1 ##  To convert this file to apache.conf using the current Girocco::Config
2 ##  values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11         ServerName @@httpdnsname@@
12         ServerAlias www.@@httpdnsname@@
13         ServerAdmin @@admin@@
15         # This is the standard "combined" log format with :actual-server-port added to the end
16         LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
17         <IfModule logio_module>
18                 # %I and %O are only available with the logio_module
19                 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
20         </IfModule>
22         ErrorLog /var/log/apache2/repo-error.log
23         CustomLog /var/log/apache2/repo-access.log girocco
25         <IfModule mime_magic_module>
26                 # Avoid spurious Content-Type values when git-http-backend
27                 # fails to provide a Content-Type header in its output
28                 MimeMagicFile /dev/null
29         </IfModule>
31         DocumentRoot @@webroot@@
32         <Directory @@webroot@@>
33                 # Add MultiViews only if pages are truly
34                 # offered in more than a single language
35                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
36                 Options FollowSymLinks
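37                 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules; FileInfo is the narrower setting, as All lets .htaccess files under the webroot override every directive class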
38                 AllowOverride All
39                 <IfVersion < 2.3>
40                 Order allow,deny
41                 Allow from all
42                 Satisfy all
43                 </IfVersion>
44                 <IfVersion >= 2.3>
45                 Require all granted
46                 </IfVersion>
47                 DirectoryIndex w
48         </Directory>
50         # The non-mod_rewrite items are handled first where the magic /[bchrw]
51         # prefix always forces selection of the prefix-indicated cgi handler.
53         ScriptAlias /w @@cgiroot@@/gitweb.cgi
54         ScriptAlias /b @@cgiroot@@/bundles.cgi
55         ScriptAlias /h @@cgiroot@@/html.cgi
56         ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
58         # Any requests without the magic /[bchrw] prefix are treated as Git requests if they
59         # are one of the few possible Git URLs; otherwise they go to bundles or gitweb
61         # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
62         # change whether or not non-smart HTTP fetch access will be allowed.
64         <IfDefine !@@SmartHTTPOnly@@>
65         # This accelerates non-smart HTTP access to loose objects, packs and info
66         AliasMatch \
67                 "(?x)^/(?![bchw]/)(?:r/)? \
68                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
69                         HEAD | \
70                         objects/info/alternates | \
71                         objects/info/http-alternates | \
72                         objects/info/packs | \
73                         objects/[0-9a-f]{2}/[0-9a-f]{38} | \
74                         objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
75                 @@reporoot@@/$1.git/$2
76         </IfDefine>
78         # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
79         ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
81         ScriptAliasMatch \
82                 "(?x)^/(?![bchrw]/) \
83                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
84                         info/refs | \
85                         git-upload-pack | \
86                         git-receive-pack | \
87                         [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
88                 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
90         # Everything else off to bundles.cgi or gitweb.cgi
91         ScriptAliasMatch \
92                 "(?x)^/(?![bchrw]/) \
93                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
94                 @@cgiroot@@/bundles.cgi/$1
95         ScriptAliasMatch \
96                 "(?x)^/(?![bchrw]/) \
97                 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
98                 @@cgiroot@@/gitweb.cgi/$1
100         # mod_rewrite is not strictly required for gitweb and fetch access, but
101         # if it's not available the trailing ".git" is never optional for
102         # gitweb, the leading /h is always required for *.html, snapshots are
103         # not throttled, some bogus Git http protocol requests will not be
104         # detected early and, if non-smart HTTP is allowed, access to the
105         # /info/refs file will not be accelerated in non-smart HTTP mode.
107         <IfModule rewrite_module>
108                 RewriteEngine On
110                 # Snapshot requests are only allowed via the PATH_INFO mechanism
111                 RewriteCond %{QUERY_STRING}     (^|[&;])a=snapshot([&;]|$) [NC]
112                 RewriteRule .? - [NS,F,L]
114                 # Redirect snapshot requests to snapshot.cgi
115                 RewriteRule \
116                         "(?x)^/(?![bchr]/)(?:w/)? \
117                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
118                                 snapshot(?:/.*)?)$" \
119                         @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
121                 # Make the leading /h optional for requests that name an existing .html template
122                 RewriteCond @@webroot@@/$1 !-f
123                 RewriteCond @@cgiroot@@/$1 !-f
124                 RewriteCond @@basedir@@/html/$1 -s
125                 RewriteRule \
126                         ^/(?![bchrw]/)(.*\.html)$ \
127                         /h/$1 [NS,PT]
129                 # Redirect bare gitweb requests without .git that name an existing repo...
130                 RewriteCond @@webroot@@/$2 !-f
131                 RewriteCond @@cgiroot@@/$2 !-f
132                 RewriteCond @@reporoot@@/$2.git/HEAD -s
133                 RewriteRule \
134                         "(?x)^/(?![bchr]/)((?:w/)?) \
135                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
136                         /$1$2.git [NS,L,R=301]
138                 # Of the 11 possible Git protocol URLs (i.e. those passed to git-http-backend-verify),
139                 # 9 are only valid with GET/HEAD and the other two are only valid with POST.
140                 # Furthermore, 7 are only valid when non-smart HTTP is allowed and, when
141                 # smart-only is enabled, 1 is only valid if it has the correct query string.
143                 # These two always require POST
144                 RewriteCond %{REQUEST_METHOD} !=POST
145                 RewriteRule \
146                         "(?x)^/(?![bchw]/)(?:r/)? \
147                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
148                                 git-upload-pack | \
149                                 git-receive-pack )$" \
150                         - [NS,F]
152                 <IfDefine @@SmartHTTPOnly@@>
153                 # These 7 are always forbidden when non-smart HTTP is disabled
154                 RewriteRule \
155                         "(?x)^/(?![bchw]/)(?:r/)? \
156                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
157                                 HEAD | \
158                                 objects/info/alternates | \
159                                 objects/info/http-alternates | \
160                                 objects/info/packs | \
161                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
162                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
163                         - [NS,F]
164                 # This one is forbidden without the magic query string when non-smart is disabled
165                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
166                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
167                 RewriteRule \
168                         "(?x)^/(?![bchw]/)(?:r/)? \
169                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
170                                 info/refs $" \
171                         - [NS,F]
172                 # This one requires GET (or HEAD)
173                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
174                 RewriteRule \
175                         "(?x)^/(?![bchw]/)(?:r/)? \
176                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
177                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
178                         - [NS,F]
179                 </IfDefine>
181                 <IfDefine !@@SmartHTTPOnly@@>
182                 # These 9 require GET (or HEAD)
183                 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
184                 RewriteRule \
185                         "(?x)^/(?![bchw]/)(?:r/)? \
186                         (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
187                                 HEAD | \
188                                 info/refs | \
189                                 objects/info/alternates | \
190                                 objects/info/http-alternates | \
191                                 objects/info/packs | \
192                                 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
193                                 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
194                                 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
195                         - [NS,F]
196                 # This one can be accelerated when accessed with non-smart HTTP
197                 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
198                 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
199                 RewriteRule \
200                         "(?x)^/(?![bchw]/)(?:r/)? \
201                         ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
202                                 info/refs $" \
203                         @@reporoot@@/$1.git/info/refs [NS,L]
204                 </IfDefine>
205         </IfModule>
207         <Directory @@reporoot@@>
208                 Options FollowSymLinks
209                 AllowOverride None
210                 <IfVersion < 2.3>
211                 Order allow,deny
212                 Allow from all
213                 Satisfy all
214                 </IfVersion>
215                 <IfVersion >= 2.3>
216                 Require all granted
217                 </IfVersion>
219                 <IfModule rewrite_module>
220                         # Everything fetched over the non-smart git http
221                         # protocol should be an existing file.  If the request
222                         # is not for an existing file, just send back an error
223                         # message without emitting anything into the error log.
224                         RewriteEngine On
225                         RewriteBase /
226                         RewriteCond @@reporoot@@/$1 !-f
227                         RewriteRule ^(.*)$ - [NS,R=404,L]
228                 </IfModule>
229         </Directory>
231         <Directory @@cgiroot@@>
232                 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
233                 Options SymLinksIfOwnerMatch
234                 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
235                 AllowOverride FileInfo
236                 <IfVersion < 2.3>
237                 Order deny,allow
238                 Deny from all
239                 Satisfy all
240                 </IfVersion>
241                 <IfVersion >= 2.3>
242                 Require all denied
243                 </IfVersion>
244                 <Files gitweb.cgi>
245                         Options +ExecCGI
246                         <IfVersion < 2.3>
247                         Order deny,allow
248                         Allow from all
249                         Satisfy all
250                         </IfVersion>
251                         <IfVersion >= 2.3>
252                         Require all granted
253                         </IfVersion>
254                         <IfModule !mod_fastcgi.c>
255                         <IfModule !mod_fcgid.c>
256                                 SetHandler cgi-script
257                         </IfModule>
258                         </IfModule>
260                         # Note that in testing mod_fastcgi (in dynamic mode)
261                         # was found to be slightly faster than mod_fcgid.
262                         #
263                         # However, we prefer mod_fcgid if both are available
264                         # because we cannot control the server-global settings
265                         # of mod_fastcgi's "FastCgiConfig" options.
266                         #
267                         # In order for gitweb.cgi to run reasonably well as a
268                         # mod_fastcgi dynamic FastCGI application, the
269                         # "FastCgiConfig" option "-idle-timeout" value needs to
270                         # be increased from the default value of "30" to at
271                         # least "120", preferably more like "300".  But that
272                         # will affect ALL dynamic mod_fastcgi applications on
273                         # the ENTIRE server, not just gitweb.cgi.  Additionally
274                         # the "FastCgiConfig" "-restart" option probably ought
275                         # to be set as well.  Also, unfortunately, there is no
276                         # mod_fastcgi option corresponding to mod_fcgid's
277                         # MaxRequestsPerProcess option and gitweb.cgi running
278                         # in FastCGI mode (without using FCGI::ProcManager) will
279                         # always exit after serving 100 requests (a good thing).
280                         #
281                         # The alternative is to make gitweb.cgi a static
282                         # mod_fastcgi application (the "FastCgiServer"
283                         # directive), but then the number of running instances
284                         # will be fixed at whatever value is chosen for the
285                         # "-processes" option rather than being dynamically
286                         # adjusted based on load and that's probably undesirable
287                         # in most cases unless you run gitweb.cgi under a
288                         # front-end that dynamically forks multiple copies of
289                         # gitweb.cgi based on the current load.  See the CPAN
290                         # FCGI::ProcManager::Dynamic module for an example of
291                         # how to do this in Perl:
292                         #
293                         #   http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
294                         #
295                         # So instead we prefer mod_fcgid because we can adjust
296                         # the necessary options for good gitweb.cgi behavior
297                         # while affecting only gitweb.cgi and having it remain
298                         # a dynamic application whose total number of running
299                         # instances is adjusted based on current server load.
301                         <IfModule mod_fcgid.c>
302                                 SetHandler fcgid-script
303                         </IfModule>
304                         <IfModule !mod_fcgid.c>
305                         <IfModule mod_fastcgi.c>
306                                 SetHandler fastcgi-script
307                         </IfModule>
308                         </IfModule>
309                 </Files>
310                 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
311                         Options +ExecCGI
312                         SetHandler cgi-script
313                         <IfVersion < 2.3>
314                         Order deny,allow
315                         Allow from all
316                         Satisfy all
317                         </IfVersion>
318                         <IfVersion >= 2.3>
319                         Require all granted
320                         </IfVersion>
321                 </FilesMatch>
322         </Directory>
324         <IfModule mod_fcgid.c>
325                 # mod_fcgid benefits from some additional config for gitweb.cgi
326                 # gitweb.cgi has a hard-coded maximum of 100 requests
327                 # and we do not want to give up too soon in case Git is lagging.
328                 # Note that adding a 'MaxProcesses ...' option here may be valuable
329                 # to limit the maximum number of gitweb.cgi processes that can be
330                 # spawned (default is 100) -- perhaps to something much lower such
331                 # as 1 or 2 times the number of CPU cores.  Also note that in the
332                 # unlikely event all the children finish their 100 requests at the
333                 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
334                 # to 10 if not set) should be set to at least 3 times the
335                 # MaxProcesses value chosen to allow them all to respawn
336                 # immediately.  FcgidSpawnScoreUpLimit MUST be at least twice the
337                 # chosen MaxProcesses value (assuming FcgidTerminationScore is
338                 # still set to the default 2) in order to allow any child at all to
339                 # respawn immediately in this case without a delay.
340                 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
341                 MaxRequestsPerProcess 100 IOTimeout 300
342         </IfModule>
344         <Directory @@basedir@@/bin>
345                 Options None
346                 AllowOverride None
347                 <IfVersion < 2.3>
348                 Order deny,allow
349                 Deny from all
350                 Satisfy all
351                 </IfVersion>
352                 <IfVersion >= 2.3>
353                 Require all denied
354                 </IfVersion>
355                 <Files git-http-backend-verify>
356                         Options ExecCGI
357                         SetHandler cgi-script
358                         <IfVersion < 2.3>
359                         Order deny,allow
360                         Allow from all
361                         Satisfy all
362                         </IfVersion>
363                         <IfVersion >= 2.3>
364                         Require all granted
365                         </IfVersion>
366                 </Files>
367         </Directory>
369 # ---- END LINES TO DUPLICATE ----
371 </VirtualHost>
374 # Change the setting of $TLSHost in Girocco::Config.pm to change
375 # whether or not the following https virtual host is enabled.
377 <IfDefine @@TLSHost@@>
379 # This is an example configuration of an https virtualhost running Girocco, as set
380 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
381 # It is not essential for Girocco to use a special virtualhost, however.
382 # The Config.pm $httpspushurl variable needs to be defined to properly enable
383 # https pushing.
384 <VirtualHost *:443>
386         # These certificate files will all be automatically generated, but the
387         # paths here may need to be corrected to match the paths
388         # (especially $certsdir) from Config.pm
390         SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
391         SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
392         SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
393         # When using a paid www server cert, only the three lines above should
394         # be changed.  Changing either of the two lines below (other than updating
395         # the paths to match $certsdir) will likely break https client auth.
396         SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
397         SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
399         SSLVerifyDepth 3
400         SSLOptions +FakeBasicAuth +StrictRequire
401         SSLEngine on
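403         # This configuration allows fetching over https without a certificate while always requiring a certificate for pushing over https:
404         # SSLVerifyClient optional only requests a certificate, and the rewrite rules below reject push requests unless SSL_CLIENT_VERIFY is SUCCESS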
405         RewriteEngine On
406         SSLVerifyClient optional
407         RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
408         RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
409         RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
410         RewriteCond %{REQUEST_METHOD} =POST [NC]
411         RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
412         RewriteCond %{ENV:client_auth_required} 1
413         RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
414         RewriteRule .? %{REQUEST_URI} [NS,R=401]
415         <Location />
416                 SSLRequireSSL
417                 SSLOptions +FakeBasicAuth
418                 AuthName "Git Client Authentication"
419                 AuthType Basic
420                 AuthBasicProvider anon
421                 Anonymous *
422                 <IfVersion < 2.3>
423                 Order deny,allow
424                 Deny from env=client_auth_required
425                 Satisfy any
426                 Require valid-user
427                 </IfVersion>
428                 <IfVersion >= 2.3>
429                 <RequireAny>
430                 <RequireAll>
431                 Require all granted
432                 Require not env client_auth_required
433                 </RequireAll>
434                 Require valid-user
435                 </RequireAny>
436                 </IfVersion>
437         </Location>
438         ErrorDocument 401 /authrequired.cgi
440 # ---- BEGIN DUPLICATE LINES ----
442 ##  *** IMPORTANT ***
444 ##  The entire contents of the <VirtualHost *:80> section at the top of
445 ##  this file must be copied here and kept identical, so that both hosts apply the same access rules.
447 ##  To avoid this duplication, the contents of the <VirtualHost *:80> section
448 ##  above can be moved to a separate file and then included both here and in
449 ##  the <VirtualHost *:80> section using an Include directive.  Be careful not
450 ##  to place the new include file in one of the directories from which the standard
451 ##  apache configuration blindly includes all files, or it would also be loaded outside these two virtual host sections.
453 # ---- END DUPLICATE LINES ----
455 </VirtualHost>
457 </IfDefine>