CGIT + NGINX : Not able to push commit

  • 17 Nov '22
Hi, I plan to set up my own git web using cgit. For now I am able to clone,
but I am not able to push changes.

$ export GIT_CURL_VERBOSE=1
$ git push --set-upstream origin robbi.my_custom
23:24:24.335603 http.c:703              == Info: Couldn't find host 
source.robbi.my in the (nil) file; using defaults
23:24:24.339495 http.c:703              == Info:   Trying 172.64.80.1:443...
23:24:25.157231 http.c:703              == Info: Connected to 
source.robbi.my (172.64.80.1) port 443 (#0)
23:24:25.158730 http.c:703              == Info: ALPN: offers h2
23:24:25.158730 http.c:703              == Info: ALPN: offers http/1.1
23:24:25.169314 http.c:703              == Info:  CAfile: C:/Program 
Files/Git/mingw64/ssl/certs/ca-bundle.crt
23:24:25.169314 http.c:703              == Info:  CApath: none
23:24:25.169314 http.c:703              == Info: TLSv1.3 (OUT), TLS 
handshake, Client hello (1):
23:24:25.613101 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Server hello (2):
23:24:25.615105 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Encrypted Extensions (8):
23:24:25.615105 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Certificate (11):
23:24:25.619104 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, CERT verify (15):
23:24:25.619104 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Finished (20):
23:24:25.620104 http.c:703              == Info: TLSv1.3 (OUT), TLS 
change cipher, Change cipher spec (1):
23:24:25.620104 http.c:703              == Info: TLSv1.3 (OUT), TLS 
handshake, Finished (20):
23:24:25.620104 http.c:703              == Info: SSL connection using 
TLSv1.3 / TLS_AES_256_GCM_SHA384
23:24:25.620104 http.c:703              == Info: ALPN: server accepted h2
23:24:25.620104 http.c:703              == Info: Server certificate:
23:24:25.620104 http.c:703              == Info:  subject: CN=*.robbi.my
23:24:25.620104 http.c:703              == Info:  start date: Oct 13 
02:03:14 2022 GMT
23:24:25.620104 http.c:703              == Info:  expire date: Jan 11 
02:03:13 2023 GMT
23:24:25.620104 http.c:703              == Info:  subjectAltName: host 
"source.robbi.my" matched cert's "*.robbi.my"
23:24:25.620104 http.c:703              == Info:  issuer: C=US; O=Let's 
Encrypt; CN=E1
23:24:25.620104 http.c:703              == Info:  SSL certificate verify ok.
23:24:25.620104 http.c:703              == Info: Using HTTP2, server 
supports multiplexing
23:24:25.620104 http.c:703              == Info: Copying HTTP/2 data in 
stream buffer to connection buffer after upgrade: len=0
23:24:25.620104 http.c:703              == Info: h2h3 [:method: GET]
23:24:25.620104 http.c:703              == Info: h2h3 [:path: 
/cgit-pink/info/refs?service=git-receive-pack]
23:24:25.620104 http.c:703              == Info: h2h3 [:scheme: https]
23:24:25.620104 http.c:703              == Info: h2h3 [:authority: 
source.robbi.my]
23:24:25.620104 http.c:703              == Info: h2h3 [user-agent: 
git/2.37.2.windows.2]
23:24:25.620104 http.c:703              == Info: h2h3 [accept: */*]
23:24:25.620104 http.c:703              == Info: h2h3 [accept-encoding: 
deflate, gzip, br, zstd]
23:24:25.620104 http.c:703              == Info: h2h3 [pragma: no-cache]
23:24:25.620104 http.c:703              == Info: Using Stream ID: 1 
(easy handle 0x22b7fa5f690)
23:24:25.620104 http.c:650              => Send header, 0000000190 bytes 
(0x000000be)
23:24:25.620104 http.c:662              => Send header: GET 
/cgit-pink/info/refs?service=git-receive-pack HTTP/2
23:24:25.620104 http.c:662              => Send header: Host: 
source.robbi.my
23:24:25.620104 http.c:662              => Send header: user-agent: 
git/2.37.2.windows.2
23:24:25.620104 http.c:662              => Send header: accept: */*
23:24:25.620104 http.c:662              => Send header: accept-encoding: 
deflate, gzip, br, zstd
23:24:25.620104 http.c:662              => Send header: pragma: no-cache
23:24:25.620104 http.c:662              => Send header:
23:24:25.962937 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Newsession Ticket (4):
23:24:25.963949 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Newsession Ticket (4):
23:24:25.963949 http.c:703              == Info: old SSL session ID is 
stale, removing
23:24:25.963949 http.c:703              == Info: Connection state 
changed (MAX_CONCURRENT_STREAMS == 256)!
23:24:26.253252 http.c:650              <= Recv header, 0000000013 bytes 
(0x0000000d)
23:24:26.253252 http.c:662              <= Recv header: HTTP/2 403
23:24:26.253252 http.c:650              <= Recv header, 0000000037 bytes 
(0x00000025)
23:24:26.253252 http.c:662              <= Recv header: date: Thu, 17 
Nov 2022 15:24:24 GMT
23:24:26.253252 http.c:650              <= Recv header, 0000000040 bytes 
(0x00000028)
23:24:26.253252 http.c:662              <= Recv header: expires: Fri, 01 
Jan 1980 00:00:00 GMT
23:24:26.253252 http.c:650              <= Recv header, 0000000040 bytes 
(0x00000028)
23:24:26.253252 http.c:662              <= Recv header: expires: Fri, 01 
Jan 1980 00:00:00 GMT
23:24:26.253252 http.c:650              <= Recv header, 0000000018 bytes 
(0x00000012)
23:24:26.253252 http.c:662              <= Recv header: pragma: no-cache
23:24:26.253252 http.c:650              <= Recv header, 0000000018 bytes 
(0x00000012)
23:24:26.253252 http.c:662              <= Recv header: pragma: no-cache
23:24:26.253252 http.c:650              <= Recv header, 0000000053 bytes 
(0x00000035)
23:24:26.253252 http.c:662              <= Recv header: cache-control: 
no-cache, max-age=0, must-revalidate
23:24:26.253252 http.c:650              <= Recv header, 0000000053 bytes 
(0x00000035)
23:24:26.253252 http.c:662              <= Recv header: cache-control: 
no-cache, max-age=0, must-revalidate
23:24:26.253252 http.c:650              <= Recv header, 0000000026 bytes 
(0x0000001a)
23:24:26.253252 http.c:662              <= Recv header: cf-cache-status: 
DYNAMIC
23:24:26.253252 http.c:650              <= Recv header, 0000000256 bytes 
(0x00000100)
23:24:26.253252 http.c:662              <= Recv header: report-to: 
{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fD6cyeHU7oKzC1IXV6hfWtcCXjRGLX7lNK39sEBhlpUSgG6%2F4V8RjFxV%2F20PIQPuFFJeb03csCfZb87f9Q7b7amvGWLhncuAPTZEZ9GraBoHdhs1MObZEz5FdlvADngnu8w%3D"}],"group":"cf-nel","max_age":604800}
23:24:26.253252 http.c:650              <= Recv header, 0000000067 bytes 
(0x00000043)
23:24:26.253252 http.c:662              <= Recv header: nel: 
{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
23:24:26.253252 http.c:650              <= Recv header, 0000000038 bytes 
(0x00000026)
23:24:26.253252 http.c:662              <= Recv header: 
strict-transport-security: max-age=0
23:24:26.253252 http.c:650              <= Recv header, 0000000033 bytes 
(0x00000021)
23:24:26.253252 http.c:662              <= Recv header: 
x-content-type-options: nosniff
23:24:26.253252 http.c:650              <= Recv header, 0000000020 bytes 
(0x00000014)
23:24:26.253252 http.c:662              <= Recv header: server: cloudflare
23:24:26.253252 http.c:650              <= Recv header, 0000000030 bytes 
(0x0000001e)
23:24:26.253252 http.c:662              <= Recv header: cf-ray: 
76b9791ecb6405b7-IAD
23:24:26.253252 http.c:650              <= Recv header, 0000000054 bytes 
(0x00000036)
23:24:26.253252 http.c:662              <= Recv header: alt-svc: 
h3=":443"; ma=86400, h3-29=":443"; ma=86400
23:24:26.253252 http.c:650              <= Recv header, 0000000002 bytes 
(0x00000002)
23:24:26.253252 http.c:662              <= Recv header:
23:24:26.253252 http.c:703              == Info: Connection #0 to host 
source.robbi.my left intact
fatal: unable to access 'https://source.robbi.my/cgit-pink/': The 
requested URL returned error: 403

As you can see, it gives me a 403.

Here is my NginX conf:
$ cat /etc/nginx/sites-available/source.robbi.my.conf | sed -e 's/#[^!].*$//'
server {
     listen [::]:80;
     listen 80;
     listen 443 ssl http2;
     listen [::]:443 ssl http2;

     server_name source.robbi.my;
     root /usr/share/cgit;
     try_files $uri @cgit;

     location @cgit {
         include             fastcgi_params;
         fastcgi_param       SCRIPT_FILENAME /var/www/htdocs/cgit/cgit.cgi;
         fastcgi_param       PATH_INFO       $request_uri;
         fastcgi_param       QUERY_STRING    $query_string;
         fastcgi_param       HTTP_HOST       $server_name;
         fastcgi_pass        unix:/run/fcgiwrap.socket;
     }

     location ~ /.+/(info/refs|git-upload-pack) {
         include             fastcgi_params;
         fastcgi_param       SCRIPT_FILENAME     /usr/lib/git-core/git-http-backend;
         fastcgi_param       PATH_INFO           $uri;
         fastcgi_param       GIT_HTTP_EXPORT_ALL 1;
         fastcgi_param       GIT_PROJECT_ROOT    /srv/git;
         fastcgi_param       HOME                /srv/git;
         fastcgi_pass        unix:/run/fcgiwrap.socket;
     }
     ssl_certificate /etc/nginx/ssl/cloudflare.pem;
     ssl_certificate_key /etc/nginx/ssl/cloudflare.key;
}

I am not sure what is wrong here; it keeps sending 403 when I try to push.

-- 
Regards
Robbi Nespu

PGP: 7816 3327 745D 4B14 0D70 0237 05C3 9BE3 9AAF 49F4
  • 17 Nov '22
On Fri, Nov 18, 2022 at 12:04:42AM +0800, Robbi wrote:

Hi there,

> Hi, I plan to set up my own git web using cgit. For now I am able to clone, but I
> am not able to push changes.

What do the nginx logs say about this request?

Specifically, these headers:

> 23:24:26.253252 http.c:662              <= Recv header: cf-cache-status:
> DYNAMIC
> 23:24:26.253252 http.c:662              <= Recv header: report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fD6cyeHU7oKzC1IXV6hfWtcCXjRGLX7lNK39sEBhlpUSgG6%2F4V8RjFxV%2F20PIQPuFFJeb03csCfZb87f9Q7b7amvGWLhncuAPTZEZ9GraBoHdhs1MObZEz5FdlvADngnu8w%3D"}],"group":"cf-nel","max_age":604800}
> 23:24:26.253252 http.c:662              <= Recv header: server: cloudflare

are not obviously listed in your nginx config; so it might be that you
are talking to something other than the nginx server you think you are
talking to; and that other thing might be returning the 403.

If you can test talking to nginx directly, then maybe something will
show whether the 403 is coming from nginx, or is coming from the fastcgi
server that nginx, in turn, is talking to.

Good luck with it,

    f
-- 
Francis Daly        francis at daoine.org
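
Added example, not part of either message: the question asked in the reply ("What do the nginx logs say about this request?") turned into a check over nginx's default "combined" access log, to tell whether the push request reached nginx at all. The `where_from` helper, the temporary file names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find out whether the request that got
# the 403 ever reached nginx, using nginx's default "combined" access log.

# where_from LOGFILE REQUEST_SUBSTRING
#   not-logged    -> nginx never saw the request; whatever sits in front answered
#   nginx:<code>  -> nginx logged it; <code> came from nginx or the FastCGI app
where_from() {
    awk -F'"' -v want="$2" '
        # Split on double quotes: $2 is the request line, $3 is " status bytes "
        index($2, want) { split($3, f, " "); status = f[1] }
        END { print (status == "" ? "not-logged" : "nginx:" status) }
    ' "$1"
}

# Constructed sample logs (documentation addresses, invented timestamps).
tmp=$(mktemp -d)
cat > "$tmp/only_clone.log" <<'EOF'
192.0.2.10 - - [17/Nov/2022:15:20:01 +0000] "GET /cgit-pink/info/refs?service=git-upload-pack HTTP/1.1" 200 412 "-" "git/2.37.2.windows.2"
EOF
cat > "$tmp/push_seen.log" <<'EOF'
192.0.2.10 - - [17/Nov/2022:15:20:01 +0000] "GET /cgit-pink/info/refs?service=git-upload-pack HTTP/1.1" 200 412 "-" "git/2.37.2.windows.2"
192.0.2.10 - - [17/Nov/2022:15:24:24 +0000] "GET /cgit-pink/info/refs?service=git-receive-pack HTTP/1.1" 403 0 "-" "git/2.37.2.windows.2"
EOF

# The request the git client sent in the trace above.
push='info/refs?service=git-receive-pack'
echo "only_clone.log: $(where_from "$tmp/only_clone.log" "$push")"
echo "push_seen.log:  $(where_from "$tmp/push_seen.log" "$push")"
```

On a real server, point `where_from` at the access log of the `source.robbi.my` server block right after a failed push; if it prints `nginx:403`, the nginx error log is the next place to look.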