# Managed by ansible, do not edit.
# Server-wide settings; they apply to every virtual host defined below.

# Do not append a server-generated footer to error pages, and reduce the
# Server response header to the bare product name, so the version and
# module list are not disclosed to clients.
ServerSignature Off
ServerTokens Prod

# mod_ldap cache sizing: the search/bind cache (LDAPCache*) and the
# operation/compare cache (LDAPOpCache*).
# NOTE(review): both TTLs are 36000 seconds (10 hours). While an entry is
# cached, a password change or a disabled account in the directory may not
# be noticed by this server, so revocation can lag by up to the TTL.
# Confirm that delay is acceptable for offboarding, or lower the values.
LDAPCacheEntries 2048
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 36000
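# Plain-HTTP listener: serves no content, it only redirects to HTTPS.
<VirtualHost *:80>
ServerName {{ git_host }}
ServerAdmin webmaster@linaro.org
# The target must end in "/". Redirect appends whatever follows the matched
# prefix ("/") to the target, so without the trailing slash a request for
# /path is answered with "https://<host>path": a different host name rather
# than a path on this site.
Redirect permanent / https://{{ git_host }}/
</VirtualHost>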
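# Support for deprecated *.git.linaro.org subdomains
# This vhost serves no content: every request is answered with a 301 to the
# current host name.
# NOTE(review): this is the first *:443 vhost in this file. Unless a file
# loaded earlier defines one, Apache also uses it for requests whose host
# name matches no ServerName/ServerAlias, and those requests are redirected
# to git_host as well. Confirm that catch-all behaviour is intended.
<VirtualHost *:443>
ServerName dev-private.git.linaro.org
ServerAlias zte.git.linaro.org
RewriteEngine On
# The dots are escaped so that they match a literal "." only; an unescaped
# "." in the pattern matches any character.
RewriteCond %{HTTP_HOST} ^zte\.git\.linaro\.org [nocase]
RewriteRule ^(.*) https://zte-git.linaro.org$1 [redirect=301,noescape,last]
# Any other host name handled by this vhost goes to the main site.
RewriteRule ^(.*) https://{{ git_host }}$1 [redirect=301,noescape,last]
# TLS has to be configured here too: the handshake completes before the
# redirect can be sent.
SSLEngine On
# NOTE(review): "All -SSLv2 -SSLv3" leaves TLS 1.0 and TLS 1.1 enabled.
# If no client still depends on them, restrict this further, for example
# by adding "-TLSv1 -TLSv1.1".
SSLProtocol All -SSLv2 -SSLv3
# TLS-level compression off (avoids compression side channels); the server's
# cipher preference order wins over the client's.
SSLCompression Off
SSLHonorCipherOrder On
SSLOptions +StdEnvVars
# NOTE(review): "+SSLv3" here does not enable the SSLv3 protocol; it moves
# the SSLv3-era cipher suites to the end of the list. The explicit
# CAMELLIA*-SHA / AES*-SHA entries at the end are static-RSA key exchange
# with CBC and SHA-1 (no forward secrecy), and "!ECDSA" removes
# ECDSA-authenticated suites. Review this list against current guidance
# together with the protocol setting above.
SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
SSLCertificateFile {{ssl_cert}}
SSLCertificateKeyFile {{ssl_key}}
# NOTE(review): SSLCACertificateFile is the CA set used for verifying client
# certificates. If ssl_ca is meant to be the intermediate chain of the
# server certificate, confirm this is the intended directive for the Apache
# version in use.
SSLCACertificateFile {{ssl_ca}}
</VirtualHost>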
# Main HTTPS site: an LDAP-authenticated front end that hands every request
# to the CGI under apache_root/cgit/ (presumably cgit).
<VirtualHost *:443>
ServerName {{ git_host }}
ServerAlias zte-git.linaro.org
ServerAlias northstar-git.linaro.org
ServerAlias socionext-customer-git.linaro.org
ServerAlias acadine-git.linaro.org
ServerAdmin webmaster@linaro.org

# --- TLS ---
SSLEngine On
# NOTE(review): "All -SSLv2 -SSLv3" leaves TLS 1.0 and TLS 1.1 enabled.
# HTTP Basic credentials cross this channel on every request; if no client
# still depends on the old versions, restrict this further, for example by
# adding "-TLSv1 -TLSv1.1".
SSLProtocol All -SSLv2 -SSLv3
# TLS-level compression off (avoids compression side channels); the server's
# cipher preference order wins over the client's.
SSLCompression Off
SSLHonorCipherOrder On
# Exports the SSL_* environment variables to CGI/SSI for every request.
SSLOptions +StdEnvVars
# NOTE(review): "+SSLv3" here does not enable the SSLv3 protocol; it moves
# the SSLv3-era cipher suites to the end of the list. The explicit
# CAMELLIA*-SHA / AES*-SHA entries at the end are static-RSA key exchange
# with CBC and SHA-1 (no forward secrecy), and "!ECDSA" removes
# ECDSA-authenticated suites. Review this list against current guidance
# together with the protocol setting above.
SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
SSLCertificateFile {{ssl_cert}}
SSLCertificateKeyFile {{ssl_key}}
# NOTE(review): SSLCACertificateFile is the CA set used for verifying client
# certificates. If ssl_ca is meant to be the intermediate chain of the
# server certificate, confirm this is the intended directive for the Apache
# version in use.
SSLCACertificateFile {{ssl_ca}}

# --- Logging ---
# The "combined" format records the authenticated user name, which makes the
# access log the audit trail for who fetched what.
CustomLog ${APACHE_LOG_DIR}/{{ git_host }}-access.log combined
ErrorLog ${APACHE_LOG_DIR}/{{ git_host }}-error.log
LogLevel warn
DocumentRoot {{ apache_root }}/{{ git_host }}

# --- Caching and response headers ---
# Nothing is cached by default; the listed image types are cacheable for a
# month.
ExpiresActive On
ExpiresDefault "access plus 0 seconds"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 month"
# HSTS on every response, including errors ("always"). max-age is 63072000
# seconds (two years); includeSubDomains is not set.
Header always set Strict-Transport-Security "max-age=63072000"
Header append Cache-Control "no-transform"
# HTML files: must-revalidate plus gzip, with the usual workarounds for very
# old browsers.
<FilesMatch "\.(html|htm)$">
Header add Cache-Control "must-revalidate"
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent env=!dont-vary
</FilesMatch>
# JS/CSS files: long-lived cache lifetime plus the same gzip handling.
<FilesMatch "\.(js|css)$">
Header add Cache-Control "max-age=5356800"
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent env=!dont-vary
</FilesMatch>

# --- Connection and URL handling ---
KeepAlive On
KeepAliveTimeout 10
MaxKeepAliveRequests 150
# NOTE(review): "On" accepts %2F in the path and decodes it before the
# request is handed on. If encoded slashes are needed only so that they
# reach the CGI intact, "NoDecode" is the narrower setting; confirm which
# one the application requires.
AllowEncodedSlashes On
EnableSendfile On
AcceptPathInfo On

# --- Authentication and authorization ---
# Registers an external group checker named "linaro-groups" that is run via
# the "pipe" method. The script itself is not part of this file; its input
# handling and exit codes decide who is authorized, so review it together
# with this config.
DefineExternalGroup linaro-groups pipe /usr/local/bin/grpcheck.cgi
# Satisfy is a legacy (Apache 2.2-style) directive; the intent appears to be
# to let robots.txt be fetched without credentials.
# NOTE(review): combining it with the Require-based rules in <Location "/">
# is fragile. Verify with an unauthenticated request that robots.txt is the
# only thing served without a login.
<Files "robots.txt">
Satisfy any
</Files>
# Every URL requires HTTP Basic authentication against LDAP. Basic sends the
# password with each request, so it relies entirely on the TLS settings
# above.
<Location "/">
AuthType Basic
AuthName "{{ host_site_name }}"
AuthBasicProvider ldap
# NOTE(review): the URL scheme comes from the template variable; confirm it
# is ldaps:// (or that STARTTLS is requested) so user passwords and the bind
# password are not sent to the directory in clear text.
AuthLDAPUrl "{{ apache_ldap_url }}"
AuthLDAPBindDN "{{ apache_ldap_bind }}"
# The bind password is rendered into this file in clear text: keep the
# rendered file readable only by root and the Apache user, and keep the
# variable in an encrypted store. The bind account should have read-only,
# search-only rights in the directory.
# NOTE(review): unlike the bind DN, the value is not quoted; a password
# containing whitespace would not parse as a single argument. Confirm.
AuthLDAPBindPassword {{ apache_ldap_bind_pwd }}
# REMOTE_USER is set to the entry's uid attribute.
AuthLDAPRemoteUserAttribute uid
GroupExternal linaro-groups
# Both conditions must hold: a successful login and a positive answer from
# the external group check for one of the groups in security_groups.
<RequireAll>
Require valid-user
Require external-group {{ security_groups }}
</RequireAll>
</Location>

# --- Application mapping ---
# /cgit-css is served as static files; every other URL is mapped to the CGI
# directory by the ScriptAlias on "/".
Alias /cgit-css "{{ apache_root}}/cgit/cgit-css/"
ScriptAlias / "{{ apache_root}}/cgit/cgit/"
# "Require all granted" only opens the directory at the filesystem level; the
# login requirement comes from <Location "/"> above.
# NOTE(review): confirm that removing or narrowing that Location block cannot
# happen without this rule being tightened too, since on its own this grants
# anonymous access. FollowSymlinks follows any link under this tree; keep the
# tree writable only by trusted accounts.
<Directory "{{ apache_root }}/cgit/">
AllowOverride None
Options ExecCGI FollowSymlinks
Require all granted
</Directory>
</VirtualHost>