1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
  # Everything between the BEGIN/END LINES TO DUPLICATE markers is meant to be
  # repeated inside the https virtual host further down (see the IMPORTANT note
  # there).  The @@name@@ tokens are placeholders that are filled in when this
  # template is converted to apache.conf (see the header of this file).
11         ServerName @@httpdnsname@@
12         ServerAlias www.@@httpdnsname@@
13         ServerAdmin @@admin@@
           # The "combined" log format records the User-Agent header, which several
           # rewrite rules in this file branch on; keep it when changing the log
           # format so that routing decisions can be reconstructed from the log.
15         ErrorLog /var/log/apache2/repo-error.log
16         CustomLog /var/log/apache2/repo-access.log combined
18         <IfModule mime_magic_module>
19                 # Avoid spurious Content-Type values when git-http-backend
20                 # fails to provide a Content-Type header in its output
                   # (an empty magic file means mod_mime_magic has nothing to guess from)
21                 MimeMagicFile /dev/null
22         </IfModule>
24         DocumentRoot @@webroot@@
           # Static web root.  Access is open to everyone; .htaccess files below
           # this directory are honoured (see AllowOverride).
25         <Directory @@webroot@@>
26                 # Add MultiViews only if pages are truly
27                 # offered in more than a single language
28                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
29                 Options FollowSymLinks
30                 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
                   # NOTE(review): "All" lets a .htaccess file under the web root override
                   # every overridable directive class, not just the FileInfo class that
                   # the rewrite rules need.  The cgiroot section of this file uses
                   # "AllowOverride FileInfo" with "Options SymLinksIfOwnerMatch"; the
                   # same narrower pair may be enough here -- confirm what the shipped
                   # .htaccess files actually contain before tightening.
31                 AllowOverride All
                   # Order/Allow/Satisfy are the Apache 2.2 access-control directives; on
                   # Apache 2.4 they are only available through mod_access_compat.
32                 Order allow,deny
33                 Allow from all
                   # A request for the directory itself is answered with "w", which is
                   # presumably resolved through the /w ScriptAlias (gitweb.cgi) below.
34                 DirectoryIndex w
35                 Satisfy all
36         </Directory>
38         ScriptAlias /w @@cgiroot@@/gitweb.cgi
           # Short URL prefixes for the three main CGI programs: /w = gitweb,
           # /b = bundle listings, /h = HTML templates.
39         ScriptAlias /b @@cgiroot@@/bundles.cgi
40         ScriptAlias /h @@cgiroot@@/html.cgi
           # Any other top-level NAME.cgi (optionally followed by /path-info) is mapped
           # into cgiroot.  The negative lookahead keeps the three programs above from
           # being addressed by their file names; (?i) makes that exclusion
           # case-insensitive.
           # NOTE(review): the trailing (?:/|$) binds to the html\.cgi alternative only,
           # so for gitweb\.cgi and bundles\.cgi the exclusion is a prefix match.  That
           # errs on the side of excluding more names; if an exact-name match was
           # intended, group the alternatives before the (?:/|$).
41         AliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
43         <IfModule rewrite_module>
                   # URL shortcuts for browsers.  Conventions used by every rule below:
                   #  - (?![bchrw]/) skips URLs that already start with one of the
                   #    single-letter prefixes /b/ /c/ /h/ /r/ /w/.
                   #  - The "!-f" conditions on webroot and cgiroot let a real file in
                   #    either directory take precedence over a shortcut.
                   #  - In the repository rules each path component is limited to
                   #    [a-zA-Z0-9+._-] before $1 is used to build the path tested with -f.
                   #  - "%{HTTP_USER_AGENT} !git/" only steers non-Git agents to the web
                   #    interface.  The header is supplied by the client, so treat it as a
                   #    routing hint, not as a restriction.
44                 RewriteEngine On
46                 # Make the leading /h optional for requests that name an existing .html template
47                 RewriteCond @@webroot@@/$1 !-f
48                 RewriteCond @@cgiroot@@/$1 !-f
49                 RewriteCond @@basedir@@/html/$1 -f
50                 RewriteRule \
51                         ^/(?![bchrw]/)(.*\.html)$ \
52                         /h/$1 [NS,PT]
54                 # Redirect bare /w requests without .git that name an existing repo...
                   # (a repo "exists" when <reporoot>/<name>.git/HEAD is a regular file)
55                 RewriteCond @@reporoot@@/$1.git/HEAD -f
56                 RewriteRule \
57                         ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
58                         /w/$1.git [NS,L,R=301]
60                 # ...and also make the leading /w optional for those types of requests
61                 RewriteCond @@webroot@@/$1 !-f
62                 RewriteCond @@cgiroot@@/$1 !-f
63                 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
64                 RewriteCond @@reporoot@@/$1.git/HEAD -f
65                 RewriteRule \
66                         ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
67                         /$1.git [NS,L,R=301]
69                 # Make the leading /w optional if the rest names an existing repo
70                 # and it's not a request for a bundle or bundle listing
71                 RewriteCond @@webroot@@/$1$2 !-f
72                 RewriteCond @@cgiroot@@/$1$2 !-f
73                 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
74                 RewriteCond @@reporoot@@/$1/HEAD -f
75                 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
76                 RewriteRule \
77                         ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)(?!/(?:bundles|[a-zA-Z0-9+._-]+\.bundle)$)((?:/.*)?)$ \
78                         /w/$1$2 [NS,PT]
80                 # Make the leading /b optional if the rest names an existing repo
81                 # and it's a request for a bundle listing
82                 RewriteCond @@webroot@@/$1 !-f
83                 RewriteCond @@cgiroot@@/$1 !-f
84                 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
85                 RewriteCond @@reporoot@@/$1/HEAD -f
86                 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
87                 RewriteRule \
88                         ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)/bundles$ \
89                         /b/$1 [NS,PT]
90         </IfModule>
92         <Directory @@reporoot@@>
                   # Repository storage.  This section grants read access to everyone; which
                   # files are reachable at all is decided by the Alias/Rewrite mappings
                   # elsewhere in this file (those that point into reporoot skip paths
                   # whose first character is '_').
                   # NOTE(review): FollowSymLinks follows symbolic links without an
                   # ownership check (the cgiroot section uses SymLinksIfOwnerMatch).
                   # Confirm that nothing under reporoot can be a link created by a party
                   # that should not be able to choose what the web server reads.
93                 Options FollowSymLinks
                   # .htaccess files inside repositories are ignored.
94                 AllowOverride None
95                 Order allow,deny
96                 Allow from all
97                 Satisfy all
99                 <IfModule rewrite_module>
100                         # Everything fetched over the non-smart git http
101                         # protocol should be an existing file.  If the request
102                         # is not for an existing file, just send back an error
103                         # message without emitting anything into the error log.
104                         RewriteEngine On
105                         RewriteBase /
106                         RewriteCond @@reporoot@@/$1 !-f
107                         RewriteRule ^(.*)$ - [NS,R=404,L]
108                 </IfModule>
109         </Directory>
111         <Directory @@cgiroot@@>
                    # CGI directory, deny-by-default: "Order deny,allow" + "Deny from all"
                    # blocks every file here, and only the <Files>/<FilesMatch> sections
                    # below re-open access, for names ending in .cgi.
112                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
113                 Options SymLinksIfOwnerMatch
114                 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
                    # (only the FileInfo directive class may be overridden from .htaccess here)
115                 AllowOverride FileInfo
116                 Order deny,allow
117                 Deny from all
                    # gitweb.cgi: handler selection.  Plain CGI is used only when neither
                    # FastCGI module is loaded; mod_fcgid wins when both are present.
118                 <Files gitweb.cgi>
119                         Options +ExecCGI
120                         Allow from all
121                         <IfModule !mod_fastcgi.c>
122                         <IfModule !mod_fcgid.c>
123                                 SetHandler cgi-script
124                         </IfModule>
125                         </IfModule>
127                         # Note that in testing mod_fastcgi (in dynamic mode)
128                         # was found to be slightly faster than mod_fcgid.
129                         #
130                         # However, we prefer mod_fcgid if both are available
131                         # because we cannot control the server-global settings
132                         # of mod_fastcgi's "FastCgiConfig" options.
133                         #
134                         # In order for gitweb.cgi to run reasonably well as a
135                         # mod_fastcgi dynamic FastCGI application, the
136                         # "FastCgiConfig" option "-idle-timeout" value needs to
137                         # be increased from the default value of "30" to at
138                         # least "120", preferably more like "300".  But that
139                         # will affect ALL dynamic mod_fastcgi applications on
140                         # the ENTIRE server, not just gitweb.cgi.  Additionally
141                         # the "FastCgiConfig" "-restart" option probably ought
142                         # to be set as well.  Also, unfortunately, there is no
143                         # mod_fastcgi option corresponding to mod_fcgid's
144                         # MaxRequestsPerProcess option and gitweb.cgi running
145                         # in FastCGI mode (without using FCGI::ProcManager) will
146                         # always exit after serving 100 requests (a good thing).
147                         #
148                         # The alternative is to make gitweb.cgi a static
149                         # mod_fastcgi application (the "FastCgiServer"
150                         # directive), but then the number of running instances
151                         # will be fixed at whatever value is chosen for the
152                         # "-processes" option rather than being dynamically
153                         # adjusted based on load and that's probably undesirable
154                         # in most cases unless you run gitweb.cgi under a
155                         # front-end that dynamically forks multiple copies of
156                         # gitweb.cgi based on the current load.  See the CPAN
157                         # FCGI::ProcManager::Dynamic module for an example of
158                         # how to do this in Perl:
159                         #
160                         #   http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
161                         #
162                         # So instead we prefer mod_fcgid because we can adjust
163                         # the necessary options for good gitweb.cgi behavior
164                         # while affecting only gitweb.cgi and having it remain
165                         # a dynamic application whose total number of running
166                         # instances is adjusted based on current server load.
168                         <IfModule mod_fcgid.c>
169                                 SetHandler fcgid-script
170                         </IfModule>
171                         <IfModule !mod_fcgid.c>
172                         <IfModule mod_fastcgi.c>
173                                 SetHandler fastcgi-script
174                         </IfModule>
175                         </IfModule>
176                 </Files>
                    # Every other *.cgi file always runs as a plain CGI script; the
                    # lookahead excludes gitweb.cgi in any letter case.  Files in this
                    # directory that do not end in .cgi stay denied.
177                 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
178                         Options +ExecCGI
179                         SetHandler cgi-script
180                         Allow from all
181                 </FilesMatch>
182                 Satisfy all
183         </Directory>
185         <IfModule mod_fcgid.c>
186                 # mod_fcgid benefits from some additional config for gitweb.cgi
187                 # gitweb.cgi has a hard-coded maximum of 100 requests
188                 # and we do not want to give up too soon in case Git is lagging
189                 # Note that adding a 'MaxProcesses ...' option here may be valuable
190                 # to limit the maximum number of gitweb.cgi processes that can be
191                 # spawned (default is 100) -- perhaps to something much lower such
192                 # as 1 or 2 times the number of CPU cores.
                    # These options apply to the gitweb.cgi command only, not to other
                    # mod_fcgid applications on the server.  No MaxProcesses value is set
                    # below, so the process cap is the default mentioned above.
193                 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
194                 MaxRequestsPerProcess 100 IOTimeout 300
195         </IfModule>
197         <Directory @@basedir@@/bin>
                    # Deny-by-default for the bin directory: no options, no .htaccess
                    # overrides, and access denied to everything except the single
                    # git-http-backend-verify program, which is the only file here that
                    # may be executed as a CGI script.
198                 Options None
199                 AllowOverride None
200                 Order deny,allow
201                 Deny from all
202                 <Files git-http-backend-verify>
203                         Options ExecCGI
204                         SetHandler cgi-script
205                         Allow from all
206                 </Files>
207                 Satisfy all
208         </Directory>
210         # By default non-smart HTTP fetch access will be allowed, however
211         # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
212         # non-smart HTTP requests can be denied directly by the web server
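214         <IfDefine !SmartHTTPOnly>
215         # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
216         # But not for projects starting with '_' to which access should never be allowed
            #
            # These mappings serve object and pack files straight from reporoot, so
            # such requests never pass through git-http-backend-verify.  The leading
            # [^_] is the only project filter applied on this path.
            # NOTE(review): [^_] looks at the first character of the path only; confirm
            # that '_'-prefixed project names can occur only at the top level of
            # reporoot, and that no other check made by git-http-backend-verify is
            # expected to apply to these files.
            #
            # The dot before pack/idx is escaped so that it matches a literal "."
            # only (an unescaped "." matches any character).
217         AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$               @@reporoot@@/$1
218         AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}\.(pack|idx))$     @@reporoot@@/$1
220         # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
221         # But not for projects starting with '_' to which access should never be allowed
            # (the User-Agent test is a routing hint; the header is client-supplied)
222         <IfModule rewrite_module>
223                         RewriteEngine On
224                         RewriteCond %{HTTP_USER_AGENT} git/ [NC]
                            # [.] is used for the literal dot because this pattern is inside
                            # a quoted argument
225                         RewriteRule "(?x) ^/((?![bchrw]/)[^_].*/objects/(?: \
226                                 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
227                                 (?:pack/pack-[0-9a-f]{40}[.](?:pack|idx)) ))$" \
228                                 @@reporoot@@/$1 [NS,L]
229         </IfModule>
230         </IfDefine>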
232         <IfDefine SmartHTTPOnly>
233         # Disable non-smart HTTP access
            # Unlike the other rewrite blocks in this file, these rules are not wrapped
            # in <IfModule rewrite_module>: with SmartHTTPOnly defined and mod_rewrite
            # not loaded, the configuration is rejected at startup instead of silently
            # leaving non-smart access enabled.
234         RewriteEngine On
            # 1) /r/ URLs: refuse every non-POST request that is neither a *.bundle
            #    download nor an .../info/refs request.
235         RewriteCond %{REQUEST_METHOD} !^POST$
236         RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
237         RewriteRule ^/r/.*(?<!/info/refs)$ - [NS,F]
            # 2) The same for prefix-less URLs from Git user agents, leaving
            #    /authrequired.cgi reachable.
238         RewriteCond %{REQUEST_METHOD} !^POST$
239         RewriteCond %{HTTP_USER_AGENT} git/ [NC]
240         RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
241         RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
242         RewriteRule ^/(?![bchrw]/).*(?<!/info/refs)$ - [NS,F]
            # 3) .../info/refs is refused unless the query string carries
            #    service=git-upload-pack or service=git-receive-pack.
243         RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
244         RewriteRule ^/r/.*/info/refs$ - [NS,F]
            # 4) The same for prefix-less URLs from Git user agents.
245         RewriteCond %{HTTP_USER_AGENT} git/ [NC]
246         RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
247         RewriteRule ^/(?![bchrw]/).*/info/refs$ - [NS,F]
248         </IfDefine>
250         # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
251         # git-http-backend-verify denies all access to projects starting with '_'
            # Everything under /r/ is handed to git-http-backend-verify; the part of the
            # URL after /r/ reaches the script as extra path information.
252         ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
254         <IfModule rewrite_module>
                            # Prefix-less routes to git-http-backend-verify.  H=cgi-script
                            # forces the CGI handler on the substituted filesystem path; the
                            # <Directory @@basedir@@/bin> section of this file permits only
                            # git-http-backend-verify to be executed from that directory.
                            #
                            # RewriteCond lines apply only to the RewriteRule that directly
                            # follows them, so the User-Agent and authrequired.cgi conditions
                            # guard the first rule only; the two *.bundle rules apply to
                            # every agent, as their comments say.
255                         RewriteEngine On
257                         # This allows HTTP access for Git user agents
258                         # without the leading /r/ prefix
                            # $1 is not restricted by this pattern; project-level decisions
                            # are left to git-http-backend-verify.  The User-Agent header is
                            # client-supplied, so this condition selects a route and is not
                            # an access control.
259                         RewriteCond %{HTTP_USER_AGENT} git/ [NC]
260                         RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
261                         RewriteRule ^/(?![bchrw]/)(.*)$ \
262                                 @@basedir@@/bin/git-http-backend-verify/$1 \
263                                 [NS,L,H=cgi-script]
265                         # ...and this for access by all agents to *.bundle
266                         # files without the /r/ prefix for names ending in .git
267                         RewriteRule \
268                                 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/[a-zA-Z0-9+._-]+\.bundle)$ \
269                                 @@basedir@@/bin/git-http-backend-verify/$1 \
270                                 [NS,L,H=cgi-script]
272                         # ...and finally this for access by all agents to
273                         # *.bundle files without the /r/ prefix for names not
274                         # ending in .git as long as the repository exists
                            # ($1 begins with "/" here, hence no "/" after @@reporoot@@)
275                         RewriteCond @@reporoot@@$1.git/HEAD -f
276                         RewriteRule \
277                                 ^(?!/[bchrw]/)((?:/[a-zA-Z0-9+._-]+(?<!\.git))+)(/[a-zA-Z0-9+._-]+\.bundle)$ \
278                                 @@basedir@@/bin/git-http-backend-verify$1$2 \
279                                 [NS,L,H=cgi-script]
280         </IfModule>
282 # ---- END LINES TO DUPLICATE ----
284 </VirtualHost>
287 # This comments out the following so this file can be used as-is
288 # for an http-only configuration.  Remove or change the sense of
289 # the test (by inserting a !) to activate the https virtual host.
290 <IfDefine EnableGiroccoHttpsVirtualHost>
293 # This is an example configuration of an https virtualhost running Girocco, as set
294 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
295 # It is not essential for Girocco to use a special virtualhost, however.
296 # The Config.pm $httpspushurl variable needs to be defined to properly enable
297 # https pushing.
298 <VirtualHost *:443>
300         # These certificate files will all be automatically generated, but the
301         # paths here may need to be corrected to match the paths
302         # (especially $certsdir) from Config.pm
            # The key file below is the server's private key; it should be readable
            # only by the account that starts the web server.
304         SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
305         SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
            # NOTE(review): SSLCertificateChainFile is deprecated in newer Apache 2.4
            # releases, where the chain can be appended to the SSLCertificateFile.
306         SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
307         # when using a paid www server cert, only the above three lines should
308         # be changed.  Changing any of the below two lines (other than updating
309         # the paths to match $certsdir) will likely break https client auth
            # SSLCACertificateFile names the CA that client (push) certificates are
            # verified against; SSLCADNRequestFile controls which CA names are offered
            # to clients when a certificate is requested.
310         SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
311         SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
313         SSLVerifyDepth 3
314         SSLOptions +FakeBasicAuth +StrictRequire
            # NOTE(review): no SSLProtocol or SSLCipherSuite is set in this virtual
            # host, so protocol versions and ciphers come from the server-wide
            # configuration; check that those defaults meet the site's TLS policy.
315         SSLEngine on
317         # This configuration allows fetching over https without a certificate
318         # while always requiring a certificate for pushing over https
            #
            # How it works: a client certificate is requested but not demanded at the
            # TLS layer (SSLVerifyClient optional).  The rules below set the
            # environment variable client_auth_required for every push-related request
            # (service=git-receive-pack discovery and the git-receive-pack call itself),
            # and the final rule answers 401 when that variable is set but the client
            # certificate did not verify.
            #
            # The two rule pairs for URLs without the /r/ prefix are conditioned on a
            # Git User-Agent.  That header is client-supplied, so the conditions are
            # not a protection by themselves: they mirror the routing rule in the
            # duplicated port-80 section, which hands prefix-less URLs to
            # git-http-backend-verify only for Git user agents.  If that routing rule
            # is ever widened, widen these conditions with it, or pushes could reach
            # the backend without client_auth_required being set.
319         RewriteEngine On
320         SSLVerifyClient optional
321         RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
322         RewriteRule ^/r/.*/info/refs$ - [NS,env=client_auth_required:1]
323         RewriteCond %{HTTP_USER_AGENT} git/ [NC]
324         RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
325         RewriteRule ^/(?!r/).*/info/refs$ - [NS,env=client_auth_required:1]
326         RewriteRule ^/r/.*/git-receive-pack$ - [NS,env=client_auth_required:1]
327         RewriteCond %{HTTP_USER_AGENT} git/ [NC]
328         RewriteRule ^/(?!r/).*/git-receive-pack$ - [NS,env=client_auth_required:1]
            # With a non-3xx status in R=, the substitution is dropped and rewriting
            # stops here, so the request ends with a 401 response.
329         RewriteCond %{ENV:client_auth_required} 1
330         RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
331         RewriteRule .* %{REQUEST_URI} [NS,R=401]
332         <Location />
                    # "Satisfy any" grants access when EITHER the host-based check passes
                    # (client_auth_required is not set, i.e. the request is not a push) OR
                    # the authentication requirement is met.  For pushes the host-based
                    # check fails on purpose, which leaves authentication as the only way in.
                    #
                    # FakeBasicAuth turns the verified client certificate's subject into a
                    # Basic-auth user name, and "Anonymous *" appears to accept any user
                    # name.  The net effect is that any certificate which verifies against
                    # the configured CA passes this section; deciding WHICH user may push
                    # to WHICH project is presumably left to git-http-backend-verify --
                    # confirm that it performs that check.
333                 SSLRequireSSL
334                 Order deny,allow
335                 Deny from env=client_auth_required
336                 SSLOptions +FakeBasicAuth
337                 AuthName "Git Client Authentication"
338                 AuthType Basic
339                 AuthBasicProvider anon
340                 Anonymous *
341                 Require valid-user
342                 Satisfy any
343         </Location>
            # Body sent with the 401 responses produced by the rules above.
344         ErrorDocument 401 /authrequired.cgi
346         # *** IMPORTANT ***
347         #
348         # ALL of the contents of the <VirtualHost *:80> section at
349         # the top of this file must be copied here.
350         #
351         # To avoid this duplication, the contents of the <VirtualHost *:80>
352         # section above can be moved to a separate file and then included
353         # both here and in the <VirtualHost *:80> section using an Include
354         # directive.  Be careful not to place the new include file in one of the
355         # directories the standard apache configuration blindly includes all
356         # files from.
358 # ---- BEGIN DUPLICATE LINES ----
360 # ---- END DUPLICATE LINES ----
362 </VirtualHost>
365 # End commenting
366 </IfDefine>