3

Basically, how do I do it in Mercurial Repository?

Currently I've configured the Location in Apache to require SSL, use basic auth, and require valid-user. That's a bit much, as I want to allow anonymous pull, just require basic auth for the pushers — right now user/password are required to simply view the repository in a web browser. I'd like to require SSL at all times, and don't really want to host the same repository twice (to have a different Location for the pull-only, and another for the verified push).

masegaloeh
user9748

3 Answers

4

Ches Martin has a nice blog with details of how he set up Mercurial, complete with what you are asking.

<LimitExcept GET>
  require valid-user
</LimitExcept>

This snippet from an Apache config is part of what is needed to allow anonymous pull (or browsing if published via hgweb) but still require a pass for push.

Martin Geisler
aussielunix
2

What you are looking for may be the LimitExcept directive of Apache. Something like:

<LimitExcept GET>
  Require valid-user
</LimitExcept>

So that a user/pass will be needed for anything other than a GET request. But I don't know Mercurial and don't know how hg push is done. If it is a POST request, it will be OK, but it may be that POST is also required to pull.

Martin Geisler
radius
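The `LimitExcept` snippet from the two answers above, placed in a complete HTTPS-only Location next to the all-authenticated setup the question describes. This is an added example, not code from the original posts or from the blog mentioned; the `/hg` path, the realm name, the htpasswd path and the user name `alice` are assumptions.

```apache
# Added example; /hg, the realm name, the htpasswd path and "alice"
# are assumptions, not values from the original posts.

# Before: every request, including browsing and pull, needs credentials.
# <Location /hg>
#     SSLRequireSSL
#     AuthType Basic
#     AuthName "Mercurial"
#     AuthUserFile /etc/apache2/hg.htpasswd
#     Require valid-user
# </Location>

# After: one Location, one copy of the repository, login only for non-GET.
<Location /hg>
    # Refuse any request that did not arrive over SSL/TLS.
    SSLRequireSSL

    AuthType Basic
    AuthName "Mercurial"
    AuthUserFile /etc/apache2/hg.htpasswd

    # GET (Apache treats HEAD as part of GET here) stays anonymous;
    # POST and every other method require a valid login.
    <LimitExcept GET>
        Require valid-user
    </LimitExcept>
</Location>

# hgweb applies its own push check on top of this, using the user name
# Apache authenticated. In the repository's .hg/hgrc:
#   [web]
#   allow_push = alice
#   push_ssl = true
```

To settle the open question about which methods pull and push use with your Mercurial version, run an anonymous `hg pull` and an authenticated `hg push` against the server and compare the request methods recorded in the Apache access log.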
0

You're making your problem a lot harder by requiring SSL for the anonymous pull, and I have no idea what you're aiming for by doing so. If anyone can pull without authentication, anyone can see all of the data just by asking, making sniffing the wire completely redundant, so there's no point in encrypting it.

I strongly recommend taking the simpler route of putting your anonymous distribution on http, and saving https for pushes.

Zed
  • 1
    The whole subdomain is https only - there are other repositories and information that require authorized users + ssl. We decided to deny plain http so that there wouldn't be any confusion or security holes. – user9748 Jul 05 '09 at 17:28