blob: 5d98b4f0d291340966cf85ff23c2a8bb4f42a88c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
Mutex default rewrite-map
<VirtualHost *:80>
ServerName {{ git_host }}
ServerAlias {{ inventory_hostname }}
ServerAlias android.git.linaro.org
Alias "/.well-known/acme-challenge" "/tmp/.well-known/acme-challenge"
<Directory /tmp/.well-known/acme-challenge>
Require all granted
</Directory>
AllowEncodedSlashes On
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
RewriteRule ^(.*)$ https://{{ git_host }}$1 [R=301,L]
</VirtualHost>
{% if inventory_hostname == 'android-git-us.linaro.org' %}
# Support for deprecated android.git.linaro.org subdomain
<VirtualHost *:443>
ServerName android.git.linaro.org
RewriteEngine On
RewriteRule ^(.*) https://android-git.linaro.org$1 [redirect=301,noescape,last]
AllowEncodedSlashes On
SSLEngine On
SSLOptions +StdEnvVars
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
SSLCertificateFile /etc/letsencrypt/live/android-git-us.linaro.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/android-git-us.linaro.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/android-git-us.linaro.org/chain.pem
</VirtualHost>
{% endif %}
<VirtualHost *:443>
ServerName {{ git_host }}
ServerAlias {{ inventory_hostname }}
ServerAlias android-us.git.linaro.org
ServerAdmin webmaster@linaro.org
CustomLog ${APACHE_LOG_DIR}/{{ git_host }}-access.log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D microseconds" env=!dontlog
ErrorLog ${APACHE_LOG_DIR}/{{ git_host }}-error.log
DocumentRoot {{ apache_root }}/{{ git_host }}
ExpiresActive On
ExpiresDefault "access plus 0 seconds"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 month"
Header append Cache-Control "no-transform"
<FilesMatch "\.(html|htm)$">
Header add Cache-Control "must-revalidate"
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent env=!dont-vary
</FilesMatch>
<FilesMatch "\.(js|css)$">
Header add Cache-Control "max-age=5356800"
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent env=!dont-vary
</FilesMatch>
KeepAlive On
KeepAliveTimeout 9
MaxKeepAliveRequests 150
AllowEncodedSlashes On
SSLEngine On
SSLProxyEngine On
SSLOptions +StdEnvVars
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
SSLCertificateFile {{ssl_cert}}
SSLCertificateKeyFile {{ssl_key}}
SSLCACertificateFile {{ssl_ca}}
RewriteEngine On
# Following directives removed from Apache 2.4
# http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#logging
#RewriteLog ${APACHE_LOG_DIR}/{{ git_host }}-rewrite.log
#RewriteLogLevel 0
RewriteMap gitdirs prg:{{tools_checkout_dir}}/linaro-git-tools/git-repo-url-rewrite/git-directory-rewritemap.py
RewriteRule ^/git-ro/(.*) /git-http/${gitdirs:$1} [P,L]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|Baiduspider) [NC]
RewriteRule .* - [R=403,L]
SetEnvIf User-Agent "Amazon Route 53 Health Check" dontlog
Alias /git-http/ {{ repo_root }}/
AliasMatch ^/git/(.*)/clone.bundle$ {{ repo_root }}/$1/clone.bundle
AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ {{ repo_root }}/$1
AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ {{ repo_root }}/$1
Alias /manifest.js.gz {{ repo_root }}/manifest.js.gz
ScriptAliasMatch "(?x)^/git/(.*/(HEAD | info/refs | objects/info/[^/]+ | git-(upload|receive)-pack))$" {{ apache_root }}/cgit/git-http-backend.cgi
<Directory "{{ repo_root }}">
AllowOverride None
Require all granted
Options +FollowSymLinks -ExecCGI
ExpiresActive Off
FileEtag None
Header set Cache-Control "no-cache, no-store, no-transform"
<FilesMatch "\.(bundle)$">
FileEtag MTime
Header set Cache-Control "no-transform, must-revalidate, max-age=518400"
</FilesMatch>
</Directory>
# We have to keep an alias around for gitweb because we used to have a
# redirect permanent rule for / -> /gitweb
RewriteRule ^/gitweb(.*)$ $1 [P,L]
# We have things in ci and user bookmarks for gitweb URLs to raw file downloads like:
# curl -L http://git.linaro.org/ci/publishing-api.git/blob_plain/HEAD:/linaro-cp.py
RewriteRule ^/(.*)/blob_plain/HEAD:/(.*)$ $1/plain/$2 [R=301]
Alias /cgit-css "/var/www/cgit/cgit-css/"
ScriptAlias / "{{ apache_root}}/cgit/cgit/"
<Directory "{{ apache_root }}/cgit/">
AllowOverride None
Options ExecCGI FollowSymlinks
Require all granted
</Directory>
</VirtualHost>
|