1 ##  To convert this file to apache.conf using the current Girocco::Config
2 ##  values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
<VirtualHost *:80>
        # ACME HTTP-01 challenges are answered from the plaintext vhost only.  This
        # block sits outside the "LINES TO DUPLICATE" section, so it is NOT copied
        # into the https vhost (HTTP-01 validation is performed over port 80).
        Alias /.well-known/acme-challenge/ @@webroot@@/../certs/acme/.well-known/acme-challenge/
        <Directory "@@webroot@@/../certs/acme/.well-known/acme-challenge/">
                # No symlink following, no indexes; challenge tokens are always
                # served as text/plain regardless of file name
                Options None
                AllowOverride None
                ForceType text/plain
                # NOTE(review): this block carries no access directive.  If the
                # server-global <Directory /> denies access (the default shipped by
                # several distributions) the challenge files will answer 403; in
                # that case add "Require all granted" (2.4) / "Allow from all" (2.2)
                # here -- confirm against the target server's global config.
        </Directory>
# ---- BEGIN LINES TO DUPLICATE ----
        ServerName @@httpdnsname@@
        ServerAlias www.@@httpdnsname@@
        ServerAdmin @@admin@@
        # This is the standard "combined" log format modified as follows:
        #    the received time is shown as [YYYY-mm-dd_HH:MM:SS +hhmm] (almost RFC 3339 format)
        #        -- this is one character shorter than the default but sorts so much better
        #    when the logio_module is present (almost always) the %O value is prefixed with:
        #        %I->  -- <bytes-received-including-request-and-headers>
        #    the first line of the request ("%r") is prefixed with
        #        %X%k: -- <connection-status><keepalive-request-num>
        #                 <keepalive-request-num> will be omitted if apache < 2.2.11
        #    these fields are added to the end:
        #        :%{local}p   -- :<actual-server-port>
        #        %Dus         -- <request-time-in-microseconds>
        #        "%o{Content-Range}" -- <outgoing Content-Range header>
        #    Referer and User-Agent are client-supplied values logged verbatim
        #    (Apache escapes non-printable bytes in log output); treat them as
        #    untrusted when post-processing these logs.
        <IfVersion >= 2.2.11>
        LogFormat "%h %l %u %{[%F_%T %z]}t %X%k:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
        </IfVersion>
        <IfVersion !>= 2.2.11>
        LogFormat "%h %l %u %{[%F_%T %z]}t %X:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
        </IfVersion>
        <IfModule logio_module>
                # %I and %O are only available with the logio_module
                <IfVersion >= 2.2.11>
                LogFormat "%h %l %u %{[%F_%T %z]}t %X%k:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
                </IfVersion>
                <IfVersion !>= 2.2.11>
                LogFormat "%h %l %u %{[%F_%T %z]}t %X:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
                </IfVersion>
        </IfModule>
        # If your distribution does not set APACHE_LOG_DIR before
        # starting Apache you will need to edit the next two directives
        ErrorLog "/var/log/apache2/repo-error.log"
        CustomLog "/var/log/apache2/repo-access.log" girocco
        <IfModule mime_magic_module>
                # Avoid spurious Content-Type values when git-http-backend
                # fails to provide a Content-Type header in its output
                MimeMagicFile /dev/null
        </IfModule>
        DocumentRoot @@webroot@@
        <Directory @@webroot@@>
                # Add MultiViews only if pages are truly
                # offered in more than a single language
                # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
                Options FollowSymLinks
                # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
                # NOTE(review): "All" additionally lets any .htaccess under the webroot
                # change Options, AuthConfig, Limit, etc.  The @@cgiroot@@ block below
                # gets by with "AllowOverride FileInfo"; consider tightening this one to
                # whatever the shipped .htaccess files actually need -- check them first.
                AllowOverride All
                <IfVersion < 2.3>
                Order allow,deny
                Allow from all
                Satisfy all
                </IfVersion>
                <IfVersion >= 2.3>
                Require all granted
                </IfVersion>
                # "/" is presumably answered through the /w ScriptAlias (gitweb.cgi)
                # declared below rather than by a static index file
                DirectoryIndex w
        </Directory>
        # The non-mod_rewrite items are handled first where the magic /[bchrw]
        # prefix always forces selection of the prefix-indicated cgi handler.
        ScriptAlias /w @@cgiroot@@/gitweb.cgi
        ScriptAlias /b @@cgiroot@@/bundles.cgi
        ScriptAlias /h @@cgiroot@@/html.cgi
        # Any other single-component *.cgi name (optionally followed by PATH_INFO)
        # is mapped into @@cgiroot@@.  Which files there may actually execute is
        # decided by the <Directory @@cgiroot@@> block further down (deny by
        # default, *.cgi granted).  The (?i) only covers the lookahead; the \.cgi
        # suffix itself is matched case-sensitively.
        ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
        # Any requests without the magic /[bchrw] are treated as Git requests if they
        # are one of the few possible Git URLs otherwise they go to bundles or gitweb
        # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
        # change whether or not non-smart HTTP fetch access will be allowed.
        <IfDefine !@@SmartHTTPOnly@@>
        # This accelerates non-smart HTTP access to loose objects, packs and info
        # Every path component of $1 must start with [a-zA-Z0-9], so "." and ".."
        # components cannot occur and $1 cannot escape @@reporoot@@; object and
        # pack names are pinned to exact-length hex.  Files matched here are served
        # straight from disk, bypassing git-http-backend-verify entirely, so any
        # access decision that CGI makes does not apply to these URLs -- TODO
        # confirm that is acceptable for every repository under @@reporoot@@.
        AliasMatch \
                "(?x)^/(?![bchw]/)(?:r/)? \
                ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
                        HEAD | \
                        objects/info/alternates | \
                        objects/info/http-alternates | \
                        objects/info/packs | \
                        objects/[0-9a-f]{2}/[0-9a-f]{38} | \
                        objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
                @@reporoot@@/$1.git/$2
        </IfDefine>
        # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
        # All Git-protocol URLs are routed through git-http-backend-verify (a CGI
        # under @@basedir@@/bin), never to git-http-backend directly; presumably
        # that wrapper is where per-repository push/fetch authorization happens --
        # verify in the script itself.
        ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
        # Same component rule as above: $1 cannot contain "." or ".." components
        # before it becomes PATH_INFO for the verify script.
        ScriptAliasMatch \
                "(?x)^/(?![bchrw]/) \
                ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
                        info/refs | \
                        git-upload-pack | \
                        git-receive-pack | \
                        [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
                @@basedir@@/bin/git-http-backend-verify/$1.git/$2
        # Everything else off to bundles.cgi or gitweb.cgi
        # (".../<repo>.git/bundles" goes to bundles.cgi, any other ".git" path to gitweb.cgi)
        ScriptAliasMatch \
                "(?x)^/(?![bchrw]/) \
                ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
                @@cgiroot@@/bundles.cgi/$1
        ScriptAliasMatch \
                "(?x)^/(?![bchrw]/) \
                ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
                @@cgiroot@@/gitweb.cgi/$1
        # mod_rewrite is not strictly required for gitweb and fetch access, but
        # if it's not available the trailing ".git" is never optional for
        # gitweb, the leading /h is always required for *.html, snapshots are
        # not throttled, some bogus Git http protocol requests will not be
        # detected early and, if non-smart HTTP is allowed, access to the
        # /info/refs file will not be accelerated in non-smart HTTP mode.
        <IfModule rewrite_module>
                RewriteEngine On
                # Snapshot requests are only allowed via the PATH_INFO mechanism
                # (the gitweb "a=snapshot" query form is refused with 403 so every
                # snapshot goes through snapshot.cgi, presumably where the throttling
                # mentioned above is implemented)
                RewriteCond %{QUERY_STRING}     (^|[&;])a=snapshot([&;]|$) [NC]
                RewriteRule .? - [NS,F,L]
                # Redirect snapshot requests to snapshot.cgi
                RewriteRule \
                        "(?x)^/(?![bchr]/)(?:w/)? \
                        ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
                                snapshot(?:/.*)?)$" \
                        @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
                # Make the leading /h optional for requests that name an existing .html template
                # Only when no real file of that name exists in the webroot or the
                # cgiroot AND a non-empty template exists under @@basedir@@/html
                # ($1 in these RewriteCond lines refers to the RewriteRule below)
                RewriteCond @@webroot@@/$1 !-f
                RewriteCond @@cgiroot@@/$1 !-f
                RewriteCond @@basedir@@/html/$1 -s
                RewriteRule \
                        ^/(?![bchrw]/)(.*\.html)$ \
                        /h/$1 [NS,PT]
                # Redirect bare gitweb requests without .git that name an existing repo...
                # (existence is judged by a non-empty HEAD file; a real file of the same
                # name in the webroot or cgiroot wins and is not redirected)
                RewriteCond @@webroot@@/$2 !-f
                RewriteCond @@cgiroot@@/$2 !-f
                RewriteCond @@reporoot@@/$2.git/HEAD -s
                RewriteRule \
                        "(?x)^/(?![bchr]/)((?:w/)?) \
                        ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
                        /$1$2.git [NS,L,R=301]
                # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
                # 9 are only valid with GET/HEAD and the other two are only valid with POST
                # Furthermore, 7 are only valid when non-smart is allowed and
                # 1 is only valid when smart-only is enabled if it has the correct query string.
                # All of the method checks below answer 403 ([F]) before any CGI runs.
                # These two always require POST
                RewriteCond %{REQUEST_METHOD} !=POST
                RewriteRule \
                        "(?x)^/(?![bchw]/)(?:r/)? \
                        (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
                                git-upload-pack | \
                                git-receive-pack )$" \
                        - [NS,F]
                <IfDefine @@SmartHTTPOnly@@>
                # These 7 are always forbidden when non-smart HTTP is disabled
                RewriteRule \
                        "(?x)^/(?![bchw]/)(?:r/)? \
                        (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
                                HEAD | \
                                objects/info/alternates | \
                                objects/info/http-alternates | \
                                objects/info/packs | \
                                objects/[0-9a-f]{2}/[0-9a-f]{38} | \
                                objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
                        - [NS,F]
                # This one is forbidden without the magic query string when non-smart is disabled
                # (note: only "&" is treated as a separator here, whereas the snapshot
                # check above also accepts ";" -- presumably fine for Git clients, which
                # send service= as the sole parameter)
                RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
                RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
                RewriteRule \
                        "(?x)^/(?![bchw]/)(?:r/)? \
                        (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
                                info/refs $" \
                        - [NS,F]
                # This one requires GET (or HEAD)
                RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
                RewriteRule \
                        "(?x)^/(?![bchw]/)(?:r/)? \
                        (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
                                [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
                        - [NS,F]
                </IfDefine>
                <IfDefine !@@SmartHTTPOnly@@>
                # These 9 require GET (or HEAD)
                RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
                RewriteRule \
                        "(?x)^/(?![bchw]/)(?:r/)? \
                        (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
                                HEAD | \
                                info/refs | \
                                objects/info/alternates | \
                                objects/info/http-alternates | \
                                objects/info/packs | \
                                objects/[0-9a-f]{2}/[0-9a-f]{38} | \
                                objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
                                [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
                        - [NS,F]
                # This one can be accelerated when accessed with non-smart HTTP
                # (served straight from @@reporoot@@, so the same "bypasses
                # git-http-backend-verify" caveat as the AliasMatch above applies)
                RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
                RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
                RewriteRule \
                        "(?x)^/(?![bchw]/)(?:r/)? \
                        ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
                                info/refs $" \
                        @@reporoot@@/$1.git/info/refs [NS,L]
                </IfDefine>
        </IfModule>
        <Directory @@reporoot@@>
                # NOTE(review): FollowSymLinks means Apache will serve through any
                # symlink it finds under @@reporoot@@; acceptable only if nothing
                # below it is writable by untrusted users -- confirm for this deployment.
                Options FollowSymLinks
                AllowOverride None
                <IfVersion < 2.3>
                Order allow,deny
                Allow from all
                Satisfy all
                </IfVersion>
                <IfVersion >= 2.3>
                Require all granted
                </IfVersion>
                <IfModule rewrite_module>
                        # Everything fetched over the non-smart git http
                        # protocol should be an existing file.  If the request
                        # is not for an existing file, just send back an error
                        # message without emitting anything into the error log.
                        # (In per-directory context the pattern is matched against
                        # the path relative to this directory, so $1 is the
                        # remainder below @@reporoot@@.)
                        RewriteEngine On
                        RewriteBase /
                        RewriteCond @@reporoot@@/$1 !-f
                        RewriteRule ^(.*)$ - [NS,R=404,L]
                </IfModule>
        </Directory>
        <Directory @@cgiroot@@>
                # Least-privilege layout: deny everything by default, then grant only
                # gitweb.cgi and the other *.cgi files below; anything else placed in
                # @@cgiroot@@ stays unreachable over HTTP.
                # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
                # (SymLinksIfOwnerMatch follows a link only when link and target share an owner)
                Options SymLinksIfOwnerMatch
                # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
                AllowOverride FileInfo
                <IfVersion < 2.3>
                Order deny,allow
                Deny from all
                Satisfy all
                </IfVersion>
                <IfVersion >= 2.3>
                Require all denied
                </IfVersion>
                <Files gitweb.cgi>
                        Options +ExecCGI
                        <IfVersion < 2.3>
                        Order deny,allow
                        Allow from all
                        Satisfy all
                        </IfVersion>
                        <IfVersion >= 2.3>
                        Require all granted
                        </IfVersion>
                        # Plain CGI only when neither FastCGI module is loaded;
                        # the FastCGI handlers are chosen at the end of this block
                        <IfModule !mod_fastcgi.c>
                        <IfModule !mod_fcgid.c>
                                SetHandler cgi-script
                        </IfModule>
                        </IfModule>
                        # Note that in testing mod_fastcgi (in dynamic mode)
                        # was found to be slightly faster than mod_fcgid.
                        #
                        # However, we prefer mod_fcgid if both are available
                        # because we cannot control the server-global settings
                        # of mod_fastcgi's "FastCgiConfig" options.
                        #
                        # In order for gitweb.cgi to run reasonably well as a
                        # mod_fastcgi dynamic FastCGI application, the
                        # "FastCgiConfig" option "-idle-timeout" value needs to
                        # be increased from the default value of "30" to at
                        # least "120", preferably more like "300".  But that
                        # will affect ALL dynamic mod_fastcgi applications on
                        # the ENTIRE server, not just gitweb.cgi.  Additionally
                        # the "FastCgiConfig" "-restart" option probably ought
                        # to be set as well.  Also, unfortunately, there is no
                        # mod_fastcgi option corresponding to mod_fcgid's
                        # MaxRequestsPerProcess option and gitweb.cgi running
                        # in FastCGI mode (without using FCGI::ProcManager) will
                        # always exit after serving 100 requests (a good thing).
                        #
                        # The alternative is to make gitweb.cgi a static
                        # mod_fastcgi application (the "FastCgiServer"
                        # directive), but then the number of running instances
                        # will be fixed at whatever value is chosen for the
                        # "-processes" option rather than being dynamically
                        # adjusted based on load and that's probably undesirable
                        # in most cases unless you run gitweb.cgi under a
                        # front-end that dynamically forks multiple copies of
                        # gitweb.cgi based on the current load.  See the CPAN
                        # FCGI::ProcManager::Dynamic module for an example of
                        # how to do this in Perl:
                        #
                        #   http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
                        #
                        # So instead we prefer mod_fcgid because we can adjust
                        # the necessary options for good gitweb.cgi behavior
                        # while affecting only gitweb.cgi and having it remain
                        # a dynamic application whose total number of running
                        # instances is adjusted based on current server load.
                        <IfModule mod_fcgid.c>
                                SetHandler fcgid-script
                        </IfModule>
                        <IfModule !mod_fcgid.c>
                        <IfModule mod_fastcgi.c>
                                SetHandler fastcgi-script
                        </IfModule>
                        </IfModule>
                </Files>
                # Every other *.cgi (case-sensitive suffix; the (?i) only covers the
                # gitweb.cgi exclusion) runs as a plain CGI
                <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
                        Options +ExecCGI
                        SetHandler cgi-script
                        <IfVersion < 2.3>
                        Order deny,allow
                        Allow from all
                        Satisfy all
                        </IfVersion>
                        <IfVersion >= 2.3>
                        Require all granted
                        </IfVersion>
                </FilesMatch>
        </Directory>
        <IfModule mod_fcgid.c>
                # mod_fcgid benefits from some additional config for gitweb.cgi
                # gitweb.cgi has a hard-coded maximum of 100 requests
                # and we do not want to give up too soon in case Git is lagging.
                # Note that adding a 'MaxProcesses ...' option here may be valuable
                # to limit the maximum number of gitweb.cgi processes that can be
                # spawned (default is 100) -- perhaps to something much lower such
                # as 1 or 2 times the number of CPU cores.  Also note that in the
                # unlikely event all the children finish their 100 requests at the
                # same time, the server's FcgidSpawnScoreUpLimit (which defaults
                # to 10 if not set) should be set to at least 3 times the
                # MaxProcesses value chosen to allow them all to respawn
                # immediately.  FcgidSpawnScoreUpLimit MUST be at least twice the
                # chosen MaxProcesses value (assuming FcgidTerminationScore is
                # still set to the default 2) in order to allow any child at all to
                # respawn immediately in this case without a delay.
                FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
                MaxProcesses 8 MinProcesses 5 \
                MaxRequestsPerProcess 100 IOTimeout 300
        </IfModule>
        <Directory @@basedir@@/bin>
                # Deny by default; only git-http-backend-verify is exposed, every
                # other tool in @@basedir@@/bin stays unreachable over HTTP
                Options None
                AllowOverride None
                <IfVersion < 2.3>
                Order deny,allow
                Deny from all
                Satisfy all
                </IfVersion>
                <IfVersion >= 2.3>
                Require all denied
                </IfVersion>
                <Files git-http-backend-verify>
                        Options ExecCGI
                        SetHandler cgi-script
                        <IfVersion < 2.3>
                        Order deny,allow
                        Allow from all
                        Satisfy all
                        </IfVersion>
                        <IfVersion >= 2.3>
                        Require all granted
                        </IfVersion>
                </Files>
        </Directory>
# ---- END LINES TO DUPLICATE ----
        <IfDefine @@TLSHost@@>
        <IfModule rewrite_module>
                # Plain-http requests for the canonical host are sent to https.
                # NOTE(review): the host name is hard-coded here although everything
                # else in this template uses @@httpdnsname@@ (see ServerName above);
                # on any deployment other than repo.or.cz this redirect never fires.
                # It probably ought to read "RewriteCond %{SERVER_NAME} =@@httpdnsname@@"
                # -- confirm intent before changing.  Also note that no HSTS header is
                # set anywhere in this file; once the redirect is in place, consider
                # adding one in the https vhost (mod_headers).
                RewriteEngine on
                RewriteCond %{SERVER_NAME} =repo.or.cz
                RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE]
        </IfModule>
        </IfDefine>
</VirtualHost>
412 # Change the setting of $TLSHost in Girocco::Config.pm to change
413 # whether or not the following https virtual host is enabled.
<IfDefine @@TLSHost@@>
# This is an example configuration of an https virtualhost running Girocco, as set
# up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
# It is not essential for Girocco to use a special virtualhost, however.
# The Config.pm $httpspushurl variable needs to be defined to properly enable
# https pushing.
<VirtualHost *:443>
        # These certificate files will all be automatically generated, but the
        # paths here may need to be corrected to match the paths
        # (especially $certsdir) from Config.pm
        SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
        SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
        SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
        # when using a paid www server cert, only the above three lines should
        # be changed.  Changing any of the below two lines (other than updating
        # the paths to match $certsdir) will likely break https client auth
        # (SSLCACertificateFile is what client certificates are verified against;
        # SSLCADNRequestFile supplies the acceptable-CA names sent to the client
        # in the certificate request)
        SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
        SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
        SSLVerifyDepth 3
        # FakeBasicAuth: mod_ssl synthesises a Basic "Authorization" header from a
        # verified client cert's subject DN (with the fixed password "password") so
        # that "Require valid-user" below is satisfied by cert holders.
        # StrictRequire: an SSLRequireSSL/SSLRequire denial cannot be overridden
        # by "Satisfy any".
        # NOTE(review): no SSLProtocol / SSLCipherSuite / SSLHonorCipherOrder is
        # set in this vhost; it inherits the server-global mod_ssl settings, so
        # make sure those disable legacy protocol versions and weak ciphers.
        SSLOptions +FakeBasicAuth +StrictRequire
        SSLEngine on
        # This configuration allows fetching over https without a certificate
        # while always requiring a certificate for pushing over https
        # ("optional": the handshake asks for a client cert but proceeds without one)
        RewriteEngine On
        SSLVerifyClient optional
        # Flag the two push-related requests -- the receive-pack ref advertisement
        # (GET/HEAD .../info/refs?service=git-receive-pack) and the receive-pack
        # POST itself -- as needing a client certificate ...
        RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
        RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
        RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
        RewriteCond %{REQUEST_METHOD} =POST [NC]
        RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
        # ... and answer 401 unless the handshake produced a verified cert.
        # SSL_CLIENT_VERIFY is SUCCESS for any cert that chains to
        # SSLCACertificateFile; whether *that* cert may push to *this* repository
        # is not decided here -- presumably git-http-backend-verify does that from
        # SSL_CLIENT_S_DN, TODO confirm.
        RewriteCond %{ENV:client_auth_required} 1
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule .? %{REQUEST_URI} [NS,R=401]
        <Location />
                SSLRequireSSL
                SSLOptions +FakeBasicAuth
                AuthName "Git Client Authentication"
                AuthType Basic
                # NOTE(review): the anon provider with "Anonymous *" accepts ANY
                # username, so "valid-user" is satisfied by whatever Basic header a
                # client chooses to send and REMOTE_USER carries no authenticity
                # guarantee on its own.  The actual cert requirement is enforced by
                # the 401 rewrite above (mod_ssl additionally refuses a hand-built
                # header imitating a DN-shaped username with password "password").
                # Backends must key authorization off SSL_CLIENT_S_DN /
                # SSL_CLIENT_VERIFY, never off REMOTE_USER.
                AuthBasicProvider anon
                Anonymous *
                <IfVersion < 2.3>
                # Requests flagged client_auth_required are refused by the access
                # layer; "Satisfy any" then admits them only via the (cert-derived)
                # Basic user.  Unflagged requests pass the access layer directly.
                Order deny,allow
                Deny from env=client_auth_required
                Satisfy any
                Require valid-user
                </IfVersion>
                <IfVersion >= 2.3>
                # Same logic in 2.4 terms: unflagged requests are open, flagged
                # ones must present a valid-user.
                <RequireAny>
                <RequireAll>
                Require all granted
                Require not env client_auth_required
                </RequireAll>
                Require valid-user
                </RequireAny>
                </IfVersion>
        </Location>
        # The R=401 above lands here.  /authrequired.cgi resolves through the
        # generic *.cgi ScriptAliasMatch of the duplicated section, so that section
        # must actually be present in this vhost for the error page to work.
        ErrorDocument 401 /authrequired.cgi
# ---- BEGIN DUPLICATE LINES ----
##  *** IMPORTANT ***
##  ALL the entire contents from the <VirtualHost *:80> section at the top of
##  this file must be copied here.
##  To avoid this duplication, the contents of the <VirtualHost *:80> section
##  above can be moved to a separate file and then included both here and in
##  the <VirtualHost *:80> section using an Include directive.  Be careful not
##  to place the new include file in one of the directories the standard apache
##  configuration blindly includes all files from.
##  (Copy only the part between the BEGIN/END LINES TO DUPLICATE markers: the
##  acme-challenge alias and the http->https redirect belong to port 80 only.)
# ---- END DUPLICATE LINES ----
</VirtualHost>
</IfDefine>