| blob | 8429c2b84813f806ca71f195266fb4067d3d10fc |
1 ## To convert this file to apache.conf using the current Girocco::Config
2 ## values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
9 # ---- BEGIN LINES TO DUPLICATE ----
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
13 ServerAdmin @@admin@@
15 # This is the standard "combined" log format modified as follows:
16 # the received time is shown as [YYYY-mm-dd_HH:MM:SS +hhmm] (almost RFC 3339 format)
17 # -- this is one character shorter than the default but sorts so much better
18 # when the logio_module is present (almost always) the %O value is prefixed with:
19 # %I-> -- <bytes-received-including-request-and-headers>
20 # the first line of the request ("%r") is prefixed with
21 # %X%k: -- <connection-status><keepalive-request-num>
22 # <keepalive-request-num> will be omitted if apache < 2.2.11
23 # these fields are added to the end:
24 # :%{local}p -- :<actual-server-port>
25 # %Dus -- <request-time-in-microseconds>
26 # "%o{Content-Range}" -- <outgoing Content-Range header>
27 <IfVersion >= 2.2.11>
28 LogFormat "%h %l %u %{[%F_%T %z]}t %X%k:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
29 </IfVersion>
30 <IfVersion !>= 2.2.11>
31 LogFormat "%h %l %u %{[%F_%T %z]}t %X:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
32 </IfVersion>
33 <IfModule logio_module>
34 # %I and %O are only available with the logio_module
35 <IfVersion >= 2.2.11>
36 LogFormat "%h %l %u %{[%F_%T %z]}t %X%k:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
37 </IfVersion>
38 <IfVersion !>= 2.2.11>
39 LogFormat "%h %l %u %{[%F_%T %z]}t %X:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
40 </IfVersion>
41 </IfModule>
43 # If your distribution does not set APACHE_LOG_DIR before
44 # starting Apache you will need to edit the next two directives
45 ErrorLog "/var/log/apache2/repo-error.log"
46 CustomLog "/var/log/apache2/repo-access.log" girocco
48 <IfModule mime_magic_module>
49 # Avoid spurious Content-Type values when git-http-backend
50 # fails to provide a Content-Type header in its output
51 MimeMagicFile /dev/null
52 </IfModule>
54 DocumentRoot @@webroot@@
55 <Directory @@webroot@@>
56 # Add MultiViews only if pages are truly
57 # offered in more than a single language
58 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
59 Options FollowSymLinks
60 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
61 AllowOverride All
62 <IfVersion < 2.3>
63 Order allow,deny
64 Allow from all
65 Satisfy all
66 </IfVersion>
67 <IfVersion >= 2.3>
68 Require all granted
69 </IfVersion>
70 DirectoryIndex w
71 </Directory>
73 # The non-mod_rewrite items are handled first where the magic /[bchrw]
74 # prefix always forces selection of the prefix-indicated cgi handler.
76 ScriptAlias /w @@cgiroot@@/gitweb.cgi
77 ScriptAlias /b @@cgiroot@@/bundles.cgi
78 ScriptAlias /h @@cgiroot@@/html.cgi
79 ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
81 # Any requests without the magic /[bchrw] are treated as Git requests if they
82 # are one of the few possible Git URLs otherwise they go to bundles or gitweb
84 # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
85 # change whether or not non-smart HTTP fetch access will be allowed.
87 <IfDefine !@@SmartHTTPOnly@@>
88 # This accelerates non-smart HTTP access to loose objects, packs and info
89 AliasMatch \
90 "(?x)^/(?![bchw]/)(?:r/)? \
91 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
92 HEAD | \
93 objects/info/alternates | \
94 objects/info/http-alternates | \
95 objects/info/packs | \
96 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
97 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
98 @@reporoot@@/$1.git/$2
99 </IfDefine>
101 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
102 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
104 ScriptAliasMatch \
105 "(?x)^/(?![bchrw]/) \
106 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
107 info/refs | \
108 git-upload-pack | \
109 git-receive-pack | \
110 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
111 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
113 # Everything else off to bundles.cgi or gitweb.cgi
114 ScriptAliasMatch \
115 "(?x)^/(?![bchrw]/) \
116 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
117 @@cgiroot@@/bundles.cgi/$1
118 ScriptAliasMatch \
119 "(?x)^/(?![bchrw]/) \
120 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
121 @@cgiroot@@/gitweb.cgi/$1
123 # mod_rewrite is not strictly required for gitweb and fetch access, but
124 # if it's not available the trailing ".git" is never optional for
125 # gitweb, the leading /h is always required for *.html, snapshots are
126 # not throttled, some bogus Git http protocol requests will not be
127 # detected early and, if non-smart HTTP is allowed, access to the
128 # /info/refs file will not be accelerated in non-smart HTTP mode.
130 <IfModule rewrite_module>
131 RewriteEngine On
133 # Snapshot requests are only allowed via the PATH_INFO mechanism
134 RewriteCond %{QUERY_STRING} (^|[&;])a=snapshot([&;]|$) [NC]
135 RewriteRule .? - [NS,F,L]
137 # Redirect snapshot requests to snapshot.cgi
138 RewriteRule \
139 "(?x)^/(?![bchr]/)(?:w/)? \
140 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
141 snapshot(?:/.*)?)$" \
142 @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
144 # Make the leading /h optional for requests that name an existing .html template
145 RewriteCond @@webroot@@/$1 !-f
146 RewriteCond @@cgiroot@@/$1 !-f
147 RewriteCond @@basedir@@/html/$1 -s
148 RewriteRule \
149 ^/(?![bchrw]/)(.*\.html)$ \
150 /h/$1 [NS,PT]
152 # Redirect bare gitweb requests without .git that name an existing repo...
153 RewriteCond @@webroot@@/$2 !-f
154 RewriteCond @@cgiroot@@/$2 !-f
155 RewriteCond @@reporoot@@/$2.git/HEAD -s
156 RewriteRule \
157 "(?x)^/(?![bchr]/)((?:w/)?) \
158 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
159 /$1$2.git [NS,L,R=301]
161 # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
162 # 9 are only valid with GET/HEAD and the other two are only valid with POST
163 # Furthermore, 7 are only valid when non-smart is allowed and
164 # 1 is only valid when smart-only is enabled if it has the correct query string.
166 # These two always require POST
167 RewriteCond %{REQUEST_METHOD} !=POST
168 RewriteRule \
169 "(?x)^/(?![bchw]/)(?:r/)? \
170 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
171 git-upload-pack | \
172 git-receive-pack )$" \
173 - [NS,F]
175 <IfDefine @@SmartHTTPOnly@@>
176 # These 7 are always forbidden when non-smart HTTP is disabled
177 RewriteRule \
178 "(?x)^/(?![bchw]/)(?:r/)? \
179 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
180 HEAD | \
181 objects/info/alternates | \
182 objects/info/http-alternates | \
183 objects/info/packs | \
184 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
185 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
186 - [NS,F]
187 # This one is forbidden without the magic query string when non-smart is disabled
188 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
189 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
190 RewriteRule \
191 "(?x)^/(?![bchw]/)(?:r/)? \
192 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
193 info/refs $" \
194 - [NS,F]
195 # This one requires GET (or HEAD)
196 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
197 RewriteRule \
198 "(?x)^/(?![bchw]/)(?:r/)? \
199 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
200 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
201 - [NS,F]
202 </IfDefine>
204 <IfDefine !@@SmartHTTPOnly@@>
205 # These 9 require GET (or HEAD)
206 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
207 RewriteRule \
208 "(?x)^/(?![bchw]/)(?:r/)? \
209 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
210 HEAD | \
211 info/refs | \
212 objects/info/alternates | \
213 objects/info/http-alternates | \
214 objects/info/packs | \
215 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
216 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
217 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
218 - [NS,F]
219 # This one can be accelerated when accessed with non-smart HTTP
220 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
221 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
222 RewriteRule \
223 "(?x)^/(?![bchw]/)(?:r/)? \
224 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
225 info/refs $" \
226 @@reporoot@@/$1.git/info/refs [NS,L]
227 </IfDefine>
228 </IfModule>
230 <Directory @@reporoot@@>
231 Options FollowSymLinks
232 AllowOverride None
233 <IfVersion < 2.3>
234 Order allow,deny
235 Allow from all
236 Satisfy all
237 </IfVersion>
238 <IfVersion >= 2.3>
239 Require all granted
240 </IfVersion>
242 <IfModule rewrite_module>
243 # Everything fetched over the non-smart git http
244 # protocol should be an existing file. If the request
245 # is not for an existing file, just send back an error
246 # message without emitting anything into the error log.
247 RewriteEngine On
248 RewriteBase /
249 RewriteCond @@reporoot@@/$1 !-f
250 RewriteRule ^(.*)$ - [NS,R=404,L]
251 </IfModule>
252 </Directory>
254 <Directory @@cgiroot@@>
255 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
256 Options SymLinksIfOwnerMatch
257 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
258 AllowOverride FileInfo
259 <IfVersion < 2.3>
260 Order deny,allow
261 Deny from all
262 Satisfy all
263 </IfVersion>
264 <IfVersion >= 2.3>
265 Require all denied
266 </IfVersion>
267 <Files gitweb.cgi>
268 Options +ExecCGI
269 <IfVersion < 2.3>
270 Order deny,allow
271 Allow from all
272 Satisfy all
273 </IfVersion>
274 <IfVersion >= 2.3>
275 Require all granted
276 </IfVersion>
277 <IfModule !mod_fastcgi.c>
278 <IfModule !mod_fcgid.c>
279 SetHandler cgi-script
280 </IfModule>
281 </IfModule>
283 # Note that in testing mod_fastcgi (in dynamic mode)
284 # was found to be slightly faster than mod_fcgid.
285 #
286 # However, we prefer mod_fcgid if both are available
287 # because we cannot control the server-global settings
288 # of mod_fastcgi's "FastCgiConfig" options.
289 #
290 # In order for gitweb.cgi to run reasonably well as a
291 # mod_fastcgi dynamic FastCGI application, the
292 # "FastCgiConfig" option "-idle-timeout" value needs to
293 # be increased from the default value of "30" to at
294 # least "120", preferably more like "300". But that
295 # will affect ALL dynamic mod_fastcgi applications on
296 # the ENTIRE server, not just gitweb.cgi. Additionally
297 # the "FastCgiConfig" "-restart" option probably ought
298 # to be set as well. Also, unfortunately, there is no
299 # mod_fastcgi option corresponding to mod_fcgid's
300 # MaxRequestsPerProcess option and gitweb.cgi running
301 # in FastCGI mode (without using FCGI::ProcManager) will
302 # always exit after serving 100 requests (a good thing).
303 #
304 # The alternative is to make gitweb.cgi a static
305 # mod_fastcgi application (the "FastCgiServer"
306 # directive), but then the number of running instances
307 # will be fixed at whatever value is chosen for the
308 # "-processes" option rather than being dynamically
309 # adjusted based on load and that's probably undesirable
310 # in most cases unless you run gitweb.cgi under a
311 # front-end that dynamically forks multiple copies of
312 # gitweb.cgi based on the current load. See the CPAN
313 # FCGI::ProcManager::Dynamic module for an example of
314 # how to do this in Perl:
315 #
316 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
317 #
318 # So instead we prefer mod_fcgid because we can adjust
319 # the necessary options for good gitweb.cgi behavior
320 # while affecting only gitweb.cgi and having it remain
321 # a dynamic application whose total number of running
322 # instances is adjusted based on current server load.
324 <IfModule mod_fcgid.c>
325 SetHandler fcgid-script
326 </IfModule>
327 <IfModule !mod_fcgid.c>
328 <IfModule mod_fastcgi.c>
329 SetHandler fastcgi-script
330 </IfModule>
331 </IfModule>
332 </Files>
333 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
334 Options +ExecCGI
335 SetHandler cgi-script
336 <IfVersion < 2.3>
337 Order deny,allow
338 Allow from all
339 Satisfy all
340 </IfVersion>
341 <IfVersion >= 2.3>
342 Require all granted
343 </IfVersion>
344 </FilesMatch>
345 </Directory>
347 <IfModule mod_fcgid.c>
348 # mod_fcgid benefits from some additional config for gitweb.cgi
349 # gitweb.cgi has a hard-coded maximum of 100 requests
350 # and we do not want to give up too soon in case Git is lagging.
351 # Note that adding a 'MaxProcesses ...' option here may be valuable
352 # to limit the maximum number of gitweb.cgi processes that can be
353 # spawned (default is 100) -- perhaps to something much lower such
354 # as 1 or 2 times the number of CPU cores. Also note that in the
355 # unlikely event all the children finish their 100 requests at the
356 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
357 # to 10 if not set) should be set to at least 3 times the
358 # MaxProcesses value chosen to allow them all to respawn
359 # immediately. FcgidSpawnScoreUpLimit MUST be at least twice the
360 # chosen MaxProcesses value (assuming FcgidTerminationScore is
361 # still set to the default 2) in order to allow any child at all to
362 # respawn immediately in this case without a delay.
363 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
364 MaxProcesses 8 MinProcesses 5 \
365 MaxRequestsPerProcess 100 IOTimeout 300
366 </IfModule>
368 <Directory @@basedir@@/bin>
369 Options None
370 AllowOverride None
371 <IfVersion < 2.3>
372 Order deny,allow
373 Deny from all
374 Satisfy all
375 </IfVersion>
376 <IfVersion >= 2.3>
377 Require all denied
378 </IfVersion>
379 <Files git-http-backend-verify>
380 Options ExecCGI
381 SetHandler cgi-script
382 <IfVersion < 2.3>
383 Order deny,allow
384 Allow from all
385 Satisfy all
386 </IfVersion>
387 <IfVersion >= 2.3>
388 Require all granted
389 </IfVersion>
390 </Files>
391 </Directory>
393 # ---- END LINES TO DUPLICATE ----
395 </VirtualHost>
398 # Change the setting of $TLSHost in Girocco::Config.pm to change
399 # whether or not the following https virtual host is enabled.
401 <IfDefine @@TLSHost@@>
403 # This is an example configuration of an https virtualhost running Girocco, as set
404 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
405 # It is not essential for Girocco to use a special virtualhost, however.
406 # The Config.pm $httpspushurl variable needs to be defined to properly enable
407 # https pushing.
408 <VirtualHost *:443>
410 # These certificate files will all be automatically generated, but the
411 # paths here may need to be corrected to match the paths
412 # (especially $certsdir) from Config.pm
414 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
415 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
416 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
417 # when using a paid www server cert, only the above three lines should
418 # be changed. Changing any of the below two lines (other than updating
419 # the paths to match $certsdir) will likely break https client auth
420 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
421 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
423 SSLVerifyDepth 3
424 SSLOptions +FakeBasicAuth +StrictRequire
425 SSLEngine on
427 # This configuration allows fetching over https without a certificate
428 # while always requiring a certificate for pushing over https
429 RewriteEngine On
430 SSLVerifyClient optional
431 RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
432 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
433 RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
434 RewriteCond %{REQUEST_METHOD} =POST [NC]
435 RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
436 RewriteCond %{ENV:client_auth_required} 1
437 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
438 RewriteRule .? %{REQUEST_URI} [NS,R=401]
439 <Location />
440 SSLRequireSSL
441 SSLOptions +FakeBasicAuth
442 AuthName "Git Client Authentication"
443 AuthType Basic
444 AuthBasicProvider anon
445 Anonymous *
446 <IfVersion < 2.3>
447 Order deny,allow
448 Deny from env=client_auth_required
449 Satisfy any
450 Require valid-user
451 </IfVersion>
452 <IfVersion >= 2.3>
453 <RequireAny>
454 <RequireAll>
455 Require all granted
456 Require not env client_auth_required
457 </RequireAll>
458 Require valid-user
459 </RequireAny>
460 </IfVersion>
461 </Location>
462 ErrorDocument 401 /authrequired.cgi
464 # ---- BEGIN DUPLICATE LINES ----
465 ##
466 ## *** IMPORTANT ***
467 ##
468 ## ALL the entire contents from the <VirtualHost *:80> section at the top of
469 ## this file must be copied here.
470 ##
471 ## To avoid this duplication, the contents of the <VirtualHost *:80> section
472 ## above can be moved to a separate file and then included both here and in
473 ## the <VirtualHost *:80> section using an Include directive. Be careful not
474 ## to place the new include file in one of the directories the standard apache
475 ## configuration blindly includes all files from.
476 ##
477 # ---- END DUPLICATE LINES ----
479 </VirtualHost>
481 </IfDefine>