| blob | afbd135c1f4d6bcc7c63b314303af7a24f334413 |
1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
13 ServerAdmin @@admin@@
15 ErrorLog /var/log/apache2/repo-error.log
16 CustomLog /var/log/apache2/repo-access.log combined
18 <IfModule mime_magic_module>
19 # Avoid spurious Content-Type values when git-http-backend
20 # fails to provide a Content-Type header in its output
21 MimeMagicFile /dev/null
22 </IfModule>
24 DocumentRoot @@webroot@@
25 <Directory @@webroot@@>
26 # Add MultiViews only if pages are truly
27 # offered in more than a single language
28 Options FollowSymLinks
29 AllowOverride All
30 Order allow,deny
31 Allow from all
32 DirectoryIndex w
33 Satisfy all
34 </Directory>
36 ScriptAlias /w @@cgiroot@@/gitweb.cgi
37 ScriptAlias /b @@cgiroot@@/bundles.cgi
38 ScriptAlias /h @@cgiroot@@/html.cgi
39 AliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
41 <IfModule rewrite_module>
42 RewriteEngine On
44 # Make the leading /h optional for requests that name an existing .html template
45 RewriteCond @@webroot@@/$1 !-f
46 RewriteCond @@cgiroot@@/$1 !-f
47 RewriteCond @@basedir@@/html/$1 -f
48 RewriteRule \
49 ^/(?![bchrw]/)(.*\.html)$ \
50 /h/$1 [PT]
52 # Redirect bare /w requests without .git that name an existing repo...
53 RewriteCond @@reporoot@@/$1.git/HEAD -f
54 RewriteRule \
55 ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
56 /w/$1.git [L,R=301]
58 # ...and also make the leading /w optional for those types of requests
59 RewriteCond @@webroot@@/$1 !-f
60 RewriteCond @@cgiroot@@/$1 !-f
61 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
62 RewriteCond @@reporoot@@/$1.git/HEAD -f
63 RewriteRule \
64 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
65 /$1.git [L,R=301]
67 # Make the leading /w optional if the rest names an existing repo
68 # and it's not a request for a bundle or bundle listing
69 RewriteCond @@webroot@@/$1$2 !-f
70 RewriteCond @@cgiroot@@/$1$2 !-f
71 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
72 RewriteCond @@reporoot@@/$1/HEAD -f
73 # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
74 RewriteRule \
75 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)(?!/(?:bundles|[a-zA-Z0-9+._-]+\.bundle)$)((?:/.*)?)$ \
76 /w/$1$2 [PT]
78 # Make the leading /b optional if the rest names an existing repo
79 # and it's a request for a bundle listing
80 RewriteCond @@webroot@@/$1 !-f
81 RewriteCond @@cgiroot@@/$1 !-f
82 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
83 RewriteCond @@reporoot@@/$1/HEAD -f
84 # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
85 RewriteRule \
86 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)/bundles$ \
87 /b/$1 [PT]
88 </IfModule>
90 <Directory @@reporoot@@>
91 Options FollowSymLinks
92 AllowOverride None
93 Order allow,deny
94 Allow from all
95 Satisfy all
97 <IfModule rewrite_module>
98 # Everything fetched over the non-smart git http
99 # protocol should be an existing file. If the request
100 # is not for an existing file, just send back an error
101 # message without emitting anything into the error log.
102 RewriteEngine On
103 RewriteCond $1 !^$
104 RewriteCond @@webroot@@/$1 !-f
105 RewriteRule ^/(.*)$ - [R=404,L]
106 </IfModule>
107 </Directory>
109 <Directory @@cgiroot@@>
110 Options None
111 AllowOverride None
112 Order deny,allow
113 Deny from all
114 <Files gitweb.cgi>
115 Options ExecCGI
116 Allow from all
117 <IfModule !mod_fastcgi.c>
118 <IfModule !mod_fcgid.c>
119 SetHandler cgi-script
120 </IfModule>
121 </IfModule>
123 # Note that in testing mod_fastcgi (in dynamic mode)
124 # was found to be slightly faster than mod_fcgid.
125 #
126 # However, we prefer mod_fcgid if both are available
127 # because we cannot control the server-global settings
128 # of mod_fastcgi's "FastCgiConfig" options.
129 #
130 # In order for gitweb.cgi to run reasonably well as a
131 # mod_fastcgi dynamic FastCGI application, the
132 # "FastCgiConfig" option "-idle-timeout" value needs to
133 # be increased from the default value of "30" to at
134 # least "120", preferably more like "300". But that
135 # will affect ALL dynamic mod_fastcgi applications on
136 # the ENTIRE server, not just gitweb.cgi. Additionally
137 # the "FastCgiConfig" "-restart" option probably ought
138 # to be set as well. Also, unfortunately, there is no
139 # mod_fastcgi option corresponding to mod_fcgid's
140 # MaxRequestsPerProcess option and gitweb.cgi running
141 # in FastCGI mode (without using FCGI::ProcManager) will
142 # always exit after serving 100 requests (a good thing).
143 #
144 # The alternative is to make gitweb.cgi a static
145 # mod_fastcgi application (the "FastCgiServer"
146 # directive), but then the number of running instances
147 # will be fixed at whatever value is chosen for the
148 # "-processes" option rather than being dynamically
149 # adjusted based on load and that's probably undesirable
150 # in most cases unless you run gitweb.cgi under a
151 # front-end that dynamically forks multiple copies of
152 # gitweb.cgi based on the current load. See the CPAN
153 # FCGI::ProcManager::Dynamic module for an example of
154 # how to do this in Perl:
155 #
156 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
157 #
158 # So instead we prefer mod_fcgid because we can adjust
159 # the necessary options for good gitweb.cgi behavior
160 # while affecting only gitweb.cgi and having it remain
161 # a dynamic application whose total number of running
162 # instances is adjusted based on current server load.
164 <IfModule mod_fcgid.c>
165 SetHandler fcgid-script
166 </IfModule>
167 <IfModule !mod_fcgid.c>
168 <IfModule mod_fastcgi.c>
169 SetHandler fastcgi-script
170 </IfModule>
171 </IfModule>
172 </Files>
173 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
174 Options ExecCGI
175 SetHandler cgi-script
176 Allow from all
177 </FilesMatch>
178 Satisfy all
179 </Directory>
181 <IfModule mod_fcgid.c>
182 # mod_cgid benefits from some additional config for gitweb.cgi
183 # gitweb.cgi has a hard-coded maximum of 100 requests
184 # and we do not want to give up too soon in case Git is lagging
185 # Note that adding a 'MaxProcesses ...' option here may be valuable
186 # to limit the maximum number of gitweb.cgi processes that can be
187 # spawned (default is 100) -- perhaps to something much lower such
188 # as 1 or 2 times the number of CPU cores.
189 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
190 MaxRequestsPerProcess 100 IOTimeout 300
191 </IfModule>
193 <Directory @@basedir@@/bin>
194 Options None
195 AllowOverride None
196 Order deny,allow
197 Deny from all
198 <Files git-http-backend-verify>
199 Options ExecCGI
200 SetHandler cgi-script
201 Allow from all
202 </Files>
203 Satisfy all
204 </Directory>
206 # By default non-smart HTTP fetch access will be allowed, however
207 # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
208 # non-smart HTTP requests can be denied directly by the web server
210 <IfDefine !SmartHTTPOnly>
211 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
212 # But not for projects starting with '_' to which access should never be allowed
213 AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
214 AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
216 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
217 # But not for projects starting with '_' to which access should never be allowed
218 <IfModule rewrite_module>
219 RewriteEngine On
220 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
221 RewriteRule "(?x) ^/((?![bchrw]/)[^_].*/objects/(?: \
222 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
223 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
224 @@reporoot@@/$1 [L]
225 </IfModule>
226 </IfDefine>
228 <IfDefine SmartHTTPOnly>
229 # Disable non-smart HTTP access
230 RewriteEngine On
231 RewriteCond %{REQUEST_METHOD} !^POST$
232 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
233 RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
234 RewriteCond %{REQUEST_METHOD} !^POST$
235 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
236 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
237 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
238 RewriteRule ^/(?![bchrw]/).*(?<!/info/refs)$ - [F]
239 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
240 RewriteRule ^/r/.*/info/refs$ - [F]
241 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
242 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
243 RewriteRule ^/(?![bchrw]/).*/info/refs$ - [F]
244 </IfDefine>
246 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
247 # git-http-backend-verify denies all access to projects starting with '_'
248 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
250 <IfModule rewrite_module>
251 RewriteEngine On
253 # This allows HTTP access for Git user agents
254 # without the leading /r/ prefix
255 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
256 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
257 RewriteRule ^/(?![bchrw]/)(.*)$ \
258 @@basedir@@/bin/git-http-backend-verify/$1 \
259 [L,H=cgi-script]
261 # ...and this for access by all agents to *.bundle
262 # files without the /r/ prefix for names ending in .git
263 RewriteRule \
264 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/[a-zA-Z0-9+._-]+\.bundle)$ \
265 @@basedir@@/bin/git-http-backend-verify/$1 \
266 [L,H=cgi-script]
268 # ...and finally this for access by all agents to
269 # *.bundle files without the /r/ prefix for names not
270 # ending in .git as long as the repository exists
271 RewriteCond @@reporoot@@$1.git/HEAD -f
272 RewriteRule \
273 ^(?!/[bchrw]/)((?:/[a-zA-Z0-9+._-]+(?<!\.git))+)(/[a-zA-Z0-9+._-]+\.bundle)$ \
274 @@basedir@@/bin/git-http-backend-verify$1$2 \
275 [L,H=cgi-script]
276 </IfModule>
278 # ---- END LINES TO DUPLICATE ----
280 </VirtualHost>
283 # This comments out the following so this file can be used as-is
284 # for an http-only configuration. Remove or change the sense of
285 # the test (by inserting a !) to activate the https virtual host.
286 <IfDefine EnableGiroccoHttpsVirtualHost>
289 # This is an example configuration of an https virtualhost running Girocco, as set
290 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
291 # It is not essential for Girocco to use a special virtualhost, however.
292 # The Config.pm $httpspushurl variable needs to be defined to properly enable
293 # https pushing.
294 <VirtualHost *:443>
296 # These certificate files will all be automatically generated, but the
297 # paths here may need to be corrected to match the paths
298 # (especially $certsdir) from Config.pm
300 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
301 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
302 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
303 # when using a paid www server cert, only the above three lines should
304 # be changed. Changing any of the below two lines (other than updating
305 # the paths to match $certsdir) will likely break https client auth
306 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
307 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
309 SSLVerifyDepth 3
310 SSLOptions +FakeBasicAuth +StrictRequire
311 SSLEngine on
313 # This configuration allows fetching over https without a certificate
314 # while always requiring a certificate for pushing over https
315 RewriteEngine On
316 SSLVerifyClient optional
317 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
318 RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
319 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
320 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
321 RewriteRule ^/(?!r/).*/info/refs$ - [env=client_auth_required:1]
322 RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
323 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
324 RewriteRule ^/(?!r/).*/git-receive-pack$ - [env=client_auth_required:1]
325 RewriteCond %{ENV:client_auth_required} 1
326 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
327 RewriteRule .* %{REQUEST_URI} [R=401]
328 <Location />
329 SSLRequireSSL
330 Order deny,allow
331 Deny from env=client_auth_required
332 SSLOptions +FakeBasicAuth
333 AuthName "Git Client Authentication"
334 AuthType Basic
335 AuthBasicProvider anon
336 Anonymous *
337 Require valid-user
338 Satisfy any
339 </Location>
340 ErrorDocument 401 /authrequired.cgi
342 # *** IMPORTANT ***
343 #
344 # ALL the entire contents from the <VirtualHost *:80> section at
345 # the top of this file must be copied here.
346 #
347 # To avoid this duplication, the contents of the <VirtualHost *:80>
348 # section above can be moved to a separate file and then included
349 # both here and in the <VirtualHost *:80> section using an Include
350 # directive. Be careful not to place the new include file in one of the
351 # directories the standard apache configuration blindly includes all
352 # files from.
354 # ---- BEGIN DUPLICATE LINES ----
356 # ---- END DUPLICATE LINES ----
358 </VirtualHost>
361 # End commenting
362 </IfDefine>