1 ##  To convert this file to apache.conf using the current Girocco::Config
2 ##  values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11         ServerName @@httpdnsname@@
12         ServerAlias www.@@httpdnsname@@
13         ServerAdmin @@admin@@
15         # This is the standard "combined" log format with :actual-server-port added to the end
16         LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
17         <IfModule logio_module>
18                 # %I and %O are only available with the logio_module
19                 LogFormat "%h %l %u %t \"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
20         </IfModule>
22         # If your distribution does not set APACHE_LOG_DIR before
23         # starting Apache you will need to edit the next two directives
24         ErrorLog "${APACHE_LOG_DIR}/@@nickname@@-error.log"
25         CustomLog "${APACHE_LOG_DIR}/@@nickname@@-access.log" girocco
27         <IfModule mime_magic_module>
28                 # Avoid spurious Content-Type values when git-http-backend
29                 # fails to provide a Content-Type header in its output
30                 MimeMagicFile /dev/null
31         </IfModule>
33         DocumentRoot @@webroot@@
34         <Directory @@webroot@@>
35                 # Add MultiViews only if pages are truly
36                 # offered in more than a single language
37                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
38                 Options FollowSymLinks
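39                 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules; FileInfo alone suffices for that, while All additionally lets .htaccess files change Options, authentication and access-control directives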
40                 AllowOverride All
41                 <IfVersion < 2.3>
42                 Order allow,deny
43                 Allow from all
44                 Satisfy all
45                 </IfVersion>
46                 <IfVersion >= 2.3>
47                 Require all granted
48                 </IfVersion>
49                 DirectoryIndex w
50         </Directory>
52         # The non-mod_rewrite items are handled first where the magic /[bchrw]
53         # prefix always forces selection of the prefix-indicated cgi handler.
55         ScriptAlias /w @@cgiroot@@/gitweb.cgi
56         ScriptAlias /b @@cgiroot@@/bundles.cgi
57         ScriptAlias /h @@cgiroot@@/html.cgi
58         ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
60         # Any requests without the magic /[bchrw] prefix are treated as Git requests if they
61         # match one of the few possible Git URLs; otherwise they go to bundles or gitweb
63         # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
64         # change whether or not non-smart HTTP fetch access will be allowed.
66         <IfDefine !@@SmartHTTPOnly@@>
67         # This accelerates non-smart HTTP access to loose objects, packs and info
68         AliasMatch \
69                 "(?x)^/(?![bchw]/)(?:r/)? \
70                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
71                         HEAD | \
72                         objects/info/alternates | \
73                         objects/info/http-alternates | \
74                         objects/info/packs | \
75                         objects/[0-9a-f]{2}/[0-9a-f]{38} | \
76                         objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
77                 @@reporoot@@/$1.git/$2
78         </IfDefine>
80         # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
81         ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
83         ScriptAliasMatch \
84                 "(?x)^/(?![bchrw]/) \
85                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
86                         info/refs | \
87                         git-upload-pack | \
88                         git-receive-pack | \
89                         [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
90                 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
92         # Everything else off to bundles.cgi or gitweb.cgi
93         ScriptAliasMatch \
94                 "(?x)^/(?![bchrw]/) \
95                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
96                 @@cgiroot@@/bundles.cgi/$1
97         ScriptAliasMatch \
98                 "(?x)^/(?![bchrw]/) \
99                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
100                 @@cgiroot@@/gitweb.cgi/$1
102         # mod_rewrite is not strictly required for gitweb and fetch access, but
103         # if it's not available the trailing ".git" is never optional for
104         # gitweb, the leading /h is always required for *.html, snapshots are
105         # not throttled, some bogus Git http protocol requests will not be
106         # detected early and, if non-smart HTTP is allowed, access to the
107         # /info/refs file will not be accelerated in non-smart HTTP mode.
109         <IfModule rewrite_module>
110                 RewriteEngine On
112                 # Snapshot requests are only allowed via the PATH_INFO mechanism
113                 RewriteCond %{QUERY_STRING}     (^|[&;])a=snapshot([&;]|$) [NC]
114                 RewriteRule .? - [NS,F,L]
116                 # Redirect snapshot requests to snapshot.cgi
117                 RewriteRule \
118                         "(?x)^/(?![bchr]/)(?:w/)? \
119                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
120                                 snapshot(?:/.*)?)$" \
121                         @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
123                 # Make the leading /h optional for requests that name an existing .html template
124                 RewriteCond @@webroot@@/$1 !-f
125                 RewriteCond @@cgiroot@@/$1 !-f
126                 RewriteCond @@basedir@@/html/$1 -s
127                 RewriteRule \
128                         ^/(?![bchrw]/)(.*\.html)$ \
129                         /h/$1 [NS,PT]
131                 # Redirect bare gitweb requests without .git that name an existing repo...
132                 RewriteCond @@webroot@@/$2 !-f
133                 RewriteCond @@cgiroot@@/$2 !-f
134                 RewriteCond @@reporoot@@/$2.git/HEAD -s
135                 RewriteRule \
136                         "(?x)^/(?![bchr]/)((?:w/)?) \
137                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
138                         /$1$2.git [NS,L,R=301]
140                 # Of the 11 possible Git protocol URLs (i.e. those passed to git-http-backend-verify),
141                 # 9 are only valid with GET/HEAD and the other two are only valid with POST.
142                 # Furthermore, 7 are only valid when non-smart is allowed and
143                 # 1 is only valid, when smart-only is enabled, if it has the correct query string.
145                 # These two always require POST
146                 RewriteCond %{REQUEST_METHOD} !=POST
147                 RewriteRule \
148                         "(?x)^/(?![bchw]/)(?:r/)? \
149                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
150                                 git-upload-pack | \
151                                 git-receive-pack )$" \
152                         - [NS,F]
154                 <IfDefine @@SmartHTTPOnly@@>
155                 # These 7 are always forbidden when non-smart HTTP is disabled
156                 RewriteRule \
157                         "(?x)^/(?![bchw]/)(?:r/)? \
158                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
159                                 HEAD | \
160                                 objects/info/alternates | \
161                                 objects/info/http-alternates | \
162                                 objects/info/packs | \
163                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
164                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
165                         - [NS,F]
166                 # This one is forbidden without the magic query string when non-smart is disabled
167                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
168                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
169                 RewriteRule \
170                         "(?x)^/(?![bchw]/)(?:r/)? \
171                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
172                                 info/refs $" \
173                         - [NS,F]
174                 # This one requires GET (or HEAD)
175                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
176                 RewriteRule \
177                         "(?x)^/(?![bchw]/)(?:r/)? \
178                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
179                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
180                         - [NS,F]
181                 </IfDefine>
183                 <IfDefine !@@SmartHTTPOnly@@>
184                 # These 9 require GET (or HEAD)
185                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
186                 RewriteRule \
187                         "(?x)^/(?![bchw]/)(?:r/)? \
188                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
189                                 HEAD | \
190                                 info/refs | \
191                                 objects/info/alternates | \
192                                 objects/info/http-alternates | \
193                                 objects/info/packs | \
194                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
195                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
196                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
197                         - [NS,F]
198                 # This one can be accelerated when accessed with non-smart HTTP
199                 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
200                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
201                 RewriteRule \
202                         "(?x)^/(?![bchw]/)(?:r/)? \
203                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
204                                 info/refs $" \
205                         @@reporoot@@/$1.git/info/refs [NS,L]
206                 </IfDefine>
207         </IfModule>
209         <Directory @@reporoot@@>
210                 Options FollowSymLinks
211                 AllowOverride None
212                 <IfVersion < 2.3>
213                 Order allow,deny
214                 Allow from all
215                 Satisfy all
216                 </IfVersion>
217                 <IfVersion >= 2.3>
218                 Require all granted
219                 </IfVersion>
221                 <IfModule rewrite_module>
222                         # Everything fetched over the non-smart git http
223                         # protocol should be an existing file.  If the request
224                         # is not for an existing file, just send back an error
225                         # message without emitting anything into the error log.
226                         RewriteEngine On
227                         RewriteBase /
228                         RewriteCond @@reporoot@@/$1 !-f
229                         RewriteRule ^(.*)$ - [NS,R=404,L]
230                 </IfModule>
231         </Directory>
233         <Directory @@cgiroot@@>
234                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
235                 Options SymLinksIfOwnerMatch
236                 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
237                 AllowOverride FileInfo
238                 <IfVersion < 2.3>
239                 Order deny,allow
240                 Deny from all
241                 Satisfy all
242                 </IfVersion>
243                 <IfVersion >= 2.3>
244                 Require all denied
245                 </IfVersion>
246                 <Files gitweb.cgi>
247                         Options +ExecCGI
248                         <IfVersion < 2.3>
249                         Order deny,allow
250                         Allow from all
251                         Satisfy all
252                         </IfVersion>
253                         <IfVersion >= 2.3>
254                         Require all granted
255                         </IfVersion>
256                         <IfModule !mod_fastcgi.c>
257                         <IfModule !mod_fcgid.c>
258                                 SetHandler cgi-script
259                         </IfModule>
260                         </IfModule>
262                         # Note that in testing mod_fastcgi (in dynamic mode)
263                         # was found to be slightly faster than mod_fcgid.
264                         #
265                         # However, we prefer mod_fcgid if both are available
266                         # because we cannot control the server-global settings
267                         # of mod_fastcgi's "FastCgiConfig" options.
268                         #
269                         # In order for gitweb.cgi to run reasonably well as a
270                         # mod_fastcgi dynamic FastCGI application, the
271                         # "FastCgiConfig" option "-idle-timeout" value needs to
272                         # be increased from the default value of "30" to at
273                         # least "120", preferably more like "300".  But that
274                         # will affect ALL dynamic mod_fastcgi applications on
275                         # the ENTIRE server, not just gitweb.cgi.  Additionally
276                         # the "FastCgiConfig" "-restart" option probably ought
277                         # to be set as well.  Also, unfortunately, there is no
278                         # mod_fastcgi option corresponding to mod_fcgid's
279                         # MaxRequestsPerProcess option and gitweb.cgi running
280                         # in FastCGI mode (without using FCGI::ProcManager) will
281                         # always exit after serving 100 requests (a good thing).
282                         #
283                         # The alternative is to make gitweb.cgi a static
284                         # mod_fastcgi application (the "FastCgiServer"
285                         # directive), but then the number of running instances
286                         # will be fixed at whatever value is chosen for the
287                         # "-processes" option rather than being dynamically
288                         # adjusted based on load and that's probably undesirable
289                         # in most cases unless you run gitweb.cgi under a
290                         # front-end that dynamically forks multiple copies of
291                         # gitweb.cgi based on the current load.  See the CPAN
292                         # FCGI::ProcManager::Dynamic module for an example of
293                         # how to do this in Perl:
294                         #
295                         #   http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
296                         #
297                         # So instead we prefer mod_fcgid because we can adjust
298                         # the necessary options for good gitweb.cgi behavior
299                         # while affecting only gitweb.cgi and having it remain
300                         # a dynamic application whose total number of running
301                         # instances is adjusted based on current server load.
303                         <IfModule mod_fcgid.c>
304                                 SetHandler fcgid-script
305                         </IfModule>
306                         <IfModule !mod_fcgid.c>
307                         <IfModule mod_fastcgi.c>
308                                 SetHandler fastcgi-script
309                         </IfModule>
310                         </IfModule>
311                 </Files>
312                 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
313                         Options +ExecCGI
314                         SetHandler cgi-script
315                         <IfVersion < 2.3>
316                         Order deny,allow
317                         Allow from all
318                         Satisfy all
319                         </IfVersion>
320                         <IfVersion >= 2.3>
321                         Require all granted
322                         </IfVersion>
323                 </FilesMatch>
324         </Directory>
326         <IfModule mod_fcgid.c>
327                 # mod_fcgid benefits from some additional config for gitweb.cgi
328                 # gitweb.cgi has a hard-coded maximum of 100 requests
329                 # and we do not want to give up too soon in case Git is lagging.
330                 # Note that adding a 'MaxProcesses ...' option here may be valuable
331                 # to limit the maximum number of gitweb.cgi processes that can be
332                 # spawned (default is 100) -- perhaps to something much lower such
333                 # as 1 or 2 times the number of CPU cores.  Also note that in the
334                 # unlikely event all the children finish their 100 requests at the
335                 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
336                 # to 10 if not set) should be set to at least 3 times the
337                 # MaxProcesses value chosen to allow them all to respawn
338                 # immediately.  FcgidSpawnScoreUpLimit MUST be at least twice the
339                 # chosen MaxProcesses value (assuming FcgidTerminationScore is
340                 # still set to the default 2) in order to allow any child at all to
341                 # respawn immediately in this case without a delay.
342                 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
343                 MaxRequestsPerProcess 100 IOTimeout 300
344         </IfModule>
346         <Directory @@basedir@@/bin>
347                 Options None
348                 AllowOverride None
349                 <IfVersion < 2.3>
350                 Order deny,allow
351                 Deny from all
352                 Satisfy all
353                 </IfVersion>
354                 <IfVersion >= 2.3>
355                 Require all denied
356                 </IfVersion>
357                 <Files git-http-backend-verify>
358                         Options ExecCGI
359                         SetHandler cgi-script
360                         <IfVersion < 2.3>
361                         Order deny,allow
362                         Allow from all
363                         Satisfy all
364                         </IfVersion>
365                         <IfVersion >= 2.3>
366                         Require all granted
367                         </IfVersion>
368                 </Files>
369         </Directory>
371 # ---- END LINES TO DUPLICATE ----
373 </VirtualHost>
376 # Change the setting of $TLSHost in Girocco::Config.pm to change
377 # whether or not the following https virtual host is enabled.
379 <IfDefine @@TLSHost@@>
381 # This is an example configuration of an https virtualhost running Girocco, as set
382 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
383 # It is not essential for Girocco to use a special virtualhost, however.
384 # The Config.pm $httpspushurl variable needs to be defined to properly enable
385 # https pushing.
386 <VirtualHost *:443>
388         # These certificate files will all be automatically generated, but the
389         # paths here may need to be corrected to match the paths
390         # (especially $certsdir) from Config.pm
392         SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
393         SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
394         SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
395         # When using a paid www server cert, only the above three lines should
396         # be changed.  Changing either of the two lines below (other than updating
397         # the paths to match $certsdir) will likely break https client auth.
398         SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
399         SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
401         SSLVerifyDepth 3
402         SSLOptions +FakeBasicAuth +StrictRequire
403         SSLEngine on
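405         # This configuration allows fetching over https without a certificate
406         # while always requiring a certificate for pushing over https: a push request (POST to .../git-receive-pack, or GET/HEAD of .../info/refs with service=git-receive-pack) is answered with 401 unless SSL_CLIENT_VERIFY is SUCCESS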
407         RewriteEngine On
408         SSLVerifyClient optional
409         RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
410         RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
411         RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
412         RewriteCond %{REQUEST_METHOD} =POST [NC]
413         RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
414         RewriteCond %{ENV:client_auth_required} 1
415         RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
416         RewriteRule .? %{REQUEST_URI} [NS,R=401]
417         <Location />
418                 SSLRequireSSL
419                 SSLOptions +FakeBasicAuth
420                 AuthName "Git Client Authentication"
421                 AuthType Basic
422                 AuthBasicProvider anon
423                 Anonymous *
424                 <IfVersion < 2.3>
425                 Order deny,allow
426                 Deny from env=client_auth_required
427                 Satisfy any
428                 Require valid-user
429                 </IfVersion>
430                 <IfVersion >= 2.3>
431                 <RequireAny>
432                 <RequireAll>
433                 Require all granted
434                 Require not env client_auth_required
435                 </RequireAll>
436                 Require valid-user
437                 </RequireAny>
438                 </IfVersion>
439         </Location>
440         ErrorDocument 401 /authrequired.cgi
442 # ---- BEGIN DUPLICATE LINES ----
444 ##  *** IMPORTANT ***
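446 ##  The ENTIRE contents of the <VirtualHost *:80> section at the top of
447 ##  this file must be copied here and kept in sync with it; otherwise the https host will not apply the same directory access and request-method rules as the http host.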
449 ##  To avoid this duplication, the contents of the <VirtualHost *:80> section
450 ##  above can be moved to a separate file and then included both here and in
451 ##  the <VirtualHost *:80> section using an Include directive.  Be careful not
452 ##  to place the new include file in one of the directories that the standard apache
453 ##  configuration blindly includes all files from, since it would then also be loaded on its own, outside of either VirtualHost.
455 # ---- END DUPLICATE LINES ----
457 </VirtualHost>
459 </IfDefine>