chrootsetup_linux.sh: include libnss_files.so* in chroot
[girocco.git] / apache.conf.in
blob542060c48de7be677b37bfa57bbdcb0497ceb107
1 ##  To convert this file to apache.conf using the current Girocco::Config
2 ##  values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11         ServerName @@httpdnsname@@
12         ServerAlias www.@@httpdnsname@@
13         ServerAdmin @@admin@@
15         # This is the standard "combined" log format modified as follows:
16         #    the REMOTE_USER (%u) has double-quotes around it
17         #    the received time is shown as [YYYY-mm-dd_HH:MM:SS +hhmm] (almost RFC 3339 format)
18         #        -- this is one character shorter than the default but sorts so much better
19         #    when the logio_module is present (almost always) the %O value is prefixed with:
20         #        %I->  -- <bytes-received-including-request-and-headers>
21         #    the first line of the request ("%r") is prefixed with
22         #        %X%k: -- <connection-status><keepalive-request-num>
23         #                 <keepalive-request-num> will be omitted if apache < 2.2.11
24         #    these fields are added to the end:
25         #        :%{local}p   -- :<actual-server-port>
26         #        %Dus         -- <request-time-in-microseconds>
27         #        "%o{Content-Range}" -- <outgoing Content-Range header>
28         <IfVersion >= 2.2.11>
29         LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X%k:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
30         </IfVersion>
31         <IfVersion !>= 2.2.11>
32         LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
33         </IfVersion>
34         <IfModule logio_module>
35                 # %I and %O are only available with the logio_module
36                 <IfVersion >= 2.2.11>
37                 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X%k:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
38                 </IfVersion>
39                 <IfVersion !>= 2.2.11>
40                 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
41                 </IfVersion>
42         </IfModule>
44         # If your distribution does not set APACHE_LOG_DIR before
45         # starting Apache you will need to edit the next two directives
46         ErrorLog "${APACHE_LOG_DIR}/@@nickname@@-error.log"
47         CustomLog "${APACHE_LOG_DIR}/@@nickname@@-access.log" girocco
49         <IfModule mime_magic_module>
50                 # Avoid spurious Content-Type values when git-http-backend
51                 # fails to provide a Content-Type header in its output
52                 MimeMagicFile /dev/null
53         </IfModule>
55         DocumentRoot @@webroot@@
56         <Directory @@webroot@@>
57                 # Add MultiViews only if pages are truly
58                 # offered in more than a single language
59                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
60                 Options FollowSymLinks
61                 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
62                 AllowOverride All
63                 <IfVersion < 2.3>
64                 Order allow,deny
65                 Allow from all
66                 Satisfy all
67                 </IfVersion>
68                 <IfVersion >= 2.3>
69                 Require all granted
70                 </IfVersion>
71                 DirectoryIndex w
72         </Directory>
74         # The non-mod_rewrite items are handled first where the magic /[bchrw]
75         # prefix always forces selection of the prefix-indicated cgi handler.
77         ScriptAlias /w @@cgiroot@@/gitweb.cgi
78         ScriptAlias /b @@cgiroot@@/bundles.cgi
79         AliasMatch ^/h/(.*\.html)$ @@cgiroot@@/html/$1
80         ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
82         # Any requests without the magic /[bchrw] are treated as Git requests if they
83         # are one of the few possible Git URLs otherwise they go to bundles or gitweb
85         # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
86         # change whether or not non-smart HTTP fetch access will be allowed.
88         <IfDefine !@@SmartHTTPOnly@@>
89         # This accelerates non-smart HTTP access to loose objects, packs and info
90         AliasMatch \
91                 "(?x)^/(?![bchw]/)(?:r/)? \
92                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
93                         HEAD | \
94                         objects/info/alternates | \
95                         objects/info/http-alternates | \
96                         objects/info/packs | \
97                         objects/[0-9a-f]{2}/[0-9a-f]{38} | \
98                         objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
99                 @@reporoot@@/$1.git/$2
100         </IfDefine>
102         # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
103         ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
105         ScriptAliasMatch \
106                 "(?x)^/(?![bchrw]/) \
107                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
108                         info/refs | \
109                         git-upload-pack | \
110                         git-receive-pack | \
111                         [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
112                 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
114         # Everything else off to bundles.cgi or gitweb.cgi
115         ScriptAliasMatch \
116                 "(?x)^/(?![bchrw]/) \
117                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
118                 @@cgiroot@@/bundles.cgi/$1
119         ScriptAliasMatch \
120                 "(?x)^/(?![bchrw]/) \
121                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
122                 @@cgiroot@@/gitweb.cgi/$1
124         # mod_rewrite is not strictly required for gitweb and fetch access, but
125         # if it's not available the trailing ".git" is never optional for
126         # gitweb, the leading /h is always required for *.html, snapshots are
127         # not throttled, some bogus Git http protocol requests will not be
128         # detected early and, if non-smart HTTP is allowed, access to the
129         # /info/refs file will not be accelerated in non-smart HTTP mode.
131         <IfModule rewrite_module>
132                 RewriteEngine On
134                 # Snapshot/blob_plain requests are only allowed via the PATH_INFO mechanism
135                 RewriteCond %{QUERY_STRING}     (^|[&;])a=(?:snapshot|blob_plain)([&;]|$) [NC]
136                 RewriteRule .? - [NS,F,L]
138                 # Redirect snapshot requests to snapshot.cgi
139                 RewriteRule \
140                         "(?x)^/(?![bchr]/)(?:w/)? \
141                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
142                                 snapshot(?:/.*)?)$" \
143                         @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
145                 # Detect blob_plain requests with is_blob_plain
146                 RewriteRule \
147                         "(?x)^/(?![bchr]/)(?:w/)? \
148                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git)/ \
149                                 blob_plain(?:/.*)?$" \
150                         - [E=is_blob_plain:$1]
152                 # Reject blob_plain requests if .no_blob_plain file exists and is not zero bytes
153                 RewriteCond "%{ENV:is_blob_plain}" !=""
154                 RewriteCond "@@reporoot@@/%{ENV:is_blob_plain}/.no_blob_plain" -s
155                 RewriteRule ^ - [NS,F]
157                 # Reject blob_plain requests if .no_blob_plain file exists AND mismatched Referer
158                 # We require the referer host and port and git project to match the current request
159                 RewriteCond "%{ENV:is_blob_plain}" !=""
160                 RewriteCond "@@reporoot@@/%{ENV:is_blob_plain}/.no_blob_plain" -f
161                 RewriteRule ^ - [C,E=is_blob_ref:1]
162                 RewriteRule ^ - [C,E=ref_host:]
163                 RewriteRule ^ - [E=ref_path:]
164                 RewriteCond "%{ENV:is_blob_ref}" =1
165                 RewriteCond "%{HTTP_REFERER}" "^https?://(?:[^@/]*@)?([^@:/?#]+(?::[0-9]+)?)"
166                 RewriteRule ^ - [E=ref_host:%1]
167                 RewriteCond "%{ENV:is_blob_ref}" =1
168                 RewriteCond "%{HTTP_REFERER}" "^https?://(?:[^@/]*@)?[^@:/?#]+(?::[0-9]*)?(?:/w)?(.*)$"
169                 RewriteRule ^ - [E=ref_path:%1]
170                 RewriteCond "%{ENV:is_blob_ref}" =1
171                 RewriteCond "@%{HTTP_HOST}=%{ENV:ref_host}@" "!^@([^=]*)=\1@$" [NC,OR]
172                 RewriteCond "@/%{ENV:is_blob_plain}=%{ENV:ref_path}" "!^@([^=]*)=\1(?:[/?#]|$)"
173                 RewriteRule ^ - [NS,F]
175                 # Make the leading /h optional for requests that name an existing .html template
176                 RewriteCond @@webroot@@/$1 !-f
177                 RewriteCond @@cgiroot@@/$1 !-f
178                 RewriteCond @@cgiroot@@/html/$1 -s
179                 RewriteRule \
180                         ^/(?![bchrw]/)(.*\.html)$ \
181                         /h/$1 [NS,PT]
183                 # Redirect bare gitweb requests without .git that name an existing repo...
184                 RewriteCond @@webroot@@/$2 !-f
185                 RewriteCond @@cgiroot@@/$2 !-f
186                 RewriteCond @@reporoot@@/$2.git/HEAD -s
187                 RewriteRule \
188                         "(?x)^/(?![bchr]/)((?:w/)?) \
189                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
190                         /$1$2.git [NS,L,R=301]
192                 # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
193                 # 9 are only valid with GET/HEAD and the other two are only valid with POST
194                 # Furthermore, 7 are only valid when non-smart is allowed and
195                 # 1 is only valid when smart-only is enabled if it has the correct query string.
197                 # These two always require POST
198                 RewriteCond %{REQUEST_METHOD} !=POST
199                 RewriteRule \
200                         "(?x)^/(?![bchw]/)(?:r/)? \
201                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
202                                 git-upload-pack | \
203                                 git-receive-pack )$" \
204                         - [NS,F]
206                 <IfDefine @@SmartHTTPOnly@@>
207                 # These 7 are always forbidden when non-smart HTTP is disabled
208                 RewriteRule \
209                         "(?x)^/(?![bchw]/)(?:r/)? \
210                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
211                                 HEAD | \
212                                 objects/info/alternates | \
213                                 objects/info/http-alternates | \
214                                 objects/info/packs | \
215                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
216                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
217                         - [NS,F]
218                 # This one is forbidden without the magic query string when non-smart is disabled
219                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
220                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
221                 RewriteRule \
222                         "(?x)^/(?![bchw]/)(?:r/)? \
223                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
224                                 info/refs $" \
225                         - [NS,F]
226                 # This one requires GET (or HEAD)
227                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
228                 RewriteRule \
229                         "(?x)^/(?![bchw]/)(?:r/)? \
230                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
231                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
232                         - [NS,F]
233                 </IfDefine>
235                 <IfDefine !@@SmartHTTPOnly@@>
236                 # These 9 require GET (or HEAD)
237                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
238                 RewriteRule \
239                         "(?x)^/(?![bchw]/)(?:r/)? \
240                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
241                                 HEAD | \
242                                 info/refs | \
243                                 objects/info/alternates | \
244                                 objects/info/http-alternates | \
245                                 objects/info/packs | \
246                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
247                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
248                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
249                         - [NS,F]
250                 # This one can be accelerated when accessed with non-smart HTTP
251                 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
252                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
253                 RewriteRule \
254                         "(?x)^/(?![bchw]/)(?:r/)? \
255                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
256                                 info/refs $" \
257                         @@reporoot@@/$1.git/info/refs [NS,L]
258                 </IfDefine>
259         </IfModule>
261         <Directory @@reporoot@@>
262                 Options FollowSymLinks
263                 AllowOverride None
264                 <IfVersion < 2.3>
265                 Order allow,deny
266                 Allow from all
267                 Satisfy all
268                 </IfVersion>
269                 <IfVersion >= 2.3>
270                 Require all granted
271                 </IfVersion>
273                 <IfModule rewrite_module>
274                         # Everything fetched over the non-smart git http
275                         # protocol should be an existing file.  If the request
276                         # is not for an existing file, just send back an error
277                         # message without emitting anything into the error log.
278                         RewriteEngine On
279                         RewriteBase /
280                         RewriteCond @@reporoot@@/$1 !-f
281                         RewriteRule ^(.*)$ - [NS,R=404,L]
282                 </IfModule>
283         </Directory>
285         <Directory @@cgiroot@@>
286                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
287                 Options SymLinksIfOwnerMatch
288                 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
289                 AllowOverride FileInfo
290                 <IfVersion < 2.3>
291                 Order deny,allow
292                 Deny from all
293                 Satisfy all
294                 </IfVersion>
295                 <IfVersion >= 2.3>
296                 Require all denied
297                 </IfVersion>
298                 <Files gitweb.cgi>
299                         Options +ExecCGI
300                         <IfVersion < 2.3>
301                         Order deny,allow
302                         Allow from all
303                         Satisfy all
304                         </IfVersion>
305                         <IfVersion >= 2.3>
306                         Require all granted
307                         </IfVersion>
308                         <IfModule !mod_fastcgi.c>
309                         <IfModule !mod_fcgid.c>
310                                 SetHandler cgi-script
311                         </IfModule>
312                         </IfModule>
314                         # Note that in testing mod_fastcgi (in dynamic mode)
315                         # was found to be slightly faster than mod_fcgid.
316                         #
317                         # However, we prefer mod_fcgid if both are available
318                         # because we cannot control the server-global settings
319                         # of mod_fastcgi's "FastCgiConfig" options.
320                         #
321                         # In order for gitweb.cgi to run reasonably well as a
322                         # mod_fastcgi dynamic FastCGI application, the
323                         # "FastCgiConfig" option "-idle-timeout" value needs to
324                         # be increased from the default value of "30" to at
325                         # least "120", preferably more like "300".  But that
326                         # will affect ALL dynamic mod_fastcgi applications on
327                         # the ENTIRE server, not just gitweb.cgi.  Additionally
328                         # the "FastCgiConfig" "-restart" option probably ought
329                         # to be set as well.  Also, unfortunately, there is no
330                         # mod_fastcgi option corresponding to mod_fcgid's
331                         # MaxRequestsPerProcess option and gitweb.cgi running
332                         # in FastCGI mode (without using FCGI::ProcManager) will
333                         # always exit after serving 100 requests (a good thing).
334                         #
335                         # The alternative is to make gitweb.cgi a static
336                         # mod_fastcgi application (the "FastCgiServer"
337                         # directive), but then the number of running instances
338                         # will be fixed at whatever value is chosen for the
339                         # "-processes" option rather than being dynamically
340                         # adjusted based on load and that's probably undesirable
341                         # in most cases unless you run gitweb.cgi under a
342                         # front-end that dynamically forks multiple copies of
343                         # gitweb.cgi based on the current load.  See the CPAN
344                         # FCGI::ProcManager::Dynamic module for an example of
345                         # how to do this in Perl:
346                         #
347                         #   http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
348                         #
349                         # So instead we prefer mod_fcgid because we can adjust
350                         # the necessary options for good gitweb.cgi behavior
351                         # while affecting only gitweb.cgi and having it remain
352                         # a dynamic application whose total number of running
353                         # instances is adjusted based on current server load.
355                         <IfModule mod_fcgid.c>
356                                 SetHandler fcgid-script
357                         </IfModule>
358                         <IfModule !mod_fcgid.c>
359                         <IfModule mod_fastcgi.c>
360                                 SetHandler fastcgi-script
361                         </IfModule>
362                         </IfModule>
363                 </Files>
364                 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
365                         Options +ExecCGI
366                         SetHandler cgi-script
367                         <IfVersion < 2.3>
368                         Order deny,allow
369                         Allow from all
370                         Satisfy all
371                         </IfVersion>
372                         <IfVersion >= 2.3>
373                         Require all granted
374                         </IfVersion>
375                 </FilesMatch>
376         </Directory>
377         <Directory @@cgiroot@@/html>
378                 <IfVersion < 2.3>
379                 Order deny,allow
380                 Allow from all
381                 Satisfy all
382                 </IfVersion>
383                 <IfVersion >= 2.3>
384                 Require all granted
385                 </IfVersion>
386                 <Files *.html>
387                         ForceType "text/html; charset=utf-8"
388                 </Files>
389         </Directory>
391         <IfModule mod_fcgid.c>
392                 # mod_fcgid benefits from some additional config for gitweb.cgi
393                 # gitweb.cgi has a hard-coded maximum of 100 requests
394                 # and we do not want to give up too soon in case Git is lagging.
395                 # Note that adding a 'MaxProcesses ...' option here may be valuable
396                 # to limit the maximum number of gitweb.cgi processes that can be
397                 # spawned (default is 100) -- perhaps to something much lower such
398                 # as 1 or 2 times the number of CPU cores.  Also note that in the
399                 # unlikely event all the children finish their 100 requests at the
400                 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
401                 # to 10 if not set) should be set to at least 3 times the
402                 # MaxProcesses value chosen to allow them all to respawn
403                 # immediately.  FcgidSpawnScoreUpLimit MUST be at least twice the
404                 # chosen MaxProcesses value (assuming FcgidTerminationScore is
405                 # still set to the default 2) in order to allow any child at all to
406                 # respawn immediately in this case without a delay.
407                 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
408                 MaxRequestsPerProcess 100 IOTimeout 300
409         </IfModule>
411         <Directory @@basedir@@/bin>
412                 Options None
413                 AllowOverride None
414                 <IfVersion < 2.3>
415                 Order deny,allow
416                 Deny from all
417                 Satisfy all
418                 </IfVersion>
419                 <IfVersion >= 2.3>
420                 Require all denied
421                 </IfVersion>
422                 <Files git-http-backend-verify>
423                         Options ExecCGI
424                         SetHandler cgi-script
425                         <IfVersion < 2.3>
426                         Order deny,allow
427                         Allow from all
428                         Satisfy all
429                         </IfVersion>
430                         <IfVersion >= 2.3>
431                         Require all granted
432                         </IfVersion>
433                 </Files>
434         </Directory>
436 # ---- END LINES TO DUPLICATE ----
438 </VirtualHost>
441 # Change the setting of $TLSHost in Girocco::Config.pm to change
442 # whether or not the following https virtual host is enabled.
444 <IfDefine @@TLSHost@@>
446 # This is an example configuration of an https virtualhost running Girocco, as set
447 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
448 # It is not essential for Girocco to use a special virtualhost, however.
449 # The Config.pm $httpspushurl variable needs to be defined to properly enable
450 # https pushing.
451 <VirtualHost *:443>
453         # These certificate files will all be automatically generated, but the
454         # paths here may need to be corrected to match the paths
455         # (especially $certsdir) from Config.pm
457         SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
458         SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
459         SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
460         # When using a www server cert signed by a pre-trusted root, only
461         # the above three lines should be changed.  Changing either of the
462         # below two lines will likely break https client authentication.
463         SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
464         SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
466         SSLVerifyDepth 3
467         SSLOptions +FakeBasicAuth +StrictRequire
468         SSLEngine on
470         # This configuration allows fetching over https without a certificate
471         # while always requiring a certificate for pushing over https
472         RewriteEngine On
473         SSLVerifyClient optional
474         RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
475         RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
476         RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
477         RewriteCond %{REQUEST_METHOD} =POST [NC]
478         RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
479         RewriteCond %{ENV:client_auth_required} 1
480         RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
481         RewriteRule .? %{REQUEST_URI} [NS,R=401]
482         <Location />
483                 SSLRequireSSL
484                 SSLOptions +FakeBasicAuth
485                 AuthName "Git Client Authentication"
486                 AuthType Basic
487                 AuthBasicProvider anon
488                 Anonymous *
489                 <IfVersion < 2.3>
490                 Order deny,allow
491                 Deny from env=client_auth_required
492                 Satisfy any
493                 Require valid-user
494                 </IfVersion>
495                 <IfVersion >= 2.3>
496                 <RequireAny>
497                 <RequireAll>
498                 Require all granted
499                 Require not env client_auth_required
500                 </RequireAll>
501                 Require valid-user
502                 </RequireAny>
503                 </IfVersion>
504         </Location>
505         ErrorDocument 401 /authrequired.cgi
507 # ---- BEGIN DUPLICATE LINES ----
509 ##  *** IMPORTANT ***
511 ##  ALL the entire contents from the <VirtualHost *:80> section at the top of
512 ##  this file must be copied here.
514 ##  To avoid this duplication, the contents of the <VirtualHost *:80> section
515 ##  above can be moved to a separate file and then included both here and in
516 ##  the <VirtualHost *:80> section using an Include directive.  Be careful not
517 ##  to place the new include file in one of the directories the standard apache
518 ##  configuration blindly includes all files from.
520 # ---- END DUPLICATE LINES ----
522 </VirtualHost>
524 </IfDefine>