261 lines
8.9 KiB
Text
261 lines
8.9 KiB
Text
NameVirtualHost *:80
|
|
|
|
<VirtualHost *:80>
|
|
ServerName fedorapeople.org
|
|
ServerAlias *.fedorapeople.org
|
|
ServerAlias ols.fedoraproject.org
|
|
ServerAlias people.fedoraproject.org
|
|
ServerAlias people1.fedoraproject.org
|
|
|
|
RewriteEngine on
|
|
RewriteCond %{SERVER_PORT} !^443$
|
|
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
|
|
</VirtualHost>
|
|
|
|
<VirtualHost *:443>
|
|
##
|
|
# Domain: people.fedoraproject.org fedorapeople.org
|
|
# Owner: admin@fedoraproject.org
|
|
#
|
|
ServerName fedorapeople.org
|
|
ServerAlias *.fedorapeople.org
|
|
ServerAlias ols.fedoraproject.org
|
|
ServerAlias people.fedoraproject.org
|
|
ServerAlias people1.fedoraproject.org
|
|
ServerAdmin admin@fedoraproject.org
|
|
|
|
DocumentRoot /srv/people/site
|
|
|
|
SSLEngine on
|
|
SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.cert
|
|
SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedorapeople.org.key
|
|
SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedorapeople.org.intermediate.cert
|
|
SSLHonorCipherOrder On
|
|
SSLCipherSuite {{ ssl_ciphers }}
|
|
SSLProtocol {{ ssl_protocols }}
|
|
|
|
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
|
|
|
|
LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
|
|
# ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/fedorapeople.org-error.log-%Y%m%d 86400 -l"
|
|
# CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/fedorapeople.org-access.log-%Y%m%d 86400 -l" vcommon
|
|
ErrorLog logs/fedorapeople.org-error.log
|
|
CustomLog logs/fedorapeople.org-access.log vcommon
|
|
|
|
<Location />
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 30 minutes"
|
|
</Location>
|
|
|
|
<Directory /srv/people/site>
|
|
Options Indexes FollowSymLinks
|
|
Require all granted
|
|
</Directory>
|
|
|
|
<Directory /usr/share/cgit>
|
|
Require all granted
|
|
</Directory>
|
|
|
|
UserDir public_html
|
|
<Directory "/home/fedora/*/public_html">
|
|
AllowOverride FileInfo AuthConfig Limit Indexes
|
|
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
|
|
#IndexOptions NameWidth=* FancyIndexing
|
|
Require all granted
|
|
Require method GET POST OPTIONS
|
|
</Directory>
|
|
|
|
<Directory "/home/fedora/*/public_git*">
|
|
Require all granted
|
|
Require method GET POST OPTIONS
|
|
</Directory>
|
|
|
|
<Directory /project>
|
|
AllowOverride FileInfo AuthConfig Limit Indexes
|
|
Options MultiViews Indexes FollowSymLinks IncludesNoExec
|
|
IndexOptions NameWidth=* FancyIndexing
|
|
Require method GET POST OPTIONS
|
|
</Directory>
|
|
|
|
# uncomment me after the people03 move
|
|
Alias /groups /project
|
|
|
|
Alias /404Error.html /srv/people/site/404Error.html
|
|
ErrorDocument 404 /404Error.html
|
|
|
|
RewriteEngine on
|
|
RewriteMap lowercase int:tolower
|
|
|
|
RewriteRule ^/icons/(.*)$ /usr/share/httpd/icons/$1 [L]
|
|
|
|
# redirect all favicons (not just DocRoot-level) to fedoraproject.org
|
|
# needs to terminate before other rewrite rules start
|
|
SSLProxyEngine On
|
|
SSLProxyCheckPeerCN on
|
|
SSLProxyCheckPeerExpire on
|
|
RewriteRule /favicon\.ico$ https://fedoraproject.org/static/images/favicon.ico [proxy]
|
|
|
|
|
|
# ols.fedoraproject.org
|
|
RewriteCond ${lowercase:%{SERVER_NAME}} ^ols\.fedoraproject\.org$
|
|
#RewriteRule ^(.*)$ /home/fedora/lockhart/proceedings/$1 [L]
|
|
# Content moved after lockhart's account was inactive 2011-12-15
|
|
RewriteRule ^(.*)$ /srv/web/ols/proceedings/$1 [L]
|
|
|
|
# skvidal lives on in his code
|
|
RewriteCond ${lowercase:%{SERVER_NAME}} ^skvidal\.fedorapeople\.org$
|
|
RewriteRule ^(.*)$ /srv/web/skvidal/public_html/$1 [L]
|
|
RewriteCond %{REQUEST_URI} /~skvidal/(.*) [OR]
|
|
RewriteRule ^/~skvidal/(.*)$ /srv/web/skvidal/public_html/$1 [L]
|
|
|
|
<Directory /srv/web/skvidal/public_html>
|
|
AllowOverride FileInfo AuthConfig Limit Indexes
|
|
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
|
|
HeaderName /_defaults/HEADER.shtml
|
|
ReadmeName /_defaults/FOOTER.shtml
|
|
|
|
IndexOptions +FoldersFirst +IgnoreCase +NameWidth=* +SuppressIcon +VersionSort
|
|
IndexOptions +XHTML +SuppressRules +SuppressHTMLPreamble
|
|
Require all granted
|
|
</Directory>
|
|
|
|
#<Directory /home/fedora/lockhart/proceedings>
|
|
# AllowOverride FileInfo AuthConfig Limit Indexes
|
|
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
|
|
#</Directory>
|
|
<Directory /srv/web/ols/proceedings>
|
|
AllowOverride FileInfo AuthConfig Limit Indexes
|
|
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
|
|
Require all granted
|
|
</Directory>
|
|
|
|
# the openstack folks need to symlink to a pkg to work
|
|
<Directory /srv/repos/openstack>
|
|
Options +FollowSymLinks
|
|
Require all granted
|
|
</Directory>
|
|
|
|
|
|
# www.fedorapeople.org
|
|
RewriteCond ${lowercase:%{SERVER_NAME}} ^www\.fedorapeople\.org$
|
|
RewriteRule ^/(.*)$ https://fedorapeople.org/$1 [R,L]
|
|
# rdo.fedorapeople.org -> repos.fedorapeople.org/repos/openstack
|
|
# for the rdo announce day - 2013-04-15 - skvidal
|
|
RewriteCond ${lowercase:%{SERVER_NAME}} ^rdo\.fedorapeople\.org$
|
|
RewriteRule ^/(.*)$ https://repos.fedorapeople.org/repos/openstack/$1 [R,L]
|
|
|
|
# [username].fedorapeople.org
|
|
# directory absolute header/readme path must be relative to document root
|
|
# so fake it with an alias chained to a rewrite before the URI rewrite
|
|
RewriteRule ^/_defaults/(.*) /_default/$1 [PT]
|
|
Alias /_default/ /srv/people/site/userdefs/
|
|
|
|
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.fedorapeople\.org$
|
|
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
|
|
RewriteRule ^repos\.fedorapeople\.org/repos/(.*) /project/repos/$1 [L]
|
|
RewriteRule ^repos\.fedorapeople\.org/(.*) /project/repos/$1 [L]
|
|
RewriteRule ^([a-z0-9-]+)\.fedorapeople\.org/(.*) /home/fedora/$1/public_html/$2 [L]
|
|
|
|
# Begin http git clone
|
|
# First, deny write access
|
|
RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
|
|
RewriteCond %{REQUEST_URI} /git-receive-pack$
|
|
RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]
|
|
<Location /git>
|
|
<RequireAll>
|
|
Require not env AUTHREQUIRED
|
|
Require all granted
|
|
</RequireAll>
|
|
Options -Indexes +ExecCGI
|
|
</Location>
|
|
|
|
# Next up, determine which user owns this repo
|
|
SetEnvIf Request_URI ^/git/([a-zA-Z0-9]*)/.* GIT_PROJECT_ROOT=/home/fedora/$1/public_git
|
|
Header set X-GitProject "%{GIT_PROJECT_ROOT}e"
|
|
|
|
# Let's serve objects and packs directly from apache, very performant!
|
|
AliasMatch ^/git/([a-zA-Z0-9]*)/([a-zA-Z0-9]*)\.git(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /home/fedora/$1/public_git/$2.git/$3
|
|
AliasMatch ^/git/([a-zA-Z0-9]*)/([a-zA-Z0-9]*)\.git(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /home/fedora/$1/public_git/$2.git/$3
|
|
|
|
# And now for the magic, let's run the git cgi script
|
|
ScriptAliasMatch \
|
|
"(?x)^/git/([a-zA-Z0-9]*)/(.*/(HEAD | \
|
|
info/refs | \
|
|
objects/(info/[^/]+ | \
|
|
[0-9a-f]{2}/[0-9a-f]{38} | \
|
|
pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
|
|
git-(upload|receive)-pack))$" \
|
|
/usr/libexec/git-core/git-http-backend/$2
|
|
# End http git clone
|
|
|
|
<Directory /srv/people/site/userdefs>
|
|
Options IncludesNoExec
|
|
</Directory>
|
|
|
|
HeaderName /_defaults/HEADER.shtml
|
|
ReadmeName /_defaults/FOOTER.shtml
|
|
|
|
IndexOptions +FoldersFirst +IgnoreCase +NameWidth=* +SuppressIcon +VersionSort
|
|
IndexOptions +XHTML +SuppressRules +SuppressHTMLPreamble
|
|
ServerSignature Off
|
|
AddOutputFilter INCLUDES .html
|
|
#SetEnvIf Request_URI "(?x)^/git/([^/]*)(.*)$" \
|
|
# GIT_PROJECT_ROOT=/home/fedora/$1/public_git
|
|
|
|
# this takes care of user directories
|
|
#ScriptAliasMatch \
|
|
# "(?x)^/git/([^/]*)(/.*/(HEAD | \
|
|
# info/refs | \
|
|
# objects/(info/[^/]+ | \
|
|
# [0-9a-f]{2}/[0-9a-f]{38} | \
|
|
# pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
|
|
# git-(upload|receive)-pack))$" \
|
|
# /usr/libexec/git-core/git-http-backend/$2
|
|
</VirtualHost>
|
|
|
|
LoadModule deflate_module modules/mod_deflate.so
|
|
SetOutputFilter DEFLATE
|
|
|
|
# need this type
|
|
AddType video/webm .webm
|
|
AddType text/plain .spec
|
|
AddType application/vnd.android.package-archive .apk
|
|
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript
|
|
<FilesMatch "\.gz$">
|
|
ForceType text/plain
|
|
Header set Content-Encoding: gzip
|
|
</FilesMatch>
|
|
|
|
<Location />
|
|
# Insert filter
|
|
SetOutputFilter DEFLATE
|
|
|
|
# Netscape 4.x has some problems...
|
|
BrowserMatch ^Mozilla/4 gzip-only-text/html
|
|
|
|
# Netscape 4.06-4.08 have some more problems
|
|
BrowserMatch ^Mozilla/4\.0[678] no-gzip
|
|
|
|
# MSIE masquerades as Netscape, but it is fine
|
|
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
|
|
|
|
# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
|
|
# the above regex won't work. You can use the following
|
|
# workaround to get the desired effect:
|
|
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
|
|
|
|
# Don't compress images or already compressed files.
|
|
SetEnvIfNoCase Request_URI \
|
|
\.(?:gif|jpe?g|png|gz|bz2|tgz|xz|iso|rpm|sqlite|pdf)$ no-gzip dont-vary
|
|
|
|
# Make sure proxies don't deliver the wrong content
|
|
Header append Vary User-Agent env=!dont-vary
|
|
</Location>
|
|
|
|
<LocationMatch "/repos/.*\.(xml|xml\.gz|xml\.asc|sqlite.+)$">
|
|
Header set Cache-Control "must-revalidate"
|
|
ExpiresActive On
|
|
ExpiresDefault "now"
|
|
</LocationMatch>
|
|
|
|
FileETag MTime Size
|