From: Junio C Hamano <gitster@pobox.com>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Git Mailing List <git@vger.kernel.org>, ftpadmin <ftpadmin@kernel.org>
Subject: Re: Corporate firewall braindamage
Date: Thu, 10 Apr 2008 16:14:54 -0700 [thread overview]
Message-ID: <7v7if5wbdd.fsf@gitster.siamese.dyndns.org> (raw)
In-Reply-To: <47FE8277.8070503@zytor.com> (H. Peter Anvin's message of "Thu, 10 Apr 2008 14:11:19 -0700")
"H. Peter Anvin" <hpa@zytor.com> writes:
> 1. git protocol via CONNECT http proxy
>
> Connect to http proxy, and use a CONNECT method to establish a link
> to the git server, using the normal git protocol.
>
> Minor change to TCP connection setup, but no other changes needed.
> No changes on the server side.
Many firewalls will detect that CONNECT will not going to 443 and block
you, and even if you run git:// daemon on 443, they will detect that you
are not talking SSL initial exchange and shut you off.
> 2. git protocol over SSL via CONNECT http proxy
>
> Same as #1, but encapsulate the data stream in an SSL connection.
> If the git server is run on port 443, then the fact that the data
> on the SSL connection isn't actually HTTP should be invisible to the
> proxy, and thus this *should* work anywhere which allows https://
> traffic.
>
> Requires the git server to speak SSL.
Yes, perhaps putting it behind an independent ssl relay would give you a
solution without any code change.
> 3. git protocol encapsulated in HTTP POST transaction
>
> git protocol is already fundamentally a RPC protocol, where the
> client sends a query and the server responds. Furthermore, it
> tries to minimize the number of round trips (RPC calls), which is
> of course desirable.
>
> Each such RPC transaction could be formulated as an HTTP POST
> transaction.
>
> This requires modifications to both the client and the server;
> furthermore, the server can no longer rely on the invariant "one TCP
> connection == one session"; a proxy might break a single session
> into arbitrarily many TCP connections.
It would probably be a one-CS/EE-student-half-a-summer sized project to
create such a server-side support with a specialized client.
next prev parent reply other threads:[~2008-04-10 23:16 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-10 21:11 Corporate firewall braindamage H. Peter Anvin
2008-04-10 23:14 ` Junio C Hamano [this message]
2008-04-10 23:33 ` Shawn O. Pearce
2008-04-10 23:50 ` H. Peter Anvin
2008-04-11 1:03 ` H. Peter Anvin
2008-04-11 8:25 ` david
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7v7if5wbdd.fsf@gitster.siamese.dyndns.org \
--to=gitster@pobox.com \
--cc=ftpadmin@kernel.org \
--cc=git@vger.kernel.org \
--cc=hpa@zytor.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.