git-http-backend on Apache 2.4

Moving to a new server, I also had to setup HTTP access for my Git repositories at

My old server was Debian 8 with Apache 2.2, the new one Debian 9 with Apache 2.4. Simply copying the configuration did not work - I got an error:

AH01630: client denied by server configuration: /usr/lib/git-core/git-http-backend

I did not want to make the whole /usr/lib/git-core/ directory executable, but only git-http-backend. At first I tried it with:

<Files "/usr/lib/git-core/git-http-backend">
    Options +ExecCGI
    Require all granted

- but that did not work. The documentation about files says:

Directives enclosed in a <Files> section apply to any file with the specified name, regardless of what directory it lies in.

So the correct way was to nest a <Files> tag inside a <Directory> tag:

<Directory "/usr/lib/git-core/">
    <Files "git-http-backend">
        Options +ExecCGI
        Require all granted

Full configuration

This is the full configuration for the virtual host:

<VirtualHost *:443>
    HeaderName HEADER
    DocumentRoot /home/cweiske/www/
    Include /etc/apache2/sites-available/cweiske/includes/linkback.conf
    Include /etc/apache2/sites-available/cweiske/includes/letsencrypt-acme-challenges.conf
    SetEnv GITWEB_CONFIG /home/cweiske/www/
    ScriptAlias /gitweb.cgi /usr/share/gitweb/gitweb.cgi
    #smart http protocol
    # by default allows GET only, not push.
    # we serve it over the same URLs as the normal gitweb URLs!
    SetEnv GIT_PROJECT_ROOT /var/lib/git-public/
    ScriptAliasMatch \
        "(?x)^/(.*git/(HEAD | \
                        info/refs | \
                        objects/(info/[^/]+ | \
                                 [0-9a-f]{2}/[0-9a-f]{38} | \
                                 pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                        git-(upload|receive)-pack))$" \
    CustomLog /var/log/apache2/cweiske/ combined
    ErrorLog  /var/log/apache2/cweiske/
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    ServerSignature Off
    <Directory "/home/cweiske/www/">
        Options +FollowSymLinks +ExecCGI
	AddHandler cgi-script .cgi
        Require all granted
	DirectoryIndex /gitweb.cgi
        RewriteEngine On
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule ^.* /gitweb.cgi/$0  [L,PT]
    <Directory "/usr/lib/git-core/">
        <Files "git-http-backend">
            Options +ExecCGI
            Require all granted
    <Location "/gitweb.conf">
    	Require all denied

Written by Christian Weiske.

Comments? Please send an e-mail.