Git supports various protocols. One of them is called the “dumb” protocol.
This dumb protocol is based on HTTP+Webdav. There is also a smart protocol, but this one is not really HTTP compliant (it starts as HTTP for an handshake, but then switches to a custom protocol).
The dumb protocol is really handy in scenarios where you can only expose a Git repository through standard HTTP+WebDav. For instance, if you have a firewall in front of your webserver. Or if you want to implement a “fake” Git repository using a standard web framework (Django for instance).
Read-only access is really simple and elegant.
Basically, you just need a standard Git repository (bare repository, or the
.git in a non-bare one). Put it somewhere your webserver can access it. Then
git update-server-info in it, to update an index file used by Git.
And you’re done.
Git will use simple GET HTTP requests to access any file it may need.
Read-write access is much more tricky. It uses most of the methods provided by the Webdav standard (PROPFIND, PUT, MKCOL, LOCK, UNLOCK, etc). It requires locking support.
Now, while Webdav is really well documented, Git exact behavior and expectations are not. Git exact requirements are hard to find, and authentication principles are not easy to figure out.
So for anyone else who could need it, here is pcap of a simple git push, taken with Wireshark.