| blob | d3b6511158729aee0a1d9870bf59188734918ec7 |
1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
13 ServerAdmin @@admin@@
15 ErrorLog /var/log/apache2/repo-error.log
16 CustomLog /var/log/apache2/repo-access.log combined
18 <IfModule mime_magic_module>
19 # Avoid spurious Content-Type values when git-http-backend
20 # fails to provide a Content-Type header in its output
21 MimeMagicFile /dev/null
22 </IfModule>
24 DocumentRoot @@webroot@@
25 <Directory @@webroot@@>
26 # Add MultiViews only if pages are truly
27 # offered in more than a single language
28 Options FollowSymLinks
29 AllowOverride All
30 Order allow,deny
31 Allow from all
32 DirectoryIndex w
33 Satisfy all
34 </Directory>
36 ScriptAlias /w @@cgiroot@@/gitweb.cgi
37 ScriptAlias /h @@cgiroot@@/html.cgi
38 AliasMatch ^/(?!(?i)gitweb\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
40 <IfModule rewrite_module>
41 RewriteEngine On
42 # Redirect bare /w requests without .git that name an existing repo...
43 RewriteCond @@reporoot@@/$1.git/HEAD -f
44 RewriteRule \
45 ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
46 /w/$1.git [L,R=301]
48 # ...and also make the leading /w optional for those types of requests
49 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
50 RewriteCond @@reporoot@@/$1.git/HEAD -f
51 RewriteRule \
52 ^/(?!w/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
53 /$1.git [L,R=301]
55 # Make the leading /w optional if the rest names an existing repo
56 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
57 RewriteCond @@reporoot@@/$1/HEAD -f
58 # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
59 RewriteRule \
60 ^/(?!w/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)((?:/.*)?)$ \
61 /w/$1$2 [PT]
62 </IfModule>
64 <Directory @@reporoot@@>
65 Options FollowSymLinks
66 AllowOverride None
67 Order allow,deny
68 Allow from all
69 Satisfy all
71 <IfModule rewrite_module>
72 # Everything fetched over the non-smart git http
73 # protocol should be an existing file. If the request
74 # is not for an existing file, just send back an error
75 # message without emitting anything into the error log.
76 RewriteEngine On
77 RewriteCond %{REQUEST_FILENAME} !-f
78 RewriteRule .* - [R=404,L]
79 </IfModule>
80 </Directory>
82 <Directory @@cgiroot@@>
83 Options None
84 AllowOverride None
85 Order deny,allow
86 Deny from all
87 <Files gitweb.cgi>
88 Options ExecCGI
89 Allow from all
90 <IfModule !mod_fastcgi.c>
91 <IfModule !mod_fcgid.c>
92 SetHandler cgi-script
93 </IfModule>
94 </IfModule>
96 # Note that in testing mod_fastcgi (in dynamic mode)
97 # was found to be slightly faster than mod_fcgid.
98 #
99 # However, we prefer mod_fcgid if both are available
100 # because we cannot control the server-global settings
101 # of mod_fastcgi's "FastCgiConfig" options.
102 #
103 # In order for gitweb.cgi to run reasonably well as a
104 # mod_fastcgi dynamic FastCGI application, the
105 # "FastCgiConfig" option "-idle-timeout" value needs to
106 # be increased from the default value of "30" to at
107 # least "120", preferably more like "300". But that
108 # will affect ALL dynamic mod_fastcgi applications on
109 # the ENTIRE server, not just gitweb.cgi. Additionally
110 # the "FastCgiConfig" "-restart" option probably ought
111 # to be set as well. Also, unfortunately, there is no
112 # mod_fastcgi option corresponding to mod_fcgid's
113 # MaxRequestsPerProcess option and gitweb.cgi running
114 # in FastCGI mode (without using FCGI::ProcManager) will
115 # always exit after serving 100 requests (a good thing).
116 #
117 # The alternative is to make gitweb.cgi a static
118 # mod_fastcgi application (the "FastCgiServer"
119 # directive), but then the number of running instances
120 # will be fixed at whatever value is chosen for the
121 # "-processes" option rather than being dynamically
122 # adjusted based on load and that's probably undesirable
123 # in most cases unless you run gitweb.cgi under a
124 # front-end that dynamically forks multiple copies of
125 # gitweb.cgi based on the current load. See the CPAN
126 # FCGI::ProcManager::Dynamic module for an example of
127 # how to do this in Perl:
128 #
129 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
130 #
131 # So instead we prefer mod_fcgid because we can adjust
132 # the necessary options for good gitweb.cgi behavior
133 # while affecting only gitweb.cgi and having it remain
134 # a dynamic application whose total number of running
135 # instances is adjusted based on current server load.
137 <IfModule mod_fcgid.c>
138 SetHandler fcgid-script
139 </IfModule>
140 <IfModule !mod_fcgid.c>
141 <IfModule mod_fastcgi.c>
142 SetHandler fastcgi-script
143 </IfModule>
144 </IfModule>
145 </Files>
146 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
147 Options ExecCGI
148 SetHandler cgi-script
149 Allow from all
150 </FilesMatch>
151 Satisfy all
152 </Directory>
154 <IfModule mod_fcgid.c>
155 # mod_cgid benefits from some additional config for gitweb.cgi
156 # gitweb.cgi has a hard-coded maximum of 100 requests
157 # and we do not want to give up too soon in case Git is lagging
158 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
159 MaxRequestsPerProcess 100 IOTimeout 300
160 </IfModule>
162 <Directory @@basedir@@/bin>
163 Options None
164 AllowOverride None
165 Order deny,allow
166 Deny from all
167 <Files git-http-backend-verify>
168 Options ExecCGI
169 SetHandler cgi-script
170 Allow from all
171 </Files>
172 Satisfy all
173 </Directory>
175 # By default non-smart HTTP fetch access will be allowed, however
176 # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
177 # non-smart HTTP requests can be denied directly by the web server
179 <IfDefine !SmartHTTPOnly>
180 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
181 # But not for projects starting with '_' to which access should never be allowed
182 AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
183 AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
185 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
186 # But not for projects starting with '_' to which access should never be allowed
187 <IfModule rewrite_module>
188 RewriteEngine On
189 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
190 RewriteRule "(?x) ^/((?!r/)[^_].*/objects/(?: \
191 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
192 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
193 @@reporoot@@/$1 [L]
194 </IfModule>
195 </IfDefine>
197 <IfDefine SmartHTTPOnly>
198 # Disable non-smart HTTP access
199 RewriteEngine On
200 RewriteCond %{REQUEST_METHOD} !^POST$
201 RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
202 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
203 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
204 RewriteCond %{REQUEST_METHOD} !^POST$
205 RewriteRule ^/(?!r/).*(?<!/info/refs)$ - [F]
206 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
207 RewriteRule ^/r/.*/info/refs$ - [F]
208 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
209 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
210 RewriteRule ^/(?!r/).*/info/refs$ - [F]
211 </IfDefine>
213 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
214 # git-http-backend-verify denies all access to projects starting with '_'
215 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
217 # This allows HTTP access for Git user agents without the /r/ prefix
218 <IfModule rewrite_module>
219 RewriteEngine On
220 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
221 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
222 RewriteRule ^/(?!r/)(.*)$ \
223 @@basedir@@/bin/git-http-backend-verify/$1 \
224 [L,H=cgi-script]
225 </IfModule>
227 # ---- END LINES TO DUPLICATE ----
229 </VirtualHost>
232 # This comments out the following so this file can be used as-is
233 # for an http-only configuration. Remove or change the sense of
234 # the test (by inserting a !) to activate the https virtual host.
235 <IfDefine EnableGiroccoHttpsVirtualHost>
238 # This is an example configuration of an https virtualhost running Girocco, as set
239 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
240 # It is not essential for Girocco to use a special virtualhost, however.
241 # The Config.pm $httpspushurl variable needs to be defined to properly enable
242 # https pushing.
243 <VirtualHost *:443>
245 # These certificate files will all be automatically generated, but the
246 # paths here may need to be corrected to match the paths
247 # (especially $certsdir) from Config.pm
249 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
250 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
251 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
252 # when using a paid www server cert, only the above three lines should
253 # be changed. Changing any of the below two lines (other than updating
254 # the paths to match $certsdir) will likely break https client auth
255 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
256 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
258 SSLVerifyDepth 3
259 SSLOptions +FakeBasicAuth +StrictRequire
260 SSLEngine on
262 # This configuration allows fetching over https without a certificate
263 # while always requiring a certificate for pushing over https
264 RewriteEngine On
265 SSLVerifyClient optional
266 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
267 RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
268 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
269 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
270 RewriteRule ^/(?!r/).*/info/refs$ - [env=client_auth_required:1]
271 RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
272 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
273 RewriteRule ^/(?!r/).*/git-receive-pack$ - [env=client_auth_required:1]
274 RewriteCond %{ENV:client_auth_required} 1
275 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
276 RewriteRule .* %{REQUEST_URI} [R=401]
277 <Location />
278 SSLRequireSSL
279 Order deny,allow
280 Deny from env=client_auth_required
281 SSLOptions +FakeBasicAuth
282 AuthName "Git Client Authentication"
283 AuthType Basic
284 AuthBasicProvider anon
285 Anonymous *
286 Require valid-user
287 Satisfy any
288 </Location>
289 ErrorDocument 401 /authrequired.cgi
291 # *** IMPORTANT ***
292 #
293 # ALL the entire contents from the <VirtualHost *:80> section at
294 # the top of this file must be copied here.
295 #
296 # To avoid this duplication, the contents of the <VirtualHost *:80>
297 # section above can be moved to a separate file and then included
298 # both here and in the <VirtualHost *:80> section using an Include
299 # directive. Be careful not to place the new include file in one of the
300 # directories the standard apache configuration blindly includes all
301 # files from.
303 # ---- BEGIN DUPLICATE LINES ----
305 # ---- END DUPLICATE LINES ----
307 </VirtualHost>
310 # End commenting
311 </IfDefine>