clone.sh/update.sh: detect all git-fast-import mirror packs
[girocco.git] / apache.conf.in
blob817c628bb281e3f5218e22a731304e7850a4573d
1 ##  To convert this file to apache.conf using the current Girocco::Config
2 ##  values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11         ServerName @@httpdnsname@@
12         ServerAlias www.@@httpdnsname@@
13         ServerAdmin @@admin@@
15         # This is the standard "combined" log format with :actual-server-port added to the end
16         LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
17         <IfModule logio_module>
18                 # %I and %O are only available with the logio_module
19                 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
20         </IfModule>
22         ErrorLog /var/log/apache2/repo-error.log
23         CustomLog /var/log/apache2/repo-access.log girocco
25         <IfModule mime_magic_module>
26                 # Avoid spurious Content-Type values when git-http-backend
27                 # fails to provide a Content-Type header in its output
28                 MimeMagicFile /dev/null
29         </IfModule>
31         DocumentRoot @@webroot@@
32         <Directory @@webroot@@>
33                 # Add MultiViews only if pages are truly
34                 # offered in more than a single language
35                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
36                 Options FollowSymLinks
37                 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
38                 AllowOverride All
39                 <IfVersion < 2.3>
40                 Order allow,deny
41                 Allow from all
42                 Satisfy all
43                 </IfVersion>
44                 <IfVersion >= 2.3>
45                 Require all granted
46                 </IfVersion>
47                 DirectoryIndex w
48         </Directory>
50         # The non-mod_rewrite items are handled first where the magic /[bchrw]
51         # prefix always forces selection of the prefix-indicated cgi handler.
53         ScriptAlias /w @@cgiroot@@/gitweb.cgi
54         ScriptAlias /b @@cgiroot@@/bundles.cgi
55         ScriptAlias /h @@cgiroot@@/html.cgi
56         ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
58         # Any requests without the magic /[bchrw] are treated as Git requests if they
59         # are one of the few possible Git URLs otherwise they go to bundles or gitweb
61         # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
62         # change whether or not non-smart HTTP fetch access will be allowed.
64         <IfDefine !@@SmartHTTPOnly@@>
65         # This accelerates non-smart HTTP access to loose objects, packs and info
66         AliasMatch \
67                 "(?x)^/(?![bchw]/)(?:r/)? \
68                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
69                         HEAD | \
70                         objects/info/alternates | \
71                         objects/info/http-alternates | \
72                         objects/info/packs | \
73                         objects/[0-9a-f]{2}/[0-9a-f]{38} | \
74                         objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
75                 @@reporoot@@/$1.git/$2
76         </IfDefine>
78         # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
79         ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
81         ScriptAliasMatch \
82                 "(?x)^/(?![bchrw]/) \
83                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
84                         info/refs | \
85                         git-upload-pack | \
86                         git-receive-pack | \
87                         [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
88                 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
90         # Everything else off to bundles.cgi or gitweb.cgi
91         ScriptAliasMatch \
92                 "(?x)^/(?![bchrw]/) \
93                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
94                 @@cgiroot@@/bundles.cgi/$1
95         ScriptAliasMatch \
96                 "(?x)^/(?![bchrw]/) \
97                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
98                 @@cgiroot@@/gitweb.cgi/$1
100         # mod_rewrite is not strictly required for gitweb and fetch access, but
101         # if it's not available the trailing ".git" is never optional for
102         # gitweb, the leading /h is always required for *.html, snapshots are
103         # not throttled, some bogus Git http protocol requests will not be
104         # detected early and, if non-smart HTTP is allowed, access to the
105         # /info/refs file will not be accelerated in non-smart HTTP mode.
107         <IfModule rewrite_module>
108                 RewriteEngine On
110                 # Snapshot requests are only allowed via the PATH_INFO mechanism
111                 RewriteCond %{QUERY_STRING}     (^|[&;])a=snapshot([&;]|$) [NC]
112                 RewriteRule .? - [NS,F,L]
114                 # Redirect snapshot requests to snapshot.cgi
115                 RewriteRule \
116                         "(?x)^/(?![bchr]/)(?:w/)? \
117                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
118                                 snapshot(?:/.*)?)$" \
119                         @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
121                 # Make the leading /h optional for requests that name an existing .html template
122                 RewriteCond @@webroot@@/$1 !-f
123                 RewriteCond @@cgiroot@@/$1 !-f
124                 RewriteCond @@basedir@@/html/$1 -s
125                 RewriteRule \
126                         ^/(?![bchrw]/)(.*\.html)$ \
127                         /h/$1 [NS,PT]
129                 # Redirect bare gitweb requests without .git that name an existing repo...
130                 RewriteCond @@webroot@@/$2 !-f
131                 RewriteCond @@cgiroot@@/$2 !-f
132                 RewriteCond @@reporoot@@/$2.git/HEAD -s
133                 RewriteRule \
134                         "(?x)^/(?![bchr]/)((?:w/)?) \
135                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
136                         /$1$2.git [NS,L,R=301]
138                 # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
139                 # 9 are only valid with GET/HEAD and the other two are only valid with POST
140                 # Furthermore, 7 are only valid when non-smart is allowed and
141                 # 1 is only valid when smart-only is enabled if it has the correct query string.
143                 # These two always require POST
144                 RewriteCond %{REQUEST_METHOD} !=POST
145                 RewriteRule \
146                         "(?x)^/(?![bchw]/)(?:r/)? \
147                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
148                                 git-upload-pack | \
149                                 git-receive-pack )$" \
150                         - [NS,F]
152                 <IfDefine @@SmartHTTPOnly@@>
153                 # These 7 are always forbidden when non-smart HTTP is disabled
154                 RewriteRule \
155                         "(?x)^/(?![bchw]/)(?:r/)? \
156                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
157                                 HEAD | \
158                                 objects/info/alternates | \
159                                 objects/info/http-alternates | \
160                                 objects/info/packs | \
161                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
162                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
163                         - [NS,F]
164                 # This one is forbidden without the magic query string when non-smart is disabled
165                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
166                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
167                 RewriteRule \
168                         "(?x)^/(?![bchw]/)(?:r/)? \
169                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
170                                 info/refs $" \
171                         - [NS,F]
172                 # This one requires GET (or HEAD)
173                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
174                 RewriteRule \
175                         "(?x)^/(?![bchw]/)(?:r/)? \
176                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
177                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
178                         - [NS,F]
179                 </IfDefine>
181                 <IfDefine !@@SmartHTTPOnly@@>
182                 # These 9 require GET (or HEAD)
183                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
184                 RewriteRule \
185                         "(?x)^/(?![bchw]/)(?:r/)? \
186                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
187                                 HEAD | \
188                                 info/refs | \
189                                 objects/info/alternates | \
190                                 objects/info/http-alternates | \
191                                 objects/info/packs | \
192                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
193                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
194                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
195                         - [NS,F]
196                 # This one can be accelerated when accessed with non-smart HTTP
197                 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
198                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
199                 RewriteRule \
200                         "(?x)^/(?![bchw]/)(?:r/)? \
201                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
202                                 info/refs $" \
203                         @@reporoot@@/$1.git/info/refs [NS,L]
204                 </IfDefine>
205         </IfModule>
207         <Directory @@reporoot@@>
208                 Options FollowSymLinks
209                 AllowOverride None
210                 <IfVersion < 2.3>
211                 Order allow,deny
212                 Allow from all
213                 Satisfy all
214                 </IfVersion>
215                 <IfVersion >= 2.3>
216                 Require all granted
217                 </IfVersion>
219                 <IfModule rewrite_module>
220                         # Everything fetched over the non-smart git http
221                         # protocol should be an existing file.  If the request
222                         # is not for an existing file, just send back an error
223                         # message without emitting anything into the error log.
224                         RewriteEngine On
225                         RewriteBase /
226                         RewriteCond @@reporoot@@/$1 !-f
227                         RewriteRule ^(.*)$ - [NS,R=404,L]
228                 </IfModule>
229         </Directory>
231         <Directory @@cgiroot@@>
232                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
233                 Options SymLinksIfOwnerMatch
234                 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
235                 AllowOverride FileInfo
236                 <IfVersion < 2.3>
237                 Order deny,allow
238                 Deny from all
239                 Satisfy all
240                 </IfVersion>
241                 <IfVersion >= 2.3>
242                 Require all denied
243                 </IfVersion>
244                 <Files gitweb.cgi>
245                         Options +ExecCGI
246                         <IfVersion < 2.3>
247                         Order deny,allow
248                         Allow from all
249                         Satisfy all
250                         </IfVersion>
251                         <IfVersion >= 2.3>
252                         Require all granted
253                         </IfVersion>
254                         <IfModule !mod_fastcgi.c>
255                         <IfModule !mod_fcgid.c>
256                                 SetHandler cgi-script
257                         </IfModule>
258                         </IfModule>
260                         # Note that in testing mod_fastcgi (in dynamic mode)
261                         # was found to be slightly faster than mod_fcgid.
262                         #
263                         # However, we prefer mod_fcgid if both are available
264                         # because we cannot control the server-global settings
265                         # of mod_fastcgi's "FastCgiConfig" options.
266                         #
267                         # In order for gitweb.cgi to run reasonably well as a
268                         # mod_fastcgi dynamic FastCGI application, the
269                         # "FastCgiConfig" option "-idle-timeout" value needs to
270                         # be increased from the default value of "30" to at
271                         # least "120", preferably more like "300".  But that
272                         # will affect ALL dynamic mod_fastcgi applications on
273                         # the ENTIRE server, not just gitweb.cgi.  Additionally
274                         # the "FastCgiConfig" "-restart" option probably ought
275                         # to be set as well.  Also, unfortunately, there is no
276                         # mod_fastcgi option corresponding to mod_fcgid's
277                         # MaxRequestsPerProcess option and gitweb.cgi running
278                         # in FastCGI mode (without using FCGI::ProcManager) will
279                         # always exit after serving 100 requests (a good thing).
280                         #
281                         # The alternative is to make gitweb.cgi a static
282                         # mod_fastcgi application (the "FastCgiServer"
283                         # directive), but then the number of running instances
284                         # will be fixed at whatever value is chosen for the
285                         # "-processes" option rather than being dynamically
286                         # adjusted based on load and that's probably undesirable
287                         # in most cases unless you run gitweb.cgi under a
288                         # front-end that dynamically forks multiple copies of
289                         # gitweb.cgi based on the current load.  See the CPAN
290                         # FCGI::ProcManager::Dynamic module for an example of
291                         # how to do this in Perl:
292                         #
293                         #   http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
294                         #
295                         # So instead we prefer mod_fcgid because we can adjust
296                         # the necessary options for good gitweb.cgi behavior
297                         # while affecting only gitweb.cgi and having it remain
298                         # a dynamic application whose total number of running
299                         # instances is adjusted based on current server load.
301                         <IfModule mod_fcgid.c>
302                                 SetHandler fcgid-script
303                         </IfModule>
304                         <IfModule !mod_fcgid.c>
305                         <IfModule mod_fastcgi.c>
306                                 SetHandler fastcgi-script
307                         </IfModule>
308                         </IfModule>
309                 </Files>
310                 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
311                         Options +ExecCGI
312                         SetHandler cgi-script
313                         <IfVersion < 2.3>
314                         Order deny,allow
315                         Allow from all
316                         Satisfy all
317                         </IfVersion>
318                         <IfVersion >= 2.3>
319                         Require all granted
320                         </IfVersion>
321                 </FilesMatch>
322         </Directory>
324         <IfModule mod_fcgid.c>
325                 # mod_fcgid benefits from some additional config for gitweb.cgi
326                 # gitweb.cgi has a hard-coded maximum of 100 requests
327                 # and we do not want to give up too soon in case Git is lagging.
328                 # Note that adding a 'MaxProcesses ...' option here may be valuable
329                 # to limit the maximum number of gitweb.cgi processes that can be
330                 # spawned (default is 100) -- perhaps to something much lower such
331                 # as 1 or 2 times the number of CPU cores.  Also note that in the
332                 # unlikely event all the children finish their 100 requests at the
333                 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
334                 # to 10 if not set) should be set to at least 3 times the
335                 # MaxProcesses value chosen to allow them all to respawn
336                 # immediately.  FcgidSpawnScoreUpLimit MUST be at least twice the
337                 # chosen MaxProcesses value (assuming FcgidTerminationScore is
338                 # still set to the default 2) in order to allow any child at all to
339                 # respawn immediately in this case without a delay.
340                 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
341                 MaxRequestsPerProcess 100 IOTimeout 300
342         </IfModule>
344         <Directory @@basedir@@/bin>
345                 Options None
346                 AllowOverride None
347                 <IfVersion < 2.3>
348                 Order deny,allow
349                 Deny from all
350                 Satisfy all
351                 </IfVersion>
352                 <IfVersion >= 2.3>
353                 Require all denied
354                 </IfVersion>
355                 <Files git-http-backend-verify>
356                         Options ExecCGI
357                         SetHandler cgi-script
358                         <IfVersion < 2.3>
359                         Order deny,allow
360                         Allow from all
361                         Satisfy all
362                         </IfVersion>
363                         <IfVersion >= 2.3>
364                         Require all granted
365                         </IfVersion>
366                 </Files>
367         </Directory>
369 # ---- END LINES TO DUPLICATE ----
371 </VirtualHost>
374 # Change the setting of $TLSHost in Girocco::Config.pm to change
375 # whether or not the following https virtual host is enabled.
377 <IfDefine @@TLSHost@@>
379 # This is an example configuration of an https virtualhost running Girocco, as set
380 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
381 # It is not essential for Girocco to use a special virtualhost, however.
382 # The Config.pm $httpspushurl variable needs to be defined to properly enable
383 # https pushing.
384 <VirtualHost *:443>
386         # These certificate files will all be automatically generated, but the
387         # paths here may need to be corrected to match the paths
388         # (especially $certsdir) from Config.pm
390         SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
391         SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
392         SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
393         # when using a paid www server cert, only the above three lines should
394         # be changed.  Changing any of the below two lines (other than updating
395         # the paths to match $certsdir) will likely break https client auth
396         SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
397         SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
399         SSLVerifyDepth 3
400         SSLOptions +FakeBasicAuth +StrictRequire
401         SSLEngine on
403         # This configuration allows fetching over https without a certificate
404         # while always requiring a certificate for pushing over https
405         RewriteEngine On
406         SSLVerifyClient optional
407         RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
408         RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
409         RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
410         RewriteCond %{REQUEST_METHOD} =POST [NC]
411         RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
412         RewriteCond %{ENV:client_auth_required} 1
413         RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
414         RewriteRule .? %{REQUEST_URI} [NS,R=401]
415         <Location />
416                 SSLRequireSSL
417                 SSLOptions +FakeBasicAuth
418                 AuthName "Git Client Authentication"
419                 AuthType Basic
420                 AuthBasicProvider anon
421                 Anonymous *
422                 <IfVersion < 2.3>
423                 Order deny,allow
424                 Deny from env=client_auth_required
425                 Satisfy any
426                 Require valid-user
427                 </IfVersion>
428                 <IfVersion >= 2.3>
429                 <RequireAny>
430                 <RequireAll>
431                 Require all granted
432                 Require not env client_auth_required
433                 </RequireAll>
434                 Require valid-user
435                 </RequireAny>
436                 </IfVersion>
437         </Location>
438         ErrorDocument 401 /authrequired.cgi
440 # ---- BEGIN DUPLICATE LINES ----
442 ##  *** IMPORTANT ***
444 ##  ALL the entire contents from the <VirtualHost *:80> section at the top of
445 ##  this file must be copied here.
447 ##  To avoid this duplication, the contents of the <VirtualHost *:80> section
448 ##  above can be moved to a separate file and then included both here and in
449 ##  the <VirtualHost *:80> section using an Include directive.  Be careful not
450 ##  to place the new include file in one of the directories the standard apache
451 ##  configuration blindly includes all files from.
453 # ---- END DUPLICATE LINES ----
455 </VirtualHost>
457 </IfDefine>