| blob | 58cf1dc77c43c5bbba50cd6032cbe05966dca649 |
1 ## To convert this file to apache.conf using the current Girocco::Config
2 ## values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
8 <IfModule rewrite_module>
9 RewriteEngine on
10 RewriteCond %{SERVER_NAME} !=@@httpdnsname@@
11 RewriteRule ^ http://@@httpdnsname@@%{REQUEST_URI} [L,NE,R=301]
12 <IfDefine @@TLSHost@@>
13 RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
14 RewriteCond %{SERVER_NAME} =@@httpdnsname@@
15 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=301]
16 </IfDefine>
17 </IfModule>
19 Alias /.well-known/acme-challenge/ @@certsdir@@/acme/.well-known/acme-challenge/
20 <Directory "@@certsdir@@/acme/.well-known/acme-challenge/">
21 Options None
22 AllowOverride None
23 ForceType text/plain
24 <IfVersion < 2.3>
25 Order allow,deny
26 Allow from all
27 Satisfy all
28 </IfVersion>
29 <IfVersion >= 2.3>
30 Require all granted
31 </IfVersion>
32 </Directory>
34 # ---- BEGIN LINES TO DUPLICATE ----
36 ServerName @@httpdnsname@@
37 ServerAlias www.@@httpdnsname@@
38 ServerAdmin @@admin@@
40 # This is the standard "combined" log format modified as follows:
41 # the REMOTE_USER (%u) has double-quotes around it
42 # the received time is shown as [YYYY-mm-dd_HH:MM:SS +hhmm] (almost RFC 3339 format)
43 # -- this is one character shorter than the default but sorts so much better
44 # when the logio_module is present (almost always) the %O value is prefixed with:
45 # %I-> -- <bytes-received-including-request-and-headers>
46 # the first line of the request ("%r") is prefixed with
47 # %X%k: -- <connection-status><keepalive-request-num>
48 # <keepalive-request-num> will be omitted if apache < 2.2.11
49 # these fields are added to the end:
50 # :%{local}p -- :<actual-server-port>
51 # %Dus -- <request-time-in-microseconds>
52 # "%o{Content-Range}" -- <outgoing Content-Range header>
53 <IfVersion >= 2.2.11>
54 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X%k:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
55 </IfVersion>
56 <IfVersion !>= 2.2.11>
57 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
58 </IfVersion>
59 <IfModule logio_module>
60 # %I and %O are only available with the logio_module
61 <IfVersion >= 2.2.11>
62 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X%k:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
63 </IfVersion>
64 <IfVersion !>= 2.2.11>
65 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
66 </IfVersion>
67 </IfModule>
69 # If your distribution does not set APACHE_LOG_DIR before
70 # starting Apache you will need to edit the next two directives
71 ErrorLog "/var/log/apache2/repo-error.log"
72 CustomLog "/var/log/apache2/repo-access.log" girocco
74 <IfModule mime_magic_module>
75 # Avoid spurious Content-Type values when git-http-backend
76 # fails to provide a Content-Type header in its output
77 MimeMagicFile /dev/null
78 </IfModule>
80 DocumentRoot @@webroot@@
81 <Directory @@webroot@@>
82 # Add MultiViews only if pages are truly
83 # offered in more than a single language
84 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
85 Options FollowSymLinks
86 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
87 AllowOverride All
88 <IfVersion < 2.3>
89 Order allow,deny
90 Allow from all
91 Satisfy all
92 </IfVersion>
93 <IfVersion >= 2.3>
94 Require all granted
95 </IfVersion>
96 DirectoryIndex w
97 </Directory>
99 # The non-mod_rewrite items are handled first where the magic /[bchrw]
100 # prefix always forces selection of the prefix-indicated cgi handler.
102 ScriptAlias /w @@cgiroot@@/gitweb.cgi
103 ScriptAlias /b @@cgiroot@@/bundles.cgi
104 AliasMatch ^/h/(.*\.html)$ @@cgiroot@@/html/$1
105 ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
107 # Any requests without the magic /[bchrw] are treated as Git requests if they
108 # are one of the few possible Git URLs otherwise they go to bundles or gitweb
110 # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
111 # change whether or not non-smart HTTP fetch access will be allowed.
113 <IfDefine !@@SmartHTTPOnly@@>
114 # This accelerates non-smart HTTP access to loose objects, packs and info
115 AliasMatch \
116 "(?x)^/(?![bchw]/)(?:r/)? \
117 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
118 HEAD | \
119 objects/info/alternates | \
120 objects/info/http-alternates | \
121 objects/info/packs | \
122 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
123 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
124 @@reporoot@@/$1.git/$2
125 </IfDefine>
127 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
128 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
130 ScriptAliasMatch \
131 "(?x)^/(?![bchrw]/) \
132 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
133 info/refs | \
134 git-upload-pack | \
135 git-receive-pack | \
136 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
137 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
139 # Everything else off to bundles.cgi or gitweb.cgi
140 ScriptAliasMatch \
141 "(?x)^/(?![bchrw]/) \
142 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
143 @@cgiroot@@/bundles.cgi/$1
144 ScriptAliasMatch \
145 "(?x)^/(?![bchrw]/) \
146 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
147 @@cgiroot@@/gitweb.cgi/$1
149 # mod_rewrite is not strictly required for gitweb and fetch access, but
150 # if it's not available the trailing ".git" is never optional for
151 # gitweb, the leading /h is always required for *.html, snapshots are
152 # not throttled, some bogus Git http protocol requests will not be
153 # detected early and, if non-smart HTTP is allowed, access to the
154 # /info/refs file will not be accelerated in non-smart HTTP mode.
156 <IfModule rewrite_module>
157 RewriteEngine On
159 # Snapshot/blob_plain requests are only allowed via the PATH_INFO mechanism
160 RewriteCond %{QUERY_STRING} (^|[&;])a=(?:snapshot|blob_plain)([&;]|$) [NC]
161 RewriteRule .? - [NS,F,L]
163 # Redirect snapshot requests to snapshot.cgi
164 RewriteRule \
165 "(?x)^/(?![bchr]/)(?:w/)? \
166 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
167 snapshot(?:/.*)?)$" \
168 @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
170 # Detect blob_plain requests with is_blob_plain
171 RewriteRule \
172 "(?x)^/(?![bchr]/)(?:w/)? \
173 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git)/ \
174 blob_plain(?:/.*)?$" \
175 - [E=is_blob_plain:$1]
177 # Reject blob_plain requests if .no_blob_plain file exists and is not zero bytes
178 RewriteCond "%{ENV:is_blob_plain}" !=""
179 RewriteCond "@@reporoot@@/%{ENV:is_blob_plain}/.no_blob_plain" -s
180 RewriteRule ^ - [NS,F]
182 # Reject blob_plain requests if .no_blob_plain file exists AND mismatched Referer
183 # We require the referer host and port and git project to match the current request
184 RewriteCond "%{ENV:is_blob_plain}" !=""
185 RewriteCond "@@reporoot@@/%{ENV:is_blob_plain}/.no_blob_plain" -f
186 RewriteRule ^ - [C,E=is_blob_ref:1]
187 RewriteRule ^ - [C,E=ref_host:]
188 RewriteRule ^ - [E=ref_path:]
189 RewriteCond "%{ENV:is_blob_ref}" =1
190 RewriteCond "%{HTTP_REFERER}" "^https?://(?:[^@/]*@)?([^@:/?#]+(?::[0-9]+)?)"
191 RewriteRule ^ - [E=ref_host:%1]
192 RewriteCond "%{ENV:is_blob_ref}" =1
193 RewriteCond "%{HTTP_REFERER}" "^https?://(?:[^@/]*@)?[^@:/?#]+(?::[0-9]*)?(?:/w)?(.*)$"
194 RewriteRule ^ - [E=ref_path:%1]
195 RewriteCond "%{ENV:is_blob_ref}" =1
196 RewriteCond "@%{HTTP_HOST}=%{ENV:ref_host}@" "!^@([^=]*)=\1@$" [NC,OR]
197 RewriteCond "@/%{ENV:is_blob_plain}=%{ENV:ref_path}" "!^@([^=]*)=\1(?:[/?#]|$)"
198 RewriteRule ^ - [NS,F]
200 # Make the leading /h optional for requests that name an existing .html template
201 RewriteCond @@webroot@@/$1 !-f
202 RewriteCond @@cgiroot@@/$1 !-f
203 RewriteCond @@cgiroot@@/html/$1 -s
204 RewriteRule \
205 ^/(?![bchrw]/)(.*\.html)$ \
206 /h/$1 [NS,PT]
208 # Redirect bare gitweb requests without .git that name an existing repo...
209 RewriteCond @@webroot@@/$2 !-f
210 RewriteCond @@cgiroot@@/$2 !-f
211 RewriteCond @@reporoot@@/$2.git/HEAD -s
212 RewriteRule \
213 "(?x)^/(?![bchr]/)((?:w/)?) \
214 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
215 /$1$2.git [NS,L,R=301]
217 # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
218 # 9 are only valid with GET/HEAD and the other two are only valid with POST
219 # Furthermore, 7 are only valid when non-smart is allowed and
220 # 1 is only valid when smart-only is enabled if it has the correct query string.
222 # These two always require POST
223 RewriteCond %{REQUEST_METHOD} !=POST
224 RewriteRule \
225 "(?x)^/(?![bchw]/)(?:r/)? \
226 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
227 git-upload-pack | \
228 git-receive-pack )$" \
229 - [NS,F]
231 <IfDefine @@SmartHTTPOnly@@>
232 # These 7 are always forbidden when non-smart HTTP is disabled
233 RewriteRule \
234 "(?x)^/(?![bchw]/)(?:r/)? \
235 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
236 HEAD | \
237 objects/info/alternates | \
238 objects/info/http-alternates | \
239 objects/info/packs | \
240 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
241 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
242 - [NS,F]
243 # This one is forbidden without the magic query string when non-smart is disabled
244 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
245 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
246 RewriteRule \
247 "(?x)^/(?![bchw]/)(?:r/)? \
248 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
249 info/refs $" \
250 - [NS,F]
251 # This one requires GET (or HEAD)
252 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
253 RewriteRule \
254 "(?x)^/(?![bchw]/)(?:r/)? \
255 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
256 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
257 - [NS,F]
258 </IfDefine>
260 <IfDefine !@@SmartHTTPOnly@@>
261 # These 9 require GET (or HEAD)
262 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
263 RewriteRule \
264 "(?x)^/(?![bchw]/)(?:r/)? \
265 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
266 HEAD | \
267 info/refs | \
268 objects/info/alternates | \
269 objects/info/http-alternates | \
270 objects/info/packs | \
271 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
272 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
273 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
274 - [NS,F]
275 # This one can be accelerated when accessed with non-smart HTTP
276 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
277 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
278 RewriteRule \
279 "(?x)^/(?![bchw]/)(?:r/)? \
280 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
281 info/refs $" \
282 @@reporoot@@/$1.git/info/refs [NS,L]
283 </IfDefine>
284 </IfModule>
286 <Directory @@reporoot@@>
287 Options FollowSymLinks
288 AllowOverride None
289 <IfVersion < 2.3>
290 Order allow,deny
291 Allow from all
292 Satisfy all
293 </IfVersion>
294 <IfVersion >= 2.3>
295 Require all granted
296 </IfVersion>
298 <IfModule rewrite_module>
299 # Everything fetched over the non-smart git http
300 # protocol should be an existing file. If the request
301 # is not for an existing file, just send back an error
302 # message without emitting anything into the error log.
303 RewriteEngine On
304 RewriteBase /
305 RewriteCond @@reporoot@@/$1 !-f
306 RewriteRule ^(.*)$ - [NS,R=404,L]
307 </IfModule>
308 </Directory>
310 <Directory @@cgiroot@@>
311 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
312 Options SymLinksIfOwnerMatch
313 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
314 AllowOverride FileInfo
315 <IfVersion < 2.3>
316 Order deny,allow
317 Deny from all
318 Satisfy all
319 </IfVersion>
320 <IfVersion >= 2.3>
321 Require all denied
322 </IfVersion>
323 <Files gitweb.cgi>
324 Options +ExecCGI
325 <IfVersion < 2.3>
326 Order deny,allow
327 Allow from all
328 Satisfy all
329 </IfVersion>
330 <IfVersion >= 2.3>
331 Require all granted
332 </IfVersion>
333 <IfModule !mod_fastcgi.c>
334 <IfModule !mod_fcgid.c>
335 SetHandler cgi-script
336 </IfModule>
337 </IfModule>
339 # Note that in testing mod_fastcgi (in dynamic mode)
340 # was found to be slightly faster than mod_fcgid.
341 #
342 # However, we prefer mod_fcgid if both are available
343 # because we cannot control the server-global settings
344 # of mod_fastcgi's "FastCgiConfig" options.
345 #
346 # In order for gitweb.cgi to run reasonably well as a
347 # mod_fastcgi dynamic FastCGI application, the
348 # "FastCgiConfig" option "-idle-timeout" value needs to
349 # be increased from the default value of "30" to at
350 # least "120", preferably more like "300". But that
351 # will affect ALL dynamic mod_fastcgi applications on
352 # the ENTIRE server, not just gitweb.cgi. Additionally
353 # the "FastCgiConfig" "-restart" option probably ought
354 # to be set as well. Also, unfortunately, there is no
355 # mod_fastcgi option corresponding to mod_fcgid's
356 # MaxRequestsPerProcess option and gitweb.cgi running
357 # in FastCGI mode (without using FCGI::ProcManager) will
358 # always exit after serving 100 requests (a good thing).
359 #
360 # The alternative is to make gitweb.cgi a static
361 # mod_fastcgi application (the "FastCgiServer"
362 # directive), but then the number of running instances
363 # will be fixed at whatever value is chosen for the
364 # "-processes" option rather than being dynamically
365 # adjusted based on load and that's probably undesirable
366 # in most cases unless you run gitweb.cgi under a
367 # front-end that dynamically forks multiple copies of
368 # gitweb.cgi based on the current load. See the CPAN
369 # FCGI::ProcManager::Dynamic module for an example of
370 # how to do this in Perl:
371 #
372 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
373 #
374 # So instead we prefer mod_fcgid because we can adjust
375 # the necessary options for good gitweb.cgi behavior
376 # while affecting only gitweb.cgi and having it remain
377 # a dynamic application whose total number of running
378 # instances is adjusted based on current server load.
380 <IfModule mod_fcgid.c>
381 SetHandler fcgid-script
382 </IfModule>
383 <IfModule !mod_fcgid.c>
384 <IfModule mod_fastcgi.c>
385 SetHandler fastcgi-script
386 </IfModule>
387 </IfModule>
388 </Files>
389 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
390 Options +ExecCGI
391 SetHandler cgi-script
392 <IfVersion < 2.3>
393 Order deny,allow
394 Allow from all
395 Satisfy all
396 </IfVersion>
397 <IfVersion >= 2.3>
398 Require all granted
399 </IfVersion>
400 </FilesMatch>
401 </Directory>
402 <Directory @@cgiroot@@/html>
403 <IfVersion < 2.3>
404 Order deny,allow
405 Allow from all
406 Satisfy all
407 </IfVersion>
408 <IfVersion >= 2.3>
409 Require all granted
410 </IfVersion>
411 <Files *.html>
412 ForceType "text/html; charset=utf-8"
413 </Files>
414 </Directory>
416 <IfModule mod_fcgid.c>
417 # mod_fcgid benefits from some additional config for gitweb.cgi
418 # gitweb.cgi has a hard-coded maximum of 100 requests
419 # and we do not want to give up too soon in case Git is lagging.
420 # Note that adding a 'MaxProcesses ...' option here may be valuable
421 # to limit the maximum number of gitweb.cgi processes that can be
422 # spawned (default is 100) -- perhaps to something much lower such
423 # as 1 or 2 times the number of CPU cores. Also note that in the
424 # unlikely event all the children finish their 100 requests at the
425 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
426 # to 10 if not set) should be set to at least 3 times the
427 # MaxProcesses value chosen to allow them all to respawn
428 # immediately. FcgidSpawnScoreUpLimit MUST be at least twice the
429 # chosen MaxProcesses value (assuming FcgidTerminationScore is
430 # still set to the default 2) in order to allow any child at all to
431 # respawn immediately in this case without a delay.
432 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
433 MaxProcesses 8 MinProcesses 5 \
434 MaxRequestsPerProcess 100 IOTimeout 300
435 </IfModule>
437 <Directory @@basedir@@/bin>
438 Options None
439 AllowOverride None
440 <IfVersion < 2.3>
441 Order deny,allow
442 Deny from all
443 Satisfy all
444 </IfVersion>
445 <IfVersion >= 2.3>
446 Require all denied
447 </IfVersion>
448 <Files git-http-backend-verify>
449 Options ExecCGI
450 SetHandler cgi-script
451 <IfVersion < 2.3>
452 Order deny,allow
453 Allow from all
454 Satisfy all
455 </IfVersion>
456 <IfVersion >= 2.3>
457 Require all granted
458 </IfVersion>
459 </Files>
460 </Directory>
462 # ---- END LINES TO DUPLICATE ----
464 </VirtualHost>
467 # Change the setting of $TLSHost in Girocco::Config.pm to change
468 # whether or not the following https virtual host is enabled.
470 <IfDefine @@TLSHost@@>
472 # This is an example configuration of an https virtualhost running Girocco, as set
473 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
474 # It is not essential for Girocco to use a special virtualhost, however.
475 # The Config.pm $httpspushurl variable needs to be defined to properly enable
476 # https pushing.
477 <VirtualHost *:443>
479 # These certificate files will all be automatically generated, but the
480 # paths here may need to be corrected to match the paths
481 # (especially $certsdir) from Config.pm
483 SSLCertificateFile @@certsdir@@/acme/girocco_www_crt.pem
484 SSLCertificateKeyFile @@certsdir@@/acme/girocco_www_key.pem
485 SSLCertificateChainFile @@certsdir@@/acme/girocco_www_chain.pem
486 # When using a www server cert signed by a pre-trusted root, only
487 # the above three lines should be changed. Changing either of the
488 # below two lines will likely break https client authentication.
489 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
490 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
492 SSLVerifyDepth 3
493 SSLOptions +FakeBasicAuth +StrictRequire
494 SSLEngine on
496 # This configuration allows fetching over https without a certificate
497 # while always requiring a certificate for pushing over https
498 RewriteEngine On
499 SSLVerifyClient optional
501 # these are left over git.or.cz links that may end up here by default
502 # as the old git.or.cz site does not have a TLS certificate.
503 # send them on to the same place that the old git.or.cz site would.
504 # anything without an exact match on the old site goes to git-scm.com.
505 RewriteCond %{SERVER_NAME} (^|\.)git.or.cz$ [NC]
506 RewriteRule ^/man/(.*) https://www.kernel.org/pub/software/scm/git/docs/$1.html [L,NE,R=301]
507 RewriteCond %{SERVER_NAME} (^|\.)git.or.cz$ [NC]
508 RewriteRule ^/gitwiki(/.*)? https://git.wiki.kernel.org/index.php$1 [L,NE,R=301]
509 RewriteCond %{SERVER_NAME} (^|\.)git.or.cz$ [NC]
510 RewriteRule ^ https://git-scm.com/ [L,NE,R=301]
512 RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
513 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
514 RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
515 RewriteCond %{REQUEST_METHOD} =POST [NC]
516 RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
517 RewriteCond %{ENV:client_auth_required} 1
518 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
519 RewriteRule .? %{REQUEST_URI} [NS,R=401]
520 <Location />
521 SSLRequireSSL
522 SSLOptions +FakeBasicAuth
523 AuthName "Git Client Authentication"
524 AuthType Basic
525 AuthBasicProvider anon
526 Anonymous *
527 <IfVersion < 2.3>
528 Order deny,allow
529 Deny from env=client_auth_required
530 Satisfy any
531 Require valid-user
532 </IfVersion>
533 <IfVersion >= 2.3>
534 <RequireAny>
535 <RequireAll>
536 Require all granted
537 Require not env client_auth_required
538 </RequireAll>
539 Require valid-user
540 </RequireAny>
541 </IfVersion>
542 </Location>
543 ErrorDocument 401 /authrequired.cgi
545 # ---- BEGIN DUPLICATE LINES ----
546 ##
547 ## *** IMPORTANT ***
548 ##
549 ## ALL the entire contents from the <VirtualHost *:80> section at the top of
550 ## this file must be copied here.
551 ##
552 ## To avoid this duplication, the contents of the <VirtualHost *:80> section
553 ## above can be moved to a separate file and then included both here and in
554 ## the <VirtualHost *:80> section using an Include directive. Be careful not
555 ## to place the new include file in one of the directories the standard apache
556 ## configuration blindly includes all files from.
557 ##
558 # ---- END DUPLICATE LINES ----
560 </VirtualHost>
562 </IfDefine>