W dniu 11.04.2013 19:02, Jeff King napisał:
On Thu, Apr 11, 2013 at 06:47:49PM +0200, Jakub Narębski wrote:
W dniu 11.04.2013 05:36, Jeff King napisał:
+Note that unlike the similar setup with Apache, we can easily match the
+query string for receive-pack, catching the initial request from the
+client. This means that the server administrator does not have to worry
+about configuring `http.receivepack` for the repositories (the default
+value, which enables it only in the case of authentication, is
+sufficient).
Perhaps it would be worth including for Apache2 beside basic setup that
requires http.receivepack set to true, also one like for LigHTTPd, i.e.
RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
RewriteCond %{REQUEST_URI} /git-receive-pack$
RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]
[...]
And perhaps also adding it as test...
That was the I am not clever nor interested in Apache enough to figure
out how to do this... part that I wrote. I have no clue if the above
works, but I'd be happy if you wanted to test it out and submit it as a
patch on top (I think it could even replace my 1/2, as making it just
work is a much better solution than having to explain the extra step in
the documentation).
I don't know if short description of `http.receivepack`, suitable for
a reference documentation, tells a new user how to configure web server
for pushes.
With `http.receivepack` unset git (git-http-backed?) will refuse
unauthenthicated pushes but allow authenthicated ones (though it doesn't
handle authorization). This makes it easy to configure web server for
fetches (read-only) access via smart HTTP (and you can make it
bulletproof by refusing pushes at all with `http.receivepack` false,
isn't it?).
But in this case (`http.receivepack` unset - the default) web server
must be configured to request authorization for both steps of push:
requesting references (for coming up with what
repositories have in common), i.e.
GET ...?service=git-receive-pack
and actual sending of data and updating refs...
POST .../git-receive-pack
though only second part is actually writing.
With `http.receivepack` set to true git (git-http-backend?) allows
anonymous pushes, and it is responsibility of web server configuration
to deny unauthorized pushes... but it is sufficient to do it only for
writes i.e.
POST .../git-receive-pack
[Now to translate it to manpage or users-manual contents...]
P.S. Do I understand it correctly that `http.receivepack` is
three-state: true (allow all), unset (allow authenthicated) and false
(deny all)?
P.P.S. It would be better to accept both patches; I don't know when
I would be able to test Apache config; I remember that I had problems
with it...
--
Jakub Narębski
--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html