From mboxrd@z Thu Jan 1 00:00:00 1970
From: Junio C Hamano
Subject: Re: Corporate firewall braindamage
Date: Thu, 10 Apr 2008 16:14:54 -0700
Message-ID: <7v7if5wbdd.fsf@gitster.siamese.dyndns.org>
References: <47FE8277.8070503@zytor.com>
In-Reply-To: <47FE8277.8070503@zytor.com> (H. Peter Anvin's message of "Thu, 10 Apr 2008 14:11:19 -0700")
To: "H. Peter Anvin"
Cc: Git Mailing List, ftpadmin
X-Mailing-List: git@vger.kernel.org

"H. Peter Anvin" writes:

> 1. git protocol via CONNECT http proxy
>
> Connect to http proxy, and use a CONNECT method to establish a link
> to the git server, using the normal git protocol.
>
> Minor change to TCP connection setup, but no other changes needed.
> No changes on the server side.

Many firewalls will detect that CONNECT is not going to 443 and block
you, and even if you run git:// daemon on 443, they will detect that
you are not talking SSL initial exchange and shut you off.

> 2. git protocol over SSL via CONNECT http proxy
>
> Same as #1, but encapsulate the data stream in an SSL connection.
> If the git server is run on port 443, then the fact that the data
> on the SSL connection isn't actually HTTP should be invisible to the
> proxy, and thus this *should* work anywhere which allows https://
> traffic.
>
> Requires the git server to speak SSL.

Yes, perhaps putting it behind an independent ssl relay would give you
a solution without any code change.

> 3. git protocol encapsulated in HTTP POST transaction
>
> git protocol is already fundamentally an RPC protocol, where the
> client sends a query and the server responds. Furthermore, it
> tries to minimize the number of round trips (RPC calls), which is
> of course desirable.
>
> Each such RPC transaction could be formulated as an HTTP POST
> transaction.
>
> This requires modifications to both the client and the server;
> furthermore, the server can no longer rely on the invariant "one TCP
> connection == one session"; a proxy might break a single session
> into arbitrarily many TCP connections.

It would probably be a one-CS/EE-student-half-a-summer sized project
to create such a server-side support with a specialized client.