RFC: allowing HTTP push on a shared host
Alexis S. L. Carvalho
alexis at cecm.usp.br
Wed Nov 22 20:34:01 UTC 2006
Thus spake Corey Bordelon:
> I'm trying to set up a way for me to allow friends to push their
> changes over HTTP to my website on a shared host. I can't use HTTPS.
> I still want the repositories to be viewable when going to a public
> address. Here are the scenarios I am considering using with questions
> that accompany the setup: (Please tell me which one would be the
> better choice)
>
> * Setting allow_push = *, push_ssl = false and not worry about
> security. (not an option)
Well, if you can't use SSL, the passwords will have to be sent in clear
text...
> * Set up 1 hgwebdir setup, w/ authentication in a htaccess/htpasswd
> file ( http://httpd.apache.org/docs/2.0/howto/auth.html ). But place
> the Require statement in a Limit statement (
> http://httpd.apache.org/docs/2.0/mod/core.html#limit ), and limit it
> to whatever HTTP method is used during a "hg push" operation.
>
> QUESTION: What HTTP methods are used when Mercurial pushes to an HTTP
> repo? I couldn't find it out by looking at httprangereader.py and
> httprepo.py.
GET for the "figure out what needs to be sent" stage (which is pretty
much the same as the "figure out what needs to be downloaded" stage for
pull). These are all read-only operations.
POST for actually sending the data.
> * Set up 2 hgwebdir setups, one as public repositories without
> authentication, and another that has the private repositories w/
> authentication in a htaccess/htpasswd file. QUESTION: Is there a way
> to make some script automatically push the new changesets in the
> private version to the public version? I'm thinking something to do
> with the hooks, but I don't know which one, and if it gets executed
> when run as an http repo.
No hooks needed - just serve the same repo from the two scripts. Since
the public hgwebdir is not protected by a .htaccess file, it won't get a
REMOTE_USER environment variable, and so it will deny all push attempts
(assuming you don't have an allow_push = *, of course).
This works here with Apache 2.0, but you may want to double-check that
your web server really does not add a REMOTE_USER variable if there's no
.htaccess. Notice that many web clients (including wget and the Python
implementation used by Mercurial) will only send the username/password
if the server has denied access without them (which means you can't test
this by just trying to hg push). I'd suggest curl as the client and
something like this in a CGI script:
---
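#!/usr/bin/env python
import os

# CGI response headers, then the blank line that ends them
print('Content-Type: text/plain\r')
print('\r')

# The web server sets REMOTE_USER only after it has authenticated the request
user = os.getenv("REMOTE_USER")
if user is None:
    print('REMOTE_USER is not set')
else:
    print('REMOTE_USER="%s"' % user)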
---
Alexis
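
The challenge-then-retry behaviour mentioned in the reply, as an added example that is not part of the original mail: a stand-in server built on Python's http.server challenges only POST, the way a Require inside `<Limit POST>` would, and Python 3's urllib plays the client. The handler, realm, user name and password are constructed for illustration.

```python
import base64
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = []  # one (method, user) entry per request the server receives

class Handler(BaseHTTPRequestHandler):
    def remote_user(self):  # stand-in for Apache's REMOTE_USER; password not checked
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return None
        # Basic credentials are only base64-encoded, hence clear text over HTTP.
        return base64.b64decode(header[6:]).decode().split(":", 1)[0]

    def reply(self, code, challenge=False):
        self.send_response(code)
        if challenge:
            self.send_header("WWW-Authenticate", 'Basic realm="hg"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):  # outside <Limit POST>: never challenged
        SEEN.append(("GET", self.remote_user()))
        self.reply(200)

    def do_POST(self):  # inside <Limit POST>: credentials required
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        user = self.remote_user()
        SEEN.append(("POST", user))
        self.reply(401 if user is None else 200, challenge=user is None)

def run_demo():
    del SEEN[:]
    with HTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = "http://127.0.0.1:%d/" % server.server_port
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, url, "friend", "constructed-password")
        opener = urllib.request.build_opener(
            urllib.request.ProxyHandler({}),  # ignore proxy environment variables
            urllib.request.HTTPBasicAuthHandler(mgr))
        opener.open(url).close()                  # read-only stage: GET
        opener.open(url, data=b"bundle").close()  # sending data: POST
        server.shutdown()
    return list(SEEN)

if __name__ == "__main__":
    print(run_demo())
```

The GET arrives without a user even though the client holds credentials, and the POST arrives twice: once anonymous, then again with the user after the 401.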