# Managed by ansible, do not edit.
ServerSignature Off
ServerTokens Prod

<VirtualHost *:80>
    ServerName {{ git_host }}
    ServerAlias {{ inventory_hostname }}
    ServerAlias git-geo.linaro.org
    ServerAdmin webmaster@linaro.org

    CustomLog ${APACHE_LOG_DIR}/{{ git_host }}-access.log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D microseconds" env=!dontlog
    ErrorLog ${APACHE_LOG_DIR}/{{ git_host }}-error.log

    DocumentRoot    {{ apache_root }}/cgit

    ExpiresActive   On
    ExpiresDefault  "access plus 0 seconds"

    ExpiresByType   text/css        "access plus 1 month"
    ExpiresByType   text/javascript "access plus 1 month"
    ExpiresByType   image/png       "access plus 1 month"
    ExpiresByType   image/jpg       "access plus 1 month"
    ExpiresByType   image/jpeg      "access plus 1 month"
    ExpiresByType   image/x-icon    "access plus 1 month"

    Header append Cache-Control "no-transform"

    <FilesMatch "\.(html|htm)$">
        Header add Cache-Control "must-revalidate"
        SetOutputFilter DEFLATE

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        Header append Vary User-Agent env=!dont-vary
    </FilesMatch>

    <FilesMatch "\.(js|css)$">
        Header add Cache-Control "max-age=5356800"
        SetOutputFilter DEFLATE

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        Header append Vary User-Agent env=!dont-vary
    </FilesMatch>

    KeepAlive On
    KeepAliveTimeout 10
    MaxKeepAliveRequests 150

    RewriteEngine On
    # Following directives removed from Apache 2.4
    # http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#logging
    #RewriteLog ${APACHE_LOG_DIR}/{{ git_host }}-rewrite.log
    #RewriteLogLevel 0

    AllowEncodedSlashes On

    RewriteCond %{HTTP_USER_AGENT} (AhrefsBot|bingbot|Baidu|Baiduspider|360Spider|360) [nocase]
    RewriteRule ^(.*)$ - [forbidden,last]

    RewriteCond %{HTTP_USER_AGENT} !git [nocase]
    RewriteRule ^/gitweb/(.*)$ /$1 [nocase,noescape,redirect=301]

    RewriteCond %{HTTP_USER_AGENT} git [nocase]
    RewriteCond %{REQUEST_URI} !^/git/(.*)$
    RewriteCond %{REQUEST_URI} !^/git-ro/(.*)$
    RewriteRule ^/(.*)$ /git/$1 [nosubreq,nocase,passthrough]
    # we have things in ci and user bookmarks for gitweb URLs to raw file downloads like:
    #   curl -L  http://git.linaro.org/ci/publishing-api.git/blob_plain/HEAD:/linaro-cp.py
    RewriteRule ^/(.*)/blob_plain/HEAD:/(.*)$ $1/plain/$2 [R=301]

    AliasMatch ^/git-ro/(.*) {{ repo_root }}/$1
    AliasMatch ^/git-http/(.*) {{ repo_root }}/$1

    AliasMatch ^/git-ro/(.*)/clone.bundle$ {{ repo_root }}/$1/clone.bundle
    AliasMatch ^/git-http/(.*)/clone.bundle$ {{ repo_root }}/$1/clone.bundle
    AliasMatch ^/git/(.*)/clone.bundle$ {{ repo_root }}/$1/clone.bundle

    SetEnvIf User-Agent "Amazon Route 53 Health Check" dontlog

    AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ {{ repo_root }}/$1
    AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ {{ repo_root }}/$1
    Alias /manifest.js.gz {{ repo_root }}/manifest.js.gz

    ScriptAliasMatch "(?x)^/git/(.*/(HEAD | info/refs | objects/info/[^/]+ | git-(upload|receive)-pack))$" {{ apache_root }}/cgit/git-http-backend.cgi

    <Directory "{{ repo_root }}">
        AllowOverride None
        Require all granted
        Options +FollowSymLinks -ExecCGI +Indexes
        ExpiresActive Off
        FileEtag None
        Header set Cache-Control "no-cache, no-store, no-transform"
        <FilesMatch "\.(bundle)$">
            FileEtag MTime
            Header set Cache-Control "no-transform, must-revalidate, max-age=518400"
        </FilesMatch>
    </Directory>

    Alias /cgit-css "/var/www/cgit/cgit-css/"
    ScriptAlias / "{{ apache_root}}/cgit/cgit/"
    <Directory "{{ apache_root }}/cgit/">
        AllowOverride None
        Options ExecCGI FollowSymlinks
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName {{ git_host }}
    ServerAlias {{ inventory_hostname }}
    ServerAlias git-geo.linaro.org
    ServerAdmin webmaster@linaro.org

    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLCompression Off
    SSLHonorCipherOrder On
    SSLOptions +StdEnvVars
    SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
    EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
    !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
    CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"

    SSLCertificateFile {{ssl_cert}}
    SSLCertificateKeyFile {{ssl_key}}
    SSLCACertificateFile {{ssl_ca}}

    CustomLog ${APACHE_LOG_DIR}/{{ git_host }}-access.log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D microseconds" env=!dontlog
    ErrorLog ${APACHE_LOG_DIR}/{{ git_host }}-error.log

    DocumentRoot    {{ apache_root }}/cgit

    ExpiresActive   On
    ExpiresDefault  "access plus 0 seconds"

    ExpiresByType   text/css        "access plus 1 month"
    ExpiresByType   text/javascript "access plus 1 month"
    ExpiresByType   image/png       "access plus 1 month"
    ExpiresByType   image/jpg       "access plus 1 month"
    ExpiresByType   image/jpeg      "access plus 1 month"
    ExpiresByType   image/x-icon    "access plus 1 month"

    Header always set Strict-Transport-Security "max-age=63072000"
    Header append Cache-Control "no-transform"

    <FilesMatch "\.(html|htm)$">
        Header add Cache-Control "must-revalidate"
        SetOutputFilter DEFLATE

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        Header append Vary User-Agent env=!dont-vary
    </FilesMatch>

    <FilesMatch "\.(js|css)$">
        Header add Cache-Control "max-age=5356800"
        SetOutputFilter DEFLATE

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        Header append Vary User-Agent env=!dont-vary
    </FilesMatch>

    KeepAlive On
    KeepAliveTimeout 9
    MaxKeepAliveRequests 150

    AllowEncodedSlashes On

    RewriteEngine On
    # Following directives removed from Apache 2.4
    # http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#logging
    #RewriteLog ${APACHE_LOG_DIR}/{{ git_host }}-rewrite.log
    #RewriteLogLevel 0

    RewriteCond %{HTTP_USER_AGENT} (AhrefsBot|bingbot|Baidu|Baiduspider|360Spider|360) [nocase]
    RewriteRule ^(.*)$ - [forbidden,last]

    RewriteCond %{HTTP_USER_AGENT} !git [nocase]
    RewriteRule ^/gitweb/(.*)$ /$1 [nocase,noescape,redirect=301]

    RewriteCond %{HTTP_USER_AGENT} git [nocase]
    RewriteCond %{REQUEST_URI} !^/git/(.*)$
    RewriteCond %{REQUEST_URI} !^/git-ro/(.*)$
    RewriteRule ^/(.*)$ /git/$1 [nocase,noescape,passthrough]
    # we have things in ci and user bookmarks for gitweb URLs to raw file downloads like:
    #   curl -L  http://git.linaro.org/ci/publishing-api.git/blob_plain/HEAD:/linaro-cp.py
    RewriteRule ^/(.*)/blob_plain/HEAD:/(.*)$ $1/plain/$2 [R=301]

    AliasMatch ^/git-ro/(.*) {{ repo_root }}/$1
    AliasMatch ^/git-http/(.*) {{ repo_root }}/$1

    AliasMatch ^/git-ro/(.*)/clone.bundle$ {{ repo_root }}/$1/clone.bundle
    AliasMatch ^/git-http/(.*)/clone.bundle$ {{ repo_root }}/$1/clone.bundle
    AliasMatch ^/git/(.*)/clone.bundle$ {{ repo_root }}/$1/clone.bundle
    Alias /manifest.js.gz {{ repo_root }}/manifest.js.gz

    SetEnvIf User-Agent "Amazon Route 53 Health Check" dontlog

    AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ {{ repo_root }}/$1
    AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ {{ repo_root }}/$1

    ScriptAliasMatch "(?x)^/git/(.*/(HEAD | info/refs | objects/info/[^/]+ | git-(upload|receive)-pack))$" {{ apache_root }}/cgit/git-http-backend.cgi

    <Directory "{{ repo_root }}/">
        AllowOverride None
        Require all granted
        Options +FollowSymLinks -ExecCGI +Indexes
        ExpiresActive Off
        FileEtag None
        Header set Cache-Control "no-cache, no-store, no-transform"
        <FilesMatch "\.(bundle)$">
            FileEtag MTime
            Header set Cache-Control "no-transform, must-revalidate, max-age=518400"
        </FilesMatch>
    </Directory>

    Alias /cgit-css "/var/www/cgit/cgit-css/"
    ScriptAlias / "{{ apache_root}}/cgit/cgit/"
    <Directory "{{ apache_root }}/cgit/">
        AllowOverride None
        Options ExecCGI FollowSymlinks
        Require all granted
    </Directory>
</VirtualHost>