From acb63a082e9497e3a1e2541f5e44587eada7c60b Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 05 Dec 2012 17:29:39 -0500
Subject: [PATCH] Added server setting to specify keystore alias for ssl certificate (issue 98)
---
 distrib/gitblit.properties | 250 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 248 insertions(+), 2 deletions(-)
diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index 440414e..ce269d2 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -12,6 +12,17 @@
 # RESTART REQUIRED
 git.repositoriesFolder = git
 
+# Build the available repository list at startup and cache this list for reuse.
+# This reduces disk io when presenting the repositories page, responding to rpcs,
+# etc, but it means that Gitblit will not automatically identify repositories
+# added or deleted by external tools.
+#
+# For this case you can use curl, wget, etc to issue an rpc request to clear the
+# cache (e.g. https://localhost/rpc?req=CLEAR_REPOSITORY_CACHE)
+#
+# SINCE 1.1.0
+git.cacheRepositoryList = true
+
 # Search the repositories folder subfolders for other repositories.
 # Repositories MAY NOT be nested (i.e. one repository within another)
 # but they may be grouped together in subfolders.
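Review bot: The comment for `git.cacheRepositoryList` shows a `CLEAR_REPOSITORY_CACHE` rpc request as the way to refresh the cached list but does not say who is allowed to issue it, so an operator reading only this block cannot tell whether the example URL is an anonymous cache-flush endpoint or an administrative call. Presumably it is gated by the same rpc administration/management switches documented further down in this file (`web.enableRpcAdministration` is visible in a later hunk), but that should be stated here. Suggested addition after the example: `# The request is an administrative rpc; it is only honored when rpc administration is enabled and the caller authenticates as an administrator.` (adjusted to whatever the servlet actually enforces).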
@@ -20,6 +31,34 @@
 #
 # SINCE 0.5.0
 git.searchRepositoriesSubfolders = true
+
+# Maximum number of folders to recurse into when searching for repositories.
+# The default value, -1, disables depth limits.
+#
+# SINCE 1.1.0
+git.searchRecursionDepth = -1
+
+# List of regex exclusion patterns to match against folders found in
+# *git.repositoriesFolder*.
+# Use forward slashes even on Windows!!
+# e.g. test/jgit\.git
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 1.1.0
+git.searchExclusions =
+
+# List of regex url patterns for extracting a repository name when locating
+# submodules.
+# e.g. git.submoduleUrlPatterns = .*?://github.com/(.*) will extract
+# *gitblit/gitblit.git* from *git://github.com/gitblit/gitblit.git*
+# If no matches are found then the submodule repository name is assumed to be
+# whatever trails the last / character. (e.g. gitblit.git).
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 1.1.0
+git.submoduleUrlPatterns = .*?://github.com/(.*)
 
 # Allow push/pull over http/https with JGit servlet.
 # If you do NOT want to allow Git clients to clone/push to Gitblit set this
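Review bot: The `git.searchExclusions` comment does not say what string each regex is matched against or whether the match must cover the whole string, so the single example `test/jgit\.git` cannot tell a reader whether `jgit\.git` alone would also exclude that folder or whether the path is relative to `git.repositoriesFolder`. Since these patterns decide which repositories are served at all, the contract matters for anyone using them to hide a directory. Suggested wording for the comment: `# Each pattern is matched against the folder path relative to git.repositoriesFolder (forward slashes); a folder is excluded when the pattern matches the whole relative path.` — adjusted to what the search code actually does, which is not visible in this hunk.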
@@ -30,12 +69,48 @@
 # SINCE 0.5.0
 git.enableGitServlet = true
 
+# If you want to restrict all git servlet access to those with valid X509 client
+# certificates then set this value to true.
+#
+# SINCE 1.2.0
+git.requiresClientCertificate = false
+
+# Enforce date checks on client certificates to ensure that they are not being
+# used prematurely and that they have not expired.
+#
+# SINCE 1.2.0
+git.enforceCertificateValidity = true
+
+# List of OIDs to extract from a client certificate DN to map a certificate to
+# an account username.
+#
+# e.g. git.certificateUsernameOIDs = CN
+# e.g. git.certificateUsernameOIDs = FirstName LastName
+#
+# SPACE-DELIMITED
+# SINCE 1.2.0
+git.certificateUsernameOIDs = CN
+
 # Only serve/display bare repositories.
 # If there are non-bare repositories in git.repositoriesFolder and this setting
 # is true, they will be excluded from the ui.
 #
 # SINCE 0.9.0
 git.onlyAccessBareRepositories = false
+
+# Allow an authenticated user to create a destination repository on a push if
+# the repository does not already exist.
+#
+# Administrator accounts can create a repository in any project.
+# These repositories are created with the default access restriction and authorization
+# control values. The pushing account is set as the owner.
+#
+# Non-administrator accounts with the CREATE role may create personal repositories.
+# These repositories are created as VIEW restricted for NAMED users.
+# The pushing account is set as the owner.
+#
+# SINCE 1.2.0
+git.allowCreateOnPush = true
 
 # The default access restriction for new repositories.
 # Valid values are NONE, PUSH, CLONE, VIEW
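Review bot: The `git.certificateUsernameOIDs` comment describes the DN-to-username mapping but not its trust boundary: any client certificate that chains to a CA Gitblit accepts and carries a matching `CN` (or `FirstName LastName`) will authenticate as that account, so the mapping is only as strong as the set of issuing CAs and the uniqueness of the chosen attributes. That deserves one sentence, e.g. `# Only trust this mapping for CAs you control; every certificate those CAs issue with a matching DN attribute logs in as the mapped account, so pick attributes that are unique per user.` Separately, `git.enforceCertificateValidity` only mentions date checks, so the comment should say whether revocation is considered (it presumably is not, given the name). `git.allowCreateOnPush` defaults to `true`, which lets every account holding the CREATE role materialize new repositories on the server; that is a reasonable product default, but the comment should note the disk-consumption implication so operators of shared instances know to turn it off or restrict the role.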
@@ -47,6 +122,75 @@
 # SINCE 1.0.0
 git.defaultAccessRestriction = NONE
 
+# The default authorization control for new repositories.
+# Valid values are AUTHENTICATED and NAMED
+# AUTHENTICATED = any authenticated user is granted restricted access
+# NAMED = only named users/teams are granted restricted access
+#
+# SINCE 1.1.0
+git.defaultAuthorizationControl = NAMED
+
+# Enable JGit-based garbage collection. (!!EXPERIMENTAL!!)
+#
+# USE AT YOUR OWN RISK!
+#
+# If enabled, the garbage collection executor scans all repositories once a day
+# at the hour of your choosing. The GC executor will take each repository "offline",
+# one-at-a-time, to check if the repository satisfies it's GC trigger requirements.
+#
+# While the repository is offline it will be inaccessible from the web UI or from
+# any of the other services (git, rpc, rss, etc).
+#
+# Gitblit's GC Executor MAY NOT PLAY NICE with the other Git kids on the block,
+# especially on Windows systems, so if you are using other tools please coordinate
+# their usage with your GC Executor schedule or do not use this feature.
+#
+# The GC algorithm complex and the JGit team advises caution when using their
+# young implementation of GC.
+#
+# http://wiki.eclipse.org/EGit/New_and_Noteworthy/2.1#Garbage_Collector_and_Repository_Storage_Statistics
+#
+# EXPERIMENTAL
+# SINCE 1.2.0
+# RESTART REQUIRED
+git.enableGarbageCollection = false
+
+# Hour of the day for the GC Executor to scan repositories.
+# This value is in 24-hour time.
+#
+# SINCE 1.2.0
+git.garbageCollectionHour = 0
+
+# The default minimum total filesize of loose objects to trigger early garbage
+# collection.
+#
+# You may specify a custom threshold for a repository in the repository's settings.
+# Common unit suffixes of k, m, or g are supported.
+#
+# SINCE 1.2.0
+git.defaultGarbageCollectionThreshold = 500k
+
+# The default period, in days, between GCs for a repository. If the total filesize
+# of the loose object exceeds *git.garbageCollectionThreshold* or the repository's
+# custom threshold, this period will be short-circuited.
+#
+# e.g. if a repository collects 100KB of loose objects every day with a 500KB
+# threshold and a period of 7 days, it will take 5 days for the loose objects to
+# be collected, packed, and pruned.
+#
+# OR
+#
+# if a repository collects 10KB of loose objects every day with a 500KB threshold
+# and a period of 7 days, it will take the full 7 days for the loose objects to be
+# collected, packed, and pruned.
+#
+# You may specify a custom period for a repository in the repository's settings.
+#
+# The minimum value is 1 day since the GC Executor only runs once a day.
+#
+# SINCE 1.2.0
+git.defaultGarbageCollectionPeriod = 7
+
 # Number of bytes of a pack file to load into memory in a single read operation.
 # This is the "page size" of the JGit buffer cache, used for all pack access
 # operations. All disk IO occurs as single window reads. Setting this too large
@@ -56,6 +200,7 @@
 # Default on JGit is 8 KiB on all platforms.
 #
 # Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -72,6 +217,7 @@
 # Default on JGit is 10 MiB on all platforms.
 #
 # Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -85,6 +231,7 @@
 # this value.
 #
 # Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -98,6 +245,7 @@
 # available for network sockets and other repository data manipulation.
 #
 # Default on JGit is 128 file descriptors on all platforms.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
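Review bot: The `git.defaultGarbageCollectionPeriod` comment refers to `*git.garbageCollectionThreshold*`, but the key introduced a few lines above is `git.defaultGarbageCollectionThreshold`; the reference should read `*git.defaultGarbageCollectionThreshold*` so readers can find the setting being short-circuited against. The `git.garbageCollectionHour` comment should also state the accepted range and clock, since an out-of-range value's effect is undocumented: `# Hour of the day (0-23, server local time) for the GC Executor to scan repositories.` (confirm the clock the executor uses). Two typos in the `git.enableGarbageCollection` block: `it's GC trigger requirements` should be `its`, and `The GC algorithm complex` is missing `is`.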
@@ -118,6 +266,7 @@
 # Default is 50 MiB on all platforms.
 #
 # Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -134,6 +283,7 @@
 #
 # Default on JGit is false. Although potentially slower, it yields much more
 # predictable behavior.
+# Documentation courtesy of the Gerrit project.
 #
 # SINCE 1.0.0
 # RESTART REQUIRED
@@ -150,6 +300,13 @@
 # RESTART REQUIRED
 # SINCE 0.8.0
 groovy.scriptsFolder = groovy
+
+# Specify the directory Grape uses for downloading libraries.
+# http://groovy.codehaus.org/Grape
+#
+# RESTART REQUIRED
+# SINCE 1.0.0
+groovy.grapeFolder = groovy/grape
 
 # Scripts to execute on Pre-Receive.
 #
@@ -230,12 +387,18 @@
 # SINCE 0.5.0
 web.allowCookieAuthentication = true
 
+# Config file for storing project metadata
+#
+# SINCE 1.2.0
+web.projectsFile = projects.conf
+
 # Either the full path to a user config file (users.conf)
 # OR the full path to a simple user properties file (users.properties)
 # OR a fully qualified class name that implements the IUserService interface.
 #
 # Alternative user services:
 # com.gitblit.LdapUserService
+# com.gitblit.RedmineUserService
 #
 # Any custom user service implementation must have a public default constructor.
 #
@@ -295,6 +458,13 @@
 # SINCE 0.7.0
 web.enableRpcAdministration = false
 
+# Full path to a configurable robots.txt file. With this file you can control
+# what parts of your Gitblit server respectable robots are allowed to traverse.
+# http://googlewebmastercentral.blogspot.com/2008/06/improving-on-robots-exclusion-protocol.html
+#
+# SINCE 1.0.0
+web.robots.txt =
+
 # If true, the web ui layout will respond and adapt to the browser's dimensions.
 # if false, the web ui will use a 940px fixed-width layout.
 # http://twitter.github.com/bootstrap/scaffolding.html#responsive
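Review bot: The `groovy.grapeFolder` comment says only that Grape downloads libraries into this directory, without noting that whatever lands there is later loaded into the server JVM by the hook scripts configured under `groovy.scriptsFolder` and the Pre-Receive script list that follows. That makes the folder and the remote repositories Grape resolves from part of the server's supply chain, which an operator hardening the host should know. Suggested addition: `# Libraries fetched here are loaded by the hook scripts; keep this folder writable only by the Gitblit process account, and pin grapes in your scripts to fixed versions from a repository you control.` — the loading behavior is inferred from Grape's documented purpose and should be confirmed against the hook runner.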
@@ -312,6 +482,19 @@
 # SINCE 0.5.0
 web.allowZipDownloads = true
 
+# If *web.allowZipDownloads=true* the following formats will be displayed for
+# download compressed archive links:
+#
+# zip = standard .zip
+# tar = standard tar format (preserves *nix permissions and symlinks)
+# gz = gz-compressed tar
+# xz = xz-compressed tar
+# bzip2 = bzip2-compressed tar
+#
+# SPACE-DELIMITED
+# SINCE 1.2.0
+web.compressedDownloads = zip gz
+
 # Allow optional Lucene integration. Lucene indexing is an opt-in feature.
 # A repository may specify branches to index with Lucene instead of using Git
 # commit traversal. There are scenarios where you may want to completely disable
@@ -321,12 +504,31 @@
 # SINCE 0.9.0
 web.allowLuceneIndexing = true
 
+# Allows an authenticated user to create forks of a repository
+#
+# set this to false if you want to disable all fork controls on the web site
+#
+web.allowForking = true
+
+# Controls the length of shortened commit hash ids
+#
+# SINCE 1.2.0
+web.shortCommitIdLength = 6
+
 # Use Clippy (Flash solution) to provide a copy-to-clipboard button.
 # If false, a button with a more primitive JavaScript-based prompt box will
 # offer a 3-step (click, ctrl+c, enter) copy-to-clipboard alternative.
 #
 # SINCE 0.8.0
 web.allowFlashCopyToClipboard = true
+
+# Default maximum number of commits that a repository may contribute to the
+# activity page, regardless of the selected duration. This setting may be valuable
+# for an extremely busy server. This value may also be configed per-repository
+# in Edit Repository. 0 disables this throttle.
+#
+# SINCE 1.2.0
+web.maxActivityCommits = 0
 
 # Default number of entries to include in RSS Syndication links
 #
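Review bot: The `web.allowForking` block in the second hunk is the only new key in this patch without a `# SINCE` line, and its comment ends on a dangling `#` where that line would normally go; add `# SINCE 1.2.0` there to match every other addition. The comment should also say what an authenticated user is allowed to fork, since forking copies repository data into a new repository the forker owns: presumably only repositories the user can already clone, which is worth stating as `# A user may only fork repositories they are permitted to clone.` (confirm against the fork handler). In the `web.maxActivityCommits` comment, `configed` should be `configured`.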
@@ -531,7 +733,7 @@
 #
 # SPACE-DELIMITED
 # SINCE 0.5.0
-web.prettyPrintExtensions = c cpp cs css htm html java js php pl prefs properties py rb sh sql xml vb
+web.prettyPrintExtensions = c cpp cs css frm groovy htm html java js php pl prefs properties py rb scala sh sql xml vb
 
 # Registered extensions for markdown transformation
 #
@@ -753,6 +955,8 @@
 
 #
 # URL of the LDAP server.
+# To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to
+# send StartTLS command.
 #
 # SINCE 1.0.0
 realm.ldap.server = ldap://localhost
@@ -867,6 +1071,16 @@
 # SINCE 1.0.0
 realm.ldap.email = email
 
+# The RedmineUserService must be backed by another user service for standard user
+# and team management.
+# default: users.conf
+#
+# RESTART REQUIRED
+realm.redmine.backingUserService = users.conf
+
+# URL of the Redmine.
+realm.redmine.url = http://example.com/redmine
+
 #
 # Server Settings
 #
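Review bot: The new `realm.ldap.server` comment explains how to request encrypted transport but not whether the LDAP server's certificate is verified when `ldaps://` or `ldap+tls://` is used, and the shipped default stays the cleartext `ldap://localhost`, so a reader may assume the scheme alone gives a safe channel. Add a sentence stating how the server certificate is validated (e.g. `# The LDAP server certificate is checked against the JVM truststore; import your CA there before enabling ldaps:// or ldap+tls://.`), adjusted to what LdapUserService actually does, and a reminder that with a plain `ldap://` URL to a remote host the bind and user passwords cross the network unencrypted.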
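Review bot: `realm.redmine.url` defaults to a plain `http://` URL and its one-line comment gives no guidance, yet this is the endpoint a user service presumably sends login credentials to, so the example should be `https://example.com/redmine` with a comment such as `# Use an https:// URL; credentials are submitted to this address.` (confirm what RedmineUserService sends). Both Redmine keys also lack the `# SINCE` line that every other new key in this patch carries.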
@@ -941,17 +1155,49 @@
 # RESTART REQUIRED
 server.ajpBindInterface = localhost
 
+# Alias of certificate to use for https/SSL serving. If blank the first
+# certificate found in the keystore will be used.
+#
+# SINCE 1.2.0
+# RESTART REQUIRED
+server.certificateAlias = localhost
+
 # Password for SSL keystore.
 # Keystore password and certificate password must match.
 # This is provided for convenience, its probably more secure to set this value
 # using the --storePassword command line parameter.
 #
+# If you are using the official JRE or JDK from Oracle you may not have the
+# JCE Unlimited Strength Jurisdiction Policy files bundled with your JVM. Because
+# of this, your store/key password can not exceed 7 characters. If you require
+# longer passwords you may need to install the JCE Unlimited Strength Jurisdiction
+# Policy files from Oracle.
+#
+# http://www.oracle.com/technetwork/java/javase/downloads/index.html
+#
+# Gitblit and the Gitblit Certificate Authority will both indicate if Unlimited
+# Strength encryption is available.
+#
 # SINCE 0.5.0
 # RESTART REQUIRED
 server.storePassword = gitblit
+
+# If serving over https (recommended) you might consider requiring clients to
+# authenticate with ssl certificates. If enabled, only https clients with the
+# a valid client certificate will be able to access Gitblit.
+#
+# If disabled, client certificate authentication is optional and will be tried
+# first before falling-back to form authentication or basic authentication.
+#
+# Requiring client certificates to access any of Gitblit may be too extreme,
+# consider this carefully.
+#
+# SINCE 1.2.0
+# RESTART REQUIRED
+server.requireClientCertificates = false
 
 # Port for shutdown monitor to listen on.
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-server.shutdownPort = 8081
\ No newline at end of file
+server.shutdownPort = 8081
-- 
Gitblit v1.9.1
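Review bot: The `server.certificateAlias` comment covers the blank case but not the case the shipped default actually creates: the value is `localhost`, so on any keystore whose entry is not named `localhost` the behavior is undocumented — whether startup fails, https is disabled, or the first certificate is silently served. Since this decides which identity the server presents, add one sentence, e.g. `# If the alias is not present in the keystore, startup fails with an error` or `# ... the first certificate is used`, whichever the Jetty wiring does. Two keys in this patch now govern client certificates, `server.requireClientCertificates` here and `git.requiresClientCertificate` earlier in the file, and neither comment references the other, so it is unclear whether the git-only setting is redundant once the server-wide one is enabled; a cross-reference such as `# See also git.requiresClientCertificate, which applies to the git servlet only.` would settle it. Finally, `only https clients with the a valid client certificate` has a stray `the`.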