.\" Copyright (c) 2021, 2022 Omar Polo <op@omarpolo.com>

.\"

.\" Permission to use, copy, modify, and distribute this software for any

.\" purpose with or without fee is hereby granted, provided that the above

.\" copyright notice and this permission notice appear in all copies.

.\"

.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

.Dd $Mdocdate: April 7 2022$

.Dt GMID 1

.Os

.Sh NAME

.Nm gmid

.Nd simple and secure Gemini server

.Sh SYNOPSIS

.Nm

.Bk -words

.Op Fl fnv

.Op Fl c Ar config

.Op Fl D Ar macro Ns = Ns Ar value

.Op Fl P Ar pidfile

.Ek

.Nm

.Bk -words

.Op Fl 6hVv

.Op Fl d Ar certs-dir

.Op Fl H Ar hostname

.Op Fl p Ar port

.Op Fl x Ar cgi

.Op Ar dir

.Ek

.Sh DESCRIPTION

.Nm

is a simple and minimal gemini server that can serve static files,

execute CGI scripts and talk to FastCGI applications.

It can run without a configuration file with a limited set of features

available.

.Pp

.Nm

rereads the configuration file when it receives

.Dv SIGHUP .

.Pp

The options are as follows:

.Bl -tag -width 14m

.It Fl c Ar config

Specify the configuration file.

.It Fl D Ar macro Ns = Ns Ar value

Define

.Ar macro

to be set to

.Ar value

on the command line.

Overrides the definition of

.Ar macro

in the config file if present.

.It Fl f

Stays and logs on the foreground.

.It Fl n

Check that the configuration is valid, but don't start the server.

If specified two or more time, dump the configuration in addition to

verify it.

.It Fl P Ar pidfile

Write daemon's pid to the given location.

.Ar pidfile

will also act as lock: if another process is holding a lock on that

file,

.Nm

will refuse to start.

.El

.Pp

If no configuration file is given,

.Nm

runs in

.Dq config-less mode

.Pq i.e. runs in the foreground to serve a directory from the shell

and looks for the following options

.Bl -tag -width 14m

.It Fl 6

Enable IPv6.

.It Fl d Ar certs-path

Directory where certificates for the config-less mode are stored.

By default it is

.Pa $XDG_DATA_HOME/gmid ,

i.e.

.Pa ~/.local/share/gmid .

.It Fl H Ar hostname

The hostname

.Po

.Ar localhost

by default

.Pc .

Certificates for the given

.Ar hostname

are searched inside the

.Ar certs-dir

directory given with the

.Fl d

option.

They have the form

.Pa hostname.cert.pem

and

.Pa hostname.key.pem .

If a certificate or a key doesn't exist for a given hostname, they

will be generated automatically.

.It Fl h , Fl -help

Print the usage and exit.

.It Fl p Ar port

The port to listen on, by default 1965.

.It Fl V , Fl -version

Print the version and exit.

.It Fl v

Verbose mode.

Multiple

.Fl v

options increase the verbosity.

.It Fl x Ar path

Enable execution of

.Sx CGI

scripts.

See the description of the

.Ic cgi

option in the

.Sq Servers

section below to learn how

.Ar path

is processed.

Cannot be provided more than once.

.It Ar dir

The root directory to serve.

By default the current working directory is assumed.

.El

.Sh LOGGING

Messages and requests are logged by

.Xr syslog 3

using the

.Dv DAEMON

facility or printed on

.Em stderr .

.Pp

Requests are logged with the

.Dv NOTICE

severity.

Each request log entry has the following fields, separated by

whitespace:

.Pp

.Bl -bullet -compact

.It

Client IP address and the source port number, separated by a colon

.It

.Sy GET

keyword

.It

Request URL

.It

Response status

.It

Response meta

.El

.Sh EXAMPLES

Serve the current directory

.Bd -literal -offset indent

$ gmid .

.Ed

.Pp

To serve the directory

.Pa docs

and enable CGI scripts inside

.Pa docs/cgi

.Bd -literal -offset indent

$ mkdir docs/cgi

$ cat <<EOF > docs/cgi/hello

#!/bin/sh

printf "20 text/plain\er\en"

echo "hello world"

EOF

$ chmod +x docs/cgi/hello

$ gmid -x '/cgi/*' docs

.Ed

.Pp

An X.509 certificate must be provided to run

.Nm

using a configuration file.

First, the RSA certificate is created using a wildcard common name:

.Bd -literal -offset indent

# openssl genrsa \-out /etc/ssl/private/example.com.key 4096

# openssl req \-new \-x509 \e

\-key /etc/ssl/private/example.com.key \e

\-out /etc/ssl/example.com.crt \e

\-days 36500 \-nodes \e

\-subj "/CN=example.com"

# chmod 600 /etc/ssl/example.com.crt

# chmod 600 /etc/ssl/private/example.com.key

.Ed

.Pp

In the example above, a certificate is valid for one hundred years from

the date it was created, which is normal for TOFU.

.Pp

Then, to run

.Nm

as a daemon:

.Bd -literal -offset indent

$ gmid -c /etc/gmid.conf

.Ed

.Sh SEE ALSO

.Xr gmid.conf 5

.Sh ACKNOWLEDGEMENTS

.Nm

uses the

.Dq Flexible and Economical

UTF-8 decoder written by

.An Bjoern Hoehrmann .

.Sh AUTHORS

.An -nosplit

The

.Nm

program was written by

.An Omar Polo Aq Mt op@omarpolo.com .

.Sh CAVEATS

.Bl -bullet

.It

All the root directories are opened during the daemon startup; if a

root directory is deleted and then re-created,

.Nm

won't be able to serve files inside that directory until a restart.

This restriction only applies to the root directories and not their

content.

.It

a %2F sequence is indistinguishable from a literal slash: this is not

RFC3986-compliant.

.It

a %00 sequence is treated as invalid character and thus rejected.

.El