| blob | ab3994666b156d4d92fe34a2ccf3e588c302d12a |
1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
13 ServerAdmin @@admin@@
15 # This is the standard "combined" log format with :actual-server-port added to the end
16 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
17 <IfModule logio_module>
18 # %I and %O are only available with the logio_module
19 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
20 </IfModule>
22 ErrorLog /var/log/apache2/repo-error.log
23 CustomLog /var/log/apache2/repo-access.log girocco
25 <IfModule mime_magic_module>
26 # Avoid spurious Content-Type values when git-http-backend
27 # fails to provide a Content-Type header in its output
28 MimeMagicFile /dev/null
29 </IfModule>
31 DocumentRoot @@webroot@@
32 <Directory @@webroot@@>
33 # Add MultiViews only if pages are truly
34 # offered in more than a single language
35 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
36 Options FollowSymLinks
37 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
38 AllowOverride All
39 Order allow,deny
40 Allow from all
41 DirectoryIndex w
42 Satisfy all
43 </Directory>
45 ScriptAlias /w @@cgiroot@@/gitweb.cgi
46 ScriptAlias /b @@cgiroot@@/bundles.cgi
47 ScriptAlias /h @@cgiroot@@/html.cgi
48 AliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
50 <IfModule rewrite_module>
51 RewriteEngine On
53 # Make the leading /h optional for requests that name an existing .html template
54 RewriteCond @@webroot@@/$1 !-f
55 RewriteCond @@cgiroot@@/$1 !-f
56 RewriteCond @@basedir@@/html/$1 -f
57 RewriteRule \
58 ^/(?![bchrw]/)(.*\.html)$ \
59 /h/$1 [NS,PT]
61 # Redirect bare /w requests without .git that name an existing repo...
62 RewriteCond @@reporoot@@/$1.git/HEAD -f
63 RewriteRule \
64 ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
65 /w/$1.git [NS,L,R=301]
67 # ...and also make the leading /w optional for those types of requests
68 RewriteCond @@webroot@@/$1 !-f
69 RewriteCond @@cgiroot@@/$1 !-f
70 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
71 RewriteCond @@reporoot@@/$1.git/HEAD -f
72 RewriteRule \
73 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
74 /$1.git [NS,L,R=301]
76 # Make the leading /w optional if the rest names an existing repo
77 # and it's not a request for a bundle or bundle listing
78 RewriteCond @@webroot@@/$1$2 !-f
79 RewriteCond @@cgiroot@@/$1$2 !-f
80 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
81 RewriteCond @@reporoot@@/$1/HEAD -f
82 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
83 RewriteRule \
84 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)(?!/(?:bundles|[a-zA-Z0-9+._-]+\.bundle)$)((?:/.*)?)$ \
85 /w/$1$2 [NS,PT]
87 # Make the leading /b optional if the rest names an existing repo
88 # and it's a request for a bundle listing
89 RewriteCond @@webroot@@/$1 !-f
90 RewriteCond @@cgiroot@@/$1 !-f
91 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
92 RewriteCond @@reporoot@@/$1/HEAD -f
93 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
94 RewriteRule \
95 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)/bundles$ \
96 /b/$1 [NS,PT]
97 </IfModule>
99 <Directory @@reporoot@@>
100 Options FollowSymLinks
101 AllowOverride None
102 Order allow,deny
103 Allow from all
104 Satisfy all
106 <IfModule rewrite_module>
107 # Everything fetched over the non-smart git http
108 # protocol should be an existing file. If the request
109 # is not for an existing file, just send back an error
110 # message without emitting anything into the error log.
111 RewriteEngine On
112 RewriteBase /
113 RewriteCond @@reporoot@@/$1 !-f
114 RewriteRule ^(.*)$ - [NS,R=404,L]
115 </IfModule>
116 </Directory>
118 <Directory @@cgiroot@@>
119 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
120 Options SymLinksIfOwnerMatch
121 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
122 AllowOverride FileInfo
123 Order deny,allow
124 Deny from all
125 <Files gitweb.cgi>
126 Options +ExecCGI
127 Allow from all
128 <IfModule !mod_fastcgi.c>
129 <IfModule !mod_fcgid.c>
130 SetHandler cgi-script
131 </IfModule>
132 </IfModule>
134 # Note that in testing mod_fastcgi (in dynamic mode)
135 # was found to be slightly faster than mod_fcgid.
136 #
137 # However, we prefer mod_fcgid if both are available
138 # because we cannot control the server-global settings
139 # of mod_fastcgi's "FastCgiConfig" options.
140 #
141 # In order for gitweb.cgi to run reasonably well as a
142 # mod_fastcgi dynamic FastCGI application, the
143 # "FastCgiConfig" option "-idle-timeout" value needs to
144 # be increased from the default value of "30" to at
145 # least "120", preferably more like "300". But that
146 # will affect ALL dynamic mod_fastcgi applications on
147 # the ENTIRE server, not just gitweb.cgi. Additionally
148 # the "FastCgiConfig" "-restart" option probably ought
149 # to be set as well. Also, unfortunately, there is no
150 # mod_fastcgi option corresponding to mod_fcgid's
151 # MaxRequestsPerProcess option and gitweb.cgi running
152 # in FastCGI mode (without using FCGI::ProcManager) will
153 # always exit after serving 100 requests (a good thing).
154 #
155 # The alternative is to make gitweb.cgi a static
156 # mod_fastcgi application (the "FastCgiServer"
157 # directive), but then the number of running instances
158 # will be fixed at whatever value is chosen for the
159 # "-processes" option rather than being dynamically
160 # adjusted based on load and that's probably undesirable
161 # in most cases unless you run gitweb.cgi under a
162 # front-end that dynamically forks multiple copies of
163 # gitweb.cgi based on the current load. See the CPAN
164 # FCGI::ProcManager::Dynamic module for an example of
165 # how to do this in Perl:
166 #
167 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
168 #
169 # So instead we prefer mod_fcgid because we can adjust
170 # the necessary options for good gitweb.cgi behavior
171 # while affecting only gitweb.cgi and having it remain
172 # a dynamic application whose total number of running
173 # instances is adjusted based on current server load.
175 <IfModule mod_fcgid.c>
176 SetHandler fcgid-script
177 </IfModule>
178 <IfModule !mod_fcgid.c>
179 <IfModule mod_fastcgi.c>
180 SetHandler fastcgi-script
181 </IfModule>
182 </IfModule>
183 </Files>
184 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
185 Options +ExecCGI
186 SetHandler cgi-script
187 Allow from all
188 </FilesMatch>
189 Satisfy all
190 </Directory>
192 <IfModule mod_fcgid.c>
193 # mod_cgid benefits from some additional config for gitweb.cgi
194 # gitweb.cgi has a hard-coded maximum of 100 requests
195 # and we do not want to give up too soon in case Git is lagging
196 # Note that adding a 'MaxProcesses ...' option here may be valuable
197 # to limit the maximum number of gitweb.cgi processes that can be
198 # spawned (default is 100) -- perhaps to something much lower such
199 # as 1 or 2 times the number of CPU cores.
200 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
201 MaxRequestsPerProcess 100 IOTimeout 300
202 </IfModule>
204 <Directory @@basedir@@/bin>
205 Options None
206 AllowOverride None
207 Order deny,allow
208 Deny from all
209 <Files git-http-backend-verify>
210 Options ExecCGI
211 SetHandler cgi-script
212 Allow from all
213 </Files>
214 Satisfy all
215 </Directory>
217 # By default non-smart HTTP fetch access will be allowed, however
218 # by defining SmartHTTPOnly (or changing the sense of the IfDefine tests)
219 # non-smart HTTP requests can be denied directly by the web server
221 <IfDefine !SmartHTTPOnly>
222 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
223 # But not for projects starting with '_' to which access should never be allowed
224 AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
225 AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
227 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
228 # But not for projects starting with '_' to which access should never be allowed
229 <IfModule rewrite_module>
230 RewriteEngine On
231 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
232 RewriteRule "(?x) ^/((?![bchrw]/)[^_].*/objects/(?: \
233 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
234 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
235 @@reporoot@@/$1 [NS,L]
236 </IfModule>
237 </IfDefine>
239 <IfDefine SmartHTTPOnly>
240 # Disable non-smart HTTP access
241 RewriteEngine On
242 RewriteCond %{REQUEST_METHOD} !^POST$
243 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
244 RewriteRule ^/r/.*(?<!/info/refs)$ - [NS,F]
245 RewriteCond %{REQUEST_METHOD} !^POST$
246 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
247 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
248 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
249 RewriteRule ^/(?![bchrw]/).*(?<!/info/refs)$ - [NS,F]
250 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
251 RewriteRule ^/r/.*/info/refs$ - [NS,F]
252 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
253 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
254 RewriteRule ^/(?![bchrw]/).*/info/refs$ - [NS,F]
255 </IfDefine>
257 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
258 # git-http-backend-verify denies all access to projects starting with '_'
259 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
261 <IfModule rewrite_module>
262 RewriteEngine On
264 # This allows HTTP access for Git user agents
265 # without the leading /r/ prefix
266 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
267 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
268 RewriteRule ^/(?![bchrw]/)(.*)$ \
269 @@basedir@@/bin/git-http-backend-verify/$1 \
270 [NS,L,H=cgi-script]
272 # ...and this for access by all agents to *.bundle
273 # files without the /r/ prefix for names ending in .git
274 RewriteRule \
275 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/[a-zA-Z0-9+._-]+\.bundle)$ \
276 @@basedir@@/bin/git-http-backend-verify/$1 \
277 [NS,L,H=cgi-script]
279 # ...and finally this for access by all agents to
280 # *.bundle files without the /r/ prefix for names not
281 # ending in .git as long as the repository exists
282 RewriteCond @@reporoot@@$1.git/HEAD -f
283 RewriteRule \
284 ^(?!/[bchrw]/)((?:/[a-zA-Z0-9+._-]+(?<!\.git))+)(/[a-zA-Z0-9+._-]+\.bundle)$ \
285 @@basedir@@/bin/git-http-backend-verify$1$2 \
286 [NS,L,H=cgi-script]
287 </IfModule>
289 # ---- END LINES TO DUPLICATE ----
291 </VirtualHost>
294 # This comments out the following so this file can be used as-is
295 # for an http-only configuration. Remove or change the sense of
296 # the test (by inserting a !) to activate the https virtual host.
297 <IfDefine EnableGiroccoHttpsVirtualHost>
300 # This is an example configuration of an https virtualhost running Girocco, as set
301 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
302 # It is not essential for Girocco to use a special virtualhost, however.
303 # The Config.pm $httpspushurl variable needs to be defined to properly enable
304 # https pushing.
305 <VirtualHost *:443>
307 # These certificate files will all be automatically generated, but the
308 # paths here may need to be corrected to match the paths
309 # (especially $certsdir) from Config.pm
311 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
312 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
313 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
314 # when using a paid www server cert, only the above three lines should
315 # be changed. Changing any of the below two lines (other than updating
316 # the paths to match $certsdir) will likely break https client auth
317 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
318 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
320 SSLVerifyDepth 3
321 SSLOptions +FakeBasicAuth +StrictRequire
322 SSLEngine on
324 # This configuration allows fetching over https without a certificate
325 # while always requiring a certificate for pushing over https
326 RewriteEngine On
327 SSLVerifyClient optional
328 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
329 RewriteRule ^/r/.*/info/refs$ - [NS,env=client_auth_required:1]
330 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
331 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$)
332 RewriteRule ^/(?!r/).*/info/refs$ - [NS,env=client_auth_required:1]
333 RewriteRule ^/r/.*/git-receive-pack$ - [NS,env=client_auth_required:1]
334 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
335 RewriteRule ^/(?!r/).*/git-receive-pack$ - [NS,env=client_auth_required:1]
336 RewriteCond %{ENV:client_auth_required} 1
337 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
338 RewriteRule .* %{REQUEST_URI} [NS,R=401]
339 <Location />
340 SSLRequireSSL
341 Order deny,allow
342 Deny from env=client_auth_required
343 SSLOptions +FakeBasicAuth
344 AuthName "Git Client Authentication"
345 AuthType Basic
346 AuthBasicProvider anon
347 Anonymous *
348 Require valid-user
349 Satisfy any
350 </Location>
351 ErrorDocument 401 /authrequired.cgi
353 # *** IMPORTANT ***
354 #
355 # ALL the entire contents from the <VirtualHost *:80> section at
356 # the top of this file must be copied here.
357 #
358 # To avoid this duplication, the contents of the <VirtualHost *:80>
359 # section above can be moved to a separate file and then included
360 # both here and in the <VirtualHost *:80> section using an Include
361 # directive. Be careful not to place the new include file in one of the
362 # directories the standard apache configuration blindly includes all
363 # files from.
365 # ---- BEGIN DUPLICATE LINES ----
367 # ---- END DUPLICATE LINES ----
369 </VirtualHost>
372 # End commenting
373 </IfDefine>