| blob | d2fbd9ba0c5af30ce34e6cb936abf19365c272be |
1 ## To convert this file to apache.conf using the current Girocco::Config
2 ## values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
8 <IfDefine @@TLSHost@@>
9 <IfModule rewrite_module>
10 RewriteEngine on
11 RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
12 RewriteCond %{SERVER_NAME} =@@httpdnsname@@
13 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=301]
14 </IfModule>
15 </IfDefine>
17 Alias /.well-known/acme-challenge/ @@webroot@@/../certs/acme/.well-known/acme-challenge/
18 <Directory "@@webroot@@/../certs/acme/.well-known/acme-challenge/">
19 Options None
20 AllowOverride None
21 ForceType text/plain
22 <IfVersion < 2.3>
23 Order allow,deny
24 Allow from all
25 Satisfy all
26 </IfVersion>
27 <IfVersion >= 2.3>
28 Require all granted
29 </IfVersion>
30 </Directory>
32 # ---- BEGIN LINES TO DUPLICATE ----
34 ServerName @@httpdnsname@@
35 ServerAlias www.@@httpdnsname@@
36 ServerAdmin @@admin@@
38 # This is the standard "combined" log format modified as follows:
39 # the REMOTE_USER (%u) has double-quotes around it
40 # the received time is shown as [YYYY-mm-dd_HH:MM:SS +hhmm] (almost RFC 3339 format)
41 # -- this is one character shorter than the default but sorts so much better
42 # when the logio_module is present (almost always) the %O value is prefixed with:
43 # %I-> -- <bytes-received-including-request-and-headers>
44 # the first line of the request ("%r") is prefixed with
45 # %X%k: -- <connection-status><keepalive-request-num>
46 # <keepalive-request-num> will be omitted if apache < 2.2.11
47 # these fields are added to the end:
48 # :%{local}p -- :<actual-server-port>
49 # %Dus -- <request-time-in-microseconds>
50 # "%o{Content-Range}" -- <outgoing Content-Range header>
51 <IfVersion >= 2.2.11>
52 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X%k:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
53 </IfVersion>
54 <IfVersion !>= 2.2.11>
55 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
56 </IfVersion>
57 <IfModule logio_module>
58 # %I and %O are only available with the logio_module
59 <IfVersion >= 2.2.11>
60 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X%k:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
61 </IfVersion>
62 <IfVersion !>= 2.2.11>
63 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
64 </IfVersion>
65 </IfModule>
67 # If your distribution does not set APACHE_LOG_DIR before
68 # starting Apache you will need to edit the next two directives
69 ErrorLog "/var/log/apache2/repo-error.log"
70 CustomLog "/var/log/apache2/repo-access.log" girocco
72 <IfModule mime_magic_module>
73 # Avoid spurious Content-Type values when git-http-backend
74 # fails to provide a Content-Type header in its output
75 MimeMagicFile /dev/null
76 </IfModule>
78 DocumentRoot @@webroot@@
79 <Directory @@webroot@@>
80 # Add MultiViews only if pages are truly
81 # offered in more than a single language
82 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
83 Options FollowSymLinks
84 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
85 AllowOverride All
86 <IfVersion < 2.3>
87 Order allow,deny
88 Allow from all
89 Satisfy all
90 </IfVersion>
91 <IfVersion >= 2.3>
92 Require all granted
93 </IfVersion>
94 DirectoryIndex w
95 </Directory>
97 # The non-mod_rewrite items are handled first where the magic /[bchrw]
98 # prefix always forces selection of the prefix-indicated cgi handler.
100 ScriptAlias /w @@cgiroot@@/gitweb.cgi
101 ScriptAlias /b @@cgiroot@@/bundles.cgi
102 ScriptAlias /h @@cgiroot@@/html.cgi
103 ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
105 # Any requests without the magic /[bchrw] are treated as Git requests if they
106 # are one of the few possible Git URLs otherwise they go to bundles or gitweb
108 # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
109 # change whether or not non-smart HTTP fetch access will be allowed.
111 <IfDefine !@@SmartHTTPOnly@@>
112 # This accelerates non-smart HTTP access to loose objects, packs and info
113 AliasMatch \
114 "(?x)^/(?![bchw]/)(?:r/)? \
115 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
116 HEAD | \
117 objects/info/alternates | \
118 objects/info/http-alternates | \
119 objects/info/packs | \
120 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
121 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
122 @@reporoot@@/$1.git/$2
123 </IfDefine>
125 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
126 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
128 ScriptAliasMatch \
129 "(?x)^/(?![bchrw]/) \
130 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
131 info/refs | \
132 git-upload-pack | \
133 git-receive-pack | \
134 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
135 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
137 # Everything else off to bundles.cgi or gitweb.cgi
138 ScriptAliasMatch \
139 "(?x)^/(?![bchrw]/) \
140 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
141 @@cgiroot@@/bundles.cgi/$1
142 ScriptAliasMatch \
143 "(?x)^/(?![bchrw]/) \
144 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
145 @@cgiroot@@/gitweb.cgi/$1
147 # mod_rewrite is not strictly required for gitweb and fetch access, but
148 # if it's not available the trailing ".git" is never optional for
149 # gitweb, the leading /h is always required for *.html, snapshots are
150 # not throttled, some bogus Git http protocol requests will not be
151 # detected early and, if non-smart HTTP is allowed, access to the
152 # /info/refs file will not be accelerated in non-smart HTTP mode.
154 <IfModule rewrite_module>
155 RewriteEngine On
157 # Snapshot requests are only allowed via the PATH_INFO mechanism
158 RewriteCond %{QUERY_STRING} (^|[&;])a=snapshot([&;]|$) [NC]
159 RewriteRule .? - [NS,F,L]
161 # Redirect snapshot requests to snapshot.cgi
162 RewriteRule \
163 "(?x)^/(?![bchr]/)(?:w/)? \
164 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
165 snapshot(?:/.*)?)$" \
166 @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
168 # Make the leading /h optional for requests that name an existing .html template
169 RewriteCond @@webroot@@/$1 !-f
170 RewriteCond @@cgiroot@@/$1 !-f
171 RewriteCond @@basedir@@/html/$1 -s
172 RewriteRule \
173 ^/(?![bchrw]/)(.*\.html)$ \
174 /h/$1 [NS,PT]
176 # Redirect bare gitweb requests without .git that name an existing repo...
177 RewriteCond @@webroot@@/$2 !-f
178 RewriteCond @@cgiroot@@/$2 !-f
179 RewriteCond @@reporoot@@/$2.git/HEAD -s
180 RewriteRule \
181 "(?x)^/(?![bchr]/)((?:w/)?) \
182 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
183 /$1$2.git [NS,L,R=301]
185 # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
186 # 9 are only valid with GET/HEAD and the other two are only valid with POST
187 # Furthermore, 7 are only valid when non-smart is allowed and
188 # 1 is only valid when smart-only is enabled if it has the correct query string.
190 # These two always require POST
191 RewriteCond %{REQUEST_METHOD} !=POST
192 RewriteRule \
193 "(?x)^/(?![bchw]/)(?:r/)? \
194 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
195 git-upload-pack | \
196 git-receive-pack )$" \
197 - [NS,F]
199 <IfDefine @@SmartHTTPOnly@@>
200 # These 7 are always forbidden when non-smart HTTP is disabled
201 RewriteRule \
202 "(?x)^/(?![bchw]/)(?:r/)? \
203 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
204 HEAD | \
205 objects/info/alternates | \
206 objects/info/http-alternates | \
207 objects/info/packs | \
208 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
209 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
210 - [NS,F]
211 # This one is forbidden without the magic query string when non-smart is disabled
212 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
213 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
214 RewriteRule \
215 "(?x)^/(?![bchw]/)(?:r/)? \
216 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
217 info/refs $" \
218 - [NS,F]
219 # This one requires GET (or HEAD)
220 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
221 RewriteRule \
222 "(?x)^/(?![bchw]/)(?:r/)? \
223 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
224 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
225 - [NS,F]
226 </IfDefine>
228 <IfDefine !@@SmartHTTPOnly@@>
229 # These 9 require GET (or HEAD)
230 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
231 RewriteRule \
232 "(?x)^/(?![bchw]/)(?:r/)? \
233 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
234 HEAD | \
235 info/refs | \
236 objects/info/alternates | \
237 objects/info/http-alternates | \
238 objects/info/packs | \
239 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
240 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
241 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
242 - [NS,F]
243 # This one can be accelerated when accessed with non-smart HTTP
244 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
245 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
246 RewriteRule \
247 "(?x)^/(?![bchw]/)(?:r/)? \
248 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
249 info/refs $" \
250 @@reporoot@@/$1.git/info/refs [NS,L]
251 </IfDefine>
252 </IfModule>
254 <Directory @@reporoot@@>
255 Options FollowSymLinks
256 AllowOverride None
257 <IfVersion < 2.3>
258 Order allow,deny
259 Allow from all
260 Satisfy all
261 </IfVersion>
262 <IfVersion >= 2.3>
263 Require all granted
264 </IfVersion>
266 <IfModule rewrite_module>
267 # Everything fetched over the non-smart git http
268 # protocol should be an existing file. If the request
269 # is not for an existing file, just send back an error
270 # message without emitting anything into the error log.
271 RewriteEngine On
272 RewriteBase /
273 RewriteCond @@reporoot@@/$1 !-f
274 RewriteRule ^(.*)$ - [NS,R=404,L]
275 </IfModule>
276 </Directory>
278 <Directory @@cgiroot@@>
279 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
280 Options SymLinksIfOwnerMatch
281 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
282 AllowOverride FileInfo
283 <IfVersion < 2.3>
284 Order deny,allow
285 Deny from all
286 Satisfy all
287 </IfVersion>
288 <IfVersion >= 2.3>
289 Require all denied
290 </IfVersion>
291 <Files gitweb.cgi>
292 Options +ExecCGI
293 <IfVersion < 2.3>
294 Order deny,allow
295 Allow from all
296 Satisfy all
297 </IfVersion>
298 <IfVersion >= 2.3>
299 Require all granted
300 </IfVersion>
301 <IfModule !mod_fastcgi.c>
302 <IfModule !mod_fcgid.c>
303 SetHandler cgi-script
304 </IfModule>
305 </IfModule>
307 # Note that in testing mod_fastcgi (in dynamic mode)
308 # was found to be slightly faster than mod_fcgid.
309 #
310 # However, we prefer mod_fcgid if both are available
311 # because we cannot control the server-global settings
312 # of mod_fastcgi's "FastCgiConfig" options.
313 #
314 # In order for gitweb.cgi to run reasonably well as a
315 # mod_fastcgi dynamic FastCGI application, the
316 # "FastCgiConfig" option "-idle-timeout" value needs to
317 # be increased from the default value of "30" to at
318 # least "120", preferably more like "300". But that
319 # will affect ALL dynamic mod_fastcgi applications on
320 # the ENTIRE server, not just gitweb.cgi. Additionally
321 # the "FastCgiConfig" "-restart" option probably ought
322 # to be set as well. Also, unfortunately, there is no
323 # mod_fastcgi option corresponding to mod_fcgid's
324 # MaxRequestsPerProcess option and gitweb.cgi running
325 # in FastCGI mode (without using FCGI::ProcManager) will
326 # always exit after serving 100 requests (a good thing).
327 #
328 # The alternative is to make gitweb.cgi a static
329 # mod_fastcgi application (the "FastCgiServer"
330 # directive), but then the number of running instances
331 # will be fixed at whatever value is chosen for the
332 # "-processes" option rather than being dynamically
333 # adjusted based on load and that's probably undesirable
334 # in most cases unless you run gitweb.cgi under a
335 # front-end that dynamically forks multiple copies of
336 # gitweb.cgi based on the current load. See the CPAN
337 # FCGI::ProcManager::Dynamic module for an example of
338 # how to do this in Perl:
339 #
340 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
341 #
342 # So instead we prefer mod_fcgid because we can adjust
343 # the necessary options for good gitweb.cgi behavior
344 # while affecting only gitweb.cgi and having it remain
345 # a dynamic application whose total number of running
346 # instances is adjusted based on current server load.
348 <IfModule mod_fcgid.c>
349 SetHandler fcgid-script
350 </IfModule>
351 <IfModule !mod_fcgid.c>
352 <IfModule mod_fastcgi.c>
353 SetHandler fastcgi-script
354 </IfModule>
355 </IfModule>
356 </Files>
357 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
358 Options +ExecCGI
359 SetHandler cgi-script
360 <IfVersion < 2.3>
361 Order deny,allow
362 Allow from all
363 Satisfy all
364 </IfVersion>
365 <IfVersion >= 2.3>
366 Require all granted
367 </IfVersion>
368 </FilesMatch>
369 </Directory>
371 <IfModule mod_fcgid.c>
372 # mod_fcgid benefits from some additional config for gitweb.cgi
373 # gitweb.cgi has a hard-coded maximum of 100 requests
374 # and we do not want to give up too soon in case Git is lagging.
375 # Note that adding a 'MaxProcesses ...' option here may be valuable
376 # to limit the maximum number of gitweb.cgi processes that can be
377 # spawned (default is 100) -- perhaps to something much lower such
378 # as 1 or 2 times the number of CPU cores. Also note that in the
379 # unlikely event all the children finish their 100 requests at the
380 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
381 # to 10 if not set) should be set to at least 3 times the
382 # MaxProcesses value chosen to allow them all to respawn
383 # immediately. FcgidSpawnScoreUpLimit MUST be at least twice the
384 # chosen MaxProcesses value (assuming FcgidTerminationScore is
385 # still set to the default 2) in order to allow any child at all to
386 # respawn immediately in this case without a delay.
387 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
388 MaxProcesses 8 MinProcesses 5 \
389 MaxRequestsPerProcess 100 IOTimeout 300
390 </IfModule>
392 <Directory @@basedir@@/bin>
393 Options None
394 AllowOverride None
395 <IfVersion < 2.3>
396 Order deny,allow
397 Deny from all
398 Satisfy all
399 </IfVersion>
400 <IfVersion >= 2.3>
401 Require all denied
402 </IfVersion>
403 <Files git-http-backend-verify>
404 Options ExecCGI
405 SetHandler cgi-script
406 <IfVersion < 2.3>
407 Order deny,allow
408 Allow from all
409 Satisfy all
410 </IfVersion>
411 <IfVersion >= 2.3>
412 Require all granted
413 </IfVersion>
414 </Files>
415 </Directory>
417 # ---- END LINES TO DUPLICATE ----
419 </VirtualHost>
422 # Change the setting of $TLSHost in Girocco::Config.pm to change
423 # whether or not the following https virtual host is enabled.
425 <IfDefine @@TLSHost@@>
427 # This is an example configuration of an https virtualhost running Girocco, as set
428 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
429 # It is not essential for Girocco to use a special virtualhost, however.
430 # The Config.pm $httpspushurl variable needs to be defined to properly enable
431 # https pushing.
432 <VirtualHost *:443>
434 # These certificate files will all be automatically generated, but the
435 # paths here may need to be corrected to match the paths
436 # (especially $certsdir) from Config.pm
438 SSLCertificateFile @@certsdir@@/acme/girocco_www_crt.pem
439 SSLCertificateKeyFile @@certsdir@@/acme/girocco_www_key.pem
440 SSLCertificateChainFile @@certsdir@@/acme/girocco_www_chain.pem
441 # when using a paid www server cert, only the above three lines should
442 # be changed. Changing any of the below two lines (other than updating
443 # the paths to match $certsdir) will likely break https client auth
444 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
445 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
447 SSLVerifyDepth 3
448 SSLOptions +FakeBasicAuth +StrictRequire
449 SSLEngine on
451 # This configuration allows fetching over https without a certificate
452 # while always requiring a certificate for pushing over https
453 RewriteEngine On
454 SSLVerifyClient optional
455 RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
456 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
457 RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
458 RewriteCond %{REQUEST_METHOD} =POST [NC]
459 RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
460 RewriteCond %{ENV:client_auth_required} 1
461 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
462 RewriteRule .? %{REQUEST_URI} [NS,R=401]
463 <Location />
464 SSLRequireSSL
465 SSLOptions +FakeBasicAuth
466 AuthName "Git Client Authentication"
467 AuthType Basic
468 AuthBasicProvider anon
469 Anonymous *
470 <IfVersion < 2.3>
471 Order deny,allow
472 Deny from env=client_auth_required
473 Satisfy any
474 Require valid-user
475 </IfVersion>
476 <IfVersion >= 2.3>
477 <RequireAny>
478 <RequireAll>
479 Require all granted
480 Require not env client_auth_required
481 </RequireAll>
482 Require valid-user
483 </RequireAny>
484 </IfVersion>
485 </Location>
486 ErrorDocument 401 /authrequired.cgi
488 # ---- BEGIN DUPLICATE LINES ----
489 ##
490 ## *** IMPORTANT ***
491 ##
492 ## ALL the entire contents from the <VirtualHost *:80> section at the top of
493 ## this file must be copied here.
494 ##
495 ## To avoid this duplication, the contents of the <VirtualHost *:80> section
496 ## above can be moved to a separate file and then included both here and in
497 ## the <VirtualHost *:80> section using an Include directive. Be careful not
498 ## to place the new include file in one of the directories the standard apache
499 ## configuration blindly includes all files from.
500 ##
501 # ---- END DUPLICATE LINES ----
503 </VirtualHost>
505 </IfDefine>