docs: add mTLS setup tutorial

Add a tutorial detailing how to set up an mTLS-authenticated bundle server.
Include a link to the 'docs/tutorials' directory in the repository root
'README.md' to clearly guide users to those resources.

Signed-off-by: Victoria Dye <[email protected]>

Author: vdye

README.md

@@ -152,6 +152,11 @@ server, you can manage the web server process itself using these commands:
 Finally, if you want to run the web server process directly in your terminal,
 for debugging purposes, then you can run `git-bundle-web-server`.
 
+### Additional resources
+
+Detailed guides to more complex administration tasks or user workflows can be
+found in the [`docs/tutorials`](./docs/tutorials/) directory of this repository.
+
 ## Local development
 
 ### Building

docs/tutorials/README.md

@@ -0,0 +1,4 @@
+# Tutorials
+
+This directory contains a series of in-depth tutorials regarding administration
+and usage of the bundle server.

docs/tutorials/mtls.md

@@ -0,0 +1,122 @@
+# Configuring mTLS authentication for the web server
+
+[Mutual TLS (mTLS)][mtls] is a mechanism for mutual authentication between a server and
+client. Configuring mTLS for a bundle server allows a server maintainer to limit
+bundle server access to only the users that have been provided with a valid
+certificate and establishes confidence that users are interacting with a valid
+bundle server.
+
+[mtls]: https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/
+
+## Creating certificates
+
+mTLS connections involve the verification of two X.509 certificates: one from
+the server, the other from the client. These certificates may be "self-signed",
+or issued by a separate certificate authority; either will work with the bundle
+server.
+
+For both the server and client(s), both a public certificate (`.pem` file) and a
+private key must be generated. Self-signed pairs can easily be generated with
+OpenSSL; for example:
+
+```bash
+openssl req -x509 -newkey rsa:4096 -days 365 -keyout cert.key -out cert.pem
+```
+
+The above command will prompt the user to create a password for the 4096-bit RSA
+private key stored in `cert.key` (for no password, use the `-nodes` option),
+then fill in certificate metadata including locality information, company, etc.
+The resulting certificate - stored in `cert.pem` - will be valid for 365 days.
+
+> :rotating_light: If the "Common Name" of the server certificate does not match
+> the bundle web server hostname (e.g. `localhost`), connections to the web
+> server may fail.
+
+If instead generating a certificate signed by a certificate authority (which can
+itself be a self-signed certificate), a private key and _certificate signing
+request_ must first be generated:
+
+```bash
+openssl req -new -newkey rsa:4096 -days 365 -keyout cert.key -out cert.csr
+```
+
+The user will be prompted to fill in the same certificate metadata (`-nodes` can
+again be used to skip the password requirement on the private key). Once the
+request is generated (in `cert.csr`), the request can be signed with the CA (in
+the following example, with public certificate `ca.pem` and private key
+`ca.key`):
+
+```bash
+openssl x509 -req -in cert.csr -CA ca.pem -CAkey ca.key -out cert.pem
+```
+
+This generates the CA-signed certificate `cert.pem`.
+
+## Configuring the web server
+
+To configure the web server, three files are needed:
+
+- If using self-signed client certificate(s), the client certificate `.pem`
+  (which may contain one or multiple client certificates concatenated together)
+  _or_ the certificate authority `.pem` used to sign client certificate(s). In
+  the example below, this is `ca.pem`.
+- The server `.pem` certificate file. In the example below, this is `server.pem`.
+- The server private key file. In the example below, this is `server.key`.
+
+The bundle server can then be configured with the `web-server` command to run in
+the background:
+
+```bash
+git-bundle-server web-server start --force --port 443 --cert server.pem --key server.key --client-ca ca.pem
+```
+
+Alternatively, the web server can be started directly:
+
+```bash
+git-bundle-web-server --port 443 --cert server.pem --key server.key --client-ca ca.pem
+```
+
+If the contents of any of the certificate or key files change, the web server
+process must be restarted. To reload the background web server daemon, run
+`git-bundle-server web-server stop` followed by `git-bundle-server web-server
+start`.
+
+## Configuring Git
+
+If cloning or fetching from the bundle server via Git, the client needs to be
+configured to both verify the server certificate and send the appropriate client
+certificate information. This configuration can be applied using environment
+variables or `.gitconfig` values. The required configuration is as follows:
+
+| Config (Environment) | Value |
+| --- | --- |
+| [`http.sslVerify`][sslVerify] (`GIT_SSL_NO_VERIFY`) | `true` for config, `false` for environment var. |
+| [`http.sslCert`][sslCert] (`GIT_SSL_CERT`) | Path to the `client.pem` public cert file. |
+| [`http.sslKey`][sslKey] (`GIT_SSL_KEY`) | Path to the `client.key` private key file. |
+| [`http.sslCertPasswordProtected`][sslKeyPassword] (`GIT_SSL_CERT_PASSWORD_PROTECTED`) | `true` |
+| [`http.sslCAInfo`][sslCAInfo] (`GIT_SSL_CAINFO`) | Path to the certificate authority file, including the server self-signed cert _or_ CA.[^1] |
+| [`http.sslCAPath`][sslCAPath] (`GIT_SSL_CAPATH`) | Path to the directory containing certificate authority files, including the server self-signed cert _or_ CA.[^1] |
+
+Configuring the certificate authority information, in particular, can be tricky.
+Git does not have separate `http` configurations for clones/fetches vs. bundle
+URIs; both will use the same settings. As a result, if cloning via HTTP(S) with
+a bundle URI, users will need to _add_ the custom bundle server CA to the system
+store. The process for adding to the system certificate authorities are
+platform-dependent; for example, Ubuntu uses the
+[`update-ca-certificates`][update-ca-certificates] command.
+
+To avoid needing to add the bundle server CA to the trusted CA store, users can
+instead choose to clone via SSH. In that case, only the bundle URI will use the
+`http` settings, so `http.sslCAInfo` can point directly to the standalone server
+CA.
+
+[sslVerify]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpsslVerify
+[sslCert]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpsslCert
+[sslKey]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpsslKey
+[sslKeyPassword]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpsslCertPasswordProtected
+[sslCAInfo]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpsslCAInfo
+[sslCAPath]: https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpsslCAPath
+[update-ca-certificates]: https://manpages.ubuntu.com/manpages/xenial/man8/update-ca-certificates.8.html
+
+[^1]: These settings are passed to cURL internally, setting `CURLOPT_CAINFO` and
+    `CURLOPT_CAPATH` respectively.