User.pm: avoid use of shell

[girocco.git] / apache.conf.in

## To convert this file to apache.conf using the current Girocco::Config values
## either do "make" or "make apache.conf" or ./make-apache-conf.sh
##
# This is an example configuration of a virtualhost running Girocco, as set up
# at repo.or.cz; unfortunately, completely independent from Girocco::Config.
# It is not essential for Girocco to use a special virtualhost, however.
<VirtualHost *:80>

# ---- BEGIN LINES TO DUPLICATE ----

        ServerName @@httpdnsname@@
        ServerAlias www.@@httpdnsname@@
        ServerAdmin @@admin@@

        ErrorLog /var/log/apache2/repo-error.log
        CustomLog /var/log/apache2/repo-access.log combined

        <IfModule mime_magic_module>
                # Avoid spurious Content-Type values when git-http-backend
                # fails to provide a Content-Type header in its output
                MimeMagicFile /dev/null
        </IfModule>

        AddHandler cgi-script .cgi

        DocumentRoot @@webroot@@
        <Directory @@webroot@@>
                # Add MultiViews only if pages are truly
                # offered in more than a single language
                Options FollowSymLinks ExecCGI
                AllowOverride All
                Order allow,deny
                Allow from all
                DirectoryIndex gitweb.cgi
                Satisfy all
        </Directory>

        ScriptAlias /w @@cgiroot@@/gitweb.cgi
        ScriptAlias /h @@cgiroot@@/html.cgi

        <IfModule rewrite_module>
                RewriteEngine On
                # Redirect bare /w requests without .git that name an existing repo...
                RewriteCond @@reporoot@@/$1.git/HEAD -f
                RewriteRule \
                        ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
                        /w/$1.git [L,R=301]

                # ...and also make the leading /w optional for those types of requests
                RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
                RewriteCond @@reporoot@@/$1.git/HEAD -f
                RewriteRule \
                        ^/(?!w/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
                        /$1.git [L,R=301]

                # Make the leading /w optional if the rest names an existing repo
                RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
                RewriteCond @@reporoot@@/$1/HEAD -f
                # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
                RewriteRule \
                        ^/(?!w/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)((?:/.*)?)$ \
                        /w/$1$2 [PT]
        </IfModule>

        <Directory @@reporoot@@>
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
                Satisfy all

                <IfModule rewrite_module>
                        # Everything fetched over the non-smart git http
                        # protocol should be an existing file.  If the request
                        # is not for an existing file, just send back an error
                        # message without emitting anything into the error log.
                        RewriteEngine On
                        RewriteCond %{REQUEST_FILENAME} !-f
                        RewriteRule .* - [R=404,L]
                </IfModule>
        </Directory>

        <Directory @@basedir@@/bin>
                Options None
                AllowOverride None
                Order deny,allow
                Deny from all
                <Files git-http-backend-verify>
                        Options ExecCGI
                        Allow from all
                </Files>
                Satisfy all
        </Directory>

        # By default non-smart HTTP fetch access will be allowed, however
        # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
        # non-smart HTTP requests can be denied directly by the web server

        <IfDefine !SmartHTTPOnly>
        # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
        # But not for projects starting with '_' to which access should never be allowed
        AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$               @@reporoot@@/$1
        AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$      @@reporoot@@/$1

        # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
        # But not for projects starting with '_' to which access should never be allowed
        <IfModule rewrite_module>
                        RewriteEngine On
                        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
                        RewriteRule "(?x) ^/((?!r/)[^_].*/objects/(?: \
                                (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
                                (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
                                @@reporoot@@/$1 [L]
        </IfModule>
        </IfDefine>

        <IfDefine SmartHTTPOnly>
        # Disable non-smart HTTP access
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} !^POST$
        RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
        RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteCond %{REQUEST_METHOD} !^POST$
        RewriteRule ^/(?!r/).*(?<!/info/refs)$ - [F]
        RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
        RewriteRule ^/r/.*/info/refs$ - [F]
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
        RewriteRule ^/(?!r/).*/info/refs$ - [F]
        </IfDefine>

        # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
        # git-http-backend-verify denies all access to projects starting with '_'
        ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/

        # This allows HTTP access for Git user agents without the /r/ prefix
        <IfModule rewrite_module>
                        RewriteEngine On
                        RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
                        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
                        RewriteRule ^/(?!r/)(.*)$ \
                                @@basedir@@/bin/git-http-backend-verify/$1 \
                                [L,H=cgi-script]
        </IfModule>

# ---- END LINES TO DUPLICATE ----

</VirtualHost>


# This comments out the following so this file can be used as-is
# for an http-only configuration.  Remove or change the sense of
# the test (by inserting a !) to activate the https virtual host.
<IfDefine EnableGiroccoHttpsVirtualHost>


# This is an example configuration of an https virtualhost running Girocco, as set
# up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
# It is not essential for Girocco to use a special virtualhost, however.
# The Config.pm $httpspushurl variable needs to be defined to properly enable
# https pushing.
<VirtualHost *:443>

        # These certificate files will all be automatically generated, but the
        # paths here may need to be corrected to match the paths
        # (especially $certsdir) from Config.pm

        SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
        SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
        SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
        # when using a paid www server cert, only the above three lines should
        # be changed.  Changing any of the below two lines (other than updating
        # the paths to match $certsdir) will likely break https client auth
        SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
        SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem

        SSLVerifyDepth 3
        SSLOptions +FakeBasicAuth +StrictRequire
        SSLEngine on

        # This configuration allows fetching over https without a certificate
        # while always requiring a certificate for pushing over https
        RewriteEngine On
        SSLVerifyClient optional
        RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
        RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
        RewriteRule ^/(?!r/).*/info/refs$ - [env=client_auth_required:1]
        RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteRule ^/(?!r/).*/git-receive-pack$ - [env=client_auth_required:1]
        RewriteCond %{ENV:client_auth_required} 1
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule .* %{REQUEST_URI} [R=401]
        <Location />
                SSLRequireSSL
                Order deny,allow
                Deny from env=client_auth_required
                SSLOptions +FakeBasicAuth
                AuthName "Git Client Authentication"
                AuthType Basic
                AuthBasicProvider anon
                Anonymous *
                Require valid-user
                Satisfy any
        </Location>
        ErrorDocument 401 /authrequired.cgi

        # *** IMPORTANT ***
        #
        # ALL the entire contents from the <VirtualHost *:80> section at
        # the top of this file must be copied here.
        #
        # To avoid this duplication, the contents of the <VirtualHost *:80>
        # section above can be moved to a separate file and then included
        # both here and in the <VirtualHost *:80> section using an Include
        # directive.  Be careful not to place the new include file in one of the
        # directories the standard apache configuration blindly includes all
        # files from.

# ---- BEGIN DUPLICATE LINES ----

# ---- END DUPLICATE LINES ----

</VirtualHost>


# End commenting
</IfDefine>