Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples

["Jakub Narębski" <jnareb@gmail.com>]

W dniu 11.04.2013 19:02, Jeff King napisał:
> On Thu, Apr 11, 2013 at 06:47:49PM +0200, Jakub Narębski wrote:
>> W dniu 11.04.2013 05:36, Jeff King napisał:
>>
>>> +Note that unlike the similar setup with Apache, we can easily match the
>>> +query string for receive-pack, catching the initial request from the
>>> +client. This means that the server administrator does not have to worry
>>> +about configuring `http.receivepack` for the repositories (the default
>>> +value, which enables it only in the case of authentication, is
>>> +sufficient).
>>
>> Perhaps it would be worth including for Apache2 beside basic setup that
>> requires http.receivepack set to true, also one like for LigHTTPd, i.e.
>>
>>   RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
>>   RewriteCond %{REQUEST_URI} /git-receive-pack$
>>   RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]
[...]
>> And perhaps also adding it as test...
> 
> That was the "I am not clever nor interested in Apache enough to figure
> out how to do this..." part that I wrote. I have no clue if the above
> works, but I'd be happy if you wanted to test it out and submit it as a
> patch on top (I think it could even replace my 1/2, as making it just
> work is a much better solution than having to explain the extra step in
> the documentation).

I don't know if short description of `http.receivepack`, suitable for
a reference documentation, tells a new user how to configure web server
for pushes.


With `http.receivepack` unset git (git-http-backed?) will refuse
unauthenthicated pushes but allow authenthicated ones (though it doesn't
handle authorization).  This makes it easy to configure web server for
fetches (read-only) access via smart HTTP (and you can make it
bulletproof by refusing pushes at all with `http.receivepack` false,
isn't it?).

But in this case (`http.receivepack` unset - the default) web server
must be configured to request authorization for both steps of push:
requesting references (for coming up with what
repositories have in common), i.e.

  GET ...?service=git-receive-pack

and actual sending of data and updating refs...

  POST .../git-receive-pack

though only second part is actually writing.


With `http.receivepack` set to true git (git-http-backend?) allows
anonymous pushes, and it is responsibility of web server configuration
to deny unauthorized pushes... but it is sufficient to do it only for
writes i.e.

  POST .../git-receive-pack


[Now to translate it to manpage or users-manual contents...]

P.S. Do I understand it correctly that `http.receivepack` is
three-state: true (allow all), unset (allow authenthicated) and false
(deny all)?

P.P.S. It would be better to accept both patches; I don't know when
I would be able to test Apache config; I remember that I had problems
with it...
-- 
Jakub Narębski