Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples

2013-04-11 Thread Jakub Narębski
On 11.04.2013 05:36, Jeff King wrote:

 +Note that unlike the similar setup with Apache, we can easily match the
 +query string for receive-pack, catching the initial request from the
 +client. This means that the server administrator does not have to worry
 +about configuring `http.receivepack` for the repositories (the default
 +value, which enables it only in the case of authentication, is
 +sufficient).

Perhaps it would be worth including for Apache2 beside basic setup that
requires http.receivepack set to true, also one like for LigHTTPd, i.e.

  RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
  RewriteCond %{REQUEST_URI} /git-receive-pack$
  RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]

  <Location /gitweb/>
  Order Deny,Allow
  Deny from env=AUTHREQUIRED

  AuthType Basic
  AuthName "Git Access"
  Require group committers

  Satisfy Any
  </Location>

And perhaps also adding it as test...
-- 
Jakub Narębski
--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples

2013-04-11 Thread Jeff King
On Thu, Apr 11, 2013 at 06:47:49PM +0200, Jakub Narębski wrote:

 On 11.04.2013 05:36, Jeff King wrote:
 
  +Note that unlike the similar setup with Apache, we can easily match the
  +query string for receive-pack, catching the initial request from the
  +client. This means that the server administrator does not have to worry
  +about configuring `http.receivepack` for the repositories (the default
  +value, which enables it only in the case of authentication, is
  +sufficient).
 
 Perhaps it would be worth including for Apache2 beside basic setup that
 requires http.receivepack set to true, also one like for LigHTTPd, i.e.
 
   RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
   RewriteCond %{REQUEST_URI} /git-receive-pack$
   RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]
 
   <Location /gitweb/>
   Order Deny,Allow
   Deny from env=AUTHREQUIRED
 
   AuthType Basic
   AuthName "Git Access"
   Require group committers
 
   Satisfy Any
   </Location>
 
 And perhaps also adding it as test...

That was the "I am not clever nor interested in Apache enough to figure
out how to do this..." part that I wrote. I have no clue if the above
works, but I'd be happy if you wanted to test it out and submit it as a
patch on top (I think it could even replace my 1/2, as making it just
work is a much better solution than having to explain the extra step in
the documentation).

-Peff

 -- 
 Jakub Narębski


Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples

2013-04-11 Thread Jakub Narębski
On 11.04.2013 19:02, Jeff King wrote:
 On Thu, Apr 11, 2013 at 06:47:49PM +0200, Jakub Narębski wrote:
 On 11.04.2013 05:36, Jeff King wrote:

 +Note that unlike the similar setup with Apache, we can easily match the
 +query string for receive-pack, catching the initial request from the
 +client. This means that the server administrator does not have to worry
 +about configuring `http.receivepack` for the repositories (the default
 +value, which enables it only in the case of authentication, is
 +sufficient).

 Perhaps it would be worth including for Apache2 beside basic setup that
 requires http.receivepack set to true, also one like for LigHTTPd, i.e.

   RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
   RewriteCond %{REQUEST_URI} /git-receive-pack$
   RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]
[...]
 And perhaps also adding it as test...
 
 That was the "I am not clever nor interested in Apache enough to figure
 out how to do this..." part that I wrote. I have no clue if the above
 works, but I'd be happy if you wanted to test it out and submit it as a
 patch on top (I think it could even replace my 1/2, as making it just
 work is a much better solution than having to explain the extra step in
 the documentation).

I don't know if short description of `http.receivepack`, suitable for
a reference documentation, tells a new user how to configure web server
for pushes.


With `http.receivepack` unset git (git-http-backend?) will refuse
unauthenticated pushes but allow authenticated ones (though it doesn't
handle authorization).  This makes it easy to configure web server for
fetches (read-only) access via smart HTTP (and you can make it
bulletproof by refusing pushes at all with `http.receivepack` false,
isn't it?).

But in this case (`http.receivepack` unset - the default) web server
must be configured to request authorization for both steps of push:
requesting references (for coming up with what
repositories have in common), i.e.

  GET ...?service=git-receive-pack

and actual sending of data and updating refs...

  POST .../git-receive-pack

though only second part is actually writing.


With `http.receivepack` set to true git (git-http-backend?) allows
anonymous pushes, and it is responsibility of web server configuration
to deny unauthorized pushes... but it is sufficient to do it only for
writes i.e.

  POST .../git-receive-pack


[Now to translate it to manpage or users-manual contents...]

P.S. Do I understand it correctly that `http.receivepack` is
three-state: true (allow all), unset (allow authenticated) and false
(deny all)?

P.P.S. It would be better to accept both patches; I don't know when
I would be able to test Apache config; I remember that I had problems
with it...
-- 
Jakub Narębski
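
The two push requests described in the message above, turned into an access-log check, as an added example that is not part of the original thread: it flags any receive-pack request that succeeded without an authenticated user. The log lines are constructed samples in Common Log Format, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: host ident authuser [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def push_step(method, target):
    """Classify a request as one of the two push steps, or None."""
    parts = urlsplit(target)
    services = parse_qs(parts.query).get("service", [])
    if method == "GET" and "git-receive-pack" in services:
        return "advertise"          # GET ...?service=git-receive-pack
    if method == "POST" and parts.path.endswith("/git-receive-pack"):
        return "write"              # POST .../git-receive-pack
    return None

def unauthenticated_pushes(lines):
    """Return (step, host, target) for push requests served 2xx with no user."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not in the expected format
        step = push_step(m["method"], m["target"])
        if step and m["user"] == "-" and m["status"].startswith("2"):
            findings.append((step, m["host"], m["target"]))
    return findings

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Apr/2013:19:02:00 +0200] "GET /git/repo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 312',
    '192.0.2.10 - - [11/Apr/2013:19:03:00 +0200] "GET /git/repo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 0',
    '192.0.2.10 - alice [11/Apr/2013:19:03:05 +0200] "GET /git/repo.git/info/refs?service=git-receive-pack HTTP/1.1" 200 180',
    '192.0.2.10 - alice [11/Apr/2013:19:03:06 +0200] "POST /git/repo.git/git-receive-pack HTTP/1.1" 200 64',
    '198.51.100.7 - - [11/Apr/2013:19:10:00 +0200] "POST /git/open.git/git-receive-pack HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for finding in unauthenticated_pushes(SAMPLE_LOG):
        print("unauthenticated push step:", *finding)
```

Only the last sample line is reported: a write step answered with 200 and no user, which is what a repository with `http.receivepack` set to true looks like when the web server does not protect the POST.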


[PATCH 2/2] doc/http-backend: give some lighttpd config examples

2013-04-10 Thread Jeff King
The examples in the documentation are all for Apache. Let's
at least cover the basics: an anonymous server, an
authenticated server, and a half auth server with
anonymous read and authenticated write.

Signed-off-by: Jeff King p...@peff.net
---
I am by no means a lighttpd expert, so there may be better ways to do
some of these. But I did test that they all work as expected.

I was tempted for a moment to provide a mechanism for the t55* tests to
use either lighttpd _or_ apache, so that these could get some automated
testing. But I don't relish the thought of trying to keep both configs
synchronized as people update one or the other.

There are also some advanced setups in the apache part of the doc that I
didn't translate here (e.g., dumb-http fallback, and static serving of
dumb-http files). Mostly because I don't think they are that commonly
used these days, and I do not know enough about lighttpd configuration
to translate them easily. If somebody wants to make a patch on top, they
can.

 Documentation/git-http-backend.txt | 55 ++
 1 file changed, 55 insertions(+)

diff --git a/Documentation/git-http-backend.txt 
b/Documentation/git-http-backend.txt
index f43980f..cad18ce 100644
--- a/Documentation/git-http-backend.txt
+++ b/Documentation/git-http-backend.txt
@@ -167,6 +167,61 @@ ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
 ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
 
 
+Lighttpd::
+   Ensure that `mod_cgi`, `mod_alias, `mod_auth`, `mod_setenv` are
+   loaded, then set `GIT_PROJECT_ROOT` appropriately and redirect
+   all requests to the CGI:
++
+
+alias.url += ( /git = /usr/lib/git-core/git-http-backend )
+$HTTP[url] =~ ^/git {
+   cgi.assign = ( = )
+   setenv.add-environment = (
+   GIT_PROJECT_ROOT = /var/www/git,
+   GIT_HTTP_EXPORT_ALL = 
+   )
+}
+
++
+To enable anonymous read access but authenticated write access:
++
+
+$HTTP[querystring] =~ service=git-receive-pack {
+   include git-auth.conf
+}
+$HTTP[url] =~ ^/git/.*/git-receive-pack$ {
+   include git-auth.conf
+}
+
++
+where `git-auth.conf` looks something like:
++
+
+auth.require = (
+   / = (
+   method = basic,
+   realm = Git Access,
+   require = valid-user
+  )
+)
+# ...and set up auth.backend here
+
++
+Note that unlike the similar setup with Apache, we can easily match the
+query string for receive-pack, catching the initial request from the
+client. This means that the server administrator does not have to worry
+about configuring `http.receivepack` for the repositories (the default
+value, which enables it only in the case of authentication, is
+sufficient).
++
+To require authentication for both reads and writes:
++
+
+$HTTP[url] =~ ^/git/private {
+   include git-auth.conf
+}
+
+
 
 ENVIRONMENT
 ---
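Review bot: In the sentence beginning "Ensure that", `mod_alias is missing its closing backtick, so the module list will not render as intended; it should read `mod_alias`. The git-auth.conf example ends with "# ...and set up auth.backend here", which leaves readers without a working authentication setup; a minimal backend example or a pointer to the lighttpd auth documentation would make the block usable as written. It would also help for the "Note that unlike" paragraph to say that both conditionals are needed, the query-string match for the initial request and the URL match for the /git-receive-pack request itself, so that nobody drops one of them when adapting the example.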
-- 
1.8.2.rc0.33.gd915649