| blob | 5e25d44613485aa99f30277de4a9d3dfcd7bdd00 |
1 ## To convert this file to apache.conf using the current Girocco::Config
2 ## values either do "make" or "make apache.conf" or ./make-apache-conf.sh
3 ##
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, somewhat independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
7 <VirtualHost *:80>
8 Alias /.well-known/acme-challenge/ @@webroot@@/../certs/acme/.well-known/acme-challenge/
9 <Directory "@@webroot@@/../certs/acme/.well-known/acme-challenge/">
10 Options None
11 AllowOverride None
12 ForceType text/plain
13 <IfVersion < 2.3>
14 Order allow,deny
15 Allow from all
16 Satisfy all
17 </IfVersion>
18 <IfVersion >= 2.3>
19 Require all granted
20 </IfVersion>
21 </Directory>
23 # ---- BEGIN LINES TO DUPLICATE ----
25 ServerName @@httpdnsname@@
26 ServerAlias www.@@httpdnsname@@
27 ServerAdmin @@admin@@
29 # This is the standard "combined" log format modified as follows:
30 # the REMOTE_USER (%u) has double-quotes around it
31 # the received time is shown as [YYYY-mm-dd_HH:MM:SS +hhmm] (almost RFC 3339 format)
32 # -- this is one character shorter than the default but sorts so much better
33 # when the logio_module is present (almost always) the %O value is prefixed with:
34 # %I-> -- <bytes-received-including-request-and-headers>
35 # the first line of the request ("%r") is prefixed with
36 # %X%k: -- <connection-status><keepalive-request-num>
37 # <keepalive-request-num> will be omitted if apache < 2.2.11
38 # these fields are added to the end:
39 # :%{local}p -- :<actual-server-port>
40 # %Dus -- <request-time-in-microseconds>
41 # "%o{Content-Range}" -- <outgoing Content-Range header>
42 <IfVersion >= 2.2.11>
43 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X%k:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
44 </IfVersion>
45 <IfVersion !>= 2.2.11>
46 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X:\"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
47 </IfVersion>
48 <IfModule logio_module>
49 # %I and %O are only available with the logio_module
50 <IfVersion >= 2.2.11>
51 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X%k:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
52 </IfVersion>
53 <IfVersion !>= 2.2.11>
54 LogFormat "%h %l \"%u\" %{[%F_%T %z]}t %X:\"%r\" %>s %I->%O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p %Dus \"%{Content-Range}o\"" girocco
55 </IfVersion>
56 </IfModule>
58 # If your distribution does not set APACHE_LOG_DIR before
59 # starting Apache you will need to edit the next two directives
60 ErrorLog "/var/log/apache2/repo-error.log"
61 CustomLog "/var/log/apache2/repo-access.log" girocco
63 <IfModule mime_magic_module>
64 # Avoid spurious Content-Type values when git-http-backend
65 # fails to provide a Content-Type header in its output
66 MimeMagicFile /dev/null
67 </IfModule>
69 DocumentRoot @@webroot@@
70 <Directory @@webroot@@>
71 # Add MultiViews only if pages are truly
72 # offered in more than a single language
73 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
74 Options FollowSymLinks
75 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
76 AllowOverride All
77 <IfVersion < 2.3>
78 Order allow,deny
79 Allow from all
80 Satisfy all
81 </IfVersion>
82 <IfVersion >= 2.3>
83 Require all granted
84 </IfVersion>
85 DirectoryIndex w
86 </Directory>
88 # The non-mod_rewrite items are handled first where the magic /[bchrw]
89 # prefix always forces selection of the prefix-indicated cgi handler.
91 ScriptAlias /w @@cgiroot@@/gitweb.cgi
92 ScriptAlias /b @@cgiroot@@/bundles.cgi
93 ScriptAlias /h @@cgiroot@@/html.cgi
94 ScriptAliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
96 # Any requests without the magic /[bchrw] are treated as Git requests if they
97 # are one of the few possible Git URLs otherwise they go to bundles or gitweb
99 # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
100 # change whether or not non-smart HTTP fetch access will be allowed.
102 <IfDefine !@@SmartHTTPOnly@@>
103 # This accelerates non-smart HTTP access to loose objects, packs and info
104 AliasMatch \
105 "(?x)^/(?![bchw]/)(?:r/)? \
106 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
107 HEAD | \
108 objects/info/alternates | \
109 objects/info/http-alternates | \
110 objects/info/packs | \
111 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
112 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
113 @@reporoot@@/$1.git/$2
114 </IfDefine>
116 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
117 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
119 ScriptAliasMatch \
120 "(?x)^/(?![bchrw]/) \
121 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/( \
122 info/refs | \
123 git-upload-pack | \
124 git-receive-pack | \
125 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
126 @@basedir@@/bin/git-http-backend-verify/$1.git/$2
128 # Everything else off to bundles.cgi or gitweb.cgi
129 ScriptAliasMatch \
130 "(?x)^/(?![bchrw]/) \
131 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/bundles)$" \
132 @@cgiroot@@/bundles.cgi/$1
133 ScriptAliasMatch \
134 "(?x)^/(?![bchrw]/) \
135 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git(?!/bundles)(?:/.*)?)$" \
136 @@cgiroot@@/gitweb.cgi/$1
138 # mod_rewrite is not strictly required for gitweb and fetch access, but
139 # if it's not available the trailing ".git" is never optional for
140 # gitweb, the leading /h is always required for *.html, snapshots are
141 # not throttled, some bogus Git http protocol requests will not be
142 # detected early and, if non-smart HTTP is allowed, access to the
143 # /info/refs file will not be accelerated in non-smart HTTP mode.
145 <IfModule rewrite_module>
146 RewriteEngine On
148 # Snapshot requests are only allowed via the PATH_INFO mechanism
149 RewriteCond %{QUERY_STRING} (^|[&;])a=snapshot([&;]|$) [NC]
150 RewriteRule .? - [NS,F,L]
152 # Redirect snapshot requests to snapshot.cgi
153 RewriteRule \
154 "(?x)^/(?![bchr]/)(?:w/)? \
155 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?\.git/ \
156 snapshot(?:/.*)?)$" \
157 @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
159 # Make the leading /h optional for requests that name an existing .html template
160 RewriteCond @@webroot@@/$1 !-f
161 RewriteCond @@cgiroot@@/$1 !-f
162 RewriteCond @@basedir@@/html/$1 -s
163 RewriteRule \
164 ^/(?![bchrw]/)(.*\.html)$ \
165 /h/$1 [NS,PT]
167 # Redirect bare gitweb requests without .git that name an existing repo...
168 RewriteCond @@webroot@@/$2 !-f
169 RewriteCond @@cgiroot@@/$2 !-f
170 RewriteCond @@reporoot@@/$2.git/HEAD -s
171 RewriteRule \
172 "(?x)^/(?![bchr]/)((?:w/)?) \
173 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git))$" \
174 /$1$2.git [NS,L,R=301]
176 # Of the 11 possible Git protocol URLs (i.e. passed to git-http-backend-verify),
177 # 9 are only valid with GET/HEAD and the other two are only valid with POST
178 # Furthermore, 7 are only valid when non-smart is allowed and
179 # 1 is only valid when smart-only is enabled if it has the correct query string.
181 # These two always require POST
182 RewriteCond %{REQUEST_METHOD} !=POST
183 RewriteRule \
184 "(?x)^/(?![bchw]/)(?:r/)? \
185 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
186 git-upload-pack | \
187 git-receive-pack )$" \
188 - [NS,F]
190 <IfDefine @@SmartHTTPOnly@@>
191 # These 7 are always forbidden when non-smart HTTP is disabled
192 RewriteRule \
193 "(?x)^/(?![bchw]/)(?:r/)? \
194 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
195 HEAD | \
196 objects/info/alternates | \
197 objects/info/http-alternates | \
198 objects/info/packs | \
199 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
200 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) )$" \
201 - [NS,F]
202 # This one is forbidden without the magic query string when non-smart is disabled
203 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$ [OR]
204 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
205 RewriteRule \
206 "(?x)^/(?![bchw]/)(?:r/)? \
207 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
208 info/refs $" \
209 - [NS,F]
210 # This one requires GET (or HEAD)
211 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
212 RewriteRule \
213 "(?x)^/(?![bchw]/)(?:r/)? \
214 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/ \
215 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle $" \
216 - [NS,F]
217 </IfDefine>
219 <IfDefine !@@SmartHTTPOnly@@>
220 # These 9 require GET (or HEAD)
221 RewriteCond %{REQUEST_METHOD} !^(?:GET|HEAD)$
222 RewriteRule \
223 "(?x)^/(?![bchw]/)(?:r/)? \
224 (?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?(?:\.git)?/(?: \
225 HEAD | \
226 info/refs | \
227 objects/info/alternates | \
228 objects/info/http-alternates | \
229 objects/info/packs | \
230 objects/[0-9a-f]{2}/[0-9a-f]{38} | \
231 objects/pack/pack-[0-9a-f]{40}\.(?:pack|idx) | \
232 [a-zA-Z0-9][a-zA-Z0-9+._-]*\.bundle )$" \
233 - [NS,F]
234 # This one can be accelerated when accessed with non-smart HTTP
235 RewriteCond %{REQUEST_METHOD} ^(?:GET|HEAD)$
236 RewriteCond %{QUERY_STRING} !(^|&)service=git-(?:upload|receive)-pack(&|$)
237 RewriteRule \
238 "(?x)^/(?![bchw]/)(?:r/)? \
239 ((?:[a-zA-Z0-9][a-zA-Z0-9+._-]*(?<!\.git)/)*[a-zA-Z0-9][a-zA-Z0-9+._-]*?)(?:\.git)?/ \
240 info/refs $" \
241 @@reporoot@@/$1.git/info/refs [NS,L]
242 </IfDefine>
243 </IfModule>
245 <Directory @@reporoot@@>
246 Options FollowSymLinks
247 AllowOverride None
248 <IfVersion < 2.3>
249 Order allow,deny
250 Allow from all
251 Satisfy all
252 </IfVersion>
253 <IfVersion >= 2.3>
254 Require all granted
255 </IfVersion>
257 <IfModule rewrite_module>
258 # Everything fetched over the non-smart git http
259 # protocol should be an existing file. If the request
260 # is not for an existing file, just send back an error
261 # message without emitting anything into the error log.
262 RewriteEngine On
263 RewriteBase /
264 RewriteCond @@reporoot@@/$1 !-f
265 RewriteRule ^(.*)$ - [NS,R=404,L]
266 </IfModule>
267 </Directory>
269 <Directory @@cgiroot@@>
270 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
271 Options SymLinksIfOwnerMatch
272 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
273 AllowOverride FileInfo
274 <IfVersion < 2.3>
275 Order deny,allow
276 Deny from all
277 Satisfy all
278 </IfVersion>
279 <IfVersion >= 2.3>
280 Require all denied
281 </IfVersion>
282 <Files gitweb.cgi>
283 Options +ExecCGI
284 <IfVersion < 2.3>
285 Order deny,allow
286 Allow from all
287 Satisfy all
288 </IfVersion>
289 <IfVersion >= 2.3>
290 Require all granted
291 </IfVersion>
292 <IfModule !mod_fastcgi.c>
293 <IfModule !mod_fcgid.c>
294 SetHandler cgi-script
295 </IfModule>
296 </IfModule>
298 # Note that in testing mod_fastcgi (in dynamic mode)
299 # was found to be slightly faster than mod_fcgid.
300 #
301 # However, we prefer mod_fcgid if both are available
302 # because we cannot control the server-global settings
303 # of mod_fastcgi's "FastCgiConfig" options.
304 #
305 # In order for gitweb.cgi to run reasonably well as a
306 # mod_fastcgi dynamic FastCGI application, the
307 # "FastCgiConfig" option "-idle-timeout" value needs to
308 # be increased from the default value of "30" to at
309 # least "120", preferably more like "300". But that
310 # will affect ALL dynamic mod_fastcgi applications on
311 # the ENTIRE server, not just gitweb.cgi. Additionally
312 # the "FastCgiConfig" "-restart" option probably ought
313 # to be set as well. Also, unfortunately, there is no
314 # mod_fastcgi option corresponding to mod_fcgid's
315 # MaxRequestsPerProcess option and gitweb.cgi running
316 # in FastCGI mode (without using FCGI::ProcManager) will
317 # always exit after serving 100 requests (a good thing).
318 #
319 # The alternative is to make gitweb.cgi a static
320 # mod_fastcgi application (the "FastCgiServer"
321 # directive), but then the number of running instances
322 # will be fixed at whatever value is chosen for the
323 # "-processes" option rather than being dynamically
324 # adjusted based on load and that's probably undesirable
325 # in most cases unless you run gitweb.cgi under a
326 # front-end that dynamically forks multiple copies of
327 # gitweb.cgi based on the current load. See the CPAN
328 # FCGI::ProcManager::Dynamic module for an example of
329 # how to do this in Perl:
330 #
331 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
332 #
333 # So instead we prefer mod_fcgid because we can adjust
334 # the necessary options for good gitweb.cgi behavior
335 # while affecting only gitweb.cgi and having it remain
336 # a dynamic application whose total number of running
337 # instances is adjusted based on current server load.
339 <IfModule mod_fcgid.c>
340 SetHandler fcgid-script
341 </IfModule>
342 <IfModule !mod_fcgid.c>
343 <IfModule mod_fastcgi.c>
344 SetHandler fastcgi-script
345 </IfModule>
346 </IfModule>
347 </Files>
348 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
349 Options +ExecCGI
350 SetHandler cgi-script
351 <IfVersion < 2.3>
352 Order deny,allow
353 Allow from all
354 Satisfy all
355 </IfVersion>
356 <IfVersion >= 2.3>
357 Require all granted
358 </IfVersion>
359 </FilesMatch>
360 </Directory>
362 <IfModule mod_fcgid.c>
363 # mod_fcgid benefits from some additional config for gitweb.cgi
364 # gitweb.cgi has a hard-coded maximum of 100 requests
365 # and we do not want to give up too soon in case Git is lagging.
366 # Note that adding a 'MaxProcesses ...' option here may be valuable
367 # to limit the maximum number of gitweb.cgi processes that can be
368 # spawned (default is 100) -- perhaps to something much lower such
369 # as 1 or 2 times the number of CPU cores. Also note that in the
370 # unlikely event all the children finish their 100 requests at the
371 # same time, the server's FcgidSpawnScoreUpLimit (which defaults
372 # to 10 if not set) should be set to at least 3 times the
373 # MaxProcesses value chosen to allow them all to respawn
374 # immediately. FcgidSpawnScoreUpLimit MUST be at least twice the
375 # chosen MaxProcesses value (assuming FcgidTerminationScore is
376 # still set to the default 2) in order to allow any child at all to
377 # respawn immediately in this case without a delay.
378 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
379 MaxProcesses 8 MinProcesses 5 \
380 MaxRequestsPerProcess 100 IOTimeout 300
381 </IfModule>
383 <Directory @@basedir@@/bin>
384 Options None
385 AllowOverride None
386 <IfVersion < 2.3>
387 Order deny,allow
388 Deny from all
389 Satisfy all
390 </IfVersion>
391 <IfVersion >= 2.3>
392 Require all denied
393 </IfVersion>
394 <Files git-http-backend-verify>
395 Options ExecCGI
396 SetHandler cgi-script
397 <IfVersion < 2.3>
398 Order deny,allow
399 Allow from all
400 Satisfy all
401 </IfVersion>
402 <IfVersion >= 2.3>
403 Require all granted
404 </IfVersion>
405 </Files>
406 </Directory>
408 # ---- END LINES TO DUPLICATE ----
410 <IfDefine @@TLSHost@@>
411 <IfModule rewrite_module>
412 RewriteEngine on
413 RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
414 RewriteCond %{SERVER_NAME} =@@httpdnsname@@
415 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=301]
416 </IfModule>
417 </IfDefine>
419 </VirtualHost>
422 # Change the setting of $TLSHost in Girocco::Config.pm to change
423 # whether or not the following https virtual host is enabled.
425 <IfDefine @@TLSHost@@>
427 # This is an example configuration of an https virtualhost running Girocco, as set
428 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
429 # It is not essential for Girocco to use a special virtualhost, however.
430 # The Config.pm $httpspushurl variable needs to be defined to properly enable
431 # https pushing.
432 <VirtualHost *:443>
434 # These certificate files will all be automatically generated, but the
435 # paths here may need to be corrected to match the paths
436 # (especially $certsdir) from Config.pm
438 SSLCertificateFile @@certsdir@@/acme/girocco_www_crt.pem
439 SSLCertificateKeyFile @@certsdir@@/acme/girocco_www_key.pem
440 SSLCertificateChainFile @@certsdir@@/acme/girocco_www_chain.pem
441 # when using a paid www server cert, only the above three lines should
442 # be changed. Changing any of the below two lines (other than updating
443 # the paths to match $certsdir) will likely break https client auth
444 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
445 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
447 SSLVerifyDepth 3
448 SSLOptions +FakeBasicAuth +StrictRequire
449 SSLEngine on
451 # This configuration allows fetching over https without a certificate
452 # while always requiring a certificate for pushing over https
453 RewriteEngine On
454 SSLVerifyClient optional
455 RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
456 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
457 RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
458 RewriteCond %{REQUEST_METHOD} =POST [NC]
459 RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
460 RewriteCond %{ENV:client_auth_required} 1
461 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
462 RewriteRule .? %{REQUEST_URI} [NS,R=401]
463 <Location />
464 SSLRequireSSL
465 SSLOptions +FakeBasicAuth
466 AuthName "Git Client Authentication"
467 AuthType Basic
468 AuthBasicProvider anon
469 Anonymous *
470 <IfVersion < 2.3>
471 Order deny,allow
472 Deny from env=client_auth_required
473 Satisfy any
474 Require valid-user
475 </IfVersion>
476 <IfVersion >= 2.3>
477 <RequireAny>
478 <RequireAll>
479 Require all granted
480 Require not env client_auth_required
481 </RequireAll>
482 Require valid-user
483 </RequireAny>
484 </IfVersion>
485 </Location>
486 ErrorDocument 401 /authrequired.cgi
488 # ---- BEGIN DUPLICATE LINES ----
489 ##
490 ## *** IMPORTANT ***
491 ##
492 ## ALL the entire contents from the <VirtualHost *:80> section at the top of
493 ## this file must be copied here.
494 ##
495 ## To avoid this duplication, the contents of the <VirtualHost *:80> section
496 ## above can be moved to a separate file and then included both here and in
497 ## the <VirtualHost *:80> section using an Include directive. Be careful not
498 ## to place the new include file in one of the directories the standard apache
499 ## configuration blindly includes all files from.
500 ##
501 # ---- END DUPLICATE LINES ----
503 </VirtualHost>
505 </IfDefine>