[girocco.git] / apache.conf.in
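## To convert this file to apache.conf using the current Girocco::Config values
## either do "make" or "make apache.conf" or ./make-apache-conf.sh
##
# This is an example configuration of a virtualhost running Girocco, as set up
# at repo.or.cz; unfortunately, completely independent from Girocco::Config.
# It is not essential for Girocco to use a special virtualhost, however.
#
# NOTE(review): Order/Allow/Deny/Satisfy below are the Apache 2.2 access-control
# directives; on Apache 2.4 they are only available through mod_access_compat.
# NOTE(review): this virtualhost is plain HTTP on port 80, so nothing sent to
# it is protected in transit.
<VirtualHost *:80>

# ---- BEGIN LINES TO DUPLICATE ----

        ServerName @@httpdnsname@@
        ServerAlias www.@@httpdnsname@@
        ServerAdmin @@admin@@

        ErrorLog /var/log/apache2/repo-error.log
        CustomLog /var/log/apache2/repo-access.log combined

        <IfModule mime_magic_module>
                # Avoid spurious Content-Type values when git-http-backend
                # fails to provide a Content-Type header in its output
                MimeMagicFile /dev/null
        </IfModule>

        DocumentRoot @@webroot@@
        <Directory @@webroot@@>
                # Add MultiViews only if pages are truly
                # offered in more than a single language
                Options FollowSymLinks
                # NOTE(review): AllowOverride All lets any .htaccess file under
                # the web root change these settings, so the web root must not
                # be writable by anything that handles untrusted input.  Narrow
                # it if no .htaccess is actually needed.
                AllowOverride All
                Order allow,deny
                Allow from all
                DirectoryIndex w
                Satisfy all
        </Directory>

        ScriptAlias /w @@cgiroot@@/gitweb.cgi
        ScriptAlias /h @@cgiroot@@/html.cgi
        # Any other top-level NAME.cgi request is mapped to the file of the same
        # name in @@cgiroot@@.  Together with the <FilesMatch> in the
        # <Directory @@cgiroot@@> section below, every *.cgi file placed in that
        # directory becomes a reachable CGI endpoint, so keep its contents
        # deliberate.
        AliasMatch ^/(?!(?i)gitweb\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1

        <IfModule rewrite_module>
                RewriteEngine On
                # NOTE(review): HTTP_USER_AGENT is supplied by the client.  The
                # "git/" tests in this file only choose between gitweb and the
                # Git transport for URLs without a prefix; they are routing,
                # not access control.

                # Redirect bare /w requests without .git that name an existing repo...
                RewriteCond @@reporoot@@/$1.git/HEAD -f
                RewriteRule \
                        ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
                        /w/$1.git [L,R=301]

                # ...and also make the leading /w optional for those types of requests
                RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
                RewriteCond @@reporoot@@/$1.git/HEAD -f
                RewriteRule \
                        ^/(?!w/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
                        /$1.git [L,R=301]

                # Make the leading /w optional if the rest names an existing repo
                RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
                RewriteCond @@reporoot@@/$1/HEAD -f
                # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
                RewriteRule \
                        ^/(?!w/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)((?:/.*)?)$ \
                        /w/$1$2 [PT]
        </IfModule>

        <Directory @@reporoot@@>
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
                Satisfy all

                <IfModule rewrite_module>
                        # Everything fetched over the non-smart git http
                        # protocol should be an existing file.  If the request
                        # is not for an existing file, just send back an error
                        # message without emitting anything into the error log.
                        RewriteEngine On
                        RewriteCond %{REQUEST_FILENAME} !-f
                        RewriteRule .* - [R=404,L]
                </IfModule>
        </Directory>

        # Default deny for the CGI directory; only the <Files>/<FilesMatch>
        # sections below re-open access, and only for *.cgi names.
        <Directory @@cgiroot@@>
                Options None
                AllowOverride None
                Order deny,allow
                Deny from all
                <Files gitweb.cgi>
                        Options ExecCGI
                        Allow from all
                        <IfModule !mod_fastcgi.c>
                        <IfModule !mod_fcgid.c>
                                SetHandler cgi-script
                        </IfModule>
                        </IfModule>
                        # Note that in testing mod_fastcgi (in dynamic mode)
                        # was found to be slightly faster than mod_fcgid so
                        # it's preferred if both are available
                        <IfModule mod_fastcgi.c>
                                SetHandler fastcgi-script
                        </IfModule>
                        <IfModule !mod_fastcgi.c>
                        <IfModule mod_fcgid.c>
                                SetHandler fcgid-script
                        </IfModule>
                        </IfModule>
                </Files>
                <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
                        Options ExecCGI
                        SetHandler cgi-script
                        Allow from all
                </FilesMatch>
                Satisfy all
        </Directory>

        <IfModule !mod_fastcgi.c>
        <IfModule mod_fcgid.c>
                # mod_fcgid benefits from some additional config for gitweb.cgi
                # gitweb.cgi has a hard-coded maximum of 100 requests
                # and we do not want to give up too soon in case Git is lagging
                FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
                MaxRequestsPerProcess 100 IOTimeout 120
        </IfModule>
        </IfModule>

        # Default deny for the bin directory; git-http-backend-verify is the
        # only file in it that may be run as a CGI.
        <Directory @@basedir@@/bin>
                Options None
                AllowOverride None
                Order deny,allow
                Deny from all
                <Files git-http-backend-verify>
                        Options ExecCGI
                        SetHandler cgi-script
                        Allow from all
                </Files>
                Satisfy all
        </Directory>

        # By default non-smart HTTP fetch access will be allowed, however
        # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
        # non-smart HTTP requests can be denied directly by the web server

        <IfDefine !SmartHTTPOnly>
        # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
        # But not for projects starting with '_' to which access should never be allowed
        #
        # NOTE(review): the '_' exclusion in these patterns inspects only the
        # first character of the project path, and the matched files are served
        # straight from @@reporoot@@ without passing through
        # git-http-backend-verify.  Confirm that the URL path is normalized
        # before these patterns are applied; anchoring the test to the whole
        # first path segment would be stricter.
        #
        # The dot before pack|idx is written [.] so that it matches only a
        # literal '.' and not any character.
        AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$               @@reporoot@@/$1
        AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}[.](pack|idx))$    @@reporoot@@/$1

        # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
        # But not for projects starting with '_' to which access should never be allowed
        <IfModule rewrite_module>
                        RewriteEngine On
                        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
                        RewriteRule "(?x) ^/((?!r/)[^_].*/objects/(?: \
                                (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
                                (?:pack/pack-[0-9a-f]{40}[.](?:pack|idx)) ))$" \
                                @@reporoot@@/$1 [L]
        </IfModule>
        </IfDefine>

        <IfDefine SmartHTTPOnly>
        # Disable non-smart HTTP access
        #
        # On Git paths the rules below answer 403 ([F]) to
        #   - any non-POST request that does not end in /info/refs, and
        #   - any /info/refs request whose query string lacks
        #     service=git-upload-pack or service=git-receive-pack.
        # Each rule appears twice: once for the /r/ prefix and once for Git
        # user agents that omit the prefix.
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} !^POST$
        RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
        RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteCond %{REQUEST_METHOD} !^POST$
        RewriteRule ^/(?!r/).*(?<!/info/refs)$ - [F]
        RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
        RewriteRule ^/r/.*/info/refs$ - [F]
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
        RewriteRule ^/(?!r/).*/info/refs$ - [F]
        </IfDefine>

        # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
        # git-http-backend-verify denies all access to projects starting with '_'
        #
        # NOTE(review): whether pushes are refused on this plain-HTTP virtualhost
        # is decided inside git-http-backend-verify, which is not part of this
        # file -- confirm.
        ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/

        # This allows HTTP access for Git user agents without the /r/ prefix
        <IfModule rewrite_module>
                        RewriteEngine On
                        RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
                        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
                        RewriteRule ^/(?!r/)(.*)$ \
                                @@basedir@@/bin/git-http-backend-verify/$1 \
                                [L,H=cgi-script]
        </IfModule>

# ---- END LINES TO DUPLICATE ----

</VirtualHost>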
# This comments out the following so this file can be used as-is
# for an http-only configuration.  Remove or change the sense of
# the test (by inserting a !) to activate the https virtual host.
<IfDefine EnableGiroccoHttpsVirtualHost>


# This is an example configuration of an https virtualhost running Girocco, as set
# up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
# It is not essential for Girocco to use a special virtualhost, however.
# The Config.pm $httpspushurl variable needs to be defined to properly enable
# https pushing.
#
# NOTE(review): no SSLProtocol or SSLCipherSuite is set in this virtualhost, so
# the TLS versions and ciphers offered are whatever the surrounding server
# configuration provides.
<VirtualHost *:443>

        # These certificate files will all be automatically generated, but the
        # paths here may need to be corrected to match the paths
        # (especially $certsdir) from Config.pm
        #
        # NOTE(review): girocco_www_key.pem is the server's private key; keep it
        # readable only by the account that starts Apache.

        SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
        SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
        SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
        # when using a paid www server cert, only the above three lines should
        # be changed.  Changing any of the below two lines (other than updating
        # the paths to match $certsdir) will likely break https client auth
        SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
        SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem

        SSLVerifyDepth 3
        SSLOptions +FakeBasicAuth +StrictRequire
        SSLEngine on

        # This configuration allows fetching over https without a certificate
        # while always requiring a certificate for pushing over https
        #
        # How the rules below do that:
        #   1. SSLVerifyClient optional asks for, but does not demand, a
        #      client certificate.
        #   2. Requests that belong to a push (an /info/refs request with
        #      service=git-receive-pack, or a .../git-receive-pack request) set
        #      the environment variable client_auth_required.
        #   3. If that variable is set and SSL_CLIENT_VERIFY is not SUCCESS, the
        #      request is answered with 401.
        RewriteEngine On
        SSLVerifyClient optional
        RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
        RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
        RewriteRule ^/(?!r/).*/info/refs$ - [env=client_auth_required:1]
        RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteRule ^/(?!r/).*/git-receive-pack$ - [env=client_auth_required:1]
        RewriteCond %{ENV:client_auth_required} 1
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule .* %{REQUEST_URI} [R=401]
        # NOTE(review): the certificate requirement appears to rest on the
        # SSL_CLIENT_VERIFY test above.  "AuthBasicProvider anon" with
        # "Anonymous *" accepts any user name, so the <Location> section below
        # should not be treated as the check on its own -- confirm before
        # changing either part.
        <Location />
                SSLRequireSSL
                Order deny,allow
                Deny from env=client_auth_required
                SSLOptions +FakeBasicAuth
                AuthName "Git Client Authentication"
                AuthType Basic
                AuthBasicProvider anon
                Anonymous *
                Require valid-user
                Satisfy any
        </Location>
        ErrorDocument 401 /authrequired.cgi

        # *** IMPORTANT ***
        #
        # ALL the entire contents from the <VirtualHost *:80> section at
        # the top of this file must be copied here.
        #
        # To avoid this duplication, the contents of the <VirtualHost *:80>
        # section above can be moved to a separate file and then included
        # both here and in the <VirtualHost *:80> section using an Include
        # directive.  Be careful not to place the new include file in one of the
        # directories the standard apache configuration blindly includes all
        # files from.
        #
        # NOTE(review): the default-deny <Directory> sections and the
        # SmartHTTPOnly rules exist only in the lines to be copied.  If the copy
        # is skipped or drifts from the original, this virtualhost runs without
        # them, which is a reason to prefer the Include approach.

# ---- BEGIN DUPLICATE LINES ----

# ---- END DUPLICATE LINES ----

</VirtualHost>


# End commenting
</IfDefine>