Two 401 responses for every Git operation
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Git operations have 3 entries in the access logs. Two 401 unauthorized responses that appear to be bad credentials, then finally an accepted 200 response.
127.0.0.1 | https | i*GVIXKXx475x1414694x1 | - | 2017-09-26 07:55:34,325 | "GET /scm/exp/example.git/info/refs HTTP/1.1" | "" "git/1.8.3.msysgit.0" | - | - | - | - | - | - |
127.0.0.1 | https | o*GVIXKXx475x1414694x1 | - | 2017-09-26 07:55:34,329 | "GET /scm/exp/example.git/info/refs HTTP/1.1" | "" "git/1.8.3.msysgit.0" | 401 | 0 | 0 | - | 4 | - |
127.0.0.1 | https | i*GVIXKXx475x1414695x1 | - | 2017-09-26 07:55:34,332 | "GET /scm/exp/example.git/info/refs HTTP/1.1" | "" "git/1.8.3.msysgit.0" | - | - | - | - | - | - |
127.0.0.1 | https | o*GVIXKXx475x1414695x1 | - | 2017-09-26 07:55:34,333 | "GET /scm/exp/example.git/info/refs HTTP/1.1" | "" "git/1.8.3.msysgit.0" | 401 | 0 | 0 | - | 0 | - |
127.0.0.1 | https | i*GVIXKXx475x1414696x1 | - | 2017-09-26 07:55:34,407 | "GET /scm/exp/example.git/info/refs HTTP/1.1" | "" "git/1.8.3.msysgit.0" | - | - | - | - | - | - |
127.0.0.1 | https | o*GVIXKXx475x1414696x1 | afl8fe | 2017-09-26 07:55:34,708 | "GET /scm/exp/example.git/info/refs HTTP/1.1" | "" "git/1.8.3.msysgit.0" | 200 | 0 | 2615 | refs | 301 | - |
Environment
Bitbucket Server/DC
Cause
The bad credentials messages are normal and should be expected for every Git operation performed over HTTP protocol (this includes HTTP and HTTPS).
Git will never send a password over HTTP unless it receives a 401 status from the server explicitly asking for the password. What this means is that on the first attempt to connect to a remote repository over http(s) Git will send only the username but not the password. When Bitbucket Server intercepts this request and can't proceed because a username and password are required, it returns the HTTP status of 401 to Git. Git receives this response and then re-sends the request using the username and password that were provided. This dance between git and Bitbucket Server is usually handled in a couple of milliseconds.
Solution
There's no solution to hide or prevent these entries in the logs. The access logs are an accurate reflection of this GIT process and we don't have any means to remove these messages with the built-in functionality.
A possible workaround would be to use SSH to access GIT repos instead of HTTP since will reduce the 401 error entries in the logs.