From: Junio C Hamano <gitster@pobox.com>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Git Mailing List <git@vger.kernel.org>, ftpadmin <ftpadmin@kernel.org>
Subject: Re: Corporate firewall braindamage
Date: Thu, 10 Apr 2008 16:14:54 -0700 [thread overview]
Message-ID: <7v7if5wbdd.fsf@gitster.siamese.dyndns.org> (raw)
In-Reply-To: <47FE8277.8070503@zytor.com> (H. Peter Anvin's message of "Thu, 10 Apr 2008 14:11:19 -0700")
"H. Peter Anvin" <hpa@zytor.com> writes:
> 1. git protocol via CONNECT http proxy
>
> Connect to http proxy, and use a CONNECT method to establish a link
> to the git server, using the normal git protocol.
>
> Minor change to TCP connection setup, but no other changes needed.
> No changes on the server side.
Many firewalls will detect that CONNECT will not going to 443 and block
you, and even if you run git:// daemon on 443, they will detect that you
are not talking SSL initial exchange and shut you off.
> 2. git protocol over SSL via CONNECT http proxy
>
> Same as #1, but encapsulate the data stream in an SSL connection.
> If the git server is run on port 443, then the fact that the data
> on the SSL connection isn't actually HTTP should be invisible to the
> proxy, and thus this *should* work anywhere which allows https://
> traffic.
>
> Requires the git server to speak SSL.
Yes, perhaps putting it behind an independent ssl relay would give you a
solution without any code change.
> 3. git protocol encapsulated in HTTP POST transaction
>
> git protocol is already fundamentally a RPC protocol, where the
> client sends a query and the server responds. Furthermore, it
> tries to minimize the number of round trips (RPC calls), which is
> of course desirable.
>
> Each such RPC transaction could be formulated as an HTTP POST
> transaction.
>
> This requires modifications to both the client and the server;
> furthermore, the server can no longer rely on the invariant "one TCP
> connection == one session"; a proxy might break a single session
> into arbitrarily many TCP connections.
It would probably be a one-CS/EE-student-half-a-summer sized project to
create such a server-side support with a specialized client.
next prev parent reply other threads:[~2008-04-10 23:16 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-10 21:11 Corporate firewall braindamage H. Peter Anvin
2008-04-10 23:14 ` Junio C Hamano [this message]
2008-04-10 23:33 ` Shawn O. Pearce
2008-04-10 23:50 ` H. Peter Anvin
2008-04-11 1:03 ` H. Peter Anvin
2008-04-11 8:25 ` david
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7v7if5wbdd.fsf@gitster.siamese.dyndns.org \
--to=gitster@pobox.com \
--cc=ftpadmin@kernel.org \
--cc=git@vger.kernel.org \
--cc=hpa@zytor.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).