Tag Archives: apache

GitWeb

Emerge git with the required USE flags:

USE="curl gpg iconv nls pcre perl safe-directory webdav cgi cvs highlight keyring tk" emerge -aq dev-vcs/git

Configure Apache vhosts (NO AUTH):

<VirtualHost *:443>
        SSLEngine on
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
          SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/localhost/cgi-bin">
          SSLOptions +StdEnvVars
        </Directory>
        SSLCertificateFile /path/to/cert.crt
        SSLCertificateKeyFile /path/to/key.key
        ServerName git.example.com
        DocumentRoot /usr/share/gitweb
        Options ExecCGI FollowSymLinks SymLinksIfOwnerMatch
        <Location />
          SSLRequireSSL
          Require all granted
          RewriteOptions inherit
          AllowOverride All
        </Location>
        <Directory /usr/share/gitweb>
          Require all granted
          RewriteOptions inherit
          AllowOverride All
          Options ExecCGI FollowSymLinks SymLinksIfOwnerMatch
          # Run gitweb.cgi as a CGI script
          <Files gitweb.cgi>
            SetHandler cgi-script
          </Files>
        </Directory>
        DirectoryIndex gitweb.cgi
        # Tell gitweb where its configuration file lives
        SetEnv  GITWEB_CONFIG  /etc/gitweb.conf
        <IfModule headers_module>
          RequestHeader set X-HTTPS 1
        </IfModule>
</VirtualHost>

Basic /etc/gitweb.conf
$projectroot = '/path/to/gitroot';
@git_base_url_list = ( 'git@example.com', );
$site_name = "Smack my git up!";
$default_projects_order = "age";
$projects_list_group_categories = 1;
$feature{'blame'}{'default'} = [1];
$feature{'highlight'}{'default'} = [1];

Adjust git-daemon
Gitweb allows browsing repositories via HTTP, but if you will be pulling from your repositories using the git:// protocol, you'll also want to run git-daemon. On Gentoo this is really easy: just edit /etc/conf.d/git-daemon as you see fit, e.g.:

GITDAEMON_OPTS="--syslog --enable=receive-pack --export-all"

This exports all repositories within the git root. It also allows pushing files to the server; the git:// protocol carries no authentication, so anyone who can reach the daemon can push.

You will also need to ensure that clients can connect to port tcp/9418 (the default).

Setup the git user

useradd -m git -d /path/to/githome -s /usr/bin/git-shell
mkdir /path/to/githome/.ssh
cat /home/A_USER/.ssh/id_rsa.pub > /path/to/githome/.ssh/authorized_keys
chmod 700 /path/to/githome/.ssh
chmod 600 /path/to/githome/.ssh/authorized_keys
# sshd reads authorized_keys as the git user, so git must own the directory and file
chown -R git: /path/to/githome/.ssh
setfacl -PRdm u:apache:rwx /path/to/githome

Create an Empty Repository

su -s /bin/bash git
cd
mkdir name.git
cd name.git
git init --bare
echo "This is a test" > description
git remote add origin git@example.com:name.git

Set Configuration Options

Execute the following on a client (optional)
To see available options execute: git help --config

git config --global init.defaultBranch master
git config --global core.editor vim
git config --global alias.st status
git config --global alias.co checkout
git config --global alias.br branch
git config --global alias.up rebase
git config --global alias.ci commit
git config --global user.name "A_USER"
git config --global user.email A_USER@example.com
git config --global color.ui true
git config --global --add --bool push.autoSetupRemote true

Clone Repo

# cd to your local git directory first
git clone git@example.com:name.git
cd name
touch README.md
git add README.md
git ci -m "Initial Setup"
git push
git br branch_name
git co branch_name
mkdir testdir
touch testdir/testfile
git add .
git ci -m "init"
git push # Pushes to your upstream branch
git push origin branch_name:master # Pushes to the master branch

Web Authentication

Note: I did not have any success using dbmmanage. Use htdbm instead.

Create the database file and add a user:
Do not store this in the web root (e.g. /var/www/localhost/htdocs), but make sure apache can read the file.

htdbm -cm -TGDBM <path/to/dbm_file> <user>

-c - create the db file
-m - use MD5 hashing (Apache's salted apr1 variant; htdbm also accepts -B for bcrypt)
-T - set the format of the db file

Set the permission for apache:

chown apache: <path/to/dbm_file>
chmod 640 <path/to/dbm_file>

Add code to vhosts:
You can apply this to files, directories etc. Here I've done it for the whole subdomain. Replace the 3 highlighted italic lines above with the code below, excluding the start/end tags.

    <Location />
      AuthName "Private"
      AuthType Basic
      AuthBasicProvider dbm
      AuthDBMType GDBM
      AuthDBMUserFile "/path/to/dbm_file"
      Require valid-user 
      Require all denied
      RewriteOptions inherit
      AllowOverride All
    </Location>

Reload apache and browse to the protected area; you should be prompted to authenticate.

A good explanation can be found here for the web config.

Apache Custom LogFormats

Take the leg work out of reading your apache logs by converting them to a structured format that's easy to read. Enter JSON :)

Create the file /etc/apache2/vhosts.d/00_default_logging.conf
You will also need to ensure the "logio_module" is enabled.

For the access log, I use the format: Apache doc.

LogFormat "{\"time\":\"%{msec}t\", \"bytes_in\":\"%I\", \"bytes_out\":\"%O\", \"cookie\":\"%{Cookie}i\", \"server\":\"%v\", \"dest_port\":\"%p\", \"http_content_type\":\"%{Content-type}i\", \"http_method\":\"%m\", \"http_referrer\":\"%{Referer}i\", \"http_user_agent\":\"%{User-agent}i\", \"ident\":\"%l\", \"response_time_microseconds\":\"%D\", \"client\":\"%h\", \"remoteAddr\":\"%a\", \"status\":\"%>s\", \"uri_path\":\"%U\", \"uri_query\":\"%q\", \"user\":\"%u\"}" apache_json

And for the error log, I use: Apache doc.

ErrorLogFormat "{\"time\":\"%{msec}t\", \"client\":\"%a\", \"log_level\":\"%l\", \"pid\":\"%P\", \"srcln\":\"%F\", \"error_code\":\"%E\", \"message\":\"%M\"}"

In the vhost.conf I have the following at the bottom of my VirtualHost block:

<VirtualHost>
    ...
    CustomLog "/var/log/apache2/ssl_access.log" apache_json
    ErrorLog /var/log/apache2/ssl_error.log
</VirtualHost>

Run the following command to check that the config is sane:

apachectl configtest

If nothing is returned, go ahead and restart apache.
This also makes importing the logs much easier into tools like ELK or Splunk.
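
Reading the apache_json access log back defensively (an added example, not from the original post): Apache writes non-printable and non-ASCII bytes in request fields as \xhh and vertical tab as \v, neither of which is valid JSON, and the format above also logs the Cookie header. The sample lines are constructed and trimmed to a few fields, and the function names are illustrative.

```python
import json
import re
from collections import Counter

# Apache escapes bytes in logged request fields as \xhh and vertical tab as \v;
# neither is a legal JSON escape, so both are rewritten to \u00hh before parsing.
_APACHE_ESC = re.compile(r'\\(\\|v|x([0-9A-Fa-f]{2}))')

def _to_json_escape(m):
    if m.group(2):                       # \xhh -> \u00hh
        return '\\u00' + m.group(2)
    if m.group(1) == 'v':                # \v -> \u000b
        return '\\u000b'
    return m.group(0)                    # \\ is an escaped backslash, keep it

def parse_line(line):
    """Parse one apache_json access-log line; return None if it is malformed."""
    try:
        rec = json.loads(_APACHE_ESC.sub(_to_json_escape, line))
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    for key, val in rec.items():
        if isinstance(val, str):
            # \xhh runs are raw bytes: rejoin them into UTF-8 text where valid
            rec[key] = val.encode('latin-1', 'replace').decode('utf-8', 'replace')
    if rec.get('cookie') not in (None, '', '-'):
        rec['cookie'] = '[redacted]'     # keep session tokens out of the log store
    return rec

def failed_auth_by_client(lines, threshold=3):
    """Return {client: count} for clients with >= threshold HTTP 401 responses."""
    hits = Counter(r['remoteAddr'] for r in map(parse_line, lines)
                   if r and r.get('status') == '401' and 'remoteAddr' in r)
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample lines, trimmed to the fields used here.
SAMPLE = [
    r'{"remoteAddr":"203.0.113.7", "status":"401", "cookie":"-", "http_user_agent":"caf\xc3\xa9 \"bot\""}',
    r'{"remoteAddr":"203.0.113.7", "status":"401", "cookie":"-", "http_user_agent":"-"}',
    r'{"remoteAddr":"203.0.113.7", "status":"401", "cookie":"-", "http_user_agent":"-"}',
    r'{"remoteAddr":"198.51.100.2", "status":"200", "cookie":"session=abc123", "http_user_agent":"Mozilla\\x41"}',
]

if __name__ == '__main__':
    for rec in map(parse_line, SAMPLE):
        print(rec)
    print(failed_auth_by_client(SAMPLE))
```

Feeding the first sample line straight to json.loads fails on the \xc3 escape, which is why the rewrite step comes before parsing.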

HTTPS/HTTP Virtual Hosts

 

Sometimes there is a need to have virtual hosts (vhosts, name-based virtual hosts; see Wikipedia).

To enable https vhosts, use this example in /etc/apache2/vhosts.d/00_default_ssl_vhost.conf:

NameVirtualHost *:443

<VirtualHost *:443>
 SSLEngine on
 # Strong suites only: no anonymous (aNULL) or MD5-based ciphers
 SSLCipherSuite HIGH:!aNULL:!MD5
 SSLCertificateFile /path/to/your/cert.crt
 SSLCertificateKeyFile /path/to/your/cert.key

 ServerName vhost1.cdstealer.com
 SSLOptions StrictRequire
 # TLS 1.2 and newer only
 SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

 DocumentRoot /path/to/your/htdocs/vhost
 <Directory /path/to/your/htdocs/vhost>
 SSLRequireSSL
 Order Deny,Allow
 Allow from All
 </Directory>

 <IfModule log_config_module>
 TransferLog /var/log/apache2/ssl_access_log
 </IfModule>

</VirtualHost>

To enable http vhosts, use this example in /etc/apache2/vhosts.d/00_default_vhost.conf:

NameVirtualHost *:80

<VirtualHost *:80>
 ServerName vhost1.cdstealer.com
 DocumentRoot /path/to/your/htdocs/vhost/
 <Directory /path/to/your/htdocs/vhost/>
 Allow from All
 </Directory>
 <IfModule mpm_peruser_module>
 ServerEnvironment apache apache
 </IfModule>
</VirtualHost>

However, doing this won't be enough. Your DNS host will also need a CNAME record that points to your server.