From: "Jakub Narębski" <jnareb@gmail.com>
To: Jeff King <peff@peff.net>
Cc: Magnus Therning <magnus@therning.org>, git@vger.kernel.org
Subject: Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples
Date: Thu, 11 Apr 2013 20:27:41 +0200 [thread overview]
Message-ID: <5167009D.1050906@gmail.com> (raw)
In-Reply-To: <20130411170233.GB1255@sigill.intra.peff.net>
W dniu 11.04.2013 19:02, Jeff King napisał:
> On Thu, Apr 11, 2013 at 06:47:49PM +0200, Jakub Narębski wrote:
>> W dniu 11.04.2013 05:36, Jeff King napisał:
>>
>>> +Note that unlike the similar setup with Apache, we can easily match the
>>> +query string for receive-pack, catching the initial request from the
>>> +client. This means that the server administrator does not have to worry
>>> +about configuring `http.receivepack` for the repositories (the default
>>> +value, which enables it only in the case of authentication, is
>>> +sufficient).
>>
>> Perhaps it would be worth including for Apache2 beside basic setup that
>> requires http.receivepack set to true, also one like for LigHTTPd, i.e.
>>
>> RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
>> RewriteCond %{REQUEST_URI} /git-receive-pack$
>> RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]
[...]
>> And perhaps also adding it as test...
>
> That was the "I am not clever nor interested in Apache enough to figure
> out how to do this..." part that I wrote. I have no clue if the above
> works, but I'd be happy if you wanted to test it out and submit it as a
> patch on top (I think it could even replace my 1/2, as making it just
> work is a much better solution than having to explain the extra step in
> the documentation).
I don't know if short description of `http.receivepack`, suitable for
a reference documentation, tells a new user how to configure web server
for pushes.
With `http.receivepack` unset git (git-http-backed?) will refuse
unauthenthicated pushes but allow authenthicated ones (though it doesn't
handle authorization). This makes it easy to configure web server for
fetches (read-only) access via smart HTTP (and you can make it
bulletproof by refusing pushes at all with `http.receivepack` false,
isn't it?).
But in this case (`http.receivepack` unset - the default) web server
must be configured to request authorization for both steps of push:
requesting references (for coming up with what
repositories have in common), i.e.
GET ...?service=git-receive-pack
and actual sending of data and updating refs...
POST .../git-receive-pack
though only second part is actually writing.
With `http.receivepack` set to true git (git-http-backend?) allows
anonymous pushes, and it is responsibility of web server configuration
to deny unauthorized pushes... but it is sufficient to do it only for
writes i.e.
POST .../git-receive-pack
[Now to translate it to manpage or users-manual contents...]
P.S. Do I understand it correctly that `http.receivepack` is
three-state: true (allow all), unset (allow authenthicated) and false
(deny all)?
P.P.S. It would be better to accept both patches; I don't know when
I would be able to test Apache config; I remember that I had problems
with it...
--
Jakub Narębski
next prev parent reply other threads:[~2013-04-11 18:27 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-09 5:45 git-http-backend: anonymous read, authenticated write Magnus Therning
2013-04-09 12:24 ` Jakub Narębski
2013-04-10 20:53 ` Magnus Therning
2013-04-09 17:12 ` Jeff King
2013-04-10 20:45 ` Magnus Therning
2013-04-10 21:53 ` Jeff King
2013-04-10 21:30 ` Jakub Narębski
2013-04-10 21:47 ` Jeff King
2013-04-10 23:19 ` Magnus Therning
2013-04-11 1:56 ` Jeff King
2013-04-11 3:30 ` [PATCH 0/2] http-backend documentation examples Jeff King
2013-04-11 3:32 ` [PATCH 1/2] doc/http-backend: clarify "half-auth" repo configuration Jeff King
2013-04-11 6:57 ` Magnus Therning
2013-04-11 3:36 ` [PATCH 2/2] doc/http-backend: give some lighttpd config examples Jeff King
2013-04-11 16:47 ` Jakub Narębski
2013-04-11 17:02 ` Jeff King
2013-04-11 18:27 ` Jakub Narębski [this message]
2013-04-13 3:33 ` [PATCH 3/2] doc/http-backend: match query-string in apache half-auth example Jeff King
2013-04-13 8:52 ` Jakub Narębski
2013-04-11 6:52 ` git-http-backend: anonymous read, authenticated write Magnus Therning
2013-04-11 19:34 ` Jeff King
2013-04-12 7:22 ` Magnus Therning
2013-04-11 16:43 ` Jakub Narębski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5167009D.1050906@gmail.com \
--to=jnareb@gmail.com \
--cc=git@vger.kernel.org \
--cc=magnus@therning.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).