1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
9 # ---- BEGIN LINES TO DUPLICATE ----
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
15 ErrorLog /var/log/apache2/repo-error.log
16 CustomLog /var/log/apache2/repo-access.log combined
18 <IfModule mime_magic_module>
19 # Avoid spurious Content-Type values when git-http-backend
20 # fails to provide a Content-Type header in its output
21 MimeMagicFile /dev/null
24 DocumentRoot @@webroot@@
25 <Directory @@webroot@@>
26 # Add MultiViews only if pages are truly
27 # offered in more than a single language
28 Options FollowSymLinks
36 ScriptAlias /w @@cgiroot@@/gitweb.cgi
37 ScriptAlias /h @@cgiroot@@/html.cgi
38 AliasMatch ^/(?!(?i)gitweb\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
40 <IfModule rewrite_module>
42 # Redirect bare /w requests without .git that name an existing repo...
43 RewriteCond @@reporoot@@/$1.git/HEAD -f
45 ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
48 # ...and also make the leading /w optional for those types of requests
49 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
50 RewriteCond @@reporoot@@/$1.git/HEAD -f
52 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
55 # Make the leading /w optional if the rest names an existing repo
56 # and it's not a request for a bundle or bundle listing
57 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
58 RewriteCond @@reporoot@@/$1/HEAD -f
59 # Might want to use [L,R] instead of [PT] maybe even [L,R=301]
61 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)(?!/(?:bundles|[a-zA-Z0-9+._-]+\.bundle)$)((?:/.*)?)$ \
65 <Directory @@reporoot@@>
66 Options FollowSymLinks
72 <IfModule rewrite_module>
73 # Everything fetched over the non-smart git http
74 # protocol should be an existing file. If the request
75 # is not for an existing file, just send back an error
76 # message without emitting anything into the error log.
78 RewriteCond %{REQUEST_FILENAME} !-f
79 RewriteRule .* - [R=404,L]
83 <Directory @@cgiroot@@>
91 <IfModule !mod_fastcgi.c>
92 <IfModule !mod_fcgid.c>
97 # Note that in testing mod_fastcgi (in dynamic mode)
98 # was found to be slightly faster than mod_fcgid.
100 # However, we prefer mod_fcgid if both are available
101 # because we cannot control the server-global settings
102 # of mod_fastcgi's "FastCgiConfig" options.
104 # In order for gitweb.cgi to run reasonably well as a
105 # mod_fastcgi dynamic FastCGI application, the
106 # "FastCgiConfig" option "-idle-timeout" value needs to
107 # be increased from the default value of "30" to at
108 # least "120", preferably more like "300". But that
109 # will affect ALL dynamic mod_fastcgi applications on
110 # the ENTIRE server, not just gitweb.cgi. Additionally
111 # the "FastCgiConfig" "-restart" option probably ought
112 # to be set as well. Also, unfortunately, there is no
113 # mod_fastcgi option corresponding to mod_fcgid's
114 # MaxRequestsPerProcess option and gitweb.cgi running
115 # in FastCGI mode (without using FCGI::ProcManager) will
116 # always exit after serving 100 requests (a good thing).
118 # The alternative is to make gitweb.cgi a static
119 # mod_fastcgi application (the "FastCgiServer"
120 # directive), but then the number of running instances
121 # will be fixed at whatever value is chosen for the
122 # "-processes" option rather than being dynamically
123 # adjusted based on load and that's probably undesirable
124 # in most cases unless you run gitweb.cgi under a
125 # front-end that dynamically forks multiple copies of
126 # gitweb.cgi based on the current load. See the CPAN
127 # FCGI::ProcManager::Dynamic module for an example of
128 # how to do this in Perl:
130 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
132 # So instead we prefer mod_fcgid because we can adjust
133 # the necessary options for good gitweb.cgi behavior
134 # while affecting only gitweb.cgi and having it remain
135 # a dynamic application whose total number of running
136 # instances is adjusted based on current server load.
138 <IfModule mod_fcgid.c>
139 SetHandler fcgid-script
141 <IfModule !mod_fcgid.c>
142 <IfModule mod_fastcgi.c>
143 SetHandler fastcgi-script
147 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
149 SetHandler cgi-script
155 <IfModule mod_fcgid.c>
156 # mod_cgid benefits from some additional config for gitweb.cgi
157 # gitweb.cgi has a hard-coded maximum of 100 requests
158 # and we do not want to give up too soon in case Git is lagging
159 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
160 MaxRequestsPerProcess 100 IOTimeout 300
163 <Directory @@basedir@@/bin>
168 <Files git-http-backend-verify>
170 SetHandler cgi-script
176 # By default non-smart HTTP fetch access will be allowed, however
177 # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
178 # non-smart HTTP requests can be denied directly by the web server
180 <IfDefine !SmartHTTPOnly>
181 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
182 # But not for projects starting with '_' to which access should never be allowed
183 AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
184 AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
186 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
187 # But not for projects starting with '_' to which access should never be allowed
188 <IfModule rewrite_module>
190 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
191 RewriteRule "(?x) ^/((?![bchrw]/)[^_].*/objects/(?: \
192 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
193 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
198 <IfDefine SmartHTTPOnly>
199 # Disable non-smart HTTP access
201 RewriteCond %{REQUEST_METHOD} !^POST$
202 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
203 RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
204 RewriteCond %{REQUEST_METHOD} !^POST$
205 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
206 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
207 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
208 RewriteRule ^/(?![bchrw]/).*(?<!/info/refs)$ - [F]
209 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
210 RewriteRule ^/r/.*/info/refs$ - [F]
211 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
212 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
213 RewriteRule ^/(?![bchrw]/).*/info/refs$ - [F]
216 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
217 # git-http-backend-verify denies all access to projects starting with '_'
218 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
220 <IfModule rewrite_module>
223 # This allows HTTP access for Git user agents
224 # without the leading /r/ prefix
225 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
226 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
227 RewriteRule ^/(?![bchrw]/)(.*)$ \
228 @@basedir@@/bin/git-http-backend-verify/$1 \
231 # ...and this for access by all agents to *.bundle
232 # files without the /r/ prefix for names ending in .git
234 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/[a-zA-Z0-9+._-]+\.bundle)$ \
235 @@basedir@@/bin/git-http-backend-verify/$1 \
238 # ...and finally this for access by all agents to
239 # *.bundle files without the /r/ prefix for names not
240 # ending in .git as long as the repository exists
241 RewriteCond @@reporoot@@$1.git/HEAD -f
243 ^(?!/[bchrw]/)((?:/[a-zA-Z0-9+._-]+(?<!\.git))+)(/[a-zA-Z0-9+._-]+\.bundle)$ \
244 @@basedir@@/bin/git-http-backend-verify$1$2 \
248 # ---- END LINES TO DUPLICATE ----
253 # This comments out the following so this file can be used as-is
254 # for an http-only configuration. Remove or change the sense of
255 # the test (by inserting a !) to activate the https virtual host.
256 <IfDefine EnableGiroccoHttpsVirtualHost>
259 # This is an example configuration of an https virtualhost running Girocco, as set
260 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
261 # It is not essential for Girocco to use a special virtualhost, however.
262 # The Config.pm $httpspushurl variable needs to be defined to properly enable
266 # These certificate files will all be automatically generated, but the
267 # paths here may need to be corrected to match the paths
268 # (especially $certsdir) from Config.pm
270 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
271 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
272 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
273 # when using a paid www server cert, only the above three lines should
274 # be changed. Changing any of the below two lines (other than updating
275 # the paths to match $certsdir) will likely break https client auth
276 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
277 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
280 SSLOptions +FakeBasicAuth +StrictRequire
283 # This configuration allows fetching over https without a certificate
284 # while always requiring a certificate for pushing over https
286 SSLVerifyClient optional
287 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
288 RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
289 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
290 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
291 RewriteRule ^/(?!r/).*/info/refs$ - [env=client_auth_required:1]
292 RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
293 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
294 RewriteRule ^/(?!r/).*/git-receive-pack$ - [env=client_auth_required:1]
295 RewriteCond %{ENV:client_auth_required} 1
296 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
297 RewriteRule .* %{REQUEST_URI} [R=401]
301 Deny from env=client_auth_required
302 SSLOptions +FakeBasicAuth
303 AuthName "Git Client Authentication"
305 AuthBasicProvider anon
310 ErrorDocument 401 /authrequired.cgi
314 # ALL the entire contents from the <VirtualHost *:80> section at
315 # the top of this file must be copied here.
317 # To avoid this duplication, the contents of the <VirtualHost *:80>
318 # section above can be moved to a separate file and then included
319 # both here and in the <VirtualHost *:80> section using an Include
320 # directive. Be careful not to place the new include file in one of the
321 # directories the standard apache configuration blindly includes all
324 # ---- BEGIN DUPLICATE LINES ----
326 # ---- END DUPLICATE LINES ----