Diffstat (limited to 'etc/httpd')
-rw-r--r--etc/httpd/conf.d/git-http-apcf.conf27
-rw-r--r--etc/httpd/conf.d/git-http-cf.conf26
-rw-r--r--etc/httpd/conf.d/git-http-p.conf35
-rw-r--r--etc/httpd/conf.d/git-http-pcf.conf42
-rw-r--r--etc/httpd/conf/httpd.conf76
5 files changed, 185 insertions, 21 deletions
diff --git a/etc/httpd/conf.d/git-http-apcf.conf b/etc/httpd/conf.d/git-http-apcf.conf
new file mode 100644
index 0000000..d781aea
--- /dev/null
+++ b/etc/httpd/conf.d/git-http-apcf.conf
@@ -0,0 +1,27 @@
+#
+#
+# Git Smart HTTP Support (authenticated read/write)
+# git push, clone, fetch — ALL authenticated
+
+SetEnv GIT_PROJECT_ROOT /srv/git
+SetEnv GIT_HTTP_EXPORT_ALL 1
+
+# Expose all of the endpoints.
+ScriptAliasMatch "^(/.+/(git-upload-pack|git-receive-pack|info/refs))$" \
+ /usr/libexec/git-core/git-http-backend$1
+
+# Globally authenticate for each endpoint.
+<LocationMatch "^/.+/(git-upload-pack|git-receive-pack|info/refs)$">
+ AuthType Basic
+ AuthName "Git Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+ Require valid-user
+</LocationMatch>
+
+# info/refs strictly scoped
+<LocationMatch "^/.+/info/refs$">
+ <RequireAny>
+ Require expr %{QUERY_STRING} == "service=git-upload-pack"
+ Require expr %{QUERY_STRING} == "service=git-receive-pack"
+ </RequireAny>
+</LocationMatch>
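Review bot: The second `<LocationMatch "^/.+/info/refs$">` section likely cancels the `Require valid-user` of the section above for info/refs requests. With the default `AuthMerging Off`, the authorization directives of the later-merged section replace the earlier ones, and a `Require expr` that does not reference the user is granted without triggering authentication. That would serve the ref advertisement (branch names and commit ids) to anonymous clients from a file whose header says "ALL authenticated". Combine both checks in the info/refs section the way git-http-p.conf does, with a `<RequireAll>` holding `Require valid-user` and the `<RequireAny>`, or add `AuthMerging And` to that section. Then confirm that an unauthenticated info/refs request gets a 401.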
diff --git a/etc/httpd/conf.d/git-http-cf.conf b/etc/httpd/conf.d/git-http-cf.conf
new file mode 100644
index 0000000..0d4302e
--- /dev/null
+++ b/etc/httpd/conf.d/git-http-cf.conf
@@ -0,0 +1,26 @@
+#
+#
+# Git Smart HTTP Support (readonly)
+# clone/fetch ONLY
+
+SetEnv GIT_PROJECT_ROOT /srv/git
+SetEnv GIT_HTTP_EXPORT_ALL 1
+
+# Expose git-upload-pack and info/refs.
+ScriptAliasMatch "^(/.+/(git-upload-pack|info/refs))$" \
+ /usr/libexec/git-core/git-http-backend$1
+
+# No authentication needed for git clone/fetch.
+<LocationMatch "^/.+/git-upload-pack$">
+ Require all granted
+</LocationMatch>
+
+# Only allow info/refs for git clone/fetch.
+<LocationMatch "^/.+/info/refs$">
+ Require expr %{QUERY_STRING} == "service=git-upload-pack"
+</LocationMatch>
+
+# Explicitly deny git push just in case.
+<LocationMatch "^/.+/git-receive-pack$">
+ Require all denied
+</LocationMatch>
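Review bot: `SetEnv GIT_HTTP_EXPORT_ALL 1` together with `Require all granted` on `git-upload-pack` makes every repository under /srv/git anonymously cloneable, including any without a `git-daemon-export-ok` file and any that the web front end is configured not to list. If that is intended, state it in the header, e.g. `# NOTE: exports every repo under GIT_PROJECT_ROOT to anonymous clients`; otherwise drop the variable and mark public repositories individually. git-http-pcf.conf has the same combination. Both `SetEnv` lines also sit outside any section, so they are set for every request, not only the git endpoints.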
diff --git a/etc/httpd/conf.d/git-http-p.conf b/etc/httpd/conf.d/git-http-p.conf
new file mode 100644
index 0000000..b30ad47
--- /dev/null
+++ b/etc/httpd/conf.d/git-http-p.conf
@@ -0,0 +1,35 @@
+#
+#
+# Git Smart HTTP Support
+# git push ONLY
+
+SetEnv GIT_PROJECT_ROOT /srv/git
+SetEnv GIT_HTTP_EXPORT_ALL 1
+
+# Expose git-receive-pack and info/refs.
+ScriptAliasMatch "^(/.+/(git-receive-pack|info/refs))$" \
+ /usr/libexec/git-core/git-http-backend$1
+
+# Authenticate against git push.
+<LocationMatch "^/.+/(git-receive-pack)$">
+ AuthType Basic
+ AuthName "Git Push Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+ Require valid-user
+</LocationMatch>
+
+# Deny info/refs push unless it's for git push.
+<LocationMatch "^/.+/info/refs$">
+ AuthType Basic
+ AuthName "Git Push Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+ <RequireAll>
+ Require expr %{QUERY_STRING} == "service=git-receive-pack"
+ Require valid-user
+ </RequireAll>
+</LocationMatch>
+
+# Explicitly deny git clone/fetch just in case.
+<LocationMatch "^/.+/git-upload-pack$">
+ Require all denied
+</LocationMatch>
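Review bot: The `AuthType Basic` sections for `git-receive-pack` and `info/refs` send the password base64-encoded on every request, and the httpd.conf in this commit shows only `Listen 80` with no TLS configuration visible. Unless TLS is terminated in front of this server, push credentials are readable on the wire. At minimum document the requirement in the file header, e.g. `# Basic auth: deploy only behind TLS; credentials are sent unencrypted otherwise`. The same applies to git-http-apcf.conf and git-http-pcf.conf. Note also that `Require valid-user` lets any account in the auth file push to every repository under /srv/git, since there is no per-repository authorization here.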
diff --git a/etc/httpd/conf.d/git-http-pcf.conf b/etc/httpd/conf.d/git-http-pcf.conf
new file mode 100644
index 0000000..d343443
--- /dev/null
+++ b/etc/httpd/conf.d/git-http-pcf.conf
@@ -0,0 +1,42 @@
+#
+#
+# Git Smart HTTP Support (read/write)
+# git push, clone and fetch allowed
+
+SetEnv GIT_PROJECT_ROOT /srv/git
+SetEnv GIT_HTTP_EXPORT_ALL 1
+
+# Expose git-upload/receive-pack and info/refs.
+ScriptAliasMatch "^(/.+/(git-upload-pack|git-receive-pack|info/refs))$" \
+ /usr/libexec/git-core/git-http-backend$1
+
+# Authenticate against git push.
+<LocationMatch "^/.+/git-receive-pack$">
+ AuthType Basic
+ AuthName "Git Push Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+ Require valid-user
+</LocationMatch>
+
+# Only allow git-upload-pack or git-receive-pack services and nothing else.
+<LocationMatch "^/.+/info/refs$">
+ AuthType Basic
+ AuthName "Git Push Access"
+ AuthUserFile ${GIT_HTTP_AUTH_FILE}
+
+ <RequireAny>
+ # git clone/fetch, no auth
+ Require expr %{QUERY_STRING} == "service=git-upload-pack"
+
+ # git push, authenticated
+ <RequireAll>
+ Require expr %{QUERY_STRING} == "service=git-receive-pack"
+ Require valid-user
+ </RequireAll>
+ </RequireAny>
+</LocationMatch>
+
+# Allow git clone/fetch w/o auth.
+<LocationMatch "^/.+/git-upload-pack$">
+ Require all granted
+</LocationMatch>
\ No newline at end of file
diff --git a/etc/httpd/conf/httpd.conf b/etc/httpd/conf/httpd.conf
index 3b6da71..675241d 100644
--- a/etc/httpd/conf/httpd.conf
+++ b/etc/httpd/conf/httpd.conf
@@ -16,7 +16,14 @@ LoadModule dir_module modules/mod_dir.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule alias_module modules/mod_alias.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
-
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule expires_module modules/mod_expires.so
+# And Basic Auth Modules
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authz_user_module modules/mod_authz_user.so
# Load CGI Module
<IfModule !mpm_prefork_module>
LoadModule cgid_module modules/mod_cgid.so
@@ -25,41 +32,68 @@ LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule cgi_module modules/mod_cgi.so
</IfModule>
-# And Basic Auth Modules
-LoadModule auth_basic_module modules/mod_auth_basic.so
-LoadModule authn_core_module modules/mod_authn_core.so
-LoadModule authn_file_module modules/mod_authn_file.so
-LoadModule authz_user_module modules/mod_authz_user.so
-
#
# Server config
-Listen 0.0.0.0:80
+Listen 80
ServerName localhost
-ServerAdmin root@localhost
EnableSendFile on
AddDefaultCharset UTF-8
TypesConfig /etc/mime.types
MIMEMagicFile conf/magic
AddHandler cgi-script .cgi
+#
+# Log Config
+LogLevel warn
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+ErrorLog "logs/error_log"
+ScriptLog logs/git-http-debug.log
+CustomLog "logs/access_log" combined
+
+#
+# Git Smart HTTP Support (if enabled)
+PassEnv GIT_HTTP_AUTH_FILE
+IncludeOptional conf.d/git-http.conf
+
+#
# Always wear protection.
<Directory />
- Require all denied
+ Require all granted
</Directory>
-# NOTE: Alias matcher MUST end in /, not /cgit.cgi. It WILL break otherwise.
-# ALSO: "cgitrc must have a virtual-root=/".
-# Remove /cgit.cgi/ from url paths.
-ScriptAlias "/" "/srv/www/htdocs/cgit/cgit.cgi/"
-<Directory "/srv/www/htdocs/cgit/">
- DirectoryIndex cgit.cgi
- AllowOverride None
- Options +ExecCGI +FollowSymLinks
- SetHandler cgi-script
+#
+# ALSO: cgitrc must have this: virtual-root=/
+DocumentRoot "/srv/www/htdocs/cgit"
+<Directory "/srv/www/htdocs/cgit">
Require all granted
+ # -Indexes here is not strictly necessary;
+ # Added for good hygiene
+ Options +ExecCGI -Indexes
+ DirectoryIndex cgit.cgi
+ AllowOverride All
+
+ RewriteEngine On
+
+ # Hard stop: never rewrite Git HTTP requests.
+ RewriteRule ^.+/(git-upload-pack|git-receive-pack|info/refs)$ - [END]
+
+ # Serve static files directly.
+ RewriteCond %{REQUEST_FILENAME} -f
+ RewriteRule ^ - [END]
+
+ # Let cgit handle everything else (and stay off my url).
+ RewriteRule ^(.*)$ cgit.cgi/$1 [END]
+
+ # Cache static assets
+ ExpiresActive On
+ <FilesMatch "\.(css|js|png|ico)$">
+ ExpiresDefault "access plus 30 days"
+ Header set Cache-Control "public, max-age=2592000, immutable"
+ </FilesMatch>
</Directory>
-# Deny access to .htaccess/.htpasswd
+# Deny access to .htaccess/.htpasswd.
<Files ".ht">
Require all denied
-</Files>
\ No newline at end of file
+</Files>
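Review bot: The `<Directory />` block under "Always wear protection." now reads `Require all granted`, which removes the default-deny for every filesystem path not covered by a more specific section. Keeping `Require all denied` there should still work, since the cgit directory and the git `LocationMatch` sections carry their own explicit `Require` rules. `AllowOverride All` on the cgit directory turns any .htaccess file there into live configuration, while the unchanged `<Files ".ht">` matches only a file literally named `.ht`; `<Files ".ht*">` is what its comment describes. `ScriptLog logs/git-http-debug.log` is a debugging aid that can record request headers and POST bodies of failing CGI requests, which for the git endpoints may include the Basic `Authorization` header, so it should not stay enabled outside a debugging session. `PassEnv GIT_HTTP_AUTH_FILE` also hands the password-file path to every CGI, which the `${GIT_HTTP_AUTH_FILE}` substitution in the conf.d files does not appear to need.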