1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
9 # ---- BEGIN LINES TO DUPLICATE ----
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
15 # This is the standard "combined" log format with :actual-server-port added to the end
16 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
17 <IfModule logio_module>
18 # %I and %O are only available with the logio_module
19 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
22 ErrorLog /var/log/apache2/repo-error.log
23 CustomLog /var/log/apache2/repo-access.log girocco
25 <IfModule mime_magic_module>
26 # Avoid spurious Content-Type values when git-http-backend
27 # fails to provide a Content-Type header in its output
28 MimeMagicFile /dev/null
31 DocumentRoot @@webroot@@
32 <Directory @@webroot@@>
33 # Add MultiViews only if pages are truly
34 # offered in more than a single language
35 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
36 Options FollowSymLinks
37 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
45 ScriptAlias /w @@cgiroot@@/gitweb.cgi
46 ScriptAlias /b @@cgiroot@@/bundles.cgi
47 ScriptAlias /h @@cgiroot@@/html.cgi
48 AliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
50 <IfModule rewrite_module>
53 # Snapshot requests are only allowed via the PATH_INFO mechanism
54 RewriteCond %{QUERY_STRING} (^|[&;])a=snapshot([&;]|$) [NC]
55 RewriteRule .* - [NS,F,L]
57 # Redirect snapshot requests to snapshot.cgi
59 ^/(?![bchr]/)(?:w/)?((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/snapshot(?:/.*|$)) \
60 @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
62 # Make the leading /h optional for requests that name an existing .html template
63 RewriteCond @@webroot@@/$1 !-f
64 RewriteCond @@cgiroot@@/$1 !-f
65 RewriteCond @@basedir@@/html/$1 -f
67 ^/(?![bchrw]/)(.*\.html)$ \
70 # Redirect bare /w requests without .git that name an existing repo...
71 RewriteCond @@reporoot@@/$1.git/HEAD -f
73 ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
74 /w/$1.git [NS,L,R=301]
76 # ...and also make the leading /w optional for those types of requests
77 RewriteCond @@webroot@@/$1 !-f
78 RewriteCond @@cgiroot@@/$1 !-f
79 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
80 RewriteCond @@reporoot@@/$1.git/HEAD -f
82 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
85 # Make the leading /w optional if the rest names an existing repo
86 # and it's not a request for a bundle or bundle listing
87 RewriteCond @@webroot@@/$1$2 !-f
88 RewriteCond @@cgiroot@@/$1$2 !-f
89 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
90 RewriteCond @@reporoot@@/$1/HEAD -f
91 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
93 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)(?!/(?:bundles|[a-zA-Z0-9+._-]+\.bundle)$)((?:/.*)?)$ \
96 # Make the leading /b optional if the rest names an existing repo
97 # and it's a request for a bundle listing
98 RewriteCond @@webroot@@/$1 !-f
99 RewriteCond @@cgiroot@@/$1 !-f
100 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
101 RewriteCond @@reporoot@@/$1/HEAD -f
102 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
104 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)/bundles$ \
108 <Directory @@reporoot@@>
109 Options FollowSymLinks
115 <IfModule rewrite_module>
116 # Everything fetched over the non-smart git http
117 # protocol should be an existing file. If the request
118 # is not for an existing file, just send back an error
119 # message without emitting anything into the error log.
122 RewriteCond @@reporoot@@/$1 !-f
123 RewriteRule ^(.*)$ - [NS,R=404,L]
127 <Directory @@cgiroot@@>
128 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
129 Options SymLinksIfOwnerMatch
130 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
131 AllowOverride FileInfo
137 <IfModule !mod_fastcgi.c>
138 <IfModule !mod_fcgid.c>
139 SetHandler cgi-script
143 # Note that in testing mod_fastcgi (in dynamic mode)
144 # was found to be slightly faster than mod_fcgid.
146 # However, we prefer mod_fcgid if both are available
147 # because we cannot control the server-global settings
148 # of mod_fastcgi's "FastCgiConfig" options.
150 # In order for gitweb.cgi to run reasonably well as a
151 # mod_fastcgi dynamic FastCGI application, the
152 # "FastCgiConfig" option "-idle-timeout" value needs to
153 # be increased from the default value of "30" to at
154 # least "120", preferably more like "300". But that
155 # will affect ALL dynamic mod_fastcgi applications on
156 # the ENTIRE server, not just gitweb.cgi. Additionally
157 # the "FastCgiConfig" "-restart" option probably ought
158 # to be set as well. Also, unfortunately, there is no
159 # mod_fastcgi option corresponding to mod_fcgid's
160 # MaxRequestsPerProcess option and gitweb.cgi running
161 # in FastCGI mode (without using FCGI::ProcManager) will
162 # always exit after serving 100 requests (a good thing).
164 # The alternative is to make gitweb.cgi a static
165 # mod_fastcgi application (the "FastCgiServer"
166 # directive), but then the number of running instances
167 # will be fixed at whatever value is chosen for the
168 # "-processes" option rather than being dynamically
169 # adjusted based on load and that's probably undesirable
170 # in most cases unless you run gitweb.cgi under a
171 # front-end that dynamically forks multiple copies of
172 # gitweb.cgi based on the current load. See the CPAN
173 # FCGI::ProcManager::Dynamic module for an example of
174 # how to do this in Perl:
176 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
178 # So instead we prefer mod_fcgid because we can adjust
179 # the necessary options for good gitweb.cgi behavior
180 # while affecting only gitweb.cgi and having it remain
181 # a dynamic application whose total number of running
182 # instances is adjusted based on current server load.
184 <IfModule mod_fcgid.c>
185 SetHandler fcgid-script
187 <IfModule !mod_fcgid.c>
188 <IfModule mod_fastcgi.c>
189 SetHandler fastcgi-script
193 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
195 SetHandler cgi-script
201 <IfModule mod_fcgid.c>
202 # mod_cgid benefits from some additional config for gitweb.cgi
203 # gitweb.cgi has a hard-coded maximum of 100 requests
204 # and we do not want to give up too soon in case Git is lagging
205 # Note that adding a 'MaxProcesses ...' option here may be valuable
206 # to limit the maximum number of gitweb.cgi processes that can be
207 # spawned (default is 100) -- perhaps to something much lower such
208 # as 1 or 2 times the number of CPU cores. Also note that in the
209 # unlikely event all the children finish their 100 requests at the
210 # same time, the server's FcgidSpawnScoreUpLimit should be set
211 # to at least 3 times the MaxProcesses value chosen to allow them
212 # all to respawn immediately. It MUST be at least twice the chosen
213 # MaxProcesses value (assuming FcgidTerminationScore is still the
214 # default 2) in order to allow any child to respawn at all without
216 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
217 MaxRequestsPerProcess 100 IOTimeout 300
220 <Directory @@basedir@@/bin>
225 <Files git-http-backend-verify>
227 SetHandler cgi-script
233 # By default non-smart HTTP fetch access will be allowed, however
234 # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
235 # non-smart HTTP requests can be denied directly by the web server
237 <IfDefine !SmartHTTPOnly>
238 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
239 # But not for projects starting with '_' to which access should never be allowed
240 AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
241 AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
243 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
244 # But not for projects starting with '_' to which access should never be allowed
245 <IfModule rewrite_module>
247 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
248 RewriteRule "(?x) ^/((?![bchrw]/)[^_].*/objects/(?: \
249 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
250 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
251 @@reporoot@@/$1 [NS,L]
255 <IfDefine SmartHTTPOnly>
256 # Disable non-smart HTTP access
258 RewriteCond %{REQUEST_METHOD} !^POST$
259 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
260 RewriteRule ^/r/.*(?<!/info/refs)$ - [NS,F]
261 RewriteCond %{REQUEST_METHOD} !^POST$
262 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
263 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
264 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
265 RewriteRule ^/(?![bchrw]/).*(?<!/info/refs)$ - [NS,F]
266 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
267 RewriteRule ^/r/.*/info/refs$ - [NS,F]
268 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
269 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
270 RewriteRule ^/(?![bchrw]/).*/info/refs$ - [NS,F]
273 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
274 # git-http-backend-verify denies all access to projects starting with '_'
275 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
277 <IfModule rewrite_module>
280 # This allows HTTP access for Git user agents
281 # without the leading /r/ prefix
282 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
283 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
284 RewriteRule ^/(?![bchrw]/)(.*)$ \
285 @@basedir@@/bin/git-http-backend-verify/$1 \
288 # ...and this for access by all agents to *.bundle
289 # files without the /r/ prefix for names ending in .git
291 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/[a-zA-Z0-9+._-]+\.bundle)$ \
292 @@basedir@@/bin/git-http-backend-verify/$1 \
295 # ...and finally this for access by all agents to
296 # *.bundle files without the /r/ prefix for names not
297 # ending in .git as long as the repository exists
298 RewriteCond @@reporoot@@$1.git/HEAD -f
300 ^(?!/[bchrw]/)((?:/[a-zA-Z0-9+._-]+(?<!\.git))+)(/[a-zA-Z0-9+._-]+\.bundle)$ \
301 @@basedir@@/bin/git-http-backend-verify$1$2 \
305 # ---- END LINES TO DUPLICATE ----
310 # This comments out the following so this file can be used as-is
311 # for an http-only configuration. Remove or change the sense of
312 # the test (by inserting a !) to activate the https virtual host.
313 <IfDefine EnableGiroccoHttpsVirtualHost>
316 # This is an example configuration of an https virtualhost running Girocco, as set
317 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
318 # It is not essential for Girocco to use a special virtualhost, however.
319 # The Config.pm $httpspushurl variable needs to be defined to properly enable
323 # These certificate files will all be automatically generated, but the
324 # paths here may need to be corrected to match the paths
325 # (especially $certsdir) from Config.pm
327 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
328 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
329 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
330 # when using a paid www server cert, only the above three lines should
331 # be changed. Changing any of the below two lines (other than updating
332 # the paths to match $certsdir) will likely break https client auth
333 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
334 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
337 SSLOptions +FakeBasicAuth +StrictRequire
340 # This configuration allows fetching over https without a certificate
341 # while always requiring a certificate for pushing over https
343 SSLVerifyClient optional
344 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
345 RewriteRule ^/r/.*/info/refs$ - [NS,env=client_auth_required:1]
346 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
347 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
348 RewriteRule ^/(?!r/).*/info/refs$ - [NS,env=client_auth_required:1]
349 RewriteRule ^/r/.*/git-receive-pack$ - [NS,env=client_auth_required:1]
350 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
351 RewriteRule ^/(?!r/).*/git-receive-pack$ - [NS,env=client_auth_required:1]
352 RewriteCond %{ENV:client_auth_required} 1
353 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
354 RewriteRule .* %{REQUEST_URI} [NS,R=401]
358 Deny from env=client_auth_required
359 SSLOptions +FakeBasicAuth
360 AuthName "Git Client Authentication"
362 AuthBasicProvider anon
367 ErrorDocument 401 /authrequired.cgi
371 # ALL the entire contents from the <VirtualHost *:80> section at
372 # the top of this file must be copied here.
374 # To avoid this duplication, the contents of the <VirtualHost *:80>
375 # section above can be moved to a separate file and then included
376 # both here and in the <VirtualHost *:80> section using an Include
377 # directive. Be careful not to place the new include file in one of the
378 # directories the standard apache configuration blindly includes all
381 # ---- BEGIN DUPLICATE LINES ----
383 # ---- END DUPLICATE LINES ----