git-http-backend-verify: require SSL_CLIENT_VERIFY to be SUCCESS if set
1 ##  To convert this file to apache.conf using the current Girocco::Config
2 ##  values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11         ServerName @@httpdnsname@@
12         ServerAlias www.@@httpdnsname@@
13         ServerAdmin @@admin@@
15         # This is the standard "combined" log format with :actual-server-port added to the end
16         LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
17         <IfModule logio_module>
18                 # %I and %O are only available with the logio_module
19                 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
20         </IfModule>
22         ErrorLog /var/log/apache2/repo-error.log
23         CustomLog /var/log/apache2/repo-access.log girocco
25         <IfModule mime_magic_module>
26                 # Avoid spurious Content-Type values when git-http-backend
27                 # fails to provide a Content-Type header in its output
28                 MimeMagicFile /dev/null
29         </IfModule>
31         DocumentRoot @@webroot@@
32         <Directory @@webroot@@>
33                 # Add MultiViews only if pages are truly
34                 # offered in more than a single language
35                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
36                 Options FollowSymLinks
37                 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
38                 AllowOverride All
39                 Order allow,deny
40                 Allow from all
41                 DirectoryIndex w
42                 Satisfy all
43         </Directory>
45         # The non-mod_rewrite items are handled first where the magic /[bchrw]
46         # prefix always forces selection of the prefix-indicated cgi handler.
48         ScriptAlias /w @@cgiroot@@/gitweb.cgi
49         ScriptAlias /b @@cgiroot@@/bundles.cgi
50         ScriptAlias /h @@cgiroot@@/html.cgi
51         ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
53         # Any requests without the magic /[bchrw] are treated as Git requests if they
54         # are one of the few possible Git URLs; otherwise they go to bundles or gitweb
56         # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
57         # change whether or not non-smart HTTP fetch access will be allowed.
59         <IfDefine !@@SmartHTTPOnly@@>
60         # This accelerates non-smart HTTP access to loose objects, packs and info
61         AliasMatch \
62                 "(?x)^/(?![bchw]/)(?:r/)? \
63                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
64                         HEAD | \
65                         objects/info/alternates | \
66                         objects/info/http-alternates | \
67                         objects/info/packs | \
68                         objects/[0-9a-f]{2}/[0-9a-f]{38} | \
69                         objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
70                 @@reporoot@@/$1.git/$2
71         </IfDefine>
73         # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
74         ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
76         ScriptAliasMatch \
77                 "(?x)^/(?![bchrw]/) \
78                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
79                         info/refs | \
80                         git-upload-pack | \
81                         git-receive-pack | \
82                         [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
83                 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
85         # Everything else off to bundles.cgi or gitweb.cgi
86         ScriptAliasMatch \
87                 "(?x)^/(?![bchrw]/) \
88                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
89                 @@cgiroot@@/bundles.cgi/$1
90         ScriptAliasMatch \
91                 "(?x)^/(?![bchrw]/) \
92                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
93                 @@cgiroot@@/gitweb.cgi/$1
95         # mod_rewrite is not strictly required for gitweb and fetch access, but
96         # if it is not available: the trailing ".git" is never optional for
97         # gitweb, the leading /h is always required for *.html, snapshots are
98         # not throttled, some bogus Git http protocol requests will not be
99         # detected early and, if non-smart HTTP is allowed, access to the
100         # /info/refs file will not be accelerated in non-smart HTTP mode.
102         <IfModule rewrite_module>
103                 RewriteEngine On
105                 # Snapshot requests are only allowed via the PATH_INFO mechanism
106                 RewriteCond %{QUERY_STRING}     (^|[&;])a=snapshot([&;]|$) [NC]
107                 RewriteRule .? - [NS,F,L]
109                 # Redirect snapshot requests to snapshot.cgi
110                 RewriteRule \
111                         "(?x)^/(?![bchr]/)(?:w/)? \
112                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
113                                 snapshot(?:/.*)?)$" \
114                         @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
116                 # Make the leading /h optional for requests that name an existing .html template
117                 RewriteCond @@webroot@@/$1 !-f
118                 RewriteCond @@cgiroot@@/$1 !-f
119                 RewriteCond @@basedir@@/html/$1 -s
120                 RewriteRule \
121                         ^/(?![bchrw]/)(.*\.html)$ \
122                         /h/$1 [NS,PT]
124                 # Redirect bare gitweb requests without .git that name an existing repo...
125                 RewriteCond @@webroot@@/$2 !-f
126                 RewriteCond @@cgiroot@@/$2 !-f
127                 RewriteCond @@reporoot@@/$2.git/HEAD -s
128                 RewriteRule \
129                         "(?x)^/(?![bchr]/)((?:w/)?) \
130                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
131                         /$1$2.git [NS,L,R=301]
133                 # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
134                 # 9 are only valid with GET/HEAD and the other two are only valid with POST.
135                 # Furthermore, 7 are only valid when non-smart is allowed, and
136                 # 1 is only valid, when smart-only is enabled, if it has the correct query string.
138                 # These two always require POST
139                 RewriteCond %{REQUEST_METHOD} !=POST
140                 RewriteRule \
141                         "(?x)^/(?![bchw]/)(?:r/)? \
142                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
143                                 git-upload-pack | \
144                                 git-receive-pack )$" \
145                         - [NS,F]
147                 <IfDefine @@SmartHTTPOnly@@>
148                 # These 7 are always forbidden when non-smart HTTP is disabled
149                 RewriteRule \
150                         "(?x)^/(?![bchw]/)(?:r/)? \
151                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
152                                 HEAD | \
153                                 objects/info/alternates | \
154                                 objects/info/http-alternates | \
155                                 objects/info/packs | \
156                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
157                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
158                         - [NS,F]
159                 # This one is forbidden without the magic query string when non-smart is disabled
160                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
161                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
162                 RewriteRule \
163                         "(?x)^/(?![bchw]/)(?:r/)? \
164                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
165                                 info/refs $" \
166                         - [NS,F]
167                 # This one requires GET (or HEAD)
168                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
169                 RewriteRule \
170                         "(?x)^/(?![bchw]/)(?:r/)? \
171                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
172                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
173                         - [NS,F]
174                 </IfDefine>
176                 <IfDefine !@@SmartHTTPOnly@@>
177                 # These 9 require GET (or HEAD)
178                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
179                 RewriteRule \
180                         "(?x)^/(?![bchw]/)(?:r/)? \
181                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
182                                 HEAD | \
183                                 info/refs | \
184                                 objects/info/alternates | \
185                                 objects/info/http-alternates | \
186                                 objects/info/packs | \
187                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
188                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
189                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
190                         - [NS,F]
191                 # This one can be accelerated when accessed with non-smart HTTP
192                 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
193                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
194                 RewriteRule \
195                         "(?x)^/(?![bchw]/)(?:r/)? \
196                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
197                                 info/refs $" \
198                         @@reporoot@@/$1.git/info/refs [NS,L]
199                 </IfDefine>
200         </IfModule>
202         <Directory @@reporoot@@>
203                 Options FollowSymLinks
204                 AllowOverride None
205                 Order allow,deny
206                 Allow from all
207                 Satisfy all
209                 <IfModule rewrite_module>
210                         # Everything fetched over the non-smart git http
211                         # protocol should be an existing file.  If the request
212                         # is not for an existing file, just send back an error
213                         # message without emitting anything into the error log.
214                         RewriteEngine On
215                         RewriteBase /
216                         RewriteCond @@reporoot@@/$1 !-f
217                         RewriteRule ^(.*)$ - [NS,R=404,L]
218                 </IfModule>
219         </Directory>
221         <Directory @@cgiroot@@>
222                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
223                 Options SymLinksIfOwnerMatch
224                 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
225                 AllowOverride FileInfo
226                 Order deny,allow
227                 Deny from all
228                 <Files gitweb.cgi>
229                         Options +ExecCGI
230                         Allow from all
231                         <IfModule !mod_fastcgi.c>
232                         <IfModule !mod_fcgid.c>
233                                 SetHandler cgi-script
234                         </IfModule>
235                         </IfModule>
237                         # Note that in testing mod_fastcgi (in dynamic mode)
238                         # was found to be slightly faster than mod_fcgid.
239                         #
240                         # However, we prefer mod_fcgid if both are available
241                         # because we cannot control the server-global settings
242                         # of mod_fastcgi's "FastCgiConfig" options.
243                         #
244                         # In order for gitweb.cgi to run reasonably well as a
245                         # mod_fastcgi dynamic FastCGI application, the
246                         # "FastCgiConfig" option "-idle-timeout" value needs to
247                         # be increased from the default value of "30" to at
248                         # least "120", preferably more like "300".  But that
249                         # will affect ALL dynamic mod_fastcgi applications on
250                         # the ENTIRE server, not just gitweb.cgi.  Additionally
251                         # the "FastCgiConfig" "-restart" option probably ought
252                         # to be set as well.  Also, unfortunately, there is no
253                         # mod_fastcgi option corresponding to mod_fcgid's
254                         # MaxRequestsPerProcess option and gitweb.cgi running
255                         # in FastCGI mode (without using FCGI::ProcManager) will
256                         # always exit after serving 100 requests (a good thing).
257                         #
258                         # The alternative is to make gitweb.cgi a static
259                         # mod_fastcgi application (the "FastCgiServer"
260                         # directive), but then the number of running instances
261                         # will be fixed at whatever value is chosen for the
262                         # "-processes" option rather than being dynamically
263                         # adjusted based on load and that's probably undesirable
264                         # in most cases unless you run gitweb.cgi under a
265                         # front-end that dynamically forks multiple copies of
266                         # gitweb.cgi based on the current load.  See the CPAN
267                         # FCGI::ProcManager::Dynamic module for an example of
268                         # how to do this in Perl:
269                         #
270                         #   http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
271                         #
272                         # So instead we prefer mod_fcgid because we can adjust
273                         # the necessary options for good gitweb.cgi behavior
274                         # while affecting only gitweb.cgi and having it remain
275                         # a dynamic application whose total number of running
276                         # instances is adjusted based on current server load.
278                         <IfModule mod_fcgid.c>
279                                 SetHandler fcgid-script
280                         </IfModule>
281                         <IfModule !mod_fcgid.c>
282                         <IfModule mod_fastcgi.c>
283                                 SetHandler fastcgi-script
284                         </IfModule>
285                         </IfModule>
286                 </Files>
287                 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
288                         Options +ExecCGI
289                         SetHandler cgi-script
290                         Allow from all
291                 </FilesMatch>
292                 Satisfy all
293         </Directory>
295         <IfModule mod_fcgid.c>
296                 # mod_fcgid benefits from some additional config for gitweb.cgi:
297                 # gitweb.cgi has a hard-coded maximum of 100 requests,
298                 # and we do not want to give up too soon in case Git is lagging.
299                 # Note that adding a 'MaxProcesses ...' option here may be valuable
300                 # to limit the maximum number of gitweb.cgi processes that can be
301                 # spawned (default is 100) -- perhaps to something much lower such
302                 # as 1 or 2 times the number of CPU cores.  Also note that in the
303                 # unlikely event all the children finish their 100 requests at the
304                 # same time, the server's FcgidSpawnScoreUpLimit should be set
305                 # to at least 3 times the MaxProcesses value chosen to allow them
306                 # all to respawn immediately.  It MUST be at least twice the chosen
307                 # MaxProcesses value (assuming FcgidTerminationScore is still the
308                 # default 2) in order to allow any child to respawn at all without
309                 # a delay.
310                 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
311                 MaxRequestsPerProcess 100 IOTimeout 300
312         </IfModule>
314         <Directory @@basedir@@/bin>
315                 Options None
316                 AllowOverride None
317                 Order deny,allow
318                 Deny from all
319                 <Files git-http-backend-verify>
320                         Options ExecCGI
321                         SetHandler cgi-script
322                         Allow from all
323                 </Files>
324                 Satisfy all
325         </Directory>
327 # ---- END LINES TO DUPLICATE ----
329 </VirtualHost>
332 # Change the setting of $TLSHost in Girocco::Config.pm to change
333 # whether or not the following https virtual host is enabled.
335 <IfDefine @@TLSHost@@>
337 # This is an example configuration of an https virtualhost running Girocco, as set
338 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
339 # It is not essential for Girocco to use a special virtualhost, however.
340 # The Config.pm $httpspushurl variable needs to be defined to properly enable
341 # https pushing.
342 <VirtualHost *:443>
344         # These certificate files will all be automatically generated, but the
345         # paths here may need to be corrected to match the paths
346         # (especially $certsdir) from Config.pm
348         SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
349         SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
350         SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
351         # When using a paid www server cert, only the above three lines should
352         # be changed.  Changing either of the two lines below (other than updating
353         # the paths to match $certsdir) will likely break https client auth.
354         SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
355         SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
357         SSLVerifyDepth 3
358         SSLOptions +FakeBasicAuth +StrictRequire
359         SSLEngine on
361         # This configuration allows fetching over https without a certificate
362         # while always requiring a certificate for pushing over https: the
        # rewrite rules below mark push requests (git-receive-pack) with the
        # client_auth_required environment variable, and any such request whose
        # client certificate did not verify (SSL_CLIENT_VERIFY is not SUCCESS)
        # is answered with a 401 instead of reaching the backend.
363         RewriteEngine On
364         SSLVerifyClient optional
365         RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
366         RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
367         RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
368         RewriteCond %{REQUEST_METHOD} =POST [NC]
369         RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
370         RewriteCond %{ENV:client_auth_required} 1
371         RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
372         RewriteRule .? %{REQUEST_URI} [NS,R=401]
373         <Location />
374                 SSLRequireSSL
375                 Order deny,allow
376                 Deny from env=client_auth_required
377                 SSLOptions +FakeBasicAuth
378                 AuthName "Git Client Authentication"
379                 AuthType Basic
380                 AuthBasicProvider anon
381                 Anonymous *
382                 Require valid-user
383                 Satisfy any
384         </Location>
385         ErrorDocument 401 /authrequired.cgi
387 # ---- BEGIN DUPLICATE LINES ----
389 ##  *** IMPORTANT ***
391 ##  The ENTIRE contents of the <VirtualHost *:80> section at the top of
392 ##  this file must be copied here.
394 ##  To avoid this duplication, the contents of the <VirtualHost *:80> section
395 ##  above can be moved to a separate file and then included both here and in
396 ##  the <VirtualHost *:80> section using an Include directive.  Be careful not
397 ##  to place the new include file in one of the directories the standard apache
398 ##  configuration blindly includes all files from.
400 # ---- END DUPLICATE LINES ----
402 </VirtualHost>
404 </IfDefine>