Blame

Date:
Message:
typos
Actions:
History | Blob | Raw File
  1 0111ad5d 2021-10-09 op <!doctype html>

  2 0111ad5d 2021-10-09 op <html lang="en">

  3 0111ad5d 2021-10-09 op   <head>

  4 35340c9f 2021-10-09 op     <title>gmid quickstart</title>

  5 0111ad5d 2021-10-09 op     <meta charset="utf8" />

  6 0111ad5d 2021-10-09 op     <meta name="viewport" content="width=device-width, initial-scale=1" />

  7 0111ad5d 2021-10-09 op     <style>

  8 0111ad5d 2021-10-09 op     body {

  9 0111ad5d 2021-10-09 op       font-family: monospace;

 10 0111ad5d 2021-10-09 op       font-size: 14px;

 11 0111ad5d 2021-10-09 op       max-width: 780px;

 12 0111ad5d 2021-10-09 op       margin: 0 auto;

 13 0111ad5d 2021-10-09 op       padding: 20px;

 14 0111ad5d 2021-10-09 op       padding-bottom: 80px;

 15 0111ad5d 2021-10-09 op     }

 16 0111ad5d 2021-10-09 op 

 17 0111ad5d 2021-10-09 op     h1::before {

 18 0111ad5d 2021-10-09 op       content: "# ";

 19 0111ad5d 2021-10-09 op     }

 20 0111ad5d 2021-10-09 op 

 21 0111ad5d 2021-10-09 op     h2 {

 22 0111ad5d 2021-10-09 op       margin-top: 40px;

 23 0111ad5d 2021-10-09 op     }

 24 0111ad5d 2021-10-09 op 

 25 0111ad5d 2021-10-09 op     h2::before {

 26 0111ad5d 2021-10-09 op       content: "## ";

 27 0111ad5d 2021-10-09 op     }

 28 0111ad5d 2021-10-09 op 

 29 0111ad5d 2021-10-09 op     h3::before {

 30 0111ad5d 2021-10-09 op       content: "### ";

 31 0111ad5d 2021-10-09 op     }

 32 0111ad5d 2021-10-09 op 

 33 0111ad5d 2021-10-09 op     blockquote {

 34 0111ad5d 2021-10-09 op       margin: 0;

 35 0111ad5d 2021-10-09 op       padding: 0;

 36 0111ad5d 2021-10-09 op     }

 37 0111ad5d 2021-10-09 op 

 38 0111ad5d 2021-10-09 op     blockquote::before {

 39 0111ad5d 2021-10-09 op       content: "> ";

 40 0111ad5d 2021-10-09 op     }

 41 0111ad5d 2021-10-09 op 

 42 0111ad5d 2021-10-09 op     blockquote p {

 43 0111ad5d 2021-10-09 op       font-style: italic;

 44 0111ad5d 2021-10-09 op       display: inline;

 45 0111ad5d 2021-10-09 op     }

 46 0111ad5d 2021-10-09 op 

 47 0111ad5d 2021-10-09 op     p.link::before {

 48 0111ad5d 2021-10-09 op       content: "→ ";

 49 0111ad5d 2021-10-09 op     }

 50 0111ad5d 2021-10-09 op 

 51 0111ad5d 2021-10-09 op     strong::before { content: "*" }

 52 0111ad5d 2021-10-09 op     strong::after  { content: "*" }

 53 0111ad5d 2021-10-09 op 

 54 0111ad5d 2021-10-09 op     hr {

 55 0111ad5d 2021-10-09 op       border: 0;

 56 0111ad5d 2021-10-09 op       height: 1px;

 57 0111ad5d 2021-10-09 op       background-color: #222;

 58 0111ad5d 2021-10-09 op       width: 100%;

 59 0111ad5d 2021-10-09 op       display: block;

 60 0111ad5d 2021-10-09 op       margin: 2em auto;

 61 0111ad5d 2021-10-09 op     }

 62 0111ad5d 2021-10-09 op 

 63 0111ad5d 2021-10-09 op     img {

 64 0111ad5d 2021-10-09 op       border-radius: 5px;

 65 0111ad5d 2021-10-09 op     }

 66 0111ad5d 2021-10-09 op 

 67 0111ad5d 2021-10-09 op     pre {

 68 0111ad5d 2021-10-09 op       overflow: auto;

 69 0111ad5d 2021-10-09 op       padding: 1rem;

 70 0111ad5d 2021-10-09 op       background-color: #f0f0f0;

 71 0111ad5d 2021-10-09 op       border-radius: 3px;

 72 0111ad5d 2021-10-09 op     }

 73 0111ad5d 2021-10-09 op 

 74 0111ad5d 2021-10-09 op     pre.banner {

 75 0111ad5d 2021-10-09 op       display: flex;

 76 0111ad5d 2021-10-09 op       flex-direction: row;

 77 0111ad5d 2021-10-09 op       justify-content: center;

 78 0111ad5d 2021-10-09 op     }

 79 0111ad5d 2021-10-09 op 

 80 0111ad5d 2021-10-09 op     code, kbd {

 81 0111ad5d 2021-10-09 op       color: #9d109d;

 82 0111ad5d 2021-10-09 op     }

 83 0111ad5d 2021-10-09 op 

 84 0111ad5d 2021-10-09 op     img {

 85 0111ad5d 2021-10-09 op       display: block;

 86 0111ad5d 2021-10-09 op       margin: 0 auto;

 87 0111ad5d 2021-10-09 op       max-width: 100%;

 88 0111ad5d 2021-10-09 op     }

 89 0111ad5d 2021-10-09 op 

 90 0111ad5d 2021-10-09 op     @media (prefers-color-scheme: dark) {

 91 0111ad5d 2021-10-09 op       body {

 92 0111ad5d 2021-10-09 op         background-color: #222;

 93 0111ad5d 2021-10-09 op         color: white;

 94 0111ad5d 2021-10-09 op       }

 95 0111ad5d 2021-10-09 op 

 96 0111ad5d 2021-10-09 op       a {

 97 0111ad5d 2021-10-09 op         color: aqua;

 98 0111ad5d 2021-10-09 op       }

 99 0111ad5d 2021-10-09 op 

100 0111ad5d 2021-10-09 op       hr {

101 0111ad5d 2021-10-09 op         background-color: #ddd;

102 0111ad5d 2021-10-09 op       }

103 0111ad5d 2021-10-09 op 

104 0111ad5d 2021-10-09 op       pre {

105 0111ad5d 2021-10-09 op         background-color: #353535;

106 0111ad5d 2021-10-09 op       }

107 0111ad5d 2021-10-09 op 

108 0111ad5d 2021-10-09 op       code, kbd {

109 0111ad5d 2021-10-09 op         color: #ff4cff;

110 0111ad5d 2021-10-09 op       }

111 0111ad5d 2021-10-09 op     }

112 0111ad5d 2021-10-09 op 

113 0111ad5d 2021-10-09 op     @media (max-width: 400px) {

114 0111ad5d 2021-10-09 op       pre.banner { font-size: 9px; }

115 0111ad5d 2021-10-09 op     }

116 0111ad5d 2021-10-09 op 

117 0111ad5d 2021-10-09 op     @media (max-width: 500px) {

118 0111ad5d 2021-10-09 op       pre.banner { font-size: 10px; }

119 0111ad5d 2021-10-09 op     }

120 0111ad5d 2021-10-09 op     </style>

121 0111ad5d 2021-10-09 op   </head>

122 0111ad5d 2021-10-09 op   <body>

123 0111ad5d 2021-10-09 op     <header>

124 0111ad5d 2021-10-09 op       <nav>

125 0111ad5d 2021-10-09 op         <a href="/">Home</a> |

126 0111ad5d 2021-10-09 op         <a href="contrib.html">contrib</a> |

127 0111ad5d 2021-10-09 op         Quickstart |

128 0111ad5d 2021-10-09 op         <a href="gmid.1.html">docs</a>

129 0111ad5d 2021-10-09 op       </nav>

130 0111ad5d 2021-10-09 op     </header>

131 0111ad5d 2021-10-09 op     <h1>gmid quickstart</h1>

132 0111ad5d 2021-10-09 op     <p>gmid can be run in two different “modes”:</p>

133 0111ad5d 2021-10-09 op     <dl>

134 0111ad5d 2021-10-09 op       <dt>configless:</dt>

135 0111ad5d 2021-10-09 op       <dd>

136 0111ad5d 2021-10-09 op         a quick way to serve a directory tree from the shell, useful

137 0111ad5d 2021-10-09 op         for testing a capsule before uploading it

138 0111ad5d 2021-10-09 op       </dd>

139 0111ad5d 2021-10-09 op       <dt>daemon mode:</dt>

140 0111ad5d 2021-10-09 op       <dd>

141 0111ad5d 2021-10-09 op         gmid reads the configuration file and runs in the background

142 0111ad5d 2021-10-09 op       </dd>

143 0111ad5d 2021-10-09 op     </dl>

144 0111ad5d 2021-10-09 op     <p>To run gmid in the “configless” mode, just type:</p>

145 0111ad5d 2021-10-09 op     <pre>$ gmid path/to/dir</pre>

146 0111ad5d 2021-10-09 op     <p>

147 0111ad5d 2021-10-09 op       gmid will then generate a certificate inside ~/.local/share/gmid

148 540d05de 2021-10-09 op       and serve the given directory locally.

149 0111ad5d 2021-10-09 op     </p>

150 0111ad5d 2021-10-09 op     <p>

151 0111ad5d 2021-10-09 op       To run gmid in daemon mode a configuration file is needed.  The

152 0111ad5d 2021-10-09 op       format of the configuration file is described in the manpage and

153 0111ad5d 2021-10-09 op       is quite flexible, but for simple setup something like the

154 0111ad5d 2021-10-09 op       following should be enough:

155 0111ad5d 2021-10-09 op     </p>

156 0111ad5d 2021-10-09 op     <pre># /etc/gmid.conf

157 0111ad5d 2021-10-09 op 

158 0111ad5d 2021-10-09 op server "example.com" {

159 0111ad5d 2021-10-09 op 	cert "/path/to/certificate"

160 0111ad5d 2021-10-09 op 	key  "/path/to/private-key"

161 0111ad5d 2021-10-09 op 	root "/var/gemini/example.com"

162 0111ad5d 2021-10-09 op }</pre>

163 0111ad5d 2021-10-09 op     <p>

164 0111ad5d 2021-10-09 op       A X.509 (TLS) certificate can be generated using

165 0111ad5d 2021-10-09 op       <a href="https://git.omarpolo.com/gmid/tree/contrib/gencert">contrib/gencert</a>:

166 0111ad5d 2021-10-09 op     </p>

167 0111ad5d 2021-10-09 op     <pre>$ ./contrib/gencert example.com

168 0111ad5d 2021-10-09 op Generating a 4096 bit RSA private key

169 0111ad5d 2021-10-09 op .................................................++++

170 0111ad5d 2021-10-09 op ..........++++

171 0111ad5d 2021-10-09 op writing new private key to './example.com.key'

172 0111ad5d 2021-10-09 op -----

173 0111ad5d 2021-10-09 op 

174 0111ad5d 2021-10-09 op Generated files:

175 0111ad5d 2021-10-09 op         ./example.com.pem : certificate

176 0111ad5d 2021-10-09 op         ./example.com.key : private key</pre>

177 0111ad5d 2021-10-09 op     <p>

178 35340c9f 2021-10-09 op       Optionally, move ‘example.com.pem’ and ‘example.com.key’ to

179 0111ad5d 2021-10-09 op       another location.

180 0111ad5d 2021-10-09 op     </p>

181 0111ad5d 2021-10-09 op     <p>

182 0111ad5d 2021-10-09 op       Make sure that the ‘cert’ and ‘key’ options in the configuration

183 0111ad5d 2021-10-09 op       file points to these files.

184 0111ad5d 2021-10-09 op     </p>

185 0111ad5d 2021-10-09 op     <p>Then running gmid is as easy as</p>

186 0111ad5d 2021-10-09 op     <pre>$ gmid -c /etc/gmid.conf</pre>

187 0111ad5d 2021-10-09 op     <h2>Securing your gmid installation</h2>

188 0111ad5d 2021-10-09 op     <p>

189 0111ad5d 2021-10-09 op       gmid employs various techniques to prevent the damage caused by

190 0111ad5d 2021-10-09 op       bugs, but some steps needs to be done manually.

191 0111ad5d 2021-10-09 op     </p>

192 0111ad5d 2021-10-09 op     <p>

193 0111ad5d 2021-10-09 op       If gmid was installed from your distribution package manager,

194 0111ad5d 2021-10-09 op       chance are that it already does all of this and is also

195 0111ad5d 2021-10-09 op       providing a service to run gmid automatically (e.g. a systemd

196 0111ad5d 2021-10-09 op       unit file, a rc script, …)  Otherwise, it’s heavily suggested to

197 0111ad5d 2021-10-09 op       create at least a dedicated user.

198 0111ad5d 2021-10-09 op     </p>

199 0111ad5d 2021-10-09 op     <h3>A dedicated user</h3>

200 0111ad5d 2021-10-09 op     <p>

201 35340c9f 2021-10-09 op       Ideally, gmid should be started with root privileges and drop

202 0111ad5d 2021-10-09 op       privileges to a local user.  This way, the created certificates

203 0111ad5d 2021-10-09 op       can be readable only by root.  For example, on GNU/linux systems

204 0111ad5d 2021-10-09 op       a ‘gmid’ user can be created with:

205 0111ad5d 2021-10-09 op     </p>

206 35340c9f 2021-10-09 op     <pre># useradd --system --no-create-home -s /bin/nologin -c "gmid Gemini server" gmid</pre>

207 0111ad5d 2021-10-09 op     <p>

208 0111ad5d 2021-10-09 op       Please consult your OS documentation for more information on the

209 0111ad5d 2021-10-09 op       matter.

210 0111ad5d 2021-10-09 op     </p>

211 0111ad5d 2021-10-09 op     <p>

212 0111ad5d 2021-10-09 op       The configuration then needs to be adjusted to include the

213 0111ad5d 2021-10-09 op       ‘user’ directive at the top:

214 0111ad5d 2021-10-09 op     </p>

215 0111ad5d 2021-10-09 op     <pre># /etc/gmid.conf

216 0111ad5d 2021-10-09 op user "gmid"

217 0111ad5d 2021-10-09 op 

218 0111ad5d 2021-10-09 op server "example.com" { … }</pre>

219 0111ad5d 2021-10-09 op     <p>

220 0111ad5d 2021-10-09 op       gmid then needs to be started with root privileges, but will

221 0111ad5d 2021-10-09 op       then switch to the provided user automatically.  If by accident

222 0111ad5d 2021-10-09 op       the ‘user’ is forgotten and gmid is running as root, it will

223 0111ad5d 2021-10-09 op       complain loudly in the logs.

224 0111ad5d 2021-10-09 op     </p>

225 0111ad5d 2021-10-09 op     <h3>chroot</h3>

226 0111ad5d 2021-10-09 op     <p>

227 0111ad5d 2021-10-09 op       It’s a common practice for system daemons to chroot themselves

228 0111ad5d 2021-10-09 op       into a directory.  From here on I’ll assume /var/gemini, but it

229 0111ad5d 2021-10-09 op       can be any directory.

230 0111ad5d 2021-10-09 op     </p>

231 0111ad5d 2021-10-09 op     <p>

232 0111ad5d 2021-10-09 op       A chroot on UNIX-like OS is an operation that changes the

233 0111ad5d 2021-10-09 op       “apparent” root directory (i.e. “/”) from the current process

234 0111ad5d 2021-10-09 op       and its child.  Think of it like imprisoning a process into a

235 0111ad5d 2021-10-09 op       directory and never letting it escape until it terminates.

236 0111ad5d 2021-10-09 op     </p>

237 0111ad5d 2021-10-09 op     <p>

238 0111ad5d 2021-10-09 op       Using a chroot may complicate the use of CGI scripts, because

239 35340c9f 2021-10-09 op       then all the dependencies of the scripts (like sh, perl,

240 35340c9f 2021-10-09 op       libraries…) need to be installed inside the chroot too.  For

241 35340c9f 2021-10-09 op       this very reason gmid supports FastCGI.

242 0111ad5d 2021-10-09 op     </p>

243 0111ad5d 2021-10-09 op     <p>

244 0111ad5d 2021-10-09 op       The chroot feature requires a dedicate user, see the previous

245 0111ad5d 2021-10-09 op       section.

246 0111ad5d 2021-10-09 op     </p>

247 0111ad5d 2021-10-09 op     <p>

248 0111ad5d 2021-10-09 op       To chroot gmid inside a directory, use the ‘chroot’ directive in

249 0111ad5d 2021-10-09 op       the configuration file:

250 0111ad5d 2021-10-09 op     </p>

251 0111ad5d 2021-10-09 op     <pre># /etc/gmid.conf

252 0111ad5d 2021-10-09 op 

253 35340c9f 2021-10-09 op user "gmid"

254 35340c9f 2021-10-09 op 

255 0111ad5d 2021-10-09 op # the given directory, /var/gemini in this case, must exists.

256 0111ad5d 2021-10-09 op chroot "/var/gemini"</pre>

257 0111ad5d 2021-10-09 op     <p>

258 0111ad5d 2021-10-09 op       Note that once ‘chroot’ is in place, every ‘root’ directive is

259 0111ad5d 2021-10-09 op       implicitly relative to the chroot, but ‘cert’ and ‘key’ aren’t!

260 0111ad5d 2021-10-09 op     </p>

261 0111ad5d 2021-10-09 op     <p>For example, given the following configuration:</p>

262 0111ad5d 2021-10-09 op     <pre># /etc/gmid.conf

263 0111ad5d 2021-10-09 op 

264 0111ad5d 2021-10-09 op user "gmid"

265 0111ad5d 2021-10-09 op chroot "/var/gemini"

266 0111ad5d 2021-10-09 op 

267 0111ad5d 2021-10-09 op server "example.com" {

268 0111ad5d 2021-10-09 op 	cert "/etc/ssl/example.com.pem"

269 0111ad5d 2021-10-09 op 	key  "/etc/ssl/example.com.key"

270 0111ad5d 2021-10-09 op 	root "/example.com"

271 0111ad5d 2021-10-09 op }</pre>

272 0111ad5d 2021-10-09 op     <p>

273 0111ad5d 2021-10-09 op       The certificate and the key path are the specified ones, but the

274 0111ad5d 2021-10-09 op       root directory of the virtual host is actually

275 0111ad5d 2021-10-09 op       “/var/gemini/example.com/”.

276 0111ad5d 2021-10-09 op     </p>

277 0111ad5d 2021-10-09 op   </body>

278 0111ad5d 2021-10-09 op </html>