# This is the apache configuration file for RocketGit
<Directory "/usr/share/rocketgit/root">
AllowOverride None
Order allow,deny
Allow from all
<IfModule mod_authz_core.c>
# apache 2.4
Require all granted
</IfModule>
# Cache at will
<FilesMatch "(?i)^.*\.(ico|jpg|jpeg|png|gif|js|css)$">
FileETag MTime Size
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 day"
</IfModule>
</FilesMatch>
</Directory>
<VirtualHost *:80>
# Set ServerName correctly, else, this VirtualHost will not match
#ServerName rg.domain.tld
#ServerAlias rg www.rg.domain.tld x.domain.tld y.domain.tld
DocumentRoot /usr/share/rocketgit/root/
ErrorLog logs/rocketgit-error_log
CustomLog logs/rocketgit-access_log combined
KeepAlive On
MaxKeepAliveRequests 1000
KeepAliveTimeout 10
TraceEnable off
ServerSignature Off
UseCanonicalName On
UseCanonicalPhysicalPort On
LogLevel info
RewriteEngine On
#LogLevel rewrite:trace8
# Allow .ico, 'themes' folder and robots.txt
# Also, avoid scripts that are looking for exploits
RewriteCond %{REQUEST_URI} ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$ [nocase]
RewriteRule .* - [last]
# Force the use of only one name even if we have more aliases.
# https://httpd.apache.org/docs/2.4/rewrite/remapping.html
#RewriteCond expr "%{HTTP_HOST} != %{SERVER_NAME}" [nocase]
#RewriteRule "^/?(.*)" "http://%{SERVER_NAME}:%{SERVER_PORT}/$1" [last,redirect=301,noescape]
# all rest
RewriteRule (.*) /index.php [last]
<IfModule mod_headers.c>
# Security (ClickJacking)
Header always append X-Frame-Options DENY
</IfModule>
# Compress
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript
DeflateBufferSize 81920
<FilesMatch "\.php$">
SetHandler "proxy:unix:/run/rocketgit.sock|fcgi://localhost"
</FilesMatch>
</VirtualHost>
<VirtualHost *:443>
# Set ServerName correctly, else, this VirtualHost will not match
#ServerName rg.domain.tld
#ServerAlias rg www.rg.domain.tld
DocumentRoot /usr/share/rocketgit/root/
ErrorLog logs/rocketgit-ssl_error_log
CustomLog logs/rocketgit-ssl_access_log combined
KeepAlive On
MaxKeepAliveRequests 1000
KeepAliveTimeout 10
TraceEnable off
ServerSignature Off
UseCanonicalName On
UseCanonicalPhysicalPort On
LogLevel info
RewriteEngine On
#LogLevel rewrite:trace8
# Allow .ico, 'themes' folder and robots.txt
RewriteCond %{REQUEST_URI} ^/(favicon\.ico|themes/.*|robots\.txt|\.well-known/.*)$ [nocase]
RewriteRule .* - [last]
# Force the use of only one name even if we have more aliases.
# https://httpd.apache.org/docs/2.4/rewrite/remapping.html
#RewriteCond expr "%{HTTP_HOST} != %{SERVER_NAME}" [nocase]
#RewriteRule "^/?(.*)" "https://%{SERVER_NAME}:%{SERVER_PORT}/$1" [last,redirect=301,noescape,nocase]
# all rest
RewriteRule (.*) /index.php [last]
<IfModule mod_headers.c>
# Security (ClickJacking)
Header always append X-Frame-Options DENY
# Security (STS)
Header set Strict-Transport-Security "max-age=31536000"
</IfModule>
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Specify the cyphers to get an A+ on Qualys (ssllabs.com)
# https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
SSLHonorCipherOrder on
# Below is "Configure without RC4" configuration and is recommended.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
# or, respect the system settings:
# Pay attention on next line! It fails on RedHat6!
#SSLCipherSuite PROFILE=SYSTEM
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# TODO
#SSLUseStapling on
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off
# Another line here must be 'SSLCACertificateFile ...'
# below line must be outside of VirtualHost section
# SSLStaplingCache shmcb:/run/httpd/ocsp(128000)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
# To generate pin-sha256 string: openssl s_client -servername <server> -connect <server>:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains; report-uri=\"https://www.example.org/hpkp-report\""
# Header always set Public-Key-Pins-Report-Only ... # to not block users!
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
# Compress
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript
DeflateBufferSize 81920
<FilesMatch "\.php$">
SetHandler "proxy:unix:/run/rocketgit.sock|fcgi://localhost"
</FilesMatch>
</VirtualHost>
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"
Clone this repository using HTTP(S):
git clone https://code.reversed.top/user/xaizek/rocketgit
Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@code.reversed.top/user/xaizek/rocketgit
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a
pull request:
... clone the repository ...
... make some changes and some commits ...
git push origin master