1 207dc0f9 2021-01-02 op .\" Copyright (c) 2021, 2022 Omar Polo <op@omarpolo.com>
3 3e4749f7 2020-10-02 op .\" Permission to use, copy, modify, and distribute this software for any
4 3e4749f7 2020-10-02 op .\" purpose with or without fee is hereby granted, provided that the above
5 3e4749f7 2020-10-02 op .\" copyright notice and this permission notice appear in all copies.
7 3e4749f7 2020-10-02 op .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 3e4749f7 2020-10-02 op .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 3e4749f7 2020-10-02 op .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 3e4749f7 2020-10-02 op .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 3e4749f7 2020-10-02 op .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 3e4749f7 2020-10-02 op .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 3e4749f7 2020-10-02 op .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 da613aba 2022-03-26 op .Dd $Mdocdate: February 26 2022$
19 714685c1 2021-01-30 op .Nd simple and secure Gemini server
24 15902770 2021-01-15 op .Op Fl c Ar config
25 8b743dda 2021-06-29 op .Op Fl D Ar macro Ns = Ns Ar value
26 8e8b2e25 2021-04-28 op .Op Fl P Ar pidfile
31 14cee926 2022-01-04 op .Op Fl d Ar certs-dir
32 f28d96d3 2021-01-25 op .Op Fl H Ar hostname
33 721e2325 2020-11-18 op .Op Fl p Ar port
34 14cee926 2022-01-04 op .Op Fl x Ar cgi
37 3e4749f7 2020-10-02 op .Sh DESCRIPTION
39 8ff40039 2021-05-24 op is a simple and minimal gemini server that can serve static files,
40 8ff40039 2021-05-24 op execute CGI scripts and talk to FastCGI applications.
41 eb699783 2021-01-18 op It can run without a configuration file with a limited set of features
45 3007f565 2021-02-04 op rereads the configuration file when it receives
48 eb699783 2021-01-18 op The options are as follows:
49 f28d96d3 2021-01-25 op .Bl -tag -width 14m
50 14cee926 2022-01-04 op .It Fl c Ar config
51 f28d96d3 2021-01-25 op Specify the configuration file.
52 8b743dda 2021-06-29 op .It Fl D Ar macro Ns = Ns Ar value
57 8b743dda 2021-06-29 op on the command line.
58 8b743dda 2021-06-29 op Overrides the definition of
60 8b743dda 2021-06-29 op in the config file if present.
62 46af8c6c 2021-01-27 op Stays and logs on the foreground.
64 eb699783 2021-01-18 op Check that the configuration is valid, but don't start the server.
65 f0a01fc7 2021-10-09 op If specified two or more time, dump the configuration in addition to
67 14cee926 2022-01-04 op .It Fl P Ar pidfile
68 301e039d 2021-07-29 op Write daemon's pid to the given location.
70 2b520ad5 2021-07-09 op will also act as lock: if another process is holding a lock on that
73 2b520ad5 2021-07-09 op will refuse to start.
76 eb699783 2021-01-18 op If no configuration file is given,
79 ebf3373d 2021-12-02 op .Dq config-less mode
80 ebf3373d 2021-12-02 op .Pq i.e. runs in the foreground to serve a directory from the shell
81 ebf3373d 2021-12-02 op and looks for the following options
82 f28d96d3 2021-01-25 op .Bl -tag -width 14m
85 14cee926 2022-01-04 op .It Fl d Ar certs-path
86 f28d96d3 2021-01-25 op Directory where certificates for the config-less mode are stored.
87 301e039d 2021-07-29 op By default it is
88 f28d96d3 2021-01-25 op .Pa $XDG_DATA_HOME/gmid ,
90 f28d96d3 2021-01-25 op .Pa ~/.local/share/gmid .
91 71cf3975 2021-01-25 op .It Fl H Ar hostname
97 f28d96d3 2021-01-25 op Certificates for the given
99 f28d96d3 2021-01-25 op are searched inside the
100 14cee926 2022-01-04 op .Ar certs-dir
101 f28d96d3 2021-01-25 op directory given with the
104 714685c1 2021-01-30 op They have the form
105 f28d96d3 2021-01-25 op .Pa hostname.cert.pem
107 f28d96d3 2021-01-25 op .Pa hostname.key.pem .
108 301e039d 2021-07-29 op If a certificate or a key doesn't exist for a given hostname, they
109 301e039d 2021-07-29 op will be generated automatically.
110 ba65dcc8 2021-06-29 op .It Fl h , Fl -help
111 fab952e1 2020-10-03 op Print the usage and exit.
112 721e2325 2020-11-18 op .It Fl p Ar port
113 eb699783 2021-01-18 op The port to listen on, by default 1965.
114 ba65dcc8 2021-06-29 op .It Fl V , Fl -version
115 ba65dcc8 2021-06-29 op Print the version and exit.
117 3abf91b0 2021-02-07 op Verbose mode.
120 3abf91b0 2021-02-07 op options increase the verbosity.
121 14cee926 2022-01-04 op .It Fl x Ar path
122 301e039d 2021-07-29 op Enable execution of
125 eb699783 2021-01-18 op See the description of the
127 301e039d 2021-07-29 op option in the
129 301e039d 2021-07-29 op section below to learn how
131 eb699783 2021-01-18 op is processed.
132 eb699783 2021-01-18 op Cannot be provided more than once.
134 f28d96d3 2021-01-25 op The root directory to serve.
135 f28d96d3 2021-01-25 op By default the current working directory is assumed.
137 eb699783 2021-01-18 op .Sh CONFIGURATION FILE
138 8b743dda 2021-06-29 op The configuration file is divided into three sections:
139 eb699783 2021-01-18 op .Bl -tag -width xxxx
140 8b743dda 2021-06-29 op .It Sy Macros
141 8b743dda 2021-06-29 op User-defined variables may be defined and used later, simplifying the
142 8b743dda 2021-06-29 op configuration file.
143 eb699783 2021-01-18 op .It Sy Global Options
144 eb699783 2021-01-18 op Global settings for
146 eb699783 2021-01-18 op .It Sy Servers
147 f28d96d3 2021-01-25 op Virtual hosts definition.
149 e0bf950d 2022-02-26 op Media types and extensions.
152 eb699783 2021-01-18 op Within the sections, empty lines are ignored and comments can be put
153 eb699783 2021-01-18 op anywhere in the file using a hash mark
155 eb699783 2021-01-18 op and extend to the end of the current line.
156 eb699783 2021-01-18 op A boolean is either the symbol
160 f28d96d3 2021-01-25 op A string is a sequence of characters wrapped in double quotes,
161 f28d96d3 2021-01-25 op .Dq like this .
162 eaf7f776 2021-06-29 op Multiple strings one next to the other are joined into a single
164 eaf7f776 2021-06-29 op .Bd -literal -offset indent
165 eaf7f776 2021-06-29 op # equivalent to "temporary-failure"
166 eaf7f776 2021-06-29 op block return 40 "temporary" "-" "failure"
169 2b520ad5 2021-07-09 op Furthermore, quoting is necessary only when a string needs to contain
170 528f37cd 2021-07-09 op special characters
171 528f37cd 2021-07-09 op .Pq like spaces or punctuation ,
172 528f37cd 2021-07-09 op something that looks like a number or a reserved keyword.
173 2b520ad5 2021-07-09 op The last example could have been written also as:
174 2b520ad5 2021-07-09 op .Bd -literal -offset indent
175 2b520ad5 2021-07-09 op block return 40 temporary "-" failure
178 8b743dda 2021-06-29 op Strict ordering of the sections is not enforced, so that is possible
179 8b743dda 2021-06-29 op to mix macros, options and
182 8b743dda 2021-06-29 op However, defining all the
184 8b743dda 2021-06-29 op blocks after the macros and the global options is recommended.
186 528f37cd 2021-07-09 op Newlines are often optional, except around top-level instructions, and
189 528f37cd 2021-07-09 op can also be optionally used to separate options.
191 528f37cd 2021-07-09 op Additional configuration files can be included with the
193 528f37cd 2021-07-09 op keyword, for example:
194 528f37cd 2021-07-09 op .Bd -literal -offset indent
195 528f37cd 2021-07-09 op include "/etc/gmid.conf.local"
198 8b743dda 2021-06-29 op Macros can be defined that will later be expanded in context.
199 8b743dda 2021-06-29 op Macro names must start with a letter, digit or underscore and may
200 8b743dda 2021-06-29 op contain any of those characters.
201 4f9a2760 2021-07-02 op Macros names may not be reserved words.
202 bfb076ed 2021-06-29 op Macros are not expanded inside quotes.
204 528f37cd 2021-07-09 op Two kinds of macros are supported: variable-like and proper macros.
205 528f37cd 2021-07-09 op When a macro is invoked with a
207 528f37cd 2021-07-09 op before its name its expanded as a string, whereas when it's invoked
210 528f37cd 2021-07-09 op its expanded in-place.
213 8b743dda 2021-06-29 op .Bd -literal -offset indent
214 8b743dda 2021-06-29 op dir = "/var/gemini"
215 2d06ae62 2021-07-11 op certdir = "/etc/keys"
216 528f37cd 2021-07-09 op common = "lang it; auto index on"
218 8b743dda 2021-06-29 op server "foo" {
219 ad15003b 2021-07-11 op root $dir "/foo" # -> /var/gemini/foo
220 2d06ae62 2021-07-11 op cert $certdir "/foo.crt" # -> /etc/keys/foo.crt
221 2d06ae62 2021-07-11 op key $certdir "/foo.pem" # -> /etc/keys/foo.pem
225 eb699783 2021-01-18 op .Ss Global Options
226 eb699783 2021-01-18 op .Bl -tag -width 12m
227 14cee926 2022-01-04 op .It Ic chroot Ar path
229 ae08ec7d 2021-01-25 op the process to the given
231 ae08ec7d 2021-01-25 op The daemon has to be run with root privileges and thus the option
233 714685c1 2021-01-30 op needs to be provided, so privileges can be dropped.
236 714685c1 2021-01-30 op will enter the chroot after loading the TLS keys, but before opening
237 714685c1 2021-01-30 op the virtual host root directories.
238 714685c1 2021-01-30 op It's recommended to keep the TLS keys outside the chroot.
239 ae08ec7d 2021-01-25 op Future version of
241 1de92289 2021-04-15 op may enforce this.
242 2b92a447 2021-02-06 op .It Ic ipv6 Ar bool
243 2b520ad5 2021-07-09 op Enable or disable IPv6 support, off by default.
244 2b92a447 2021-02-06 op .It Ic port Ar portno
245 2b92a447 2021-02-06 op The port to listen on.
246 2b520ad5 2021-07-09 op 1965 by default.
247 a709ddf5 2021-02-07 op .It Ic prefork Ar number
248 a709ddf5 2021-02-07 op Run the specified number of server processes.
249 a709ddf5 2021-02-07 op This increases the performance and prevents delays when connecting to
251 2b520ad5 2021-07-09 op When not in config-less mode,
253 2b520ad5 2021-07-09 op runs 3 server processes by default.
254 2c3e53da 2021-03-03 op The maximum number allowed is 16.
255 2b92a447 2021-02-06 op .It Ic protocols Ar string
256 2b92a447 2021-02-06 op Specify the TLS protocols to enable.
258 2b92a447 2021-02-06 op .Xr tls_config_parse_protocols 3
259 2b92a447 2021-02-06 op for the valid protocol string values.
260 2b92a447 2021-02-06 op By default, both TLSv1.3 and TLSv1.2 are enabled.
263 2b92a447 2021-02-06 op to enable only TLSv1.3.
264 ae08ec7d 2021-01-25 op .It Ic user Ar string
265 ae08ec7d 2021-01-25 op Run the daemon as the given user.
268 eb699783 2021-01-18 op Every virtual host is defined by a
271 eb699783 2021-01-18 op .Bl -tag -width Ds
272 eb699783 2021-01-18 op .It Ic server Ar hostname Brq ...
273 75fbb178 2021-01-28 op Match the server name using shell globbing rules.
274 2b520ad5 2021-07-09 op It can be an explicit name,
275 de27389e 2021-01-21 op .Ar www.example.com ,
276 de27389e 2021-01-21 op or a name including a wildcards,
277 de27389e 2021-01-21 op .Ar *.example.com .
280 eb699783 2021-01-18 op Followed by a block of options that is enclosed in curly brackets:
281 eb699783 2021-01-18 op .Bl -tag -width Ds
282 cc8c2901 2021-04-29 op .It Ic alias Ar name
283 cc8c2901 2021-04-29 op Specify an additional alias
285 cc8c2901 2021-04-29 op for this server.
286 2b92a447 2021-02-06 op .It Ic auto Ic index Ar bool
287 2b92a447 2021-02-06 op If no index file is found, automatically generate a directory listing.
288 2b520ad5 2021-07-09 op Disabled by default.
289 2b92a447 2021-02-06 op .It Ic block Op Ic return Ar code Op Ar meta
290 2b92a447 2021-02-06 op Send a reply and close the connection;
297 2b520ad5 2021-07-09 op .Dq temporary failure .
300 2b92a447 2021-02-06 op is in the 3x range, then
302 2b520ad5 2021-07-09 op is mandatory.
305 2b520ad5 2021-07-09 op the following special sequences are supported:
306 fd1ae83d 2021-06-11 op .Bl -tag -width Ds -compact
308 2b92a447 2021-02-06 op is replaced with a single
311 2b92a447 2021-02-06 op is replaced with the request path.
313 2b92a447 2021-02-06 op is replaced with the query string of the request.
315 2b92a447 2021-02-06 op is replaced with the server port.
317 2b92a447 2021-02-06 op is replaced with the server name.
319 14cee926 2022-01-04 op .It Ic cert Ar file
320 eb699783 2021-01-18 op Path to the certificate to use for this server.
322 eb699783 2021-01-18 op should contain a PEM encoded certificate.
323 eb699783 2021-01-18 op This option is mandatory.
324 14cee926 2022-01-04 op .It Ic cgi Ar path
327 301e039d 2021-07-29 op scripts that matches
329 87f2b68b 2021-02-02 op using shell globbing rules.
330 6119e13e 2021-01-19 op .It Ic default type Ar string
331 6119e13e 2021-01-19 op Set the default media type that is used if the media type for a
332 6119e13e 2021-01-19 op specified extension is not found.
333 6119e13e 2021-01-19 op If not specified, the
334 6119e13e 2021-01-19 op .Ic default type
336 6119e13e 2021-01-19 op .Dq application/octet-stream .
337 14cee926 2022-01-04 op .It Ic entrypoint Ar path
338 dafaf467 2021-04-15 op Handle all the requests for the current virtual host using the
342 2b520ad5 2021-07-09 op relative to the current document root.
343 efacb859 2021-07-09 op .It Ic env Ar name Cm = Ar value
344 9cc630aa 2021-04-28 op Set the environment variable
348 9cc630aa 2021-04-28 op when executing CGI scripts.
349 9cc630aa 2021-04-28 op Can be provided more than once.
350 8ff40039 2021-05-24 op .\" don't document the "spawn <prog>" form because it probably won't
352 14cee926 2022-01-04 op .It Ic fastcgi Oo Ic tcp Oc Ar socket Oo Cm port Ar port Oc
355 301e039d 2021-07-29 op instead of serving files.
358 2b520ad5 2021-07-09 op can either be a UNIX-domain socket or a TCP socket.
359 8ff40039 2021-05-24 op If the FastCGI application is listening on a UNIX domain socket,
361 8ff40039 2021-05-24 op is a local path name within the
363 8ff40039 2021-05-24 op root directory of
365 8ff40039 2021-05-24 op Otherwise, the
367 8ff40039 2021-05-24 op keyword must be provided and
369 8ff40039 2021-05-24 op is interpreted as a hostname or an IP address.
371 8ff40039 2021-05-24 op can be either a port number or the name of a service enclosed in
372 8ff40039 2021-05-24 op double quotes.
373 2b520ad5 2021-07-09 op If not specified defaults to 9000.
374 2b92a447 2021-02-06 op .It Ic index Ar string
375 2b92a447 2021-02-06 op Set the directory index file.
376 2b92a447 2021-02-06 op If not specified, it defaults to
377 2b92a447 2021-02-06 op .Pa index.gmi .
378 14cee926 2022-01-04 op .It Ic key Ar file
379 2b92a447 2021-02-06 op Specify the private key to use for this server.
381 2b92a447 2021-02-06 op should contain a PEM encoded private key.
382 2b92a447 2021-02-06 op This option is mandatory.
383 05c23a54 2021-01-19 op .It Ic lang Ar string
384 05c23a54 2021-01-19 op Specify the language tag for the text/gemini content served.
385 05c23a54 2021-01-19 op If not specified, no
387 05c23a54 2021-01-19 op parameter will be added in the response.
388 14cee926 2022-01-04 op .It Ic location Ar path Brq ...
389 c8b74339 2021-01-24 op Specify server configuration rules for a specific location.
391 c8b74339 2021-01-24 op argument will be matched against the request path with shell globbing
393 6016a593 2021-01-30 op In case of multiple location statements in the same context, the first
394 6016a593 2021-01-30 op matching location will be put into effect and the later ones ignored.
395 6016a593 2021-01-30 op Therefore is advisable to match for more specific paths first and for
396 6016a593 2021-01-30 op generic ones later on.
399 c8b74339 2021-01-24 op section may include most of the server configuration rules
401 3d132b28 2021-07-09 op .Ic alias , Ic cert , Ic cgi , Ic entrypoint , Ic env , Ic key ,
402 c143dcfa 2021-12-29 op .Ic location , Ic param No and Ic proxy .
403 2c43dcce 2021-06-17 op .It Ic log Ar bool
404 2c43dcce 2021-06-17 op Enable or disable the logging for the current server or location block.
405 efacb859 2021-07-09 op .It Ic param Ar name Cm = Ar value
406 ada16f87 2021-06-11 op Set the param
411 ff05125e 2021-10-15 op .It Ic ocsp Ar file
412 ff05125e 2021-10-15 op Specify an OCSP response to be stapled during TLS handshakes
413 ff05125e 2021-10-15 op with this server.
416 ff05125e 2021-10-15 op should contain a DER-format OCSP response retrieved from an
417 ff05125e 2021-10-15 op OCSP server for the
420 ff05125e 2021-10-15 op If the OCSP response in
422 ff05125e 2021-10-15 op is empty, OCSP stapling will not be used.
423 ff05125e 2021-10-15 op The default is to not use OCSP stapling.
424 207dc0f9 2021-01-02 op .It Ic proxy Oo Cm proto Ar name Oc Oo Cm for-host Ar host : Ns Oo Ar port Oc Oc Brq ...
425 207dc0f9 2021-01-02 op Set up a reverse proxy.
426 207dc0f9 2021-01-02 op The optional matching rules
430 207dc0f9 2021-01-02 op can be used to enable proxying only for protocols matching
432 207dc0f9 2021-01-02 op .Po Dq gemini
435 207dc0f9 2021-01-02 op and/or whose request IRI matches
439 207dc0f9 2021-01-02 op .Pq 1965 by default .
440 207dc0f9 2021-01-02 op Matching happens using shell globbing rules.
442 207dc0f9 2021-01-02 op In case of multiple matching proxy blocks in the same context, the
443 207dc0f9 2021-01-02 op first matching proxy will be put into effect and the later ones
446 ee68c361 2021-01-01 op Valid options are:
447 ee68c361 2021-01-01 op .Bl -tag -width Ds
448 ee68c361 2021-01-01 op .It Ic cert Ar file
449 ee68c361 2021-01-01 op Specify the client certificate to use when making requests.
450 ee68c361 2021-01-01 op .It Ic key Ar file
451 ee68c361 2021-01-01 op Specify the client certificate key to use when making requests.
452 ee68c361 2021-01-01 op .It Ic protocols Ar string
453 ee68c361 2021-01-01 op Specify the TLS protocols allowed when making remote requests.
455 ee68c361 2021-01-01 op .Xr tls_config_parse_protocols 3
456 ee68c361 2021-01-01 op function for the valid protocol string values.
457 ee68c361 2021-01-01 op By default, both TLSv1.2 and TLSv1.3 are enabled.
458 ee68c361 2021-01-01 op .It Ic relay-to Ar host : Ns Op Ar port
459 ee68c361 2021-01-01 op Relay the request to the given
463 207dc0f9 2021-01-02 op 1965 by default.
464 207dc0f9 2021-01-02 op This is the only mandatory option in a
467 7c2374af 2022-01-04 op .It Ic require Ic client Ic ca Ar file
468 7c2374af 2022-01-04 op Allow the proxying only from clients that provide a certificate
469 7c2374af 2022-01-04 op signed by the CA certificate in
471 1cdea97b 2022-01-30 op .It Ic sni Ar hostname
472 1cdea97b 2022-01-30 op Use the given
474 1cdea97b 2022-01-30 op instead of the one extracted from the
476 1cdea97b 2022-01-30 op rule for the TLS handshake with the proxied gemini server.
477 53884ec0 2021-01-01 op .It Ic use-tls Ar bool
478 53884ec0 2021-01-01 op Specify whether to use TLS when connecting to the proxied host.
479 53884ec0 2021-01-01 op Enabled by default.
480 ee68c361 2021-01-01 op .It Ic verifyname Ar bool
481 207dc0f9 2021-01-02 op Enable or disable the TLS server name verification.
482 207dc0f9 2021-01-02 op Enabled by default.
484 14cee926 2022-01-04 op .It Ic root Ar directory
485 2b520ad5 2021-07-09 op Specify the root directory for this server
486 2b520ad5 2021-07-09 op .Pq alas the current Dq document root .
487 2b520ad5 2021-07-09 op It's relative to the chroot if enabled.
488 14cee926 2022-01-04 op .It Ic require Ic client Ic ca Ar path
489 02be96c6 2021-02-09 op Allow requests only from clients that provide a certificate signed by
490 02be96c6 2021-02-09 op the CA certificate in
492 02be96c6 2021-02-09 op It needs to be a PEM-encoded certificate and it's not relative to the
494 6abda252 2021-02-06 op .It Ic strip Ar number
497 0773413c 2021-05-15 op components from the beginning of the path before doing a lookup in the
498 0773413c 2021-05-15 op root directory.
499 0773413c 2021-05-15 op It's also considered for the
501 2b92a447 2021-02-06 op parameter in the scope of a
502 6abda252 2021-02-06 op .Ic block return .
507 e0bf950d 2022-02-26 op section must include one or more lines of the following syntax, enclosed
508 e0bf950d 2022-02-26 op in curly brances:
509 e0bf950d 2022-02-26 op .Bl -tag -width Ds
510 e0bf950d 2022-02-26 op .It Ar type/subtype Ar name Op Ar name ...
511 e0bf950d 2022-02-26 op Set the media
515 e0bf950d 2022-02-26 op to the specified extension
517 e0bf950d 2022-02-26 op One or more names can be specified per line.
518 e0bf950d 2022-02-26 op Earch line may end with an optional semicolon.
519 e0bf950d 2022-02-26 op .It Ic include Ar file
520 e0bf950d 2022-02-26 op Include types definition from an external file, for example
521 e0bf950d 2022-02-26 op .Pa /usr/share/misc/mime.types .
524 87f2b68b 2021-02-02 op When a request for an executable file matches the
526 301e039d 2021-07-29 op rule, that file will be executed and its output fed to the client.
528 ee655e64 2021-02-01 op The CGI scripts are executed in the directory they reside and inherit
529 a7b9bb4d 2021-01-24 op the environment from
531 0ed56567 2020-11-06 op with these additional variables set:
532 ee655e64 2021-02-01 op .Bl -tag -width 24m
533 28ec6178 2021-01-24 op .It Ev GATEWAY_INTERFACE
535 ee655e64 2021-02-01 op .It Ev GEMINI_DOCUMENT_ROOT
536 ee655e64 2021-02-01 op The root directory of the virtual host.
537 ee655e64 2021-02-01 op .It Ev GEMINI_SCRIPT_FILENAME
538 ee655e64 2021-02-01 op Full path to the CGI script being executed.
539 ee655e64 2021-02-01 op .It Ev GEMINI_URL
540 ee655e64 2021-02-01 op The full IRI of the request.
541 ee655e64 2021-02-01 op .It Ev GEMINI_URL_PATH
542 ee655e64 2021-02-01 op The path of the request.
543 ee655e64 2021-02-01 op .It Ev PATH_INFO
544 ee655e64 2021-02-01 op The portion of the requested path that is derived from the the IRI
545 ee655e64 2021-02-01 op path hierarchy following the part that identifies the script itself.
546 ee655e64 2021-02-01 op Can be unset.
547 ee655e64 2021-02-01 op .It Ev PATH_TRANSLATED
548 ee655e64 2021-02-01 op Present if and only if
549 ee655e64 2021-02-01 op .Ev PATH_INFO
551 ee655e64 2021-02-01 op It represent the translation of the
552 ee655e64 2021-02-01 op .Ev PATH_INFO .
554 ee655e64 2021-02-01 op builds this by appending the
555 ee655e64 2021-02-01 op .Ev PATH_INFO
556 ee655e64 2021-02-01 op to the virtual host directory root.
557 ee655e64 2021-02-01 op .It Ev QUERY_STRING
558 ee655e64 2021-02-01 op The decoded query string.
559 ee655e64 2021-02-01 op .It Ev REMOTE_ADDR , Ev REMOTE_HOST
560 ee655e64 2021-02-01 op Textual representation of the client IP.
561 ee655e64 2021-02-01 op .It Ev REQUEST_METHOD
562 ee655e64 2021-02-01 op This is present only for RFC3875 (CGI) compliance.
563 ee655e64 2021-02-01 op It's always set to the empty string.
564 ee655e64 2021-02-01 op .It Ev SCRIPT_NAME
565 ee655e64 2021-02-01 op The part of the
566 ee655e64 2021-02-01 op .Ev GEMINI_URL_PATH
567 ee655e64 2021-02-01 op that identifies the current CGI script.
568 ee655e64 2021-02-01 op .It Ev SERVER_NAME
569 ee655e64 2021-02-01 op The name of the server
570 ee655e64 2021-02-01 op .It Ev SERVER_PORT
571 ee655e64 2021-02-01 op The port the server is listening on.
572 28ec6178 2021-01-24 op .It Ev SERVER_PROTOCOL
574 0ed56567 2020-11-06 op .It Ev SERVER_SOFTWARE
575 ee655e64 2021-02-01 op The name and version of the server, i.e.
576 1a04137e 2022-03-27 op .Dq gmid/1.8.3
577 677afbd3 2020-12-02 op .It Ev AUTH_TYPE
578 28ec6178 2021-01-24 op The string "Certificate" if the client used a certificate, otherwise
580 677afbd3 2020-12-02 op .It Ev REMOTE_USER
581 677afbd3 2020-12-02 op The subject of the client certificate if provided, otherwise unset.
582 677afbd3 2020-12-02 op .It Ev TLS_CLIENT_ISSUER
583 28ec6178 2021-01-24 op The is the issuer of the client certificate if provided, otherwise
585 677afbd3 2020-12-02 op .It Ev TLS_CLIENT_HASH
586 677afbd3 2020-12-02 op The hash of the client certificate if provided, otherwise unset.
587 ee655e64 2021-02-01 op The format is
588 ee655e64 2021-02-01 op .Dq ALGO:HASH .
589 89541eee 2021-04-13 op .It Ev TLS_VERSION
590 89541eee 2021-04-13 op The TLS version negotiated with the peer.
591 89541eee 2021-04-13 op .It Ev TLS_CIPHER
592 89541eee 2021-04-13 op The cipher suite negotiated with the peer.
593 89541eee 2021-04-13 op .It Ev TLS_CIPHER_STRENGTH
594 89541eee 2021-04-13 op The strength in bits for the symmetric cipher that is being used with
596 b63e30ff 2021-02-07 op .It Ev TLS_CLIENT_NOT_AFTER
597 b63e30ff 2021-02-07 op The time corresponding to the end of the validity period of the peer
598 b63e30ff 2021-02-07 op certificate in the ISO 8601 format
599 b63e30ff 2021-02-07 op .Pq e.g. Dq 2021-02-07T20:17:41Z .
600 b63e30ff 2021-02-07 op .It Ev TLS_CLIENT_NOT_BEFORE
601 b63e30ff 2021-02-07 op The time corresponding to the start of the validity period of the peer
602 b63e30ff 2021-02-07 op certificate in the ISO 8601 format.
606 ada16f87 2021-06-11 op optionally supports FastCGI.
609 ada16f87 2021-06-11 op rule must be present in a server or location block.
610 ada16f87 2021-06-11 op Then, all requests matching that server or location will be handled
611 ada16f87 2021-06-11 op via the specified FastCGI backend.
613 ada16f87 2021-06-11 op By default the following variables
614 ada16f87 2021-06-11 op .Pq parameters
615 ada16f87 2021-06-11 op are sent, and carry the same semantics as with CGI.
616 ada16f87 2021-06-11 op More parameters can be added with the
620 ada16f87 2021-06-11 op .Bl -bullet -compact
622 ada16f87 2021-06-11 op GATEWAY_INTERFACE
624 ada16f87 2021-06-11 op GEMINI_URL_PATH
632 ada16f87 2021-06-11 op REQUEST_METHOD
636 ada16f87 2021-06-11 op SERVER_PROTOCOL
638 ada16f87 2021-06-11 op SERVER_SOFTWARE
644 ada16f87 2021-06-11 op TLS_CLIENT_ISSUER
646 ada16f87 2021-06-11 op TLS_CLIENT_HASH
652 ada16f87 2021-06-11 op TLS_CIPHER_STRENGTH
654 ada16f87 2021-06-11 op TLS_CLIENT_NOT_BEFORE
656 ada16f87 2021-06-11 op TLS_CLIENT_NOT_AFTER
658 c586dfea 2022-01-30 op .Sh MEDIA TYPES
659 75fbb178 2021-01-28 op To auto-detect the MIME type of the response
661 e0bf950d 2022-02-26 op looks at the file extension and consults an internal table.
662 75fbb178 2021-01-28 op If no MIME is found, the value of
663 75fbb178 2021-01-28 op .Ic default type
664 75fbb178 2021-01-28 op matching the file
666 e0bf950d 2022-02-26 op will be used, or
667 e0bf950d 2022-02-26 op .Dq application/octet-stream .
669 e0bf950d 2022-02-26 op By default the following mappings are loaded, but they can be
670 e0bf950d 2022-02-26 op overridden or extended using the
671 e0bf950d 2022-02-26 op .Ic type Brq ...
674 75fbb178 2021-01-28 op .Bl -tag -offset indent -width 14m -compact
677 75fbb178 2021-01-28 op .It gemini, gmi
685 75fbb178 2021-01-28 op .It markdown, md
686 75fbb178 2021-01-28 op text/markdown
690 75fbb178 2021-01-28 op application/pdf
694 75fbb178 2021-01-28 op image/svg+xml
701 e58a447a 2021-07-29 op Messages and requests are logged by
705 e58a447a 2021-07-29 op facility or printed on
708 e58a447a 2021-07-29 op Requests are logged with the
711 e58a447a 2021-07-29 op Each request log entry has the following fields, separated by
714 e58a447a 2021-07-29 op .Bl -bullet -compact
716 e58a447a 2021-07-29 op Client IP address and the source port number, separated by a colon
723 e58a447a 2021-07-29 op Response status
725 e58a447a 2021-07-29 op Response meta
728 f28d96d3 2021-01-25 op Serve the current directory
729 6980aad6 2020-10-02 op .Bd -literal -offset indent
733 f28d96d3 2021-01-25 op To serve the directory
735 f28d96d3 2021-01-25 op and enable CGI scripts inside
737 0ed56567 2020-11-06 op .Bd -literal -offset indent
738 f28d96d3 2021-01-25 op $ mkdir docs/cgi
739 b7a99061 2021-04-15 op $ cat <<EOF > docs/cgi/hello
741 af5f9b27 2021-07-21 op printf "20 text/plain\er\en"
742 f28d96d3 2021-01-25 op echo "hello world"
744 f28d96d3 2021-01-25 op $ chmod +x docs/cgi/hello
745 b890467e 2021-03-20 op $ gmid -x '/cgi/*' docs
748 e308526c 2021-07-29 op An X.509 certificate must be provided to run
750 e308526c 2021-07-29 op using a configuration file.
751 e308526c 2021-07-29 op First, the RSA certificate is created using a wildcard common name:
752 e308526c 2021-07-29 op .Bd -literal -offset indent
753 e308526c 2021-07-29 op # openssl genrsa \-out /etc/ssl/private/example.com.key 4096
754 1298e430 2021-10-09 op # openssl req \-new \-x509 \e
755 1298e430 2021-10-09 op \-key /etc/ssl/private/example.com.key \e
756 1298e430 2021-10-09 op \-out /etc/ssl/example.com.crt \e
757 1298e430 2021-10-09 op \-days 36500 \-nodes \e
758 2bb1776b 2021-07-29 op \-subj "/CN=example.com"
759 e308526c 2021-07-29 op # chmod 600 /etc/ssl/example.com.crt
760 e308526c 2021-07-29 op # chmod 600 /etc/ssl/private/example.com.key
763 e308526c 2021-07-29 op In the example above, a certificate is valid for one hundred years from
764 e308526c 2021-07-29 op the date it was created, which is normal for TOFU.
766 eb699783 2021-01-18 op The following is an example of a possible configuration for a site
767 4ee08593 2022-04-07 op that enables only TLSv1.3, adds the MIME types mapping from
768 4ee08593 2022-04-07 op .Pa /usr/share/misc/mime.types
769 e308526c 2021-07-29 op and defines two virtual host:
770 eb699783 2021-01-18 op .Bd -literal -offset indent
771 eb699783 2021-01-18 op ipv6 on # enable ipv6
773 eb699783 2021-01-18 op protocols "tlsv1.3"
776 4ee08593 2022-04-07 op include "/usr/share/misc/mime.types"
779 eb699783 2021-01-18 op server "example.com" {
780 e308526c 2021-07-29 op cert "/etc/ssl/example.com.crt"
781 e308526c 2021-07-29 op key "/etc/ssl/private/example.com.key"
782 eb699783 2021-01-18 op root "/var/gemini/example.com"
785 eb699783 2021-01-18 op server "it.example.com" {
786 e308526c 2021-07-29 op cert "/etc/ssl/example.com.crt"
787 e308526c 2021-07-29 op key "/etc/ssl/private/example.com.key"
788 eb699783 2021-01-18 op root "/var/gemini/it.example.com"
790 2b520ad5 2021-07-09 op # enable cgi scripts inside "cgi-bin"
791 87f2b68b 2021-02-02 op cgi "/cgi-bin/*"
793 2b520ad5 2021-07-09 op # set the language for text/gemini files
798 f28d96d3 2021-01-25 op Yet another example, showing how to enable a
803 f28d96d3 2021-01-25 op .Bd -literal -offset indent
804 f28d96d3 2021-01-25 op chroot "/var/gemini"
807 f28d96d3 2021-01-25 op server "example.com" {
808 2b520ad5 2021-07-09 op cert "/path/to/cert.pem" # absolute path
809 2b520ad5 2021-07-09 op key "/path/to/key.pem" # also absolute
810 2b520ad5 2021-07-09 op root "/example.com" # relative to the chroot
812 4ee08bd1 2021-02-03 op location "/static/*" {
813 2b520ad5 2021-07-09 op # load the following rules only for
814 2b520ad5 2021-07-09 op # requests that matches "/static/*"
816 f28d96d3 2021-01-25 op auto index on
817 f28d96d3 2021-01-25 op index "index.gemini"
821 ef04b551 2021-01-09 op .Sh ACKNOWLEDGEMENTS
824 eb699783 2021-01-18 op .Dq Flexible and Economical
825 eb699783 2021-01-18 op UTF-8 decoder written by
826 f28d96d3 2021-01-25 op .An Bjoern Hoehrmann .
831 714685c1 2021-01-30 op program was written by
832 714685c1 2021-01-30 op .An Omar Polo Aq Mt op@omarpolo.com .
836 2b520ad5 2021-07-09 op All the root directories are opened during the daemon startup; if a
837 2b520ad5 2021-07-09 op root directory is deleted and then re-created,
839 eb699783 2021-01-18 op won't be able to serve files inside that directory until a restart.
840 2b520ad5 2021-07-09 op This restriction only applies to the root directories and not their
843 714685c1 2021-01-30 op a %2F sequence is indistinguishable from a literal slash: this is not
844 714685c1 2021-01-30 op RFC3986-compliant.
846 714685c1 2021-01-30 op a %00 sequence is treated as invalid character and thus rejected.