path: root/files/apache/dev-private-git.linaro.org.conf
blob: 8334226b29487b01a5a03d87d9754a23c8a3aae3 (plain)
# Managed by ansible, do not edit.
# Reduce version disclosure: no signature footer on server-generated pages and
# a minimal "Server" response header.
ServerSignature Off
ServerTokens Prod

# mod_ldap cache sizing and lifetime; these are server-wide settings.
# NOTE(review): both TTLs are 36000 seconds (10 hours). A cached search/bind or
# compare result may keep being honoured for that long after the account's
# password, status or attributes change in the directory -- confirm this is
# acceptable for offboarding and credential-reset scenarios.
LDAPCacheEntries 2048
LDAPCacheTTL 36000
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 36000

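# Plain-HTTP listener: serves no content, it only redirects to the HTTPS site.
<VirtualHost *:80>
    ServerName {{ git_host }}
    ServerAdmin webmaster@linaro.org

    # Redirect appends whatever follows the matched prefix to the target, so
    # the target must end in "/". Without the trailing slash the request path
    # is glued directly onto the host name, and the Location header can end up
    # naming a different host than the one intended.
    Redirect permanent / https://{{ git_host }}/
</VirtualHost>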

# Support for deprecated *.git.linaro.org subdomains
<VirtualHost *:443>
    # Legacy host names only: this virtual host serves nothing itself, every
    # request is answered with a 301 to one of the current host names.
    ServerName dev-private.git.linaro.org
    ServerAlias zte.git.linaro.org

    # The RewriteCond guards only the RewriteRule directly below it; the second
    # RewriteRule is the unconditional catch-all for every other request.
    # The host pattern has unescaped dots and no end anchor, so it is a loose
    # prefix match; both redirect targets are fixed host names, so the Host
    # header never ends up in the Location header.
    # NOTE(review): "noescape" stops mod_rewrite from re-encoding the path it
    # copies into the Location header -- confirm it is required, since the
    # default escaping is the safer behaviour.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^zte.git.linaro.org [nocase]
    RewriteRule ^(.*) https://zte-git.linaro.org$1 [redirect=301,noescape,last]
    RewriteRule ^(.*) https://{{ git_host }}$1 [redirect=301,noescape,last]

    SSLEngine On
    # NOTE(review): "All -SSLv2 -SSLv3" still leaves TLS 1.0 and TLS 1.1
    # enabled; consider also removing them once client compatibility is
    # confirmed.
    SSLProtocol All -SSLv2 -SSLv3
    # TLS-level compression is off; the server's cipher preference order wins.
    SSLCompression Off
    SSLHonorCipherOrder On
    SSLOptions +StdEnvVars
    # NOTE(review): the list ends with static-RSA CBC suites (CAMELLIA256-SHA,
    # AES256-SHA, CAMELLIA128-SHA, AES128-SHA), which provide no forward
    # secrecy. "!ECDSA" excludes ECDSA-authenticated suites, presumably because
    # the certificate is RSA -- confirm. This string is duplicated verbatim in
    # the main virtual host and must be kept in sync with it.
    SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
    EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
    !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
    CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"

    # The certificate must be valid for both legacy names above, otherwise
    # clients fail the TLS handshake before they ever see the redirect.
    # NOTE(review): SSLCACertificateFile is documented as the CA set used to
    # verify client certificates; no SSLVerifyClient appears in this file, so
    # it is presumably here to supply the issuer chain -- confirm.
    SSLCertificateFile {{ssl_cert}}
    SSLCertificateKeyFile {{ssl_key}}
    SSLCACertificateFile {{ssl_ca}}
</VirtualHost>

# Main HTTPS site: cgit behind HTTP Basic authentication backed by LDAP, with
# group membership checked by an external helper program.
<VirtualHost *:443>
    ServerName {{ git_host }}
    ServerAlias zte-git.linaro.org
    ServerAlias northstar-git.linaro.org
    ServerAlias socionext-customer-git.linaro.org
    ServerAlias acadine-git.linaro.org
    ServerAdmin webmaster@linaro.org

    SSLEngine On
    # NOTE(review): "All -SSLv2 -SSLv3" still leaves TLS 1.0 and TLS 1.1
    # enabled; consider also removing them once client compatibility is
    # confirmed.
    SSLProtocol All -SSLv2 -SSLv3
    # TLS-level compression is off; the server's cipher preference order wins.
    SSLCompression Off
    SSLHonorCipherOrder On
    SSLOptions +StdEnvVars
    # NOTE(review): the list ends with static-RSA CBC suites (CAMELLIA256-SHA,
    # AES256-SHA, CAMELLIA128-SHA, AES128-SHA), which provide no forward
    # secrecy. "!ECDSA" excludes ECDSA-authenticated suites, presumably because
    # the certificate is RSA -- confirm.
    SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
    EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
    !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
    CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"

    # One certificate serves the ServerName and every ServerAlias above, so it
    # has to list all of those names.
    # NOTE(review): SSLCACertificateFile is documented as the CA set used to
    # verify client certificates; no SSLVerifyClient appears in this file, so
    # it is presumably here to supply the issuer chain -- confirm.
    SSLCertificateFile {{ssl_cert}}
    SSLCertificateKeyFile {{ssl_key}}
    SSLCACertificateFile {{ssl_ca}}

    # The "combined" format records the authenticated user name but not the
    # Authorization header itself.
    CustomLog ${APACHE_LOG_DIR}/{{ git_host }}-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/{{ git_host }}-error.log
    LogLevel warn

    DocumentRoot {{ apache_root }}/{{ git_host }}

    # Nothing is cacheable by default; only the image types below get a month.
    ExpiresActive   On
    ExpiresDefault  "access plus 0 seconds"

    ExpiresByType   image/png       "access plus 1 month"
    ExpiresByType   image/jpg       "access plus 1 month"
    ExpiresByType   image/jpeg      "access plus 1 month"
    ExpiresByType   image/x-icon    "access plus 1 month"

    # HSTS for two years. "always" also puts the header on error responses
    # such as the 401 challenge. includeSubDomains is not set, so each alias
    # host is pinned only after a client has visited it.
    Header always set Strict-Transport-Security "max-age=63072000"
    Header append Cache-Control "no-transform"

    # FilesMatch tests the on-disk file name, so the two sections below
    # presumably affect static files only, not cgit's CGI output -- confirm.
    # The BrowserMatch lines are the stock mod_deflate workarounds for very
    # old browsers.
    <FilesMatch "\.(html|htm)$">
        Header add Cache-Control "must-revalidate"
        SetOutputFilter DEFLATE

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        Header append Vary User-Agent env=!dont-vary
    </FilesMatch>

    <FilesMatch "\.(js|css)$">
        Header add Cache-Control "max-age=5356800"
        SetOutputFilter DEFLATE

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        Header append Vary User-Agent env=!dont-vary
    </FilesMatch>

    KeepAlive On
    KeepAliveTimeout 10
    MaxKeepAliveRequests 150

    # NOTE(review): "On" accepts encoded slashes (%2F) in the path and decodes
    # them before the path reaches the CGI. Presumably needed for ref names
    # that contain "/"; check whether "NoDecode" would be sufficient.
    AllowEncodedSlashes On
    EnableSendfile On
    AcceptPathInfo On

    # External group checker (mod_authnz_external style). The helper program
    # decides group membership for every authenticated request, so it should
    # be root-owned and not writable by the web server user. Its code is not
    # part of this file.
    DefineExternalGroup linaro-groups pipe /usr/local/bin/grpcheck.cgi

    # Intended to leave robots.txt reachable without credentials.
    # NOTE(review): "Satisfy" is Apache 2.2 syntax while the rest of this file
    # uses 2.4 "Require", and the Location section below is merged after Files
    # sections. Verify that an unauthenticated request for /robots.txt really
    # succeeds, and that nothing else becomes public as a side effect.
    <Files "robots.txt">
        Satisfy any
    </Files>

    # Access control for the whole site. Basic auth sends the credentials with
    # every request, so they are protected only by the TLS settings above.
    <Location "/">

        AuthType Basic
        AuthName "{{ host_site_name }}"
        AuthBasicProvider ldap

        # NOTE(review): the URL scheme is not visible here; confirm that the
        # rendered value uses ldaps:// or STARTTLS so that user passwords and
        # the bind password are not sent to the directory in clear text.
        # The bind password is rendered into the deployed file in clear text,
        # so that file should be readable by root only. It is also unquoted:
        # a value containing whitespace would presumably be split into several
        # arguments and rejected at start-up -- confirm.
        AuthLDAPUrl "{{ apache_ldap_url }}"
        AuthLDAPBindDN "{{ apache_ldap_bind }}"
        AuthLDAPBindPassword {{ apache_ldap_bind_pwd }}
        AuthLDAPRemoteUserAttribute uid

        # Both conditions must hold: a valid LDAP login AND membership in one
        # of the configured groups as reported by the external helper.
        GroupExternal linaro-groups
        <RequireAll>
            Require valid-user
            Require external-group {{ security_groups }}
        </RequireAll>
    </Location>

    # Everything under "/" except /cgit-css is mapped to the cgit CGI location.
    Alias /cgit-css "{{ apache_root}}/cgit/cgit-css/"
    ScriptAlias / "{{ apache_root}}/cgit/cgit/"
    # "Require all granted" applies at the directory level only; the effective
    # gate is the Location "/" section above, which is merged later. Removing
    # or narrowing that Location would leave this directory open.
    # NOTE(review): ExecCGI together with FollowSymlinks means a symlink inside
    # this tree is followed wherever it points; consider SymLinksIfOwnerMatch
    # if symlinks are not needed.
    <Directory "{{ apache_root }}/cgit/">
        AllowOverride None
        Options ExecCGI FollowSymlinks
        Require all granted
    </Directory>
</VirtualHost>