| blob | 6545af225202b618b9db244f00f26747e885515e |
1 ## To convert this file to apache.conf using the current Girocco::Config
2 ## values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
13 ServerAdmin @@admin@@
15 # This is the standard "combined" log format with :actual-server-port added to the end
16 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
17 <IfModule logio_module>
18 # %I and %O are only available with the logio_module
19 LogFormat "%h %l %u %t \"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
20 </IfModule>
22 # If your distribution does not set APACHE_LOG_DIR before
23 # starting Apache you will need to edit the next two directives
24 ErrorLog "${APACHE_LOG_DIR}/@@nickname@@-error.log"
25 CustomLog "${APACHE_LOG_DIR}/@@nickname@@-access.log" girocco
27 <IfModule mime_magic_module>
28 # Avoid spurious Content-Type values when git-http-backend
29 # fails to provide a Content-Type header in its output
30 MimeMagicFile /dev/null
31 </IfModule>
33 DocumentRoot @@webroot@@
34 <Directory @@webroot@@>
35 # Add MultiViews only if pages are truly
36 # offered in more than a single language
37 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
38 Options FollowSymLinks
39 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
40 AllowOverride All
41 <IfVersion < 2.3>
42 Order allow,deny
43 Allow from all
44 Satisfy all
45 </IfVersion>
46 <IfVersion >= 2.3>
47 Require all granted
48 </IfVersion>
49 DirectoryIndex w
50 </Directory>
52 # The non-mod_rewrite items are handled first where the magic /[bchrw]
53 # prefix always forces selection of the prefix-indicated cgi handler.
55 ScriptAlias /w @@cgiroot@@/gitweb.cgi
56 ScriptAlias /b @@cgiroot@@/bundles.cgi
57 ScriptAlias /h @@cgiroot@@/html.cgi
58 ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
60 # Any requests without the magic /[bchrw] are treated as Git requests if they
61 # are one of the few possible Git URLs otherwise they go to bundles or gitweb
63 # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
64 # change whether or not non-smart HTTP fetch access will be allowed.
66 <IfDefine !@@SmartHTTPOnly@@>
67 # This accelerates non-smart HTTP access to loose objects, packs and info
68 AliasMatch \
69 "(?x)^/(?![bchw]/)(?:r/)? \
70 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
71 HEAD | \
72 objects/info/alternates | \
73 objects/info/http-alternates | \
74 objects/info/packs | \
75 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
76 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
77 @@reporoot@@/$1.git/$2
78 </IfDefine>
80 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
81 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
83 ScriptAliasMatch \
84 "(?x)^/(?![bchrw]/) \
85 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
86 info/refs | \
87 git-upload-pack | \
88 git-receive-pack | \
89 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
90 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
92 # Everything else off to bundles.cgi or gitweb.cgi
93 ScriptAliasMatch \
94 "(?x)^/(?![bchrw]/) \
95 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
96 @@cgiroot@@/bundles.cgi/$1
97 ScriptAliasMatch \
98 "(?x)^/(?![bchrw]/) \
99 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
100 @@cgiroot@@/gitweb.cgi/$1
102 # mod_rewrite is not strictly required for gitweb and fetch access, but
103 # if it's not available the trailing ".git" is never optional for
104 # gitweb, the leading /h is always required for *.html, snapshots are
105 # not throttled, some bogus Git http protocol requests will not be
106 # detected early and, if non-smart HTTP is allowed, access to the
107 # /info/refs file will not be accelerated in non-smart HTTP mode.
109 <IfModule rewrite_module>
110 RewriteEngine On
112 # Snapshot requests are only allowed via the PATH_INFO mechanism
113 RewriteCond %{QUERY_STRING} (^|[&;])a=snapshot([&;]|$) [NC]
114 RewriteRule .? - [NS,F,L]
116 # Redirect snapshot requests to snapshot.cgi
117 RewriteRule \
118 "(?x)^/(?![bchr]/)(?:w/)? \
119 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
120 snapshot(?:/.*)?)$" \
121 @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
123 # Make the leading /h optional for requests that name an existing .html template
124 RewriteCond @@webroot@@/$1 !-f
125 RewriteCond @@cgiroot@@/$1 !-f
126 RewriteCond @@basedir@@/html/$1 -s
127 RewriteRule \
128 ^/(?![bchrw]/)(.*\.html)$ \
129 /h/$1 [NS,PT]
131 # Redirect bare gitweb requests without .git that name an existing repo...
132 RewriteCond @@webroot@@/$2 !-f
133 RewriteCond @@cgiroot@@/$2 !-f
134 RewriteCond @@reporoot@@/$2.git/HEAD -s
135 RewriteRule \
136 "(?x)^/(?![bchr]/)((?:w/)?) \
137 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
138 /$1$2.git [NS,L,R=301]
140 # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
141 # 9 are only valid with GET/HEAD and the other two are only valid with POST
142 # Furthermore, 7 are only valid when non-smart is allowed and
143 # 1 is only valid when smart-only is enabled if it has the correct query string.
145 # These two always require POST
146 RewriteCond %{REQUEST_METHOD} !=POST
147 RewriteRule \
148 "(?x)^/(?![bchw]/)(?:r/)? \
149 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
150 git-upload-pack | \
151 git-receive-pack )$" \
152 - [NS,F]
154 <IfDefine @@SmartHTTPOnly@@>
155 # These 7 are always forbidden when non-smart HTTP is disabled
156 RewriteRule \
157 "(?x)^/(?![bchw]/)(?:r/)? \
158 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
159 HEAD | \
160 objects/info/alternates | \
161 objects/info/http-alternates | \
162 objects/info/packs | \
163 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
164 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
165 - [NS,F]
166 # This one is forbidden without the magic query string when non-smart is disabled
167 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
168 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
169 RewriteRule \
170 "(?x)^/(?![bchw]/)(?:r/)? \
171 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
172 info/refs $" \
173 - [NS,F]
174 # This one requires GET (or HEAD)
175 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
176 RewriteRule \
177 "(?x)^/(?![bchw]/)(?:r/)? \
178 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
179 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
180 - [NS,F]
181 </IfDefine>
183 <IfDefine !@@SmartHTTPOnly@@>
184 # These 9 require GET (or HEAD)
185 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
186 RewriteRule \
187 "(?x)^/(?![bchw]/)(?:r/)? \
188 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
189 HEAD | \
190 info/refs | \
191 objects/info/alternates | \
192 objects/info/http-alternates | \
193 objects/info/packs | \
194 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
195 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
196 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
197 - [NS,F]
198 # This one can be accelerated when accessed with non-smart HTTP
199 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
200 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
201 RewriteRule \
202 "(?x)^/(?![bchw]/)(?:r/)? \
203 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
204 info/refs $" \
205 @@reporoot@@/$1.git/info/refs [NS,L]
206 </IfDefine>
207 </IfModule>
209 <Directory @@reporoot@@>
210 Options FollowSymLinks
211 AllowOverride None
212 <IfVersion < 2.3>
213 Order allow,deny
214 Allow from all
215 Satisfy all
216 </IfVersion>
217 <IfVersion >= 2.3>
218 Require all granted
219 </IfVersion>
221 <IfModule rewrite_module>
222 # Everything fetched over the non-smart git http
223 # protocol should be an existing file. If the request
224 # is not for an existing file, just send back an error
225 # message without emitting anything into the error log.
226 RewriteEngine On
227 RewriteBase /
228 RewriteCond @@reporoot@@/$1 !-f
229 RewriteRule ^(.*)$ - [NS,R=404,L]
230 </IfModule>
231 </Directory>
233 <Directory @@cgiroot@@>
234 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
235 Options SymLinksIfOwnerMatch
236 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
237 AllowOverride FileInfo
238 <IfVersion < 2.3>
239 Order deny,allow
240 Deny from all
241 Satisfy all
242 </IfVersion>
243 <IfVersion >= 2.3>
244 Require all denied
245 </IfVersion>
246 <Files gitweb.cgi>
247 Options +ExecCGI
248 <IfVersion < 2.3>
249 Order deny,allow
250 Allow from all
251 Satisfy all
252 </IfVersion>
253 <IfVersion >= 2.3>
254 Require all granted
255 </IfVersion>
256 <IfModule !mod_fastcgi.c>
257 <IfModule !mod_fcgid.c>
258 SetHandler cgi-script
259 </IfModule>
260 </IfModule>
262 # Note that in testing mod_fastcgi (in dynamic mode)
263 # was found to be slightly faster than mod_fcgid.
264 #
265 # However, we prefer mod_fcgid if both are available
266 # because we cannot control the server-global settings
267 # of mod_fastcgi's "FastCgiConfig" options.
268 #
269 # In order for gitweb.cgi to run reasonably well as a
270 # mod_fastcgi dynamic FastCGI application, the
271 # "FastCgiConfig" option "-idle-timeout" value needs to
272 # be increased from the default value of "30" to at
273 # least "120", preferably more like "300". But that
274 # will affect ALL dynamic mod_fastcgi applications on
275 # the ENTIRE server, not just gitweb.cgi. Additionally
276 # the "FastCgiConfig" "-restart" option probably ought
277 # to be set as well. Also, unfortunately, there is no
278 # mod_fastcgi option corresponding to mod_fcgid's
279 # MaxRequestsPerProcess option and gitweb.cgi running
280 # in FastCGI mode (without using FCGI::ProcManager) will
281 # always exit after serving 100 requests (a good thing).
282 #
283 # The alternative is to make gitweb.cgi a static
284 # mod_fastcgi application (the "FastCgiServer"
285 # directive), but then the number of running instances
286 # will be fixed at whatever value is chosen for the
287 # "-processes" option rather than being dynamically
288 # adjusted based on load and that's probably undesirable
289 # in most cases unless you run gitweb.cgi under a
290 # front-end that dynamically forks multiple copies of
291 # gitweb.cgi based on the current load. See the CPAN
292 # FCGI::ProcManager::Dynamic module for an example of
293 # how to do this in Perl:
294 #
295 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
296 #
297 # So instead we prefer mod_fcgid because we can adjust
298 # the necessary options for good gitweb.cgi behavior
299 # while affecting only gitweb.cgi and having it remain
300 # a dynamic application whose total number of running
301 # instances is adjusted based on current server load.
303 <IfModule mod_fcgid.c>
304 SetHandler fcgid-script
305 </IfModule>
306 <IfModule !mod_fcgid.c>
307 <IfModule mod_fastcgi.c>
308 SetHandler fastcgi-script
309 </IfModule>
310 </IfModule>
311 </Files>
312 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
313 Options +ExecCGI
314 SetHandler cgi-script
315 <IfVersion < 2.3>
316 Order deny,allow
317 Allow from all
318 Satisfy all
319 </IfVersion>
320 <IfVersion >= 2.3>
321 Require all granted
322 </IfVersion>
323 </FilesMatch>
324 </Directory>
326 <IfModule mod_fcgid.c>
327 # mod_fcgid benefits from some additional config for gitweb.cgi
328 # gitweb.cgi has a hard-coded maximum of 100 requests
329 # and we do not want to give up too soon in case Git is lagging.
330 # Note that adding a 'MaxProcesses ...' option here may be valuable
331 # to limit the maximum number of gitweb.cgi processes that can be
332 # spawned (default is 100) -- perhaps to something much lower such
333 # as 1 or 2 times the number of CPU cores. Also note that in the
334 # unlikely event all the children finish their 100 requests at the
335 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
336 # to 10 if not set) should be set to at least 3 times the
337 # MaxProcesses value chosen to allow them all to respawn
338 # immediately. FcgidSpawnScoreUpLimit MUST be at least twice the
339 # chosen MaxProcesses value (assuming FcgidTerminationScore is
340 # still set to the default 2) in order to allow any child at all to
341 # respawn immediately in this case without a delay.
342 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
343 MaxRequestsPerProcess 100 IOTimeout 300
344 </IfModule>
346 <Directory @@basedir@@/bin>
347 Options None
348 AllowOverride None
349 <IfVersion < 2.3>
350 Order deny,allow
351 Deny from all
352 Satisfy all
353 </IfVersion>
354 <IfVersion >= 2.3>
355 Require all denied
356 </IfVersion>
357 <Files git-http-backend-verify>
358 Options ExecCGI
359 SetHandler cgi-script
360 <IfVersion < 2.3>
361 Order deny,allow
362 Allow from all
363 Satisfy all
364 </IfVersion>
365 <IfVersion >= 2.3>
366 Require all granted
367 </IfVersion>
368 </Files>
369 </Directory>
371 # ---- END LINES TO DUPLICATE ----
373 </VirtualHost>
376 # Change the setting of $TLSHost in Girocco::Config.pm to change
377 # whether or not the following https virtual host is enabled.
379 <IfDefine @@TLSHost@@>
381 # This is an example configuration of an https virtualhost running Girocco, as set
382 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
383 # It is not essential for Girocco to use a special virtualhost, however.
384 # The Config.pm $httpspushurl variable needs to be defined to properly enable
385 # https pushing.
386 <VirtualHost *:443>
388 # These certificate files will all be automatically generated, but the
389 # paths here may need to be corrected to match the paths
390 # (especially $certsdir) from Config.pm
392 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
393 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
394 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
395 # when using a paid www server cert, only the above three lines should
396 # be changed. Changing any of the below two lines (other than updating
397 # the paths to match $certsdir) will likely break https client auth
398 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
399 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
401 SSLVerifyDepth 3
402 SSLOptions +FakeBasicAuth +StrictRequire
403 SSLEngine on
405 # This configuration allows fetching over https without a certificate
406 # while always requiring a certificate for pushing over https
407 RewriteEngine On
408 SSLVerifyClient optional
409 RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
410 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
411 RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
412 RewriteCond %{REQUEST_METHOD} =POST [NC]
413 RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
414 RewriteCond %{ENV:client_auth_required} 1
415 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
416 RewriteRule .? %{REQUEST_URI} [NS,R=401]
417 <Location />
418 SSLRequireSSL
419 SSLOptions +FakeBasicAuth
420 AuthName "Git Client Authentication"
421 AuthType Basic
422 AuthBasicProvider anon
423 Anonymous *
424 <IfVersion < 2.3>
425 Order deny,allow
426 Deny from env=client_auth_required
427 Satisfy any
428 Require valid-user
429 </IfVersion>
430 <IfVersion >= 2.3>
431 <RequireAny>
432 <RequireAll>
433 Require all granted
434 Require not env client_auth_required
435 </RequireAll>
436 Require valid-user
437 </RequireAny>
438 </IfVersion>
439 </Location>
440 ErrorDocument 401 /authrequired.cgi
442 # ---- BEGIN DUPLICATE LINES ----
443 ##
444 ## *** IMPORTANT ***
445 ##
446 ## ALL the entire contents from the <VirtualHost *:80> section at the top of
447 ## this file must be copied here.
448 ##
449 ## To avoid this duplication, the contents of the <VirtualHost *:80> section
450 ## above can be moved to a separate file and then included both here and in
451 ## the <VirtualHost *:80> section using an Include directive. Be careful not
452 ## to place the new include file in one of the directories the standard apache
453 ## configuration blindly includes all files from.
454 ##
455 # ---- END DUPLICATE LINES ----
457 </VirtualHost>
459 </IfDefine>