How can I have a remote git repo which is accessible via HTTP but only for cloning?
Maybe with the help of nginx (already running) and
NOTE: I assume that you meant anonymous read-only access; there is no way to distinguish between clone and fetch in git, I think.
Do you want to set up "smart" HTTP (recommended), or the "dumb" HTTP one?
For "dumb" HTTP it is enough to forbid (or just not set up) WebDAV - this is how pushes come with "dumb" HTTP (no git on server side).
For "smart" HTTP follow the directions for anonymous read access but authenticated write access in the git-http-backend manpage, translating them from Apache to nginx, and modifying them slightly. Note that the documentation for anonymous read but authenticated write might be incomplete, but you do not worry about authenticated write (push) access succeeding anyway, do you?
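
The "smart" HTTP setup described in the answer above, sketched as an nginx configuration; this is an added example, not part of the original post. It assumes fcgiwrap as the CGI bridge (nginx cannot run CGI programs itself), and the server name, repository root, git-http-backend path and socket path are placeholders to adjust for the local system.

```nginx
# Added example: anonymous, read-only smart HTTP via git-http-backend.
# Assumed placeholders: git.example.test, /srv/git,
# /usr/lib/git-core/git-http-backend, /run/fcgiwrap.socket.
server {
    listen 80;
    server_name git.example.test;

    # Push data is POSTed to <repo>/git-receive-pack; refuse it outright.
    # Regex locations are tried in order, so this one must come first.
    location ~ ^/git/.*/git-receive-pack$ {
        return 403;
    }

    # Everything else under /git/ is handed to git-http-backend.
    location ~ ^/git(/.*)$ {
        # Push discovery is GET <repo>/info/refs?service=git-receive-pack.
        if ($arg_service = "git-receive-pack") {
            return 403;
        }

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME     /usr/lib/git-core/git-http-backend;
        fastcgi_param GIT_PROJECT_ROOT    /srv/git;
        # Export every repository under the root, without requiring a
        # git-daemon-export-ok file in each one.
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param PATH_INFO           $1;

        # No auth_basic and no REMOTE_USER parameter: git-http-backend
        # enables receive-pack by default only for authenticated users,
        # so anonymous requests can reach upload-pack (clone/fetch) only.
        fastcgi_pass unix:/run/fcgiwrap.socket;
    }
}
```

The two `return 403` rules are a second layer on top of git-http-backend's own default; setting `http.receivepack` to `false` in each repository's config makes the refusal explicit on the git side as well.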