[girocco.git] / apache.conf.in
1 ##  To convert this file to apache.conf using the current Girocco::Config
2 ##  values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11         ServerName @@httpdnsname@@
12         ServerAlias www.@@httpdnsname@@
13         ServerAdmin @@admin@@
           # The @@name@@ tokens used throughout are placeholders that are filled in
           # from Girocco::Config when apache.conf is generated (see the header of
           # this file).
15         # This is the standard "combined" log format modified as follows:
16         #    the received time is shown as [YYYY-mm-dd_HH:MM:SS +hhmm] (almost RFC 3339 format)
17         #        -- this is one character shorter than the default but sorts so much better
18         #    when the logio_module is present (almost always) the %O value is prefixed with:
19         #        %I->  -- <bytes-received-including-request-and-headers>
20         #    the first line of the request ("%r") is prefixed with
21         #        %X%k: -- <connection-status><keepalive-request-num>
22         #                 <keepalive-request-num> will be omitted if apache < 2.2.11
23         #    these fields are added to the end:
24         #        :%{local}p   -- :<actual-server-port>
25         #        %Dus         -- <request-time-in-microseconds>
26         #        "%o{Content-Range}" -- <outgoing Content-Range header>
           # The request line, Referer and User-Agent fields are supplied by the
           # client; treat them as untrusted input in anything that parses or
           # displays these logs.
           # NOTE(review): the nickname "girocco" is defined more than once below;
           # this appears to rely on the last applicable LogFormat definition being
           # the one in effect, so the %I->%O variant is used when logio_module is
           # loaded -- confirm on the Apache version in use.
27         <IfVersion >= 2.2.11>
28         LogFormat "%h %l %u %{[%F_%T %z]}t %X%k:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
29         </IfVersion>
30         <IfVersion !>= 2.2.11>
31         LogFormat "%h %l %u %{[%F_%T %z]}t %X:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
32         </IfVersion>
33         <IfModule logio_module>
34                 # %I and %O are only available with the logio_module
35                 <IfVersion >= 2.2.11>
36                 LogFormat "%h %l %u %{[%F_%T %z]}t %X%k:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
37                 </IfVersion>
38                 <IfVersion !>= 2.2.11>
39                 LogFormat "%h %l %u %{[%F_%T %z]}t %X:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
40                 </IfVersion>
41         </IfModule>
43         # If your distribution does not set APACHE_LOG_DIR before
44         # starting Apache you will need to edit the next two directives
45         ErrorLog "${APACHE_LOG_DIR}/@@nickname@@-error.log"
46         CustomLog "${APACHE_LOG_DIR}/@@nickname@@-access.log" girocco
48         <IfModule mime_magic_module>
49                 # Avoid spurious Content-Type values when git-http-backend
50                 # fails to provide a Content-Type header in its output
                   # (/dev/null gives mod_mime_magic an empty rule file, so it has
                   # nothing to guess a type from)
51                 MimeMagicFile /dev/null
52         </IfModule>
54         DocumentRoot @@webroot@@
           # Static web root.  Access is granted to everyone by both the pre-2.3 and
           # the 2.3+ access blocks below.
55         <Directory @@webroot@@>
56                 # Add MultiViews only if pages are truly
57                 # offered in more than a single language
58                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
                   # "Options" without +/- sets the option list to exactly what is
                   # named, so Indexes, ExecCGI and Includes are not enabled by this
                   # line (a .htaccess file can still change that while
                   # AllowOverride All is in effect below).
59                 Options FollowSymLinks
60                 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
                   # NOTE(review): All also lets .htaccess files under the web root
                   # change Options, authentication and access rules.  If the
                   # .htaccess files shipped here only carry mod_rewrite rules,
                   # FileInfo -- as used for <Directory @@cgiroot@@> -- is the
                   # narrower setting; confirm against those files before changing.
61                 AllowOverride All
62                 <IfVersion < 2.3>
63                 Order allow,deny
64                 Allow from all
65                 Satisfy all
66                 </IfVersion>
67                 <IfVersion >= 2.3>
68                 Require all granted
69                 </IfVersion>
                   # A request for the bare directory is answered with "w", which
                   # the ScriptAlias /w line maps to gitweb.cgi.
70                 DirectoryIndex w
71         </Directory>
73         # The non-mod_rewrite items are handled first where the magic /[bchrw]
74         # prefix always forces selection of the prefix-indicated cgi handler.
           # ScriptAlias both maps the URL prefix and marks the target as a CGI
           # script; whether the request is allowed is still decided by the
           # <Directory @@cgiroot@@> section.
76         ScriptAlias /w @@cgiroot@@/gitweb.cgi
77         ScriptAlias /b @@cgiroot@@/bundles.cgi
78         ScriptAlias /h @@cgiroot@@/html.cgi
           # Maps /NAME.cgi (optionally followed by /path-info) to the script of
           # that name in cgiroot.  [^/]+ keeps the script name to a single path
           # component, and the lookahead excludes the three scripts that already
           # have a prefix above.
           # NOTE(review): inside the lookahead the trailing (?:/|$) binds only to
           # the html\.cgi alternative, so any name that merely starts with
           # "gitweb.cgi" or "bundles.cgi" is excluded as well -- stricter than
           # the other branch, confirm this is intended.
79         ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
81         # Any requests without the magic /[bchrw] are treated as Git requests if they
82         # are one of the few possible Git URLs otherwise they go to bundles or gitweb
84         # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
85         # change whether or not non-smart HTTP fetch access will be allowed.
87         <IfDefine !@@SmartHTTPOnly@@>
88         # This accelerates non-smart HTTP access to loose objects, packs and info
           # These URLs are mapped straight onto files under @@reporoot@@ and are
           # served as static files; they do not go through
           # git-http-backend-verify.  NOTE(review): whatever checks that script
           # performs are therefore not applied on this path -- confirm that every
           # repository under reporoot is meant to be publicly fetchable.
           # Each path component must start with [a-zA-Z0-9] and may only contain
           # [a-zA-Z0-9+._-], so "." and ".." components cannot match, and only
           # the listed file names (with 2+38 and 40 hex digit object and pack
           # names) are reachable this way.
89         AliasMatch \
90                 "(?x)^/(?![bchw]/)(?:r/)? \
91                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
92                         HEAD | \
93                         objects/info/alternates | \
94                         objects/info/http-alternates | \
95                         objects/info/packs | \
96                         objects/[0-9a-f]{2}/[0-9a-f]{38} | \
97                         objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
98                 @@reporoot@@/$1.git/$2
99         </IfDefine>
101         # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
            # Both the explicit /r/ prefix and the prefix-less Git URLs below are
            # routed to the git-http-backend-verify wrapper script rather than to
            # git-http-backend itself.  What the wrapper checks is not visible in
            # this file.
102         ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
104         ScriptAliasMatch \
105                 "(?x)^/(?![bchrw]/) \
106                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
107                         info/refs | \
108                         git-upload-pack | \
109                         git-receive-pack | \
110                         [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
111                 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
113         # Everything else off to bundles.cgi or gitweb.cgi
            # (a path ending in .git/bundles goes to bundles.cgi, any other path
            # containing a NAME.git component goes to gitweb.cgi; the project path
            # is passed on as PATH_INFO)
114         ScriptAliasMatch \
115                 "(?x)^/(?![bchrw]/) \
116                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
117                 @@cgiroot@@/bundles.cgi/$1
118         ScriptAliasMatch \
119                 "(?x)^/(?![bchrw]/) \
120                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
121                 @@cgiroot@@/gitweb.cgi/$1
123         # mod_rewrite is not strictly required for gitweb and fetch access, but
124         # if it's not available the trailing ".git" is never optional for
125         # gitweb, the leading /h is always required for *.html, snapshots are
126         # not throttled, some bogus Git http protocol requests will not be
127         # detected early and, if non-smart HTTP is allowed, access to the
128         # /info/refs file will not be accelerated in non-smart HTTP mode.
            # NOTE(review): every rejection in this section is skipped when
            # rewrite_module is not loaded, so these rules are an early filter and
            # not the only control -- the CGI scripts behind these URLs still need
            # their own method and argument checks; confirm.
130         <IfModule rewrite_module>
131                 RewriteEngine On
                    # Flags used below: F answers 403 Forbidden, NS skips the rule
                    # for internal subrequests, L stops rule processing, PT hands
                    # the rewritten path back to URL mapping (ScriptAlias etc.).
133                 # Snapshot requests are only allowed via the PATH_INFO mechanism
                    # NOTE(review): %{QUERY_STRING} is compared in its raw,
                    # undecoded form; confirm gitweb itself also refuses
                    # query-string snapshot actions so this rule is not the only
                    # thing enforcing the restriction.
134                 RewriteCond %{QUERY_STRING}     (^|[&;])a=snapshot([&;]|$) [NC]
135                 RewriteRule .? - [NS,F,L]
137                 # Redirect snapshot requests to snapshot.cgi
138                 RewriteRule \
139                         "(?x)^/(?![bchr]/)(?:w/)? \
140                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
141                                 snapshot(?:/.*)?)$" \
142                         @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
144                 # Make the leading /h optional for requests that name an existing .html template
                    # (only when no file of that name exists in webroot or cgiroot
                    # and a non-empty file of that name exists under
                    # @@basedir@@/html)
145                 RewriteCond @@webroot@@/$1 !-f
146                 RewriteCond @@cgiroot@@/$1 !-f
147                 RewriteCond @@basedir@@/html/$1 -s
148                 RewriteRule \
149                         ^/(?![bchrw]/)(.*\.html)$ \
150                         /h/$1 [NS,PT]
152                 # Redirect bare gitweb requests without .git that name an existing repo...
                    # (the redirect target is built only from the matched path, so
                    # it always stays on this host)
153                 RewriteCond @@webroot@@/$2 !-f
154                 RewriteCond @@cgiroot@@/$2 !-f
155                 RewriteCond @@reporoot@@/$2.git/HEAD -s
156                 RewriteRule \
157                         "(?x)^/(?![bchr]/)((?:w/)?) \
158                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
159                         /$1$2.git [NS,L,R=301]
161                 # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
162                 # 9 are only valid with GET/HEAD and the other two are only valid with POST
163                 # Furthermore, 7 are only valid when non-smart is allowed and
164                 # 1 is only valid when smart-only is enabled if it has the correct query string.
166                 # These two always require POST
167                 RewriteCond %{REQUEST_METHOD} !=POST
168                 RewriteRule \
169                         "(?x)^/(?![bchw]/)(?:r/)? \
170                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
171                                 git-upload-pack | \
172                                 git-receive-pack )$" \
173                         - [NS,F]
175                 <IfDefine @@SmartHTTPOnly@@>
176                 # These 7 are always forbidden when non-smart HTTP is disabled
177                 RewriteRule \
178                         "(?x)^/(?![bchw]/)(?:r/)? \
179                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
180                                 HEAD | \
181                                 objects/info/alternates | \
182                                 objects/info/http-alternates | \
183                                 objects/info/packs | \
184                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
185                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
186                         - [NS,F]
187                 # This one is forbidden without the magic query string when non-smart is disabled
188                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
189                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
190                 RewriteRule \
191                         "(?x)^/(?![bchw]/)(?:r/)? \
192                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
193                                 info/refs $" \
194                         - [NS,F]
195                 # This one requires GET (or HEAD)
196                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
197                 RewriteRule \
198                         "(?x)^/(?![bchw]/)(?:r/)? \
199                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
200                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
201                         - [NS,F]
202                 </IfDefine>
204                 <IfDefine !@@SmartHTTPOnly@@>
205                 # These 9 require GET (or HEAD)
206                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
207                 RewriteRule \
208                         "(?x)^/(?![bchw]/)(?:r/)? \
209                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
210                                 HEAD | \
211                                 info/refs | \
212                                 objects/info/alternates | \
213                                 objects/info/http-alternates | \
214                                 objects/info/packs | \
215                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
216                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
217                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
218                         - [NS,F]
219                 # This one can be accelerated when accessed with non-smart HTTP
                    # (info/refs requested without a service= parameter is served
                    # as a plain file from @@reporoot@@ instead of being passed to
                    # git-http-backend-verify)
220                 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
221                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
222                 RewriteRule \
223                         "(?x)^/(?![bchw]/)(?:r/)? \
224                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
225                                 info/refs $" \
226                         @@reporoot@@/$1.git/info/refs [NS,L]
227                 </IfDefine>
228         </IfModule>
230         <Directory @@reporoot@@>
                    # Access to the repository tree is granted to everyone at the
                    # directory level.  Which files are actually reachable is
                    # decided by the URL mappings that point into @@reporoot@@ (in
                    # this file: the non-smart AliasMatch and the info/refs
                    # rewrite), so any new Alias into this tree exposes whatever it
                    # maps.
                    # NOTE(review): FollowSymLinks follows symbolic links found
                    # under reporoot without an ownership check; confirm it is
                    # needed here.
231                 Options FollowSymLinks
                    # .htaccess files inside repositories are ignored
232                 AllowOverride None
233                 <IfVersion < 2.3>
234                 Order allow,deny
235                 Allow from all
236                 Satisfy all
237                 </IfVersion>
238                 <IfVersion >= 2.3>
239                 Require all granted
240                 </IfVersion>
242                 <IfModule rewrite_module>
243                         # Everything fetched over the non-smart git http
244                         # protocol should be an existing file.  If the request
245                         # is not for an existing file, just send back an error
246                         # message without emitting anything into the error log.
247                         RewriteEngine On
248                         RewriteBase /
249                         RewriteCond @@reporoot@@/$1 !-f
250                         RewriteRule ^(.*)$ - [NS,R=404,L]
251                 </IfModule>
252         </Directory>
254         <Directory @@cgiroot@@>
                    # Default-deny for the CGI directory: everything is refused
                    # here, and only the <Files gitweb.cgi> and <FilesMatch>
                    # sections below grant access.  Any file in this directory
                    # whose name does not end in .cgi therefore stays unreachable.
255                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
256                 Options SymLinksIfOwnerMatch
257                 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
258                 AllowOverride FileInfo
259                 <IfVersion < 2.3>
260                 Order deny,allow
261                 Deny from all
262                 Satisfy all
263                 </IfVersion>
264                 <IfVersion >= 2.3>
265                 Require all denied
266                 </IfVersion>
267                 <Files gitweb.cgi>
                            # gitweb.cgi is granted to everyone and runs under the
                            # first available of mod_fcgid, mod_fastcgi or plain
                            # CGI (see the handler selection below).
268                         Options +ExecCGI
269                         <IfVersion < 2.3>
270                         Order deny,allow
271                         Allow from all
272                         Satisfy all
273                         </IfVersion>
274                         <IfVersion >= 2.3>
275                         Require all granted
276                         </IfVersion>
277                         <IfModule !mod_fastcgi.c>
278                         <IfModule !mod_fcgid.c>
279                                 SetHandler cgi-script
280                         </IfModule>
281                         </IfModule>
283                         # Note that in testing mod_fastcgi (in dynamic mode)
284                         # was found to be slightly faster than mod_fcgid.
285                         #
286                         # However, we prefer mod_fcgid if both are available
287                         # because we cannot control the server-global settings
288                         # of mod_fastcgi's "FastCgiConfig" options.
289                         #
290                         # In order for gitweb.cgi to run reasonably well as a
291                         # mod_fastcgi dynamic FastCGI application, the
292                         # "FastCgiConfig" option "-idle-timeout" value needs to
293                         # be increased from the default value of "30" to at
294                         # least "120", preferably more like "300".  But that
295                         # will affect ALL dynamic mod_fastcgi applications on
296                         # the ENTIRE server, not just gitweb.cgi.  Additionally
297                         # the "FastCgiConfig" "-restart" option probably ought
298                         # to be set as well.  Also, unfortunately, there is no
299                         # mod_fastcgi option corresponding to mod_fcgid's
300                         # MaxRequestsPerProcess option and gitweb.cgi running
301                         # in FastCGI mode (without using FCGI::ProcManager) will
302                         # always exit after serving 100 requests (a good thing).
303                         #
304                         # The alternative is to make gitweb.cgi a static
305                         # mod_fastcgi application (the "FastCgiServer"
306                         # directive), but then the number of running instances
307                         # will be fixed at whatever value is chosen for the
308                         # "-processes" option rather than being dynamically
309                         # adjusted based on load and that's probably undesirable
310                         # in most cases unless you run gitweb.cgi under a
311                         # front-end that dynamically forks multiple copies of
312                         # gitweb.cgi based on the current load.  See the CPAN
313                         # FCGI::ProcManager::Dynamic module for an example of
314                         # how to do this in Perl:
315                         #
316                         #   http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
317                         #
318                         # So instead we prefer mod_fcgid because we can adjust
319                         # the necessary options for good gitweb.cgi behavior
320                         # while affecting only gitweb.cgi and having it remain
321                         # a dynamic application whose total number of running
322                         # instances is adjusted based on current server load.
324                         <IfModule mod_fcgid.c>
325                                 SetHandler fcgid-script
326                         </IfModule>
327                         <IfModule !mod_fcgid.c>
328                         <IfModule mod_fastcgi.c>
329                                 SetHandler fastcgi-script
330                         </IfModule>
331                         </IfModule>
332                 </Files>
                    # Every other *.cgi file in this directory is granted to
                    # everyone and always runs as plain CGI.
333                 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
334                         Options +ExecCGI
335                         SetHandler cgi-script
336                         <IfVersion < 2.3>
337                         Order deny,allow
338                         Allow from all
339                         Satisfy all
340                         </IfVersion>
341                         <IfVersion >= 2.3>
342                         Require all granted
343                         </IfVersion>
344                 </FilesMatch>
345         </Directory>
347         <IfModule mod_fcgid.c>
348                 # mod_fcgid benefits from some additional config for gitweb.cgi
349                 # gitweb.cgi has a hard-coded maximum of 100 requests
350                 # and we do not want to give up too soon in case Git is lagging.
351                 # Note that adding a 'MaxProcesses ...' option here may be valuable
352                 # to limit the maximum number of gitweb.cgi processes that can be
353                 # spawned (default is 100) -- perhaps to something much lower such
354                 # as 1 or 2 times the number of CPU cores.  Also note that in the
355                 # unlikely event all the children finish their 100 requests at the
356                 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
357                 # to 10 if not set) should be set to at least 3 times the
358                 # MaxProcesses value chosen to allow them all to respawn
359                 # immediately.  FcgidSpawnScoreUpLimit MUST be at least twice the
360                 # chosen MaxProcesses value (assuming FcgidTerminationScore is
361                 # still set to the default 2) in order to allow any child at all to
362                 # respawn immediately in this case without a delay.
                    # NOTE(review): no MaxProcesses is set below, so the cap on
                    # concurrent gitweb.cgi processes is the default described
                    # above; on a publicly reachable server an explicit, lower
                    # value bounds the resources a burst of requests can consume.
363                 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
364                 MaxRequestsPerProcess 100 IOTimeout 300
365         </IfModule>
367         <Directory @@basedir@@/bin>
                    # Default-deny with no options and no .htaccess processing:
                    # the only file in this directory that can be requested is
                    # git-http-backend-verify, granted in the <Files> section
                    # below and run as a CGI script.
368                 Options None
369                 AllowOverride None
370                 <IfVersion < 2.3>
371                 Order deny,allow
372                 Deny from all
373                 Satisfy all
374                 </IfVersion>
375                 <IfVersion >= 2.3>
376                 Require all denied
377                 </IfVersion>
378                 <Files git-http-backend-verify>
379                         Options ExecCGI
380                         SetHandler cgi-script
381                         <IfVersion < 2.3>
382                         Order deny,allow
383                         Allow from all
384                         Satisfy all
385                         </IfVersion>
386                         <IfVersion >= 2.3>
387                         Require all granted
388                         </IfVersion>
389                 </Files>
390         </Directory>
392 # ---- END LINES TO DUPLICATE ----
394 </VirtualHost>
397 # Change the setting of $TLSHost in Girocco::Config.pm to change
398 # whether or not the following https virtual host is enabled.
400 <IfDefine @@TLSHost@@>
402 # This is an example configuration of an https virtualhost running Girocco, as set
403 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
404 # It is not essential for Girocco to use a special virtualhost, however.
405 # The Config.pm $httpspushurl variable needs to be defined to properly enable
406 # https pushing.
407 <VirtualHost *:443>
409         # These certificate files will all be automatically generated, but the
410         # paths here may need to be corrected to match the paths
411         # (especially $certsdir) from Config.pm
            # NOTE(review): the private key file should be readable only by the
            # account Apache is started as.
413         SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
414         SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
415         SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
416         # when using a paid www server cert, only the above three lines should
417         # be changed.  Changing any of the below two lines (other than updating
418         # the paths to match $certsdir) will likely break https client auth
            # SSLCACertificateFile is the CA that client certificates are verified
            # against; SSLCADNRequestFile controls which CA names are advertised to
            # clients in the certificate request.
419         SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
420         SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
422         SSLVerifyDepth 3
423         SSLOptions +FakeBasicAuth +StrictRequire
424         SSLEngine on
            # No SSLProtocol or SSLCipherSuite is set in this virtual host, so the
            # accepted TLS versions and ciphers are whatever the server-wide
            # configuration or the mod_ssl defaults provide.  NOTE(review): set
            # them here or confirm the global values.
            # Nothing in this file redirects the port-80 virtual host to https or
            # sends a Strict-Transport-Security header; plain-HTTP access remains
            # available alongside this host.
426         # This configuration allows fetching over https without a certificate
427         # while always requiring a certificate for pushing over https
            # How the push check works: "SSLVerifyClient optional" requests a
            # client certificate during the handshake but does not fail without
            # one.  The first two rules below mark push requests (the
            # receive-pack ref advertisement and the receive-pack POST) by setting
            # client_auth_required; the third answers 401 for a marked request
            # unless mod_ssl reports SSL_CLIENT_VERIFY as SUCCESS.
428         RewriteEngine On
429         SSLVerifyClient optional
430         RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
431         RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
432         RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
433         RewriteCond %{REQUEST_METHOD} =POST [NC]
434         RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
435         RewriteCond %{ENV:client_auth_required} 1
436         RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
437         RewriteRule .? %{REQUEST_URI} [NS,R=401]
438         <Location />
                    # FakeBasicAuth makes mod_ssl present the verified client
                    # certificate's subject DN as the Basic-auth user name.
                    # NOTE(review): with the "anon" provider and "Anonymous *"
                    # the user name is presumably accepted without a real
                    # password check, so "Require valid-user" does not by itself
                    # show that a certificate was presented -- the
                    # SSL_CLIENT_VERIFY rewrite condition above is the control
                    # that does.  Keep the two together when copying or editing
                    # this section.
439                 SSLRequireSSL
440                 SSLOptions +FakeBasicAuth
441                 AuthName "Git Client Authentication"
442                 AuthType Basic
443                 AuthBasicProvider anon
444                 Anonymous *
445                 <IfVersion < 2.3>
446                 Order deny,allow
447                 Deny from env=client_auth_required
448                 Satisfy any
449                 Require valid-user
450                 </IfVersion>
451                 <IfVersion >= 2.3>
                    # Allowed when the request is not marked as a push, or when
                    # a user name is present.
452                 <RequireAny>
453                 <RequireAll>
454                 Require all granted
455                 Require not env client_auth_required
456                 </RequireAll>
457                 Require valid-user
458                 </RequireAny>
459                 </IfVersion>
460         </Location>
461         ErrorDocument 401 /authrequired.cgi
463 # ---- BEGIN DUPLICATE LINES ----
465 ##  *** IMPORTANT ***
467 ##  ALL the entire contents from the <VirtualHost *:80> section at the top of
468 ##  this file must be copied here.
    ##  (When the contents are copied by hand, copy them again after every change
    ##  to the port-80 section so the access rules of the two hosts do not drift
    ##  apart.)
470 ##  To avoid this duplication, the contents of the <VirtualHost *:80> section
471 ##  above can be moved to a separate file and then included both here and in
472 ##  the <VirtualHost *:80> section using an Include directive.  Be careful not
473 ##  to place the new include file in one of the directories the standard apache
474 ##  configuration blindly includes all files from.
    ##  (A file placed there would also be loaded outside of any VirtualHost,
    ##  applying these directives at server-wide scope.)
476 # ---- END DUPLICATE LINES ----
478 </VirtualHost>
480 </IfDefine>