or response in any way. Proxies which
|
|
are not completely transparent are known to cause various forms of breakage
|
|
with Git.
|
|
|
|
http.proxyAuthMethod::
|
|
Set the method with which to authenticate against the HTTP proxy. This
|
|
only takes effect if the configured proxy string contains a user name part
|
|
(i.e. is of the form 'user@host' or 'user@host:port'). This can be
|
|
overridden on a per-remote basis; see `remote.<name>.proxyAuthMethod`.
|
|
Both can be overridden by the `GIT_HTTP_PROXY_AUTHMETHOD` environment
|
|
variable. Possible values are:
|
|
+
|
|
--
|
|
* `anyauth` - Automatically pick a suitable authentication method. It is
|
|
assumed that the proxy answers an unauthenticated request with a 407
|
|
status code and one or more Proxy-authenticate headers with supported
|
|
authentication methods. This is the default.
|
|
* `basic` - HTTP Basic authentication
|
|
* `digest` - HTTP Digest authentication; this prevents the password from being
|
|
transmitted to the proxy in clear text
|
|
* `negotiate` - GSS-Negotiate authentication (compare the --negotiate option
|
|
of `curl(1)`)
|
|
* `ntlm` - NTLM authentication (compare the --ntlm option of `curl(1)`)
|
|
--
|
|
|
|
http.proxySSLCert::
|
|
The pathname of a file that stores a client certificate to use to authenticate
|
|
with an HTTPS proxy. Can be overridden by the `GIT_PROXY_SSL_CERT` environment
|
|
variable.
|
|
|
|
http.proxySSLKey::
|
|
The pathname of a file that stores a private key to use to authenticate with
|
|
an HTTPS proxy. Can be overridden by the `GIT_PROXY_SSL_KEY` environment
|
|
variable.
|
|
|
|
http.proxySSLCertPasswordProtected::
|
|
Enable Git's password prompt for the proxy SSL certificate. Otherwise OpenSSL
|
|
will prompt the user, possibly many times, if the certificate or private key
|
|
is encrypted. Can be overridden by the `GIT_PROXY_SSL_CERT_PASSWORD_PROTECTED`
|
|
environment variable.
|
|
|
|
http.proxySSLCAInfo::
|
|
Pathname to the file containing the certificate bundle that should be used to
|
|
verify the proxy with when using an HTTPS proxy. Can be overridden by the
|
|
`GIT_PROXY_SSL_CAINFO` environment variable.
|
|
|
|
http.emptyAuth::
|
|
Attempt authentication without seeking a username or password. This
|
|
can be used to attempt GSS-Negotiate authentication without specifying
|
|
a username in the URL, as libcurl normally requires a username for
|
|
authentication.
|
|
|
|
http.proactiveAuth::
|
|
Attempt authentication without first making an unauthenticated attempt and
|
|
receiving a 401 response. This can be used to ensure that all requests are
|
|
authenticated. If `http.emptyAuth` is set to true, this value has no effect.
|
|
+
|
|
If the credential helper used specifies an authentication scheme (i.e., via the
|
|
`authtype` field), that value will be used; if a username and password is
|
|
provided without a scheme, then Basic authentication is used. The value of the
|
|
option determines the scheme requested from the helper. Possible values are:
|
|
+
|
|
--
|
|
* `basic` - Request Basic authentication from the helper.
|
|
* `auto` - Allow the helper to pick an appropriate scheme.
|
|
* `none` - Disable proactive authentication.
|
|
--
|
|
+
|
|
Note that TLS should always be used with this configuration, since otherwise it
|
|
is easy to accidentally expose plaintext credentials if Basic authentication
|
|
is selected.
|
|
|
|
http.delegation::
|
|
Control GSSAPI credential delegation. The delegation is disabled
|
|
by default in libcurl since version 7.21.7. Set parameter to tell
|
|
the server what it is allowed to delegate when it comes to user
|
|
credentials. Used with GSS/kerberos. Possible values are:
|
|
+
|
|
--
|
|
* `none` - Don't allow any delegation.
|
|
* `policy` - Delegates if and only if the OK-AS-DELEGATE flag is set in the
|
|
Kerberos service ticket, which is a matter of realm policy.
|
|
* `always` - Unconditionally allow the server to delegate.
|
|
--
|
|
|
|
|
|
http.extraHeader::
|
|
Pass an additional HTTP header when communicating with a server. If
|
|
more than one such entry exists, all of them are added as extra
|
|
headers. To allow overriding the settings inherited from the system
|
|
config, an empty value will reset the extra headers to the empty list.
|
|
|
|
http.cookieFile::
|
|
The pathname of a file containing previously stored cookie lines,
|
|
which should be used
|
|
in the Git http session, if they match the server. The file format
|
|
of the file to read cookies from should be plain HTTP headers or
|
|
the Netscape/Mozilla cookie file format (see `curl(1)`).
|
|
Set it to an empty string, to accept only new cookies from
|
|
the server and send them back in successive requests within same
|
|
connection.
|
|
NOTE that the file specified with http.cookieFile is used only as
|
|
input unless http.saveCookies is set.
|
|
|
|
http.saveCookies::
|
|
If set, store cookies received during requests to the file specified by
|
|
http.cookieFile. Has no effect if http.cookieFile is unset, or set to
|
|
an empty string.
|
|
|
|
http.version::
|
|
Use the specified HTTP protocol version when communicating with a server.
|
|
If you want to force the default. The available and default version depend
|
|
on libcurl. Currently the possible values of
|
|
this option are:
|
|
|
|
- HTTP/2
|
|
- HTTP/1.1
|
|
|
|
http.curloptResolve::
|
|
Hostname resolution information that will be used first by
|
|
libcurl when sending HTTP requests. This information should
|
|
be in one of the following formats:
|
|
|
|
- [+]HOST:PORT:ADDRESS[,ADDRESS]
|
|
- -HOST:PORT
|
|
|
|
+
|
|
The first format redirects all requests to the given `HOST:PORT`
|
|
to the provided `ADDRESS`(s). The second format clears all
|
|
previous config values for that `HOST:PORT` combination. To
|
|
allow easy overriding of all the settings inherited from the
|
|
system config, an empty value will reset all resolution
|
|
information to the empty list.
|
|
|
|
http.sslVersion::
|
|
The SSL version to use when negotiating an SSL connection, if you
|
|
want to force the default. The available and default version
|
|
depend on whether libcurl was built against NSS or OpenSSL and the
|
|
particular configuration of the crypto library in use. Internally
|
|
this sets the 'CURLOPT_SSL_VERSION' option; see the libcurl
|
|
documentation for more details on the format of this option and
|
|
for the ssl version supported. Currently the possible values of
|
|
this option are:
|
|
|
|
- sslv2
|
|
- sslv3
|
|
- tlsv1
|
|
- tlsv1.0
|
|
- tlsv1.1
|
|
- tlsv1.2
|
|
- tlsv1.3
|
|
|
|
+
|
|
Can be overridden by the `GIT_SSL_VERSION` environment variable.
|
|
To force git to use libcurl's default ssl version and ignore any
|
|
explicit http.sslversion option, set `GIT_SSL_VERSION` to the
|
|
empty string.
|
|
|
|
http.sslCipherList::
|
|
A list of SSL ciphers to use when negotiating an SSL connection.
|
|
The available ciphers depend on whether libcurl was built against
|
|
NSS or OpenSSL and the particular configuration of the crypto
|
|
library in use. Internally this sets the 'CURLOPT_SSL_CIPHER_LIST'
|
|
option; see the libcurl documentation for more details on the format
|
|
of this list.
|
|
+
|
|
Can be overridden by the `GIT_SSL_CIPHER_LIST` environment variable.
|
|
To force git to use libcurl's default cipher list and ignore any
|
|
explicit http.sslCipherList option, set `GIT_SSL_CIPHER_LIST` to the
|
|
empty string.
|
|
|
|
http.sslVerify::
|
|
Whether to verify the SSL certificate when fetching or pushing
|
|
over HTTPS. Defaults to true. Can be overridden by the
|
|
`GIT_SSL_NO_VERIFY` environment variable.
|
|
|
|
http.sslCert::
|
|
File containing the SSL certificate when fetching or pushing
|
|
over HTTPS. Can be overridden by the `GIT_SSL_CERT` environment
|
|
variable.
|
|
|
|
http.sslKey::
|
|
File containing the SSL private key when fetching or pushing
|
|
over HTTPS. Can be overridden by the `GIT_SSL_KEY` environment
|
|
variable.
|
|
|
|
http.sslCertPasswordProtected::
|
|
Enable Git's password prompt for the SSL certificate. Otherwise
|
|
OpenSSL will prompt the user, possibly many times, if the
|
|
certificate or private key is encrypted. Can be overridden by the
|
|
`GIT_SSL_CERT_PASSWORD_PROTECTED` environment variable.
|
|
|
|
http.sslCAInfo::
|
|
File containing the certificates to verify the peer with when
|
|
fetching or pushing over HTTPS. Can be overridden by the
|
|
`GIT_SSL_CAINFO` environment variable.
|
|
|
|
http.sslCAPath::
|
|
Path containing files with the CA certificates to verify the peer
|
|
with when fetching or pushing over HTTPS. Can be overridden
|
|
by the `GIT_SSL_CAPATH` environment variable.
|
|
|
|
http.sslBackend::
|
|
Name of the SSL backend to use (e.g. "openssl" or "schannel").
|
|
This option is ignored if cURL lacks support for choosing the SSL
|
|
backend at runtime.
|
|
|
|
http.schannelCheckRevoke::
|
|
Used to enforce or disable certificate revocation checks in cURL
|
|
when http.sslBackend is set to "schannel". Defaults to `true` if
|
|
unset. Only necessary to disable this if Git consistently errors
|
|
and the message is about checking the revocation status of a
|
|
certificate. This option is ignored if cURL lacks support for
|
|
setting the relevant SSL option at runtime.
|
|
|
|
http.schannelUseSSLCAInfo::
|
|
As of cURL v7.60.0, the Secure Channel backend can use the
|
|
certificate bundle provided via `http.sslCAInfo`, but that would
|
|
override the Windows Certificate Store. Since this is not desirable
|
|
by default, Git will tell cURL not to use that bundle by default
|
|
when the `schannel` backend was configured via `http.sslBackend`,
|
|
unless `http.schannelUseSSLCAInfo` overrides this behavior.
|
|
|
|
http.pinnedPubkey::
|
|
Public key of the https service. It may either be the filename of
|
|
a PEM or DER encoded public key file or a string starting with
|
|
'sha256//' followed by the base64 encoded sha256 hash of the
|
|
public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
|
|
exit with an error if this option is set but not supported by
|
|
cURL.
|
|
|
|
http.sslTry::
|
|
Attempt to use AUTH SSL/TLS and encrypted data transfers
|
|
when connecting via regular FTP protocol. This might be needed
|
|
if the FTP server requires it for security reasons or you wish
|
|
to connect securely whenever remote FTP server supports it.
|
|
Default is false since it might trigger certificate verification
|
|
errors on misconfigured servers.
|
|
|
|
http.maxRequests::
|
|
How many HTTP requests to launch in parallel. Can be overridden
|
|
by the `GIT_HTTP_MAX_REQUESTS` environment variable. Default is 5.
|
|
|
|
http.minSessions::
|
|
The number of curl sessions (counted across slots) to be kept across
|
|
requests. They will not be ended with curl_easy_cleanup() until
|
|
http_cleanup() is invoked. If USE_CURL_MULTI is not defined, this
|
|
value will be capped at 1. Defaults to 1.
|
|
|
|
http.postBuffer::
|
|
Maximum size in bytes of the buffer used by smart HTTP
|
|
transports when POSTing data to the remote system.
|
|
For requests larger than this buffer size, HTTP/1.1 and
|
|
Transfer-Encoding: chunked is used to avoid creating a
|
|
massive pack file locally. Default is 1 MiB, which is
|
|
sufficient for most requests.
|
|
+
|
|
Note that raising this limit is only effective for disabling chunked
|
|
transfer encoding and therefore should be used only where the remote
|
|
server or a proxy only supports HTTP/1.0 or is noncompliant with the
|
|
HTTP standard. Raising this is not, in general, an effective solution
|
|
for most push problems, but can increase memory consumption
|
|
significantly since the entire buffer is allocated even for small
|
|
pushes.
|
|
|
|
http.lowSpeedLimit, http.lowSpeedTime::
|
|
If the HTTP transfer speed, in bytes per second, is less than
|
|
'http.lowSpeedLimit' for longer than 'http.lowSpeedTime' seconds,
|
|
the transfer is aborted.
|
|
Can be overridden by the `GIT_HTTP_LOW_SPEED_LIMIT` and
|
|
`GIT_HTTP_LOW_SPEED_TIME` environment variables.
|
|
|
|
http.noEPSV::
|
|
A boolean which disables using of EPSV ftp command by curl.
|
|
This can be helpful with some "poor" ftp servers which don't
|
|
support EPSV mode. Can be overridden by the `GIT_CURL_FTP_NO_EPSV`
|
|
environment variable. Default is false (curl will use EPSV).
|
|
|
|
http.userAgent::
|
|
The HTTP USER_AGENT string presented to an HTTP server. The default
|
|
value represents the version of the Git client such as git/1.7.1.
|
|
This option allows you to override this value to a more common value
|
|
such as Mozilla/4.0. This may be necessary, for instance, if
|
|
connecting through a firewall that restricts HTTP connections to a set
|
|
of common USER_AGENT strings (but not including those like git/1.7.1).
|
|
Can be overridden by the `GIT_HTTP_USER_AGENT` environment variable.
|
|
|
|
http.followRedirects::
|
|
Whether git should follow HTTP redirects. If set to `true`, git
|
|
will transparently follow any redirect issued by a server it
|
|
encounters. If set to `false`, git will treat all redirects as
|
|
errors. If set to `initial`, git will follow redirects only for
|
|
the initial request to a remote, but not for subsequent
|
|
follow-up HTTP requests. Since git uses the redirected URL as
|
|
the base for the follow-up requests, this is generally
|
|
sufficient. The default is `initial`.
|
|
|
|
http.<url>.*::
|
|
Any of the http.* options above can be applied selectively to some URLs.
|
|
For a config key to match a URL, each element of the config key is
|
|
compared to that of the URL, in the following order:
|
|
+
|
|
--
|
|
. Scheme (e.g., `https` in `https://example.com/`). This field
|
|
must match exactly between the config key and the URL.
|
|
|
|
. Host/domain name (e.g., `example.com` in `https://example.com/`).
|
|
This field must match between the config key and the URL. It is
|
|
possible to specify a `*` as part of the host name to match all subdomains
|
|
at this level. `https://*.example.com/` for example would match
|
|
`https://foo.example.com/`, but not `https://foo.bar.example.com/`.
|
|
|
|
. Port number (e.g., `8080` in `http://example.com:8080/`).
|
|
This field must match exactly between the config key and the URL.
|
|
Omitted port numbers are automatically converted to the correct
|
|
default for the scheme before matching.
|
|
|
|
. Path (e.g., `repo.git` in `https://example.com/repo.git`). The
|
|
path field of the config key must match the path field of the URL
|
|
either exactly or as a prefix of slash-delimited path elements. This means
|
|
a config key with path `foo/` matches URL path `foo/bar`. A prefix can only
|
|
match on a slash (`/`) boundary. Longer matches take precedence (so a config
|
|
key with path `foo/bar` is a better match to URL path `foo/bar` than a config
|
|
key with just path `foo/`).
|
|
|
|
. User name (e.g., `user` in `https://user@example.com/repo.git`). If
|
|
the config key has a user name it must match the user name in the
|
|
URL exactly. If the config key does not have a user name, that
|
|
config key will match a URL with any user name (including none),
|
|
but at a lower precedence than a config key with a user name.
|
|
--
|
|
+
|
|
The list above is ordered by decreasing precedence; a URL that matches
|
|
a config key's path is preferred to one that matches its user name. For example,
|
|
if the URL is `https://user@example.com/foo/bar` a config key match of
|
|
`https://example.com/foo` will be preferred over a config key match of
|
|
`https://user@example.com`.
|
|
+
|
|
All URLs are normalized before attempting any matching (the password part,
|
|
if embedded in the URL, is always ignored for matching purposes) so that
|
|
equivalent URLs that are simply spelled differently will match properly.
|
|
Environment variable settings always override any matches. The URLs that are
|
|
matched against are those given directly to Git commands. This means any URLs
|
|
visited as a result of a redirection do not participate in matching.
|