1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
9 # ---- BEGIN LINES TO DUPLICATE ----
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
15 # This is the standard "combined" log format with :actual-server-port added to the end
16 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
17 <IfModule logio_module>
18 # %I and %O are only available with the logio_module
19 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
22 ErrorLog /var/log/apache2/repo-error.log
23 CustomLog /var/log/apache2/repo-access.log girocco
25 <IfModule mime_magic_module>
26 # Avoid spurious Content-Type values when git-http-backend
27 # fails to provide a Content-Type header in its output
28 MimeMagicFile /dev/null
31 DocumentRoot @@webroot@@
32 <Directory @@webroot@@>
33 # Add MultiViews only if pages are truly
34 # offered in more than a single language
35 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
36 Options FollowSymLinks
37 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
45 ScriptAlias /w @@cgiroot@@/gitweb.cgi
46 ScriptAlias /b @@cgiroot@@/bundles.cgi
47 ScriptAlias /h @@cgiroot@@/html.cgi
48 AliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
50 <IfModule rewrite_module>
53 # Make the leading /h optional for requests that name an existing .html template
54 RewriteCond @@webroot@@/$1 !-f
55 RewriteCond @@cgiroot@@/$1 !-f
56 RewriteCond @@basedir@@/html/$1 -f
58 ^/(?![bchrw]/)(.*\.html)$ \
61 # Redirect bare /w requests without .git that name an existing repo...
62 RewriteCond @@reporoot@@/$1.git/HEAD -f
64 ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
65 /w/$1.git [NS,L,R=301]
67 # ...and also make the leading /w optional for those types of requests
68 RewriteCond @@webroot@@/$1 !-f
69 RewriteCond @@cgiroot@@/$1 !-f
70 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
71 RewriteCond @@reporoot@@/$1.git/HEAD -f
73 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
76 # Make the leading /w optional if the rest names an existing repo
77 # and it's not a request for a bundle or bundle listing
78 RewriteCond @@webroot@@/$1$2 !-f
79 RewriteCond @@cgiroot@@/$1$2 !-f
80 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
81 RewriteCond @@reporoot@@/$1/HEAD -f
82 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
84 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)(?!/(?:bundles|[a-zA-Z0-9+._-]+\.bundle)$)((?:/.*)?)$ \
87 # Make the leading /b optional if the rest names an existing repo
88 # and it's a request for a bundle listing
89 RewriteCond @@webroot@@/$1 !-f
90 RewriteCond @@cgiroot@@/$1 !-f
91 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
92 RewriteCond @@reporoot@@/$1/HEAD -f
93 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
95 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)/bundles$ \
99 <Directory @@reporoot@@>
100 Options FollowSymLinks
106 <IfModule rewrite_module>
107 # Everything fetched over the non-smart git http
108 # protocol should be an existing file. If the request
109 # is not for an existing file, just send back an error
110 # message without emitting anything into the error log.
113 RewriteCond @@reporoot@@/$1 !-f
114 RewriteRule ^(.*)$ - [NS,R=404,L]
118 <Directory @@cgiroot@@>
119 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
120 Options SymLinksIfOwnerMatch
121 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
122 AllowOverride FileInfo
128 <IfModule !mod_fastcgi.c>
129 <IfModule !mod_fcgid.c>
130 SetHandler cgi-script
134 # Note that in testing mod_fastcgi (in dynamic mode)
135 # was found to be slightly faster than mod_fcgid.
137 # However, we prefer mod_fcgid if both are available
138 # because we cannot control the server-global settings
139 # of mod_fastcgi's "FastCgiConfig" options.
141 # In order for gitweb.cgi to run reasonably well as a
142 # mod_fastcgi dynamic FastCGI application, the
143 # "FastCgiConfig" option "-idle-timeout" value needs to
144 # be increased from the default value of "30" to at
145 # least "120", preferably more like "300". But that
146 # will affect ALL dynamic mod_fastcgi applications on
147 # the ENTIRE server, not just gitweb.cgi. Additionally
148 # the "FastCgiConfig" "-restart" option probably ought
149 # to be set as well. Also, unfortunately, there is no
150 # mod_fastcgi option corresponding to mod_fcgid's
151 # MaxRequestsPerProcess option and gitweb.cgi running
152 # in FastCGI mode (without using FCGI::ProcManager) will
153 # always exit after serving 100 requests (a good thing).
155 # The alternative is to make gitweb.cgi a static
156 # mod_fastcgi application (the "FastCgiServer"
157 # directive), but then the number of running instances
158 # will be fixed at whatever value is chosen for the
159 # "-processes" option rather than being dynamically
160 # adjusted based on load and that's probably undesirable
161 # in most cases unless you run gitweb.cgi under a
162 # front-end that dynamically forks multiple copies of
163 # gitweb.cgi based on the current load. See the CPAN
164 # FCGI::ProcManager::Dynamic module for an example of
165 # how to do this in Perl:
167 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
169 # So instead we prefer mod_fcgid because we can adjust
170 # the necessary options for good gitweb.cgi behavior
171 # while affecting only gitweb.cgi and having it remain
172 # a dynamic application whose total number of running
173 # instances is adjusted based on current server load.
175 <IfModule mod_fcgid.c>
176 SetHandler fcgid-script
178 <IfModule !mod_fcgid.c>
179 <IfModule mod_fastcgi.c>
180 SetHandler fastcgi-script
184 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
186 SetHandler cgi-script
192 <IfModule mod_fcgid.c>
193 # mod_cgid benefits from some additional config for gitweb.cgi
194 # gitweb.cgi has a hard-coded maximum of 100 requests
195 # and we do not want to give up too soon in case Git is lagging
196 # Note that adding a 'MaxProcesses ...' option here may be valuable
197 # to limit the maximum number of gitweb.cgi processes that can be
198 # spawned (default is 100) -- perhaps to something much lower such
199 # as 1 or 2 times the number of CPU cores. Also note that in the
200 # unlikely event all the children finish their 100 requests at the
201 # same time, the server's FcgidSpawnScoreUpLimit should be set
202 # to at least 3 times the MaxProcesses value chosen to allow them
203 # all to respawn immediately. It MUST be at least twice the chosen
204 # MaxProcesses value (assuming FcgidTerminationScore is still the
205 # default 2) in order to allow any child to respawn at all without
207 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
208 MaxRequestsPerProcess 100 IOTimeout 300
211 <Directory @@basedir@@/bin>
216 <Files git-http-backend-verify>
218 SetHandler cgi-script
224 # By default non-smart HTTP fetch access will be allowed, however
225 # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
226 # non-smart HTTP requests can be denied directly by the web server
228 <IfDefine !SmartHTTPOnly>
229 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
230 # But not for projects starting with '_' to which access should never be allowed
231 AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
232 AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
234 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
235 # But not for projects starting with '_' to which access should never be allowed
236 <IfModule rewrite_module>
238 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
239 RewriteRule "(?x) ^/((?![bchrw]/)[^_].*/objects/(?: \
240 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
241 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
242 @@reporoot@@/$1 [NS,L]
246 <IfDefine SmartHTTPOnly>
247 # Disable non-smart HTTP access
249 RewriteCond %{REQUEST_METHOD} !^POST$
250 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
251 RewriteRule ^/r/.*(?<!/info/refs)$ - [NS,F]
252 RewriteCond %{REQUEST_METHOD} !^POST$
253 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
254 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
255 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
256 RewriteRule ^/(?![bchrw]/).*(?<!/info/refs)$ - [NS,F]
257 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
258 RewriteRule ^/r/.*/info/refs$ - [NS,F]
259 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
260 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
261 RewriteRule ^/(?![bchrw]/).*/info/refs$ - [NS,F]
264 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
265 # git-http-backend-verify denies all access to projects starting with '_'
266 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
268 <IfModule rewrite_module>
271 # This allows HTTP access for Git user agents
272 # without the leading /r/ prefix
273 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
274 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
275 RewriteRule ^/(?![bchrw]/)(.*)$ \
276 @@basedir@@/bin/git-http-backend-verify/$1 \
279 # ...and this for access by all agents to *.bundle
280 # files without the /r/ prefix for names ending in .git
282 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/[a-zA-Z0-9+._-]+\.bundle)$ \
283 @@basedir@@/bin/git-http-backend-verify/$1 \
286 # ...and finally this for access by all agents to
287 # *.bundle files without the /r/ prefix for names not
288 # ending in .git as long as the repository exists
289 RewriteCond @@reporoot@@$1.git/HEAD -f
291 ^(?!/[bchrw]/)((?:/[a-zA-Z0-9+._-]+(?<!\.git))+)(/[a-zA-Z0-9+._-]+\.bundle)$ \
292 @@basedir@@/bin/git-http-backend-verify$1$2 \
296 # ---- END LINES TO DUPLICATE ----
301 # This comments out the following so this file can be used as-is
302 # for an http-only configuration. Remove or change the sense of
303 # the test (by inserting a !) to activate the https virtual host.
304 <IfDefine EnableGiroccoHttpsVirtualHost>
307 # This is an example configuration of an https virtualhost running Girocco, as set
308 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
309 # It is not essential for Girocco to use a special virtualhost, however.
310 # The Config.pm $httpspushurl variable needs to be defined to properly enable
314 # These certificate files will all be automatically generated, but the
315 # paths here may need to be corrected to match the paths
316 # (especially $certsdir) from Config.pm
318 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
319 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
320 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
321 # when using a paid www server cert, only the above three lines should
322 # be changed. Changing any of the below two lines (other than updating
323 # the paths to match $certsdir) will likely break https client auth
324 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
325 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
328 SSLOptions +FakeBasicAuth +StrictRequire
331 # This configuration allows fetching over https without a certificate
332 # while always requiring a certificate for pushing over https
334 SSLVerifyClient optional
335 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
336 RewriteRule ^/r/.*/info/refs$ - [NS,env=client_auth_required:1]
337 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
338 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
339 RewriteRule ^/(?!r/).*/info/refs$ - [NS,env=client_auth_required:1]
340 RewriteRule ^/r/.*/git-receive-pack$ - [NS,env=client_auth_required:1]
341 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
342 RewriteRule ^/(?!r/).*/git-receive-pack$ - [NS,env=client_auth_required:1]
343 RewriteCond %{ENV:client_auth_required} 1
344 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
345 RewriteRule .* %{REQUEST_URI} [NS,R=401]
349 Deny from env=client_auth_required
350 SSLOptions +FakeBasicAuth
351 AuthName "Git Client Authentication"
353 AuthBasicProvider anon
358 ErrorDocument 401 /authrequired.cgi
362 # ALL the entire contents from the <VirtualHost *:80> section at
363 # the top of this file must be copied here.
365 # To avoid this duplication, the contents of the <VirtualHost *:80>
366 # section above can be moved to a separate file and then included
367 # both here and in the <VirtualHost *:80> section using an Include
368 # directive. Be careful not to place the new include file in one of the
369 # directories the standard apache configuration blindly includes all
372 # ---- BEGIN DUPLICATE LINES ----
374 # ---- END DUPLICATE LINES ----