Pick up git-browser multiple scheme fix

[girocco.git] / html / httpspush.html

@section=site guide
@heading=How to Setup HTTPS Push
@header

<!-- This file is preprocessed by cgi/html.cgi -->

<p>The https push facility relies on user client authentication certificates to
enable pushing.  These certificates are automatically created whenever an
RSA SSH public key is included in the &#x201c;Public SSH Key(s)&#x201d; section
of the <a href="/reguser.cgi">Register user</a> page and may be downloaded
from the download link(s) shown on the user registration confirmation page
or the <a href="/edituser.cgi">Update user email/SSH Keys</a> page.</p>

<h2>Prerequisites</h2>

<p>Assuming the user login name is <tt>test</tt> and the
<a href="@@path(webadmurl)@@/@@nickname@@_root_cert.pem">root certificate</a>
has been downloaded to <tt>/tmp/@@nickname@@_root_cert.pem</tt> (see
<a href="@@path(htmlurl)@@/rootcert.html">here</a> for more information about the
<a href="@@path(webadmurl)@@/@@nickname@@_root_cert.pem">root certificate</a>),
the single RSA SSH public key from <tt>~/.ssh/id_rsa.pub</tt> has been uploaded
as the sole public key for the <tt>test</tt> user and the resulting
<tt>test</tt> user authentication certifcate has been downloaded to
<tt>/tmp/@@nickname@@_test_user_1.pem</tt>, the following
shows how to clone and then push to a <tt>mobexample.git</tt> project using
only the smart HTTP protocol.</p>

<p>A user authentication certificate may be downloaded from the
<a href="/reguser.cgi">Register user</a> confirmation page or the
<a href="/edituser.cgi">Update user email/SSH Keys</a> page.</p>

<h2>Example</h2>

<p>It&#x2019;s possible to both fetch and push over https.  It&#x2019;s also
possible to fetch over http and push over https.  There&#x2019;s an example
of each.</p>

<pre style="margin:3ex">
# the @@nickname@@ root certificate is in /tmp/@@nickname@@_root_cert.pem
# the test user certificate is in /tmp/@@nickname@@_test_user_1.pem
# the ~/.ssh/id_rsa.pub SSH public key was uploaded
# the ~/.ssh/id_rsa file is the ~/.ssh/id_rsa.pub private key

# work in /tmp
cd /tmp

# clone using http
git clone @@httppullurl@@/mobexample.git mob1

# clone using https
GIT_SSL_CAINFO=/tmp/@@nickname@@_root_cert.pem \
git clone @@httpspushurl@@/mobexample.git mob2

# configure mob1 to push over https
cd /tmp/mob1
git config http.sslCAInfo /tmp/@@nickname@@_root_cert.pem
git config http.sslCert /tmp/@@nickname@@_test_user_1.pem
git config http.sslKey ~/.ssh/id_rsa
git remote set-url --push origin @@httpspushurl@@/mobexample.git
echo mob1 >> mob1
git add mob1
git commit -m mob1
# push will fail because test does not have push permission
git push --all origin

# configure mob2 to fetch and push over https
cd /tmp/mob2
git config http.sslCAInfo /tmp/@@nickname@@_root_cert.pem
git config http.sslCert /tmp/@@nickname@@_test_user_1.pem
git config http.sslKey ~/.ssh/id_rsa
echo mob2 >> mob2
git add mob2
git commit -m mob2
# push will fail because test does not have push permission
git push --all origin
</pre>

<p>The example <tt>git push</tt> commands above will fail with a push permission
error since the test user does not have permission to push to the
<tt>mobexample.git</tt> project@@ifmob@@, but the mob user can push to the mob branch of
<tt>mobexample.git</tt> over https as detailed
<a href="@@path(htmlurl)@@/mob.html#httpsmobpush">here</a>@@end@@.

<h2>Password Caching</h2>

<p>In the above examples, if the <tt>~/.ssh/id_rsa</tt> private key is password
protected, then it&#x2019;s desirable to set <tt>http.sslCertPasswordProtected</tt>
to true like so:</p>

<pre style="margin:3ex">
# with the current directory /tmp/mob1 or /tmp/mob2
git config --bool http.sslCertPasswordProtected true
</pre>