Chris@1601: 
Chris@1601: # Apache config with SSL and admin auth stubbed in. You must provide
Chris@1601: # the key/cert and auth files.
Chris@1601: 
Chris@1601: # Note this has been updated for Apache 2.4, which introduced a number
Chris@1601: # of (welcome) changes to access control directives.
Chris@1601: 
Chris@1601: PerlLoadModule Apache::Authn::SoundSoftware
Chris@1601: 
Chris@1601: <VirtualHost *:80>
Chris@1601:         ServerName code.soundsoftware.ac.uk
Chris@1601:         ServerAdmin chris.cannam@soundsoftware.ac.uk
Chris@1601: 
Chris@1601:         DocumentRoot /var/www/code/public
Chris@1601:         PassengerRestartDir restart_files
Chris@1601:         PassengerHighPerformance on
Chris@1601:         PassengerMaxRequests 50000
Chris@1601:         PassengerStatThrottleRate 5
Chris@1601: 	PassengerFriendlyErrorPages off
Chris@1601:         RailsSpawnMethod smart
Chris@1601:         ExpiresDefault "access plus 1 minute"
Chris@1601: 
Chris@1601:         # Redirect all activity to secure site
Chris@1601:         Redirect seeother / "https://code.soundsoftware.ac.uk/"
Chris@1601: 
Chris@1601:         <DirectoryMatch "^/.*/\.svn/">
Chris@1601:                 Require all denied
Chris@1601:         </DirectoryMatch>
Chris@1601: 
Chris@1601:         <DirectoryMatch "^/.*/\.hg/">
Chris@1601:                 Require all denied
Chris@1601:         </DirectoryMatch>
Chris@1601: 
Chris@1601:         <DirectoryMatch "^/.*/\.git/">
Chris@1601:                 Require all denied
Chris@1601:         </DirectoryMatch>
Chris@1601: 
Chris@1601:         <Directory /var/www/code/public>
Chris@1601:                 Options -MultiViews
Chris@1601: 	</Directory>
Chris@1601: 
Chris@1601: 	ErrorLog /var/log/apache2/code-error.log
Chris@1601: 	CustomLog /var/log/apache2/code-access.log vhost_combined
Chris@1601: 
Chris@1601:         LogLevel warn
Chris@1601:         ServerSignature Off
Chris@1601: </VirtualHost>
Chris@1601: 
Chris@1605: <VirtualHost *:443>
Chris@1601:         ServerName code.soundsoftware.ac.uk
Chris@1601:         ServerAdmin chris.cannam@soundsoftware.ac.uk
Chris@1601: 
Chris@1605:         SSLEngine on
Chris@1605: 	SSLCertificateFile /etc/apache2/certs/code.soundsoftware.ac.uk.crt
Chris@1605: 	SSLCertificateKeyFile /etc/apache2/certs/code.soundsoftware.ac.uk.key
Chris@1605: 	SSLCertificateChainFile /etc/apache2/certs/code.soundsoftware.ac.uk.ca-bundle
Chris@1605: 	SSLVerifyClient none
Chris@1605: 	SSLProtocol all -SSLv2 -SSLv3
Chris@1605: 	SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW	
Chris@1605: 
Chris@1601:         DocumentRoot /var/www/code/public
Chris@1601:         PassengerRestartDir restart_files
Chris@1601:         PassengerHighPerformance on
Chris@1601:         PassengerMaxRequests 50000
Chris@1601:         PassengerStatThrottleRate 5
Chris@1601: 	PassengerStartTimeout 60
Chris@1601: 	PassengerFriendlyErrorPages off
Chris@1601:         RailsSpawnMethod smart
Chris@1601:         ExpiresDefault "access plus 1 minute"
Chris@1601: 
Chris@1601:         <Location /sys>
Chris@1601: 		AuthType Basic
Chris@1601: 		AuthUserFile "/etc/apache2/auth/user.htpasswd"
Chris@1601: 		AuthName "code.soundsoftware.ac.uk"
Chris@1601: 		Require user user
Chris@1601: 	</Location>
Chris@1601: 
Chris@1601: 	<Location /admin>
Chris@1601: 		AuthType Digest
Chris@1601: 		AuthUserFile "/etc/apache2/auth/admin.htdigest"
Chris@1601: 		AuthName "code.soundsoftware.ac.uk admin interface"
Chris@1601: 		Require user admin
Chris@1601: 	</Location>
Chris@1601: 
Chris@1601:         <DirectoryMatch "^/.*/\.svn/">
Chris@1601:                 Require all denied
Chris@1601:         </DirectoryMatch>
Chris@1601: 
Chris@1601:         <DirectoryMatch "^/.*/\.hg/">
Chris@1601:                 Require all denied
Chris@1601:         </DirectoryMatch>
Chris@1601: 
Chris@1601:         <DirectoryMatch "^/.*/\.git/">
Chris@1601:                 Require all denied
Chris@1601:         </DirectoryMatch>
Chris@1601: 
Chris@1601:         <Directory /var/www/code/public>
Chris@1601:                 Options -MultiViews
Chris@1601: 	</Directory>
Chris@1601: 
Chris@1601:         <Directory /var/www/code/public/themes/soundsoftware/stylesheets/fonts>
Chris@1601: 		# Avoid other sites embedding our fonts
Chris@1601: 		RewriteEngine on
Chris@1601: 		RewriteCond %{HTTP_REFERER} !^$
Chris@1601: 		RewriteCond %{HTTP_REFERER} !^http(s)?://code.soundsoftware.ac.uk/.*$ [NC]
Chris@1601: 		RewriteRule \.(ttf|woff|eot|otf|svg|zip|gz|html|txt)$ - [F]
Chris@1601: 	</Directory>
Chris@1601: 
Chris@1601: 	ScriptAlias /hg "/var/hg/index.cgi"
Chris@1601: 
Chris@1601: 	<Location /hg>
Chris@1601:                	AuthName "Mercurial"
Chris@1601:                 AuthType Basic
Chris@1601:                 Require valid-user
Chris@1601: 		PerlAccessHandler Apache::Authn::SoundSoftware::access_handler
Chris@1601:       		PerlAuthenHandler Apache::Authn::SoundSoftware::authen_handler
Chris@1601: 		PerlSetVar HTTPS "on"
Chris@1601: 		SoundSoftwareDSN "dbi:Pg:database=code;host=localhost"
Chris@1601:     		SoundSoftwareDbUser "code"
Chris@1601:      		SoundSoftwareDbPass "INSERT_DATABASE_PASSWORD_HERE"
Chris@1601: 		SoundSoftwareRepoPrefix "/var/hg/"
Chris@1601:                 SoundSoftwareSslRequired "on"
Chris@1601: 		Options +ExecCGI
Chris@1601: 		AddHandler cgi-script .cgi
Chris@1601: 		ExpiresDefault now
Chris@1601:         </Location>
Chris@1601: 
Chris@1601: 	Alias /git "/var/files/git-mirror"	
Chris@1601: 
Chris@1601: 	<Directory "/var/files/git-mirror">
Chris@1601: 		Options -Indexes +FollowSymLinks
Chris@1601:                 Require all granted
Chris@1601: 	</Directory>
Chris@1601: 	<Directory ~ "/var/files/git-mirror/.*\.workdir">
Chris@1601:                 Require all denied
Chris@1601: 	</Directory>
Chris@1601: 	<Directory ~ "/var/files/git-mirror/__.*">
Chris@1601:                 Require all denied
Chris@1601: 	</Directory>
Chris@1601: 
Chris@1601: 	ErrorLog /var/log/apache2/code-error.log
Chris@1601: 	CustomLog /var/log/apache2/code-access.log vhost_combined
Chris@1601: 
Chris@1601:         LogLevel warn
Chris@1601:         ServerSignature Off
Chris@1601:         
Chris@1601: </VirtualHost>
Chris@1601: