Today i’ve successfully managed to run a hgwebdir istance which is able to allow pull, push and web browsing of multiple mercurial istances. Here is what i did.
First of all install the mercurial package via aptitude which will give you a working hgwebdir.wsgi file. Grab the hgwebdir.wsgi from /usr/share/doc/mercurial/examples/hgwebdir.wsgi and put it in /var/www/hg (i’ve used /var/www/hg.vincenzo-ampolo.net on in whatever directory you want to expose with apache. Then edit hgwebdir.wsgi and put an absolute pathname for the configuration file. Despite about relative paths, they didn’t work for me in this case. Last line of that file should look like:

application = hgwebdir('/var/www/hg.vincenzo-ampolo.net/hgweb.config')

Now let’s configure hgwebdir using the file /var/www/hg.vincenzo-ampolo.net/hgweb.config:

[web]
allow_archive = gz, zip, bz2
style = coal
allow_push = *
push_ssl = false


[collections]
/var/repositories = /var/repositories

I’m using /var/repositories as a directory for my repositories, using the coal style and allowing push to everyone (allow_push = *) and accept push even without ssl (push_ssl = false). Don’t worry, i’m not opening my repo to anyone, i’ll use apache to handle authentication and to decide who could push and who couldn’t. Last file to modify is the apache configuration which makes a “glue” between hgwebdir and apache. I’ve used virtualhosts which are the common way to host multiple sites in apache.

<VirtualHost *:80>
    ServerName hg.vincenzo-ampolo.net

    WSGIScriptAliasMatch ^(.*)$ /var/www/hg.vincenzo-ampolo.net/hgwebdir.wsgi$1

    # To enable "daemon" mode, uncomment following lines. (Read mod_wsgi docs for more info)
    # WSGIDaemonProcess hg.example.net user=USER group=GROUP threads=15 maximum-requests=1000
    # some more interesting options (tested on mod_wsgi 2.0):
    # processes=2 umask=0007 display-name=wsgi-hg.example.net inactivity-timeout=300
    # WSGIProcessGroup hg.example.net

    <Directory /var/www/hg.vincenzo-ampolo.net/>
        Options ExecCGI FollowSymlinks

        AddHandler wsgi-script .wsgi

        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Location />
    AuthType Basic
    AuthName "Mercurial repositories"
    AuthUserFile /var/www/trac.vincenzo-ampolo.net/.htpasswd
    Require valid-user
    </Location>
</VirtualHost>

The Location directive handles the authentication. It’s a quite restrictive configuration which uses the same .htpasswd of my trac istance and needs authentication also to look at the repo. I’m hosting a company’s source code but even if it’s gpl3 there are some keys and passwords hardcoded in it, so for now the code is keept secret. Maybe you don’t want this feature, but you want to be able to make the repo world readable but allow pushing only to some people. To do so you should change the Location:

<Location />
    AuthType Basic
    AuthName "Mercurial repositories"
    AuthUserFile /var/www/trac.vincenzo-ampolo.net/.htpasswd
    <LimitExcept GET>
        Require valid-user
    </LimitExcept>
</Location>

This will request authentication to make a push only. I also suggest you to run this all on port 443 so ssl will be enabled and password will be safe across the network. To so so, configure properly your apache and then modify the virtualhost field so you accept https only. ( instead of ).