1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
9 # ---- BEGIN LINES TO DUPLICATE ----
# Host identity for this virtual host. The @@...@@ placeholders are filled in
# from Girocco::Config when this template is converted to apache.conf.
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
15 ErrorLog /var/log/apache2/repo-error.log
16 CustomLog /var/log/apache2/repo-access.log combined
18 <IfModule mime_magic_module>
19 # Avoid spurious Content-Type values when git-http-backend
20 # fails to provide a Content-Type header in its output
21 MimeMagicFile /dev/null
24 DocumentRoot @@webroot@@
25 <Directory @@webroot@@>
26 # Add MultiViews only if pages are truly
27 # offered in more than a single language
28 Options FollowSymLinks
# /w is served by gitweb.cgi and /h by html.cgi.
36 ScriptAlias /w @@cgiroot@@/gitweb.cgi
37 ScriptAlias /h @@cgiroot@@/html.cgi
# Any other request whose first path segment ends in ".cgi" is mapped to the
# file of that name under @@cgiroot@@ (gitweb.cgi and html.cgi are excluded by
# the negative lookahead). Every *.cgi file placed in that directory is thus
# addressable by URL, so keep only scripts that are meant to be public there.
38 AliasMatch ^/(?!(?i)gitweb\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
# Browser-facing URL rewrites for gitweb. Each RewriteCond using -f requires
# the named repository's HEAD file to exist under @@reporoot@@ before the rule
# it guards can apply. The "!git/" User-Agent tests keep Git clients out of the
# prefix-less rules; that header is client-supplied, so it acts as routing
# rather than as an access check.
# NOTE(review): the RewriteRule keyword, target and flag lines that belong to
# the patterns below are not visible in this excerpt.
40 <IfModule rewrite_module>
42 # Redirect bare /w requests without .git that name an existing repo...
43 RewriteCond @@reporoot@@/$1.git/HEAD -f
45 ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
48 # ...and also make the leading /w optional for those types of requests
49 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
50 RewriteCond @@reporoot@@/$1.git/HEAD -f
52 ^/(?!w/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
55 # Make the leading /w optional if the rest names an existing repo
56 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
57 RewriteCond @@reporoot@@/$1/HEAD -f
58 # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
60 ^/(?!w/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)((?:/.*)?)$ \
# Settings for direct file access to the repository tree.
# NOTE(review): FollowSymLinks means a symlink located under @@reporoot@@ is
# followed when a file is served. The access-control directives for this
# <Directory> are not visible in this excerpt; confirm what they permit.
64 <Directory @@reporoot@@>
65 Options FollowSymLinks
71 <IfModule rewrite_module>
72 # Everything fetched over the non-smart git http
73 # protocol should be an existing file. If the request
74 # is not for an existing file, just send back an error
75 # message without emitting anything into the error log.
# The "-" substitution leaves the URL alone; R=404 answers Not Found directly.
77 RewriteCond %{REQUEST_FILENAME} !-f
78 RewriteRule .* - [R=404,L]
# Handler selection for scripts in the CGI directory. The nested IfModule
# tests choose fastcgi-script when mod_fastcgi is loaded, and fcgid-script when
# mod_fastcgi is absent but mod_fcgid is loaded.
# NOTE(review): the container these handlers sit under, the branch taken when
# neither module is loaded, and the closing tags are not visible in this excerpt.
82 <Directory @@cgiroot@@>
90 <IfModule !mod_fastcgi.c>
91 <IfModule !mod_fcgid.c>
95 # Note that in testing mod_fastcgi (in dynamic mode)
96 # was found to be slightly faster than mod_fcgid so
97 # it's preferred if both are available
98 <IfModule mod_fastcgi.c>
99 SetHandler fastcgi-script
101 <IfModule !mod_fastcgi.c>
102 <IfModule mod_fcgid.c>
103 SetHandler fcgid-script
# Every other file in this directory whose name ends in ".cgi" (gitweb.cgi is
# excluded case-insensitively) is run as a plain CGI script.
107 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
109 SetHandler cgi-script
115 <IfModule !mod_fastcgi.c>
116 <IfModule mod_fcgid.c>
117 # mod_fcgid benefits from some additional config for gitweb.cgi
118 # gitweb.cgi has a hard-coded maximum of 100 requests
119 # and we do not want to give up too soon in case Git is lagging
120 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
121 MaxRequestsPerProcess 100 IOTimeout 120
# In @@basedir@@/bin the visible lines give a CGI handler to one file only,
# git-http-backend-verify, the wrapper the /r/ ScriptAlias points at.
# NOTE(review): the Options and access-control lines for this <Directory> are
# not visible in this excerpt.
125 <Directory @@basedir@@/bin>
130 <Files git-http-backend-verify>
132 SetHandler cgi-script
138 # By default non-smart HTTP fetch access will be allowed, however
139 # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
140 # non-smart HTTP requests can be denied directly by the web server
# These mappings serve object and pack files straight from @@reporoot@@, so
# such requests do not pass through git-http-backend-verify. The exclusion of
# projects starting with '_' is therefore enforced here by the regexes alone.
# NOTE(review): the leading [^_] tests only the first character of the path
# after the prefix; confirm that this is the intended scope of the exclusion.
# NOTE(review): the "." before (pack|idx) is unescaped in all three patterns
# and matches any character; "\." would restrict it to a literal dot.
142 <IfDefine !SmartHTTPOnly>
143 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
144 # But not for projects starting with '_' to which access should never be allowed
145 AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
146 AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
148 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
149 # But not for projects starting with '_' to which access should never be allowed
150 <IfModule rewrite_module>
152 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
153 RewriteRule "(?x) ^/((?!r/)[^_].*/objects/(?: \
154 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
155 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
160 <IfDefine SmartHTTPOnly>
161 # Disable non-smart HTTP access
# Summary of the rules below (each RewriteCond guards the RewriteRule after it):
#  - non-POST requests under /r/ are forbidden unless the path ends in /info/refs;
#  - the same applies to prefix-less requests from Git user agents, with
#    /authrequired.cgi exempted;
#  - /info/refs requests are forbidden unless the query string names the
#    git-upload-pack or git-receive-pack service.
# The User-Agent conditions decide which prefix-less requests count as Git
# traffic. That header is client-supplied, so the /r/ rules, which do not test
# it, are the agent-independent part of this policy.
163 RewriteCond %{REQUEST_METHOD} !^POST$
164 RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
165 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
166 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
167 RewriteCond %{REQUEST_METHOD} !^POST$
168 RewriteRule ^/(?!r/).*(?<!/info/refs)$ - [F]
169 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
170 RewriteRule ^/r/.*/info/refs$ - [F]
171 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
172 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
173 RewriteRule ^/(?!r/).*/info/refs$ - [F]
176 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
177 # git-http-backend-verify denies all access to projects starting with '_'
# Smart HTTP entry point: everything under /r/ is handed to the
# git-http-backend-verify wrapper rather than to git-http-backend directly.
178 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
180 # This allows HTTP access for Git user agents without the /r/ prefix
181 <IfModule rewrite_module>
# Prefix-less requests reach the wrapper only when the User-Agent contains
# "git/" (case-insensitive); /authrequired.cgi is exempted, presumably so the
# 401 error document stays reachable for Git clients.
# NOTE(review): the flags line of the RewriteRule below is not visible in
# this excerpt.
183 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
184 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
185 RewriteRule ^/(?!r/)(.*)$ \
186 @@basedir@@/bin/git-http-backend-verify/$1 \
190 # ---- END LINES TO DUPLICATE ----
195 # This comments out the following so this file can be used as-is
196 # for an http-only configuration. Remove or change the sense of
197 # the test (by inserting a !) to activate the https virtual host.
198 <IfDefine EnableGiroccoHttpsVirtualHost>
201 # This is an example configuration of an https virtualhost running Girocco, as set
202 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
203 # It is not essential for Girocco to use a special virtualhost, however.
204 # The Config.pm $httpspushurl variable needs to be defined to properly enable
208 # These certificate files will all be automatically generated, but the
209 # paths here may need to be corrected to match the paths
210 # (especially $certsdir) from Config.pm
# Server certificate, private key and chain for the HTTPS virtual host.
# NOTE(review): nothing in this file sets permissions on the key file; it
# should be readable only by the account that starts Apache.
212 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
213 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
214 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
215 # when using a paid www server cert, only the above three lines should
216 # be changed. Changing any of the below two lines (other than updating
217 # the paths to match $certsdir) will likely break https client auth
# SSLCACertificateFile names the CA that client certificates are verified
# against; SSLCADNRequestFile supplies the CA names sent to clients in the
# certificate request.
218 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
219 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
# FakeBasicAuth presents a client certificate's subject DN as a Basic-auth
# user name.
222 SSLOptions +FakeBasicAuth +StrictRequire
225 # This configuration allows fetching over https without a certificate
226 # while always requiring a certificate for pushing over https
# How the rules below implement that: SSLVerifyClient optional lets the TLS
# handshake finish with or without a client certificate. The rewrite rules set
# client_auth_required=1 on push requests, i.e. /info/refs with
# service=git-receive-pack and paths ending in /git-receive-pack. A marked
# request whose SSL_CLIENT_VERIFY is anything other than SUCCESS gets a 401.
# The prefix-less variants test the same "git/" User-Agent condition as the
# rule that routes prefix-less requests to git-http-backend-verify, so keep
# the two conditions identical when editing either one.
# NOTE(review): push detection here is keyed on URL shape; confirm that the
# backend enforces push authorization independently of these rules.
228 SSLVerifyClient optional
229 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
230 RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
231 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
232 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
233 RewriteRule ^/(?!r/).*/info/refs$ - [env=client_auth_required:1]
234 RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
235 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
236 RewriteRule ^/(?!r/).*/git-receive-pack$ - [env=client_auth_required:1]
237 RewriteCond %{ENV:client_auth_required} 1
238 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
239 RewriteRule .* %{REQUEST_URI} [R=401]
# NOTE(review): "Deny from env=" is Apache 2.2-style access control; on
# Apache 2.4 it is provided by mod_access_compat. The container holding the
# directives below and the rest of the Auth* settings are not visible in this
# excerpt.
243 Deny from env=client_auth_required
244 SSLOptions +FakeBasicAuth
245 AuthName "Git Client Authentication"
247 AuthBasicProvider anon
252 ErrorDocument 401 /authrequired.cgi
256 # ALL of the contents of the <VirtualHost *:80> section at
257 # the top of this file must be copied here.
259 # To avoid this duplication, the contents of the <VirtualHost *:80>
260 # section above can be moved to a separate file and then included
261 # both here and in the <VirtualHost *:80> section using an Include
262 # directive. Be careful not to place the new include file in one of the
263 # directories the standard apache configuration blindly includes all
266 # ---- BEGIN DUPLICATE LINES ----
268 # ---- END DUPLICATE LINES ----