girocco: support bundle listings
[girocco.git] / apache.conf.in
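## To convert this file to apache.conf using the current Girocco::Config values
## either do "make" or "make apache.conf" or ./make-apache-conf.sh
##
# This is an example configuration of a virtualhost running Girocco, as set up
# at repo.or.cz; unfortunately, completely independent from Girocco::Config.
# It is not essential for Girocco to use a special virtualhost, however.
#
# NOTE(review): several rewrite rules below test %{HTTP_USER_AGENT} for "git/".
# That header is chosen by the client, so those tests only select how a URL is
# routed (gitweb page vs. Git transport); they are not an access control.
#
# NOTE(review): Order/Allow/Deny/Satisfy are the Apache 2.2 access directives;
# on Apache 2.4 they are provided by mod_access_compat.
<VirtualHost *:80>

# ---- BEGIN LINES TO DUPLICATE ----

        ServerName @@httpdnsname@@
        ServerAlias www.@@httpdnsname@@
        ServerAdmin @@admin@@

        ErrorLog /var/log/apache2/repo-error.log
        CustomLog /var/log/apache2/repo-access.log combined

        <IfModule mime_magic_module>
                # Avoid spurious Content-Type values when git-http-backend
                # fails to provide a Content-Type header in its output
                MimeMagicFile /dev/null
        </IfModule>

        DocumentRoot @@webroot@@
        <Directory @@webroot@@>
                # Add MultiViews only if pages are truly
                # offered in more than a single language
                #
                # NOTE(review): AllowOverride All lets .htaccess files found
                # under the web root change this configuration, so the web root
                # should be writable only by the site administrator.
                Options FollowSymLinks
                AllowOverride All
                Order allow,deny
                Allow from all
                DirectoryIndex w
                Satisfy all
        </Directory>

        # /w, /b and /h are the public entry points for the three named CGIs.
        # The AliasMatch maps any other top-level *.cgi name into the CGI
        # directory; its negative lookahead keeps gitweb.cgi, bundles.cgi and
        # html.cgi from being requested under their file names.
        ScriptAlias /w @@cgiroot@@/gitweb.cgi
        ScriptAlias /b @@cgiroot@@/bundles.cgi
        ScriptAlias /h @@cgiroot@@/html.cgi
        AliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1

        <IfModule rewrite_module>
                RewriteEngine On
                # Redirect bare /w requests without .git that name an existing repo...
                RewriteCond @@reporoot@@/$1.git/HEAD -f
                RewriteRule \
                        ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
                        /w/$1.git [L,R=301]

                # ...and also make the leading /w optional for those types of requests
                RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
                RewriteCond @@reporoot@@/$1.git/HEAD -f
                RewriteRule \
                        ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
                        /$1.git [L,R=301]

                # Make the leading /w optional if the rest names an existing repo
                # and it's not a request for a bundle or bundle listing
                RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
                RewriteCond @@reporoot@@/$1/HEAD -f
                # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
                RewriteRule \
                        ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)(?!/(?:bundles|[a-zA-Z0-9+._-]+\.bundle)$)((?:/.*)?)$ \
                        /w/$1$2 [PT]

                # Make the leading /b optional if the rest names an existing repo
                # and it's a request for a bundle listing
                RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
                RewriteCond @@reporoot@@/$1/HEAD -f
                # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
                RewriteRule \
                        ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)/bundles$ \
                        /b/$1 [PT]
        </IfModule>

        # In this file the repository root is only reachable through the
        # AliasMatch / RewriteRule file mappings of the !SmartHTTPOnly block
        # further down; it is not below the DocumentRoot.
        <Directory @@reporoot@@>
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
                Satisfy all

                <IfModule rewrite_module>
                        # Everything fetched over the non-smart git http
                        # protocol should be an existing file.  If the request
                        # is not for an existing file, just send back an error
                        # message without emitting anything into the error log.
                        RewriteEngine On
                        RewriteCond %{REQUEST_FILENAME} !-f
                        RewriteRule .* - [R=404,L]
                </IfModule>
        </Directory>

        # Default-deny for the CGI directory: only files named *.cgi are
        # re-allowed and made executable by the <Files>/<FilesMatch> sections.
        <Directory @@cgiroot@@>
                Options None
                AllowOverride None
                Order deny,allow
                Deny from all
                <Files gitweb.cgi>
                        Options ExecCGI
                        Allow from all
                        <IfModule !mod_fastcgi.c>
                        <IfModule !mod_fcgid.c>
                                SetHandler cgi-script
                        </IfModule>
                        </IfModule>

                        # Note that in testing mod_fastcgi (in dynamic mode)
                        # was found to be slightly faster than mod_fcgid.
                        #
                        # However, we prefer mod_fcgid if both are available
                        # because we cannot control the server-global settings
                        # of mod_fastcgi's "FastCgiConfig" options.
                        #
                        # In order for gitweb.cgi to run reasonably well as a
                        # mod_fastcgi dynamic FastCGI application, the
                        # "FastCgiConfig" option "-idle-timeout" value needs to
                        # be increased from the default value of "30" to at
                        # least "120", preferably more like "300".  But that
                        # will affect ALL dynamic mod_fastcgi applications on
                        # the ENTIRE server, not just gitweb.cgi.  Additionally
                        # the "FastCgiConfig" "-restart" option probably ought
                        # to be set as well.  Also, unfortunately, there is no
                        # mod_fastcgi option corresponding to mod_fcgid's
                        # MaxRequestsPerProcess option and gitweb.cgi running
                        # in FastCGI mode (without using FCGI::ProcManager) will
                        # always exit after serving 100 requests (a good thing).
                        #
                        # The alternative is to make gitweb.cgi a static
                        # mod_fastcgi application (the "FastCgiServer"
                        # directive), but then the number of running instances
                        # will be fixed at whatever value is chosen for the
                        # "-processes" option rather than being dynamically
                        # adjusted based on load and that's probably undesirable
                        # in most cases unless you run gitweb.cgi under a
                        # front-end that dynamically forks multiple copies of
                        # gitweb.cgi based on the current load.  See the CPAN
                        # FCGI::ProcManager::Dynamic module for an example of
                        # how to do this in Perl:
                        #
                        #   http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
                        #
                        # So instead we prefer mod_fcgid because we can adjust
                        # the necessary options for good gitweb.cgi behavior
                        # while affecting only gitweb.cgi and having it remain
                        # a dynamic application whose total number of running
                        # instances is adjusted based on current server load.

                        <IfModule mod_fcgid.c>
                                SetHandler fcgid-script
                        </IfModule>
                        <IfModule !mod_fcgid.c>
                        <IfModule mod_fastcgi.c>
                                SetHandler fastcgi-script
                        </IfModule>
                        </IfModule>
                </Files>
                <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
                        Options ExecCGI
                        SetHandler cgi-script
                        Allow from all
                </FilesMatch>
                Satisfy all
        </Directory>

        <IfModule mod_fcgid.c>
                # mod_fcgid benefits from some additional config for gitweb.cgi
                # gitweb.cgi has a hard-coded maximum of 100 requests
                # and we do not want to give up too soon in case Git is lagging
                FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
                MaxRequestsPerProcess 100 IOTimeout 300
        </IfModule>

        # Default-deny for the bin directory: git-http-backend-verify is the
        # only file in it that may be requested, and it runs as a CGI.
        <Directory @@basedir@@/bin>
                Options None
                AllowOverride None
                Order deny,allow
                Deny from all
                <Files git-http-backend-verify>
                        Options ExecCGI
                        SetHandler cgi-script
                        Allow from all
                </Files>
                Satisfy all
        </Directory>

        # By default non-smart HTTP fetch access will be allowed, however
        # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
        # non-smart HTTP requests can be denied directly by the web server

        <IfDefine !SmartHTTPOnly>
        # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
        # But not for projects starting with '_' to which access should never be allowed
        #
        # NOTE(review): requests matched here are served as plain files by
        # Apache and never pass through git-http-backend-verify, so the only
        # project-name restriction applied is the [^_] test in the pattern.
        # That test looks at the first character of the path only; a later
        # path component starting with '_' is not excluded -- confirm that no
        # such project directory can exist under the repository root.
        #
        # The dot before (pack|idx) is escaped so that only names of the form
        # pack-<40 hex>.pack / pack-<40 hex>.idx match.
        AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$               @@reporoot@@/$1
        AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}\.(pack|idx))$     @@reporoot@@/$1

        # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
        # But not for projects starting with '_' to which access should never be allowed
        # (the same first-character-only caveat as above applies to [^_] here)
        <IfModule rewrite_module>
                        RewriteEngine On
                        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
                        RewriteRule "(?x) ^/((?![bchrw]/)[^_].*/objects/(?: \
                                (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
                                (?:pack/pack-[0-9a-f]{40}\.(?:pack|idx)) ))$" \
                                @@reporoot@@/$1 [L]
        </IfModule>
        </IfDefine>

        <IfDefine SmartHTTPOnly>
        # Disable non-smart HTTP access
        RewriteEngine On
        # Under /r/: forbid every non-POST request that is neither a *.bundle
        # download nor an .../info/refs request
        RewriteCond %{REQUEST_METHOD} !^POST$
        RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
        RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
        # The same for Git user agents using URLs without the /r/ prefix,
        # leaving /authrequired.cgi reachable
        RewriteCond %{REQUEST_METHOD} !^POST$
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
        RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
        RewriteRule ^/(?![bchrw]/).*(?<!/info/refs)$ - [F]
        # .../info/refs is only allowed with a smart-protocol service= query
        # parameter (git-upload-pack or git-receive-pack)
        RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
        RewriteRule ^/r/.*/info/refs$ - [F]
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
        RewriteRule ^/(?![bchrw]/).*/info/refs$ - [F]
        </IfDefine>

        # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
        # git-http-backend-verify denies all access to projects starting with '_'
        ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/

        <IfModule rewrite_module>
                        RewriteEngine On

                        # This allows HTTP access for Git user agents
                        # without the leading /r/ prefix
                        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
                        RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
                        RewriteRule ^/(?![bchrw]/)(.*)$ \
                                @@basedir@@/bin/git-http-backend-verify/$1 \
                                [L,H=cgi-script]

                        # ...and this for access by all agents to *.bundle
                        # files without the /r/ prefix for names ending in .git
                        RewriteRule \
                                ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/[a-zA-Z0-9+._-]+\.bundle)$ \
                                @@basedir@@/bin/git-http-backend-verify/$1 \
                                [L,H=cgi-script]

                        # ...and finally this for access by all agents to
                        # *.bundle files without the /r/ prefix for names not
                        # ending in .git as long as the repository exists
                        RewriteCond @@reporoot@@$1.git/HEAD -f
                        RewriteRule \
                                ^(?!/[bchrw]/)((?:/[a-zA-Z0-9+._-]+(?<!\.git))+)(/[a-zA-Z0-9+._-]+\.bundle)$ \
                                @@basedir@@/bin/git-http-backend-verify$1$2 \
                                [L,H=cgi-script]
        </IfModule>

# ---- END LINES TO DUPLICATE ----

</VirtualHost>


# This comments out the following so this file can be used as-is
# for an http-only configuration.  Remove or change the sense of
# the test (by inserting a !) to activate the https virtual host.
<IfDefine EnableGiroccoHttpsVirtualHost>


# This is an example configuration of an https virtualhost running Girocco, as set
# up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
# It is not essential for Girocco to use a special virtualhost, however.
# The Config.pm $httpspushurl variable needs to be defined to properly enable
# https pushing.
<VirtualHost *:443>

        # These certificate files will all be automatically generated, but the
        # paths here may need to be corrected to match the paths
        # (especially $certsdir) from Config.pm
        #
        # NOTE(review): no SSLProtocol or SSLCipherSuite directive is set in
        # this file, so the TLS protocol versions and ciphers offered are
        # whatever the server-wide configuration provides.

        SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
        SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
        SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
        # when using a paid www server cert, only the above three lines should
        # be changed.  Changing any of the below two lines (other than updating
        # the paths to match $certsdir) will likely break https client auth
        SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
        SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem

        SSLVerifyDepth 3
        SSLOptions +FakeBasicAuth +StrictRequire
        SSLEngine on

        # This configuration allows fetching over https without a certificate
        # while always requiring a certificate for pushing over https
        #
        # The rules below set client_auth_required for every git-receive-pack
        # request (the info/refs advertisement and the push itself); a request
        # carrying that flag without a successfully verified client
        # certificate is answered with 401.
        #
        # NOTE(review): for URLs without the /r/ prefix the flag is only set
        # when the User-Agent contains "git/", which is the same client-supplied
        # test that routes un-prefixed URLs to git-http-backend-verify in the
        # duplicated section.  Keep the two in sync, so that every URL able to
        # reach git-receive-pack also sets client_auth_required.
        RewriteEngine On
        SSLVerifyClient optional
        RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
        RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
        RewriteRule ^/(?!r/).*/info/refs$ - [env=client_auth_required:1]
        RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
        RewriteCond %{HTTP_USER_AGENT} git/ [NC]
        RewriteRule ^/(?!r/).*/git-receive-pack$ - [env=client_auth_required:1]
        RewriteCond %{ENV:client_auth_required} 1
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule .* %{REQUEST_URI} [R=401]
        <Location />
                SSLRequireSSL
                Order deny,allow
                Deny from env=client_auth_required
                SSLOptions +FakeBasicAuth
                AuthName "Git Client Authentication"
                AuthType Basic
                AuthBasicProvider anon
                Anonymous *
                Require valid-user
                Satisfy any
        </Location>
        ErrorDocument 401 /authrequired.cgi

        # *** IMPORTANT ***
        #
        # The ENTIRE contents of the <VirtualHost *:80> section at
        # the top of this file must be copied here.
        #
        # To avoid this duplication, the contents of the <VirtualHost *:80>
        # section above can be moved to a separate file and then included
        # both here and in the <VirtualHost *:80> section using an Include
        # directive.  Be careful not to place the new include file in one of the
        # directories the standard apache configuration blindly includes all
        # files from.

# ---- BEGIN DUPLICATE LINES ----

# ---- END DUPLICATE LINES ----

</VirtualHost>


# End commenting
</IfDefine>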