1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
9 # ---- BEGIN LINES TO DUPLICATE ----
# The @@name@@ tokens used throughout this template are placeholders; per the
# header they are filled in from Girocco::Config when apache.conf is generated.
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
# Assumes the usual "combined" LogFormat nickname is defined by the main server
# config. Keeping the User-Agent in the access log is useful here because
# several rewrite rules in this file branch on that header.
15 ErrorLog /var/log/apache2/repo-error.log
16 CustomLog /var/log/apache2/repo-access.log combined
18 <IfModule mime_magic_module>
19 # Avoid spurious Content-Type values when git-http-backend
20 # fails to provide a Content-Type header in its output
# /dev/null is an empty rule file, so mod_mime_magic has no content-sniffing
# rules to apply and cannot guess a type from the response body.
21 MimeMagicFile /dev/null
24 DocumentRoot @@webroot@@
25 <Directory @@webroot@@>
26 # Add MultiViews only if pages are truly
27 # offered in more than a single language
# Written without a +/- prefix, so the option list for this directory is
# exactly FollowSymLinks rather than an addition to inherited options.
# NOTE(review): FollowSymLinks lets the server follow any symlink found under
# the web root, so that tree should be writable by trusted accounts only.
28 Options FollowSymLinks
# Short URL prefixes for the three main CGI programs.
36 ScriptAlias /w @@cgiroot@@/gitweb.cgi
37 ScriptAlias /b @@cgiroot@@/bundles.cgi
38 ScriptAlias /h @@cgiroot@@/html.cgi
# Any other top-level *.cgi URL is mapped to the file of the same name in the
# CGI directory, with optional trailing path info. The negative lookahead
# leaves out the gitweb.cgi, bundles.cgi and html.cgi names, and [^/]+ keeps
# the script name to a single path segment.
39 AliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
41 <IfModule rewrite_module>
# Conventions shared by the rules in this section:
#  - "RewriteCond <path>/HEAD -f" passes only when that HEAD file exists under
#    the repository root, i.e. the captured name refers to a repository on disk.
#  - Repository path segments are limited to the characters [a-zA-Z0-9+._-].
#  - (?![bchrw]/) keeps the one-letter URL prefixes /b/, /c/, /h/, /r/ and /w/
#    out of the prefix-less shortcuts.
#  - "%{HTTP_USER_AGENT} !git/ [NC]" skips clients whose User-Agent contains
#    "git/". The header is supplied by the client, so it is a routing hint and
#    not an access-control decision.
43 # Redirect bare /w requests without .git that name an existing repo...
44 RewriteCond @@reporoot@@/$1.git/HEAD -f
46 ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
49 # ...and also make the leading /w optional for those types of requests
50 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
51 RewriteCond @@reporoot@@/$1.git/HEAD -f
53 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
56 # Make the leading /w optional if the rest names an existing repo
57 # and it's not a request for a bundle or bundle listing
58 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
59 RewriteCond @@reporoot@@/$1/HEAD -f
60 # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
62 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)(?!/(?:bundles|[a-zA-Z0-9+._-]+\.bundle)$)((?:/.*)?)$ \
65 # Make the leading /b optional if the rest names an existing repo
66 # and it's a request for a bundle listing
67 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
68 RewriteCond @@reporoot@@/$1/HEAD -f
69 # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
71 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)/bundles$ \
# Settings for the repository tree itself. Files in it are reached through the
# AliasMatch rules for /r/ elsewhere in this file.
# NOTE(review): no access-control directives for this directory are visible in
# this excerpt; confirm they are present in the full file.
75 <Directory @@reporoot@@>
76 Options FollowSymLinks
82 <IfModule rewrite_module>
83 # Everything fetched over the non-smart git http
84 # protocol should be an existing file. If the request
85 # is not for an existing file, just send back an error
86 # message without emitting anything into the error log.
# "-" means no substitution; [R=404,L] answers with 404 and stops rewriting.
88 RewriteCond %{REQUEST_FILENAME} !-f
89 RewriteRule .* - [R=404,L]
93 <Directory @@cgiroot@@>
# Handler fallback: with neither mod_fastcgi nor mod_fcgid loaded, run as
# ordinary CGI.
# NOTE(review): presumably scoped to gitweb.cgi by an enclosing section that is
# not visible in this excerpt; confirm against the full file.
101 <IfModule !mod_fastcgi.c>
102 <IfModule !mod_fcgid.c>
103 SetHandler cgi-script
107 # Note that in testing mod_fastcgi (in dynamic mode)
108 # was found to be slightly faster than mod_fcgid.
110 # However, we prefer mod_fcgid if both are available
111 # because we cannot control the server-global settings
112 # of mod_fastcgi's "FastCgiConfig" options.
114 # In order for gitweb.cgi to run reasonably well as a
115 # mod_fastcgi dynamic FastCGI application, the
116 # "FastCgiConfig" option "-idle-timeout" value needs to
117 # be increased from the default value of "30" to at
118 # least "120", preferably more like "300". But that
119 # will affect ALL dynamic mod_fastcgi applications on
120 # the ENTIRE server, not just gitweb.cgi. Additionally
121 # the "FastCgiConfig" "-restart" option probably ought
122 # to be set as well. Also, unfortunately, there is no
123 # mod_fastcgi option corresponding to mod_fcgid's
124 # MaxRequestsPerProcess option and gitweb.cgi running
125 # in FastCGI mode (without using FCGI::ProcManager) will
126 # always exit after serving 100 requests (a good thing).
128 # The alternative is to make gitweb.cgi a static
129 # mod_fastcgi application (the "FastCgiServer"
130 # directive), but then the number of running instances
131 # will be fixed at whatever value is chosen for the
132 # "-processes" option rather than being dynamically
133 # adjusted based on load and that's probably undesirable
134 # in most cases unless you run gitweb.cgi under a
135 # front-end that dynamically forks multiple copies of
136 # gitweb.cgi based on the current load. See the CPAN
137 # FCGI::ProcManager::Dynamic module for an example of
138 # how to do this in Perl:
140 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
142 # So instead we prefer mod_fcgid because we can adjust
143 # the necessary options for good gitweb.cgi behavior
144 # while affecting only gitweb.cgi and having it remain
145 # a dynamic application whose total number of running
146 # instances is adjusted based on current server load.
# mod_fcgid is used whenever it is loaded.
148 <IfModule mod_fcgid.c>
149 SetHandler fcgid-script
# mod_fastcgi is used only when mod_fcgid is absent.
151 <IfModule !mod_fcgid.c>
152 <IfModule mod_fastcgi.c>
153 SetHandler fastcgi-script
# Every *.cgi file other than gitweb.cgi (name compared case-insensitively)
# runs as ordinary CGI.
157 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
159 SetHandler cgi-script
165 <IfModule mod_fcgid.c>
166 # mod_fcgid benefits from some additional config for gitweb.cgi
167 # gitweb.cgi has a hard-coded maximum of 100 requests
168 # and we do not want to give up too soon in case Git is lagging
# These options apply to the gitweb.cgi command only: recycle the process after
# 100 requests (matching gitweb.cgi's own limit) and allow 300 seconds of I/O
# wait before the request is abandoned.
169 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
170 MaxRequestsPerProcess 100 IOTimeout 300
173 <Directory @@basedir@@/bin>
# Within what is visible here, the CGI handler is set for the
# git-http-backend-verify wrapper only, not for the bin directory as a whole.
# NOTE(review): the remaining directives of this section are not visible in
# this excerpt; confirm that nothing else in bin is made executable or servable.
178 <Files git-http-backend-verify>
180 SetHandler cgi-script
186 # By default non-smart HTTP fetch access will be allowed, however
187 # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
188 # non-smart HTTP requests can be denied directly by the web server
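190 <IfDefine !SmartHTTPOnly>
191 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
192 # But not for projects starting with '_' to which access should never be allowed
# Matching requests are mapped straight onto files under the repository root
# and are served as static files rather than through git-http-backend-verify,
# so the leading [^_] is the '_' guard on this path. It tests only the first
# character after /r/; confirm that this matches how git-http-backend-verify
# decides that a project "starts with '_'".
# The hex lengths (2+38 and 40) correspond to SHA-1 object and pack names.
# The dot before pack|idx is written as [.] so that it matches a literal '.'
# only; a bare '.' would match any character.
193 AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
194 AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}[.](pack|idx))$ @@reporoot@@/$1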
196 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
197 # But not for projects starting with '_' to which access should never be allowed
198 <IfModule rewrite_module>
# (?x) is PCRE extended mode, so the whitespace inside the quoted pattern is
# ignored. The User-Agent condition only selects which requests take this
# shortcut; the header is client-supplied and is not an access check.
# NOTE(review): the '.' before (?:pack|idx) in the pattern is unescaped and so
# matches any character; [.] would restrict it to a literal dot.
# NOTE(review): [^_] tests only the first character of the path; confirm that
# this is the intended definition of a project "starting with '_'".
200 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
201 RewriteRule "(?x) ^/((?![bchrw]/)[^_].*/objects/(?: \
202 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
203 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
208 <IfDefine SmartHTTPOnly>
209 # Disable non-smart HTTP access
# Rule 1: under /r/, answer 403 ([F]) to any non-POST request that is neither
# a *.bundle download nor a .../info/refs request.
211 RewriteCond %{REQUEST_METHOD} !^POST$
212 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
213 RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
# Rule 2: the same for un-prefixed URLs requested with a "git/" User-Agent,
# leaving /authrequired.cgi reachable.
214 RewriteCond %{REQUEST_METHOD} !^POST$
215 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
216 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
217 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
218 RewriteRule ^/(?![bchrw]/).*(?<!/info/refs)$ - [F]
# Rules 3 and 4: .../info/refs is allowed only when the query string carries
# service=git-upload-pack or service=git-receive-pack (the smart-protocol form).
219 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
220 RewriteRule ^/r/.*/info/refs$ - [F]
# NOTE(review): the User-Agent conditions in rules 2 and 4 mirror the routing
# rule that sends un-prefixed URLs from "git/" clients to the backend. The
# header is client-supplied, so keep these rules in step with every rule that
# can route an un-prefixed URL to repository content.
221 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
222 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
223 RewriteRule ^/(?![bchrw]/).*/info/refs$ - [F]
226 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
227 # git-http-backend-verify denies all access to projects starting with '_'
# Requests under /r/ that reach this alias are executed through the wrapper CGI.
228 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
230 <IfModule rewrite_module>
233 # This allows HTTP access for Git user agents
234 # without the leading /r/ prefix
# Routing only: the User-Agent header is client-supplied, and the rewritten
# request still goes to git-http-backend-verify, which per the comment above is
# where access to '_' projects is denied.
235 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
236 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
237 RewriteRule ^/(?![bchrw]/)(.*)$ \
238 @@basedir@@/bin/git-http-backend-verify/$1 \
241 # ...and this for access by all agents to *.bundle
242 # files without the /r/ prefix for names ending in .git
244 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/[a-zA-Z0-9+._-]+\.bundle)$ \
245 @@basedir@@/bin/git-http-backend-verify/$1 \
248 # ...and finally this for access by all agents to
249 # *.bundle files without the /r/ prefix for names not
250 # ending in .git as long as the repository exists
# In this rule $1 already begins with '/', because the pattern captures the
# leading slash of every segment. That is why @@reporoot@@$1 and
# git-http-backend-verify$1$2 are written without a separating slash, unlike
# the rules above.
251 RewriteCond @@reporoot@@$1.git/HEAD -f
253 ^(?!/[bchrw]/)((?:/[a-zA-Z0-9+._-]+(?<!\.git))+)(/[a-zA-Z0-9+._-]+\.bundle)$ \
254 @@basedir@@/bin/git-http-backend-verify$1$2 \
258 # ---- END LINES TO DUPLICATE ----
263 # This comments out the following so this file can be used as-is
264 # for an http-only configuration. Remove or change the sense of
265 # the test (by inserting a !) to activate the https virtual host.
# The section is also active when the name is defined for the server, for
# example by starting httpd with -D EnableGiroccoHttpsVirtualHost.
266 <IfDefine EnableGiroccoHttpsVirtualHost>
269 # This is an example configuration of an https virtualhost running Girocco, as set
270 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
271 # It is not essential for Girocco to use a special virtualhost, however.
272 # The Config.pm $httpspushurl variable needs to be defined to properly enable
276 # These certificate files will all be automatically generated, but the
277 # paths here may need to be corrected to match the paths
278 # (especially $certsdir) from Config.pm
# Server certificate, its private key and the intermediate chain. The key file
# should be readable only by the account that starts httpd.
# NOTE(review): SSLCertificateChainFile is deprecated from Apache 2.4.8 on,
# where the chain can be appended to the SSLCertificateFile; confirm against
# the target server version.
280 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
281 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
282 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
283 # when using a paid www server cert, only the above three lines should
284 # be changed. Changing any of the below two lines (other than updating
285 # the paths to match $certsdir) will likely break https client auth
# SSLCACertificateFile: CA certificate(s) used to verify client certificates.
# SSLCADNRequestFile: CA names advertised to the client when a client
# certificate is requested.
286 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
287 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
# +FakeBasicAuth: the subject DN of a verified client certificate is presented
# to the authentication modules as a Basic-auth user name, with no password
# obtained from the user.
# +StrictRequire: a denial by SSLRequireSSL/SSLRequire cannot be overridden by
# "Satisfy any".
290 SSLOptions +FakeBasicAuth +StrictRequire
293 # This configuration allows fetching over https without a certificate
294 # while always requiring a certificate for pushing over https
# "optional": a client certificate is requested during the handshake, but the
# connection proceeds when the client sends none.
296 SSLVerifyClient optional
# The next four rules tag push traffic with client_auth_required=1: the
# receive-pack service discovery (.../info/refs?service=git-receive-pack) and
# the .../git-receive-pack endpoint, each in /r/ and un-prefixed form.
# NOTE(review): the un-prefixed forms are tagged only for "git/" User-Agents,
# mirroring the routing rule for un-prefixed URLs. Keep the two in step so that
# every URL able to reach git-receive-pack is also tagged here.
# NOTE(review): these patterns use (?!r/) where other rules in this file use
# (?![bchrw]/); confirm that the difference is intentional.
297 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
298 RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
299 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
300 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
301 RewriteRule ^/(?!r/).*/info/refs$ - [env=client_auth_required:1]
302 RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
303 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
304 RewriteRule ^/(?!r/).*/git-receive-pack$ - [env=client_auth_required:1]
# Tagged requests whose client certificate was not verified successfully get a
# 401. With a status outside 300-399 in [R=...], mod_rewrite drops the
# substitution and stops rewriting.
305 RewriteCond %{ENV:client_auth_required} 1
306 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
307 RewriteRule .* %{REQUEST_URI} [R=401]
# NOTE(review): "Deny from" is Apache 2.2 access-control syntax and needs
# mod_access_compat on 2.4. The enclosing section and any Order/Allow/Satisfy
# lines are not visible in this excerpt; confirm how this denial combines with
# the authentication settings below.
311 Deny from env=client_auth_required
312 SSLOptions +FakeBasicAuth
313 AuthName "Git Client Authentication"
315 AuthBasicProvider anon
# Response body used for 401 answers, including the one generated above.
320 ErrorDocument 401 /authrequired.cgi
324 # ALL the entire contents from the <VirtualHost *:80> section at
325 # the top of this file must be copied here.
327 # To avoid this duplication, the contents of the <VirtualHost *:80>
328 # section above can be moved to a separate file and then included
329 # both here and in the <VirtualHost *:80> section using an Include
330 # directive. Be careful not to place the new include file in one of the
331 # directories the standard apache configuration blindly includes all
334 # ---- BEGIN DUPLICATE LINES ----
336 # ---- END DUPLICATE LINES ----