Blame

Date:
Message:
add -levent in the example
Actions:
History | Blob | Raw File
  1 b9220ca4 2021-01-11 op # gmid

  2 3e4749f7 2020-10-02 op 

  3 b9231167 2021-02-08 op gmid is a fast Gemini server written with security in mind.  I

  4 b9231167 2021-02-08 op initially wrote it to serve static files, but it has grown into a

  5 747b35d0 2021-02-08 op featureful server.

  6 3e4749f7 2020-10-02 op 

  7 3e4749f7 2020-10-02 op 

  8 b9220ca4 2021-01-11 op ## Features

  9 3e4749f7 2020-10-02 op 

 10 601bc1cc 2021-01-30 op (random order)

 11 601bc1cc 2021-01-30 op 

 12 747b35d0 2021-02-08 op  - reconfiguration: reload the running configuration without

 13 747b35d0 2021-02-08 op    interruption

 14 86edc4f4 2021-02-04 op  - sandboxed by default on OpenBSD, Linux and FreeBSD

 15 4d2ec6d7 2021-01-13 op  - IRI support (RFC3987)

 16 286c4f40 2021-01-27 op  - punycode support

 17 601bc1cc 2021-01-30 op  - dual stack (IPv4 and IPv6)

 18 601bc1cc 2021-01-30 op  - automatic certificate generation for config-less mode

 19 b9220ca4 2021-01-11 op  - CGI scripts

 20 b9220ca4 2021-01-11 op  - (very) low memory footprint

 21 b9231167 2021-02-08 op  - event-based asynchronous I/O model

 22 b9220ca4 2021-01-11 op  - small codebase, easily hackable

 23 b9220ca4 2021-01-11 op  - virtual hosts

 24 286c4f40 2021-01-27 op  - per-location rules

 25 286c4f40 2021-01-27 op  - optional directory listings

 26 286c4f40 2021-01-27 op  - configurable mime types

 27 0b00962d 2021-01-25 op  - chroot support

 28 3e4749f7 2020-10-02 op 

 29 fab952e1 2020-10-03 op 

 30 286c4f40 2021-01-27 op ## Internationalisation (IRIs, UNICODE, punycode, all that stuff)

 31 286c4f40 2021-01-27 op 

 32 286c4f40 2021-01-27 op Even thought the current Gemini specification doesn't mention anything

 33 601bc1cc 2021-01-30 op in this regard, I do think these are important things and so I tried

 34 601bc1cc 2021-01-30 op to implement them in the most user-friendly way I could think of.

 35 286c4f40 2021-01-27 op 

 36 601bc1cc 2021-01-30 op For starters, gmid has full support for IRI (RFC3987 —

 37 22a742e4 2021-01-29 op Internationalized Resource Identifiers).  IRIs are a superset of URIs,

 38 286c4f40 2021-01-27 op so there aren't incompatibilities with URI-only clients.

 39 286c4f40 2021-01-27 op 

 40 601bc1cc 2021-01-30 op There is full support also for punycode.  In theory, the user doesn't

 41 286c4f40 2021-01-27 op even need to know that punycode is a thing.  The hostname in the

 42 601bc1cc 2021-01-30 op configuration file can (and must be) in the decoded form (e.g. `naïve`

 43 601bc1cc 2021-01-30 op and not `xn--nave-6pa`), gmid will do the rest.

 44 286c4f40 2021-01-27 op 

 45 601bc1cc 2021-01-30 op The only missing piece is UNICODE normalisation of the IRI path: gmid

 46 601bc1cc 2021-01-30 op doesn't do that (yet).

 47 286c4f40 2021-01-27 op 

 48 286c4f40 2021-01-27 op 

 49 1487e11e 2021-02-06 op ## Configuration

 50 1487e11e 2021-02-06 op 

 51 1487e11e 2021-02-06 op gmid has a rich configuration file, heavily inspired by OpenBSD'

 52 1487e11e 2021-02-06 op httpd.  While you should definitely check the manpage because it

 53 1487e11e 2021-02-06 op documents every option in depth, here's an example of what gmid can

 54 1487e11e 2021-02-06 op do.

 55 1487e11e 2021-02-06 op 

 56 1487e11e 2021-02-06 op ```conf

 57 1487e11e 2021-02-06 op ipv6 on     # enable ipv6

 58 1487e11e 2021-02-06 op 

 59 1487e11e 2021-02-06 op server "example.com" {

 60 1487e11e 2021-02-06 op     cert "/path/to/cert.pem"

 61 1487e11e 2021-02-06 op     key  "/path/to/key.pem"

 62 1487e11e 2021-02-06 op     root "/var/gemini/example.com"

 63 1487e11e 2021-02-06 op     lang "it"

 64 1487e11e 2021-02-06 op     cgi  "/cgi/*"

 65 1487e11e 2021-02-06 op 

 66 1487e11e 2021-02-06 op     location "/files/*" {

 67 1487e11e 2021-02-06 op         auto index on

 68 1487e11e 2021-02-06 op     }

 69 1487e11e 2021-02-06 op 

 70 1487e11e 2021-02-06 op     location "/repo/*" {

 71 1487e11e 2021-02-06 op         # change the index file name

 72 1487e11e 2021-02-06 op         index "README.gmi"

 73 1487e11e 2021-02-06 op     }

 74 1487e11e 2021-02-06 op 

 75 1487e11e 2021-02-06 op     # redirect /cgi/man/... to man.example.com/...

 76 1487e11e 2021-02-06 op     location "/cgi/man*" {

 77 1487e11e 2021-02-06 op         strip 2

 78 1487e11e 2021-02-06 op         block return 31 "gemini://man.example.com%p"

 79 1487e11e 2021-02-06 op     }

 80 1487e11e 2021-02-06 op }

 81 1487e11e 2021-02-06 op 

 82 1487e11e 2021-02-06 op server "man.example.com" {

 83 1487e11e 2021-02-06 op     cert "..."

 84 1487e11e 2021-02-06 op     key  "..."

 85 1487e11e 2021-02-06 op     root "/var/gemini/man.example.com"

 86 1487e11e 2021-02-06 op 

 87 1487e11e 2021-02-06 op     # handle every request with the CGI script `man'

 88 1487e11e 2021-02-06 op     entrypoint "man"

 89 1487e11e 2021-02-06 op }

 90 1487e11e 2021-02-06 op ```

 91 1487e11e 2021-02-06 op 

 92 1487e11e 2021-02-06 op 

 93 b9220ca4 2021-01-11 op ## Building

 94 3e4749f7 2020-10-02 op 

 95 b9231167 2021-02-08 op gmid depends on a POSIX libc, libevent2, OpenSSL/LibreSSL and libtls

 96 b9231167 2021-02-08 op (provided either by LibreSSL or libretls).  At build time, flex and

 97 b9231167 2021-02-08 op yacc (or GNU bison) are also needed.

 98 3e4749f7 2020-10-02 op 

 99 771d8f28 2021-01-17 op The build is as simple as

100 3e4749f7 2020-10-02 op 

101 601bc1cc 2021-01-30 op     ./configure

102 b9220ca4 2021-01-11 op     make

103 3e4749f7 2020-10-02 op 

104 8f0da580 2021-01-21 op If the configure scripts fails to pick up something, please open an

105 f980545b 2021-01-21 op issue or notify me via email.

106 8f0da580 2021-01-21 op 

107 771d8f28 2021-01-17 op To install execute:

108 881a9dd9 2021-01-16 op 

109 771d8f28 2021-01-17 op     make install

110 771d8f28 2021-01-17 op 

111 601bc1cc 2021-01-30 op ### Docker

112 771d8f28 2021-01-17 op 

113 601bc1cc 2021-01-30 op If you have trouble installing LibreSSL or libretls, you can use

114 601bc1cc 2021-01-30 op Docker to build a `gmid` image with:

115 601bc1cc 2021-01-30 op 

116 17b09e3c 2021-01-18 op     docker build -t gmid .

117 17b09e3c 2021-01-18 op 

118 17b09e3c 2021-01-18 op and then run it with something along the lines of

119 17b09e3c 2021-01-18 op 

120 17b09e3c 2021-01-18 op     docker run --rm -it -p 1965:1965 \

121 6c117838 2021-01-25 op         -v /path/to/gmid.conf:...:ro \

122 17b09e3c 2021-01-18 op         -v /path/to/docs:/var/gemini \

123 6c117838 2021-01-25 op         gmid -c .../gmid.conf

124 17b09e3c 2021-01-18 op 

125 601bc1cc 2021-01-30 op (ellipses used for brevity)

126 17b09e3c 2021-01-18 op 

127 dd8cc7d3 2021-01-22 op ### Local libretls

128 17b09e3c 2021-01-18 op 

129 8f0da580 2021-01-21 op This is **NOT** recommended, please try to port LibreSSL/LibreTLS to

130 8f0da580 2021-01-21 op your distribution of choice or use docker instead.

131 8f0da580 2021-01-21 op 

132 601bc1cc 2021-01-30 op However, it's possible to statically-link `gmid` to locally-installed

133 601bc1cc 2021-01-30 op libretls quite easily.  (It's how I test gmid on Fedora, for instance)

134 8f0da580 2021-01-21 op 

135 04397b32 2021-01-21 op Let's say you have compiled and installed libretls in `$LIBRETLS`,

136 8f0da580 2021-01-21 op then you can build `gmid` with

137 8f0da580 2021-01-21 op 

138 04397b32 2021-01-21 op     ./configure CFLAGS="-I$LIBRETLS/include" \

139 1606927e 2021-02-11 op                 LDFLAGS="$LIBRETLS/lib/libtls.a -lssl -lcrypto -lpthread -levent"

140 8f0da580 2021-01-21 op     make

141 8f0da580 2021-01-21 op 

142 dd8cc7d3 2021-01-22 op ### Testing

143 dd8cc7d3 2021-01-22 op 

144 31a4993a 2021-01-23 op Execute

145 dd8cc7d3 2021-01-22 op 

146 dd8cc7d3 2021-01-22 op     make regress

147 dd8cc7d3 2021-01-22 op 

148 601bc1cc 2021-01-30 op to start the suite.  Keep in mind that the regression tests will

149 601bc1cc 2021-01-30 op create files inside the `regress` directory and bind the 10965 port.

150 dd8cc7d3 2021-01-22 op 

151 dd8cc7d3 2021-01-22 op 

152 881a9dd9 2021-01-16 op ## Architecture/Security considerations

153 881a9dd9 2021-01-16 op 

154 881a9dd9 2021-01-16 op gmid is composed by two processes: a listener and an executor.  The

155 881a9dd9 2021-01-16 op listener process is the only one that needs internet access and is

156 881a9dd9 2021-01-16 op sandboxed.  When a CGI script needs to be executed, the executor

157 881a9dd9 2021-01-16 op (outside of the sandbox) sets up a pipe and gives one end to the

158 881a9dd9 2021-01-16 op listener, while the other is bound to the CGI script standard output.

159 909ea500 2021-01-27 op This way, is still possible to execute CGI scripts without

160 601bc1cc 2021-01-30 op restrictions even in the presence of a sandboxed network process.

161 881a9dd9 2021-01-16 op 

162 601bc1cc 2021-01-30 op On OpenBSD, the listener runs with the `stdio recvfd rpath inet`

163 601bc1cc 2021-01-30 op pledges, while the executor has `stdio sendfd proc exec`; both have

164 601bc1cc 2021-01-30 op unveiled only the served directories.

165 881a9dd9 2021-01-16 op 

166 ea58dab1 2021-01-17 op On FreeBSD, the executor process is sandboxed with `capsicum(4)`.

167 d939d0f0 2021-01-17 op 

168 601bc1cc 2021-01-30 op On Linux, a `seccomp(2)` filter is installed in the listener to allow

169 601bc1cc 2021-01-30 op only certain syscalls, see [sandbox.c](sandbox.c) for more information

170 601bc1cc 2021-01-30 op on the BPF program.

171 ea58dab1 2021-01-17 op 

172 ea58dab1 2021-01-17 op In any case, you are invited to run gmid inside some sort of

173 0b00962d 2021-01-25 op container/jail/chroot.