| blob | 2f3427802d0ec8e03a7df262a519d6649df0c79e |
1 # This is example configuration of a virtualhost running Girocco, as set up
2 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
3 # It is not essential for Girocco to use a special virtualhost, however.
4 <VirtualHost *:80>
6 ServerName repo.or.cz
7 ServerAlias www.repo.or.cz
8 ServerAdmin admin@repo.or.cz
10 ErrorLog /var/log/apache2/repo-error.log
11 CustomLog /var/log/apache2/repo-access.log combined
13 AddHandler cgi-script .cgi
15 DocumentRoot /home/repo/WWW
16 <Directory /home/repo/WWW>
17 Options Indexes FollowSymLinks MultiViews ExecCGI
18 AllowOverride All
19 Order allow,deny
20 Allow from all
21 DirectoryIndex gitweb.cgi
22 Satisfy all
23 </Directory>
25 ScriptAlias /w /home/repo/WWW/gitweb.cgi
26 ScriptAlias /h /home/repo/WWW/html.cgi
28 <Directory /srv/git>
29 Options FollowSymLinks
30 AllowOverride None
31 Order allow,deny
32 Allow from all
33 Satisfy all
35 <IfModule rewrite_module>
36 # Everything fetched over the non-smart git http
37 # protocol should be an existing file. If the request
38 # is not for an existing file, just send back an error
39 # message without emitting anything into the error log.
40 RewriteEngine On
41 RewriteCond %{REQUEST_FILENAME} !-f
42 RewriteRule .* - [R=404,L]
43 </IfModule>
44 </Directory>
46 <Directory /home/repo/repomgr/bin>
47 Options None
48 AllowOverride None
49 Order deny,allow
50 Deny from all
51 <Files git-http-backend-verify>
52 Allow from all
53 </Files>
54 Satisfy all
55 </Directory>
57 SetEnv GIT_PROJECT_ROOT /srv/git
58 SetEnv GIT_HTTP_EXPORT_ALL 1
60 # By default non-smart HTTP fetch access will be allowed, however
61 # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
62 # non-smart HTTP requests can be denied directly by the web server
64 <IfDefine !SmartHTTPOnly>
65 # These accelerate non-smart HTTP access to loose objects and packs
66 AliasMatch ^/r/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/$1
67 AliasMatch ^/r/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/$1
68 </IfDefine>
70 <IfDefine SmartHTTPOnly>
71 # Disable non-smart HTTP access
72 RewriteEngine On
73 RewriteCond %{REQUEST_METHOD} !^POST$
74 RewriteRule ^/r/.*(?<!/info/refs)$ - [F]
75 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
76 RewriteRule ^/r/.*/info/refs$ - [F]
77 </IfDefine>
79 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
80 ScriptAlias /r/ /home/repo/repomgr/bin/git-http-backend-verify/
82 </VirtualHost>
85 # This comments out the following so this file can be used as-is
86 <IfDefine DummyThatIsNotDefined>
89 # This is example configuration of an https virtualhost running Girocco, as set
90 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
91 # It is not essential for Girocco to use a special virtualhost, however.
92 # The Config.pm $httpspushurl variable needs to be defined to properly enable
93 # https pushing.
94 <VirtualHost *:443>
96 # These certificate files will all be automatically generated, but the
97 # paths here may need to be corrected to match the paths
98 # (especially $certsdir) from Config.pm
100 SSLCertificateFile /home/repo/certs/girocco_www_crt.pem
101 SSLCertificateKeyFile /home/repo/certs/girocco_www_key.pem
102 SSLCertificateChainFile /home/repo/certs/girocco_www_chain.pem
103 # when using a paid www server cert, only the above three lines should
104 # be changed. Changing any of the below two lines (other than updating
105 # the paths to match $certsdir) will likely break https client auth
106 SSLCACertificateFile /home/repo/certs/girocco_root_crt.pem
107 SSLCADNRequestFile /home/repo/certs/girocco_client_crt.pem
109 SSLVerifyDepth 3
110 SSLOptions +FakeBasicAuth +StrictRequire
111 SSLEngine on
112 <Location />
113 SSLRequireSSL
114 </Location>
116 # This configuration allows fetching over https without a certificate
117 # while always requiring a certificate for pushing over https
118 RewriteEngine On
119 SSLVerifyClient optional
120 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
121 RewriteRule ^/r/.*/info/refs$ - [env=client_auth_required:1]
122 RewriteRule ^/r/.*/git-receive-pack$ - [env=client_auth_required:1]
123 RewriteCond %{ENV:client_auth_required} 1
124 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
125 RewriteRule .* %{REQUEST_URI} [R=401]
126 <LocationMatch ^/r/>
127 Order deny,allow
128 Deny from env=client_auth_required
129 SSLOptions +FakeBasicAuth
130 AuthName "Git Client Authentication"
131 AuthType Basic
132 AuthBasicProvider anon
133 Anonymous *
134 Require valid-user
135 Satisfy any
136 </LocationMatch>
138 # *** IMPORTANT ***
139 #
140 # ALL the entire contents from the <VirtualHost *:80> section at
141 # the top of this file must be copied here.
142 #
143 # To avoid this duplication, the contents of the <VirtualHost *:80>
144 # section above can be moved to a separate file and then included
145 # both here and in the <VirtualHost *:80> section using an Include
146 # directive. Be careful not to place the new include file in one of the
147 # directories the standard apache configuration blindly includes all
148 # files from.
150 </VirtualHost>
153 # End commenting
154 </IfDefine>