From fabeb6ab749b176508bd4c46288a08bd721de925 Mon Sep 17 00:00:00 2001
From: Axilleas Pipinellis <axilleas@archlinux.gr>
Date: Mon, 5 Aug 2013 14:15:25 +0300
Subject: [PATCH] Enhance existing apache config. Implement #50 and #79

Beware that adding `ProxyPass /uploads !` would be a security issue,
since uploads are publicly available without any authentification by default.

See: https://github.com/gitlabhq/gitlabhq/issues/348#issuecomment-21682402
---
 web-server/apache/gitlab | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/web-server/apache/gitlab b/web-server/apache/gitlab
index 3e4bbe3..b2cd452 100644
--- a/web-server/apache/gitlab
+++ b/web-server/apache/gitlab
@@ -1,20 +1,36 @@
-# require apache module mod_proxy and mod_proxy_http
+# Requires apache modules: mod_proxy and mod_proxy_http
+# In Debian based distros enable with: sudo a2enmod mod_proxy mod_proxy_http
+# Change ServerName to your fqdn
+
 <VirtualHost *:80>
 	ServerName gitlab.example.com
 	#ServerAlias git.example.com
 
-	# Uncomment if you want redirect from HTTP to HTTPS
+	# Uncomment the following 3 lines if you want to redirect HTTP to HTTPS
+
 	#RewriteEngine   on
 	#RewriteCond     %{SERVER_PORT} ^80$
 	#RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
 	
+	ProxyPass /uploads !
+	ProxyPass /error !
 	ProxyPass / http://127.0.0.1:3000/
 	ProxyPassReverse / http://127.0.0.1:3000/
 	ProxyPreserveHost On
 
 	CustomLog /var/log/apache2/gitlab/access.log combined
 	ErrorLog  /var/log/apache2/gitlab/error.log
+
+	# Modify path to your needs (needed for downloading attachments)
+	DocumentRoot /home/git/gitlab/public
+
+	<Location />
+		Order allow,deny
+		Allow from all
+	</Location>
+
 </VirtualHost>
+
 <VirtualHost *:443>
 	ServerName gitlab.example.com
 	ServerAdmin gitlab@example.com
@@ -22,15 +38,22 @@
 	SSLEngine On
 	SSLCertificateFile /etc/apache2/ssl/server.crt
 	SSLCertificateKeyFile /etc/apache2/ssl/server.key
-	#SSLCertificateChainFile /etc/apache2/ssl/cacert.pem
-
-	# Uncomment the following line to prevent redirects to http on https only vhosts
-	#RequestHeader set X-Forwarded-Proto "https"
 
+	ProxyPass /uploads !
+	ProxyPass /error !
 	ProxyPass / http://127.0.0.1:3000/
 	ProxyPassReverse / http://127.0.0.1:3000/
 	ProxyPreserveHost On
 
 	CustomLog /var/log/apache2/gitlab/access.log combined
 	ErrorLog  /var/log/apache2/gitlab/error.log
+
+	# Modify path to your needs (needed for downloading attachments)
+	DocumentRoot /home/git/gitlab/public
+
+	<Location />
+		Order allow,deny
+		Allow from all
+	</Location>
+
 </VirtualHost>