3 83715601 2022-12-02 op **the `master` branch is WIP: it's what gmid 2.0 will be, with breaking
4 83715601 2022-12-02 op changes et al. Please use the latest release from the 1.8 branch for a
5 83715601 2022-12-02 op stable and documented experience, thank you.**
7 b9231167 2021-02-08 op gmid is a fast Gemini server written with security in mind. I
8 b9231167 2021-02-08 op initially wrote it to serve static files, but it has grown into a
9 747b35d0 2021-02-08 op featureful server.
14 601bc1cc 2021-01-30 op (random order)
16 08ce6f52 2021-04-29 op - sandboxed by default on OpenBSD, Linux and FreeBSD
17 747b35d0 2021-02-08 op - reconfiguration: reload the running configuration without
19 290b5baa 2021-02-23 op - automatic redirect/error pages (see `block return`)
20 4d2ec6d7 2021-01-13 op - IRI support (RFC3987)
21 601bc1cc 2021-01-30 op - automatic certificate generation for config-less mode
22 c3eb759a 2021-12-29 op - reverse proxying
23 d29a2ee2 2022-09-06 op - FastCGI support
24 08ce6f52 2021-04-29 op - virtual hosts
25 08ce6f52 2021-04-29 op - location rules
26 b9231167 2021-02-08 op - event-based asynchronous I/O model
27 08ce6f52 2021-04-29 op - low memory footprint
28 b9220ca4 2021-01-11 op - small codebase, easily hackable
31 286c4f40 2021-01-27 op ## Internationalisation (IRIs, UNICODE, punycode, all that stuff)
33 286c4f40 2021-01-27 op Even though the current Gemini specification doesn't mention anything
34 601bc1cc 2021-01-30 op in this regard, I do think these are important things and so I tried
35 601bc1cc 2021-01-30 op to implement them in the most user-friendly way I could think of.
37 601bc1cc 2021-01-30 op For starters, gmid has full support for IRI (RFC3987 —
38 22a742e4 2021-01-29 op Internationalized Resource Identifiers). IRIs are a superset of URIs,
39 286c4f40 2021-01-27 op so there aren't incompatibilities with URI-only clients.
41 601bc1cc 2021-01-30 op There is full support also for punycode. In theory, the user doesn't
42 286c4f40 2021-01-27 op even need to know that punycode is a thing. The hostname in the
43 601bc1cc 2021-01-30 op configuration file can (and must) be in the decoded form (e.g. `naïve`
44 601bc1cc 2021-01-30 op and not `xn--nave-6pa`), gmid will do the rest.
46 601bc1cc 2021-01-30 op The only missing piece is UNICODE normalisation of the IRI path: gmid
47 601bc1cc 2021-01-30 op doesn't do that (yet).
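
The following is an added illustration, not gmid's code: it shows what matching a decoded hostname against a punycode request involves, and why the lack of path normalisation matters. The `VHOSTS` table, the function names and the choice of NFC for hostnames are assumptions of the example.

```python
import unicodedata
from urllib.parse import quote

# Hypothetical vhost table (constructed sample data). Names are in the
# decoded form, as the README says the configuration file must have them.
VHOSTS = {
    "na\u00efve.example": "/var/gemini/naive",   # "naïve.example"
    "example.com": "/var/gemini/example.com",
}

def decode_host(host: str) -> str:
    """Return the decoded, lower-case, NFC form of a request hostname."""
    labels = []
    for label in host.rstrip(".").split("."):
        low = label.lower()
        if low.startswith("xn--"):
            # A-label: undo punycode. Malformed input raises UnicodeError.
            low = low[4:].encode("ascii").decode("punycode")
        # NFC (this example's choice) so composed and decomposed
        # spellings of the same name compare equal.
        labels.append(unicodedata.normalize("NFC", low).lower())
    return ".".join(labels)

def match_vhost(host: str):
    """Map a request hostname to a document root, or None if unknown."""
    try:
        return VHOSTS.get(decode_host(host))
    except UnicodeError:
        return None  # reject malformed A-labels instead of guessing

def path_bytes(path: str) -> str:
    """Percent-encode an IRI path as raw UTF-8, with no normalisation."""
    return quote(path, safe="/")

if __name__ == "__main__":
    for h in ("xn--nave-6pa.example", "nai\u0308ve.example", "other.example"):
        print(repr(h), "->", match_vhost(h))
    # Same visible path, two different byte sequences on disk and on the wire:
    print(path_bytes("/caf\u00e9"), "vs", path_bytes("/cafe\u0301"))
```

Without path normalisation, the two spellings of `/café` name different files, so access rules or links written in one form do not apply to the other.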
50 1487e11e 2021-02-06 op ## Configuration
52 1487e11e 2021-02-06 op gmid has a rich configuration file, heavily inspired by OpenBSD's
53 08ce6f52 2021-04-29 op httpd, with every detail carefully documented in the manpage. Here's
54 08ce6f52 2021-04-29 op a minimal example of a config file:
57 08ce6f52 2021-04-29 op server "example.com" {
58 08ce6f52 2021-04-29 op cert "/path/to/cert.pem"
59 08ce6f52 2021-04-29 op key "/path/to/key.pem"
60 08ce6f52 2021-04-29 op root "/var/gemini/example.com"
64 3759d3eb 2021-07-06 op and a slightly more complex one
67 1487e11e 2021-02-06 op ipv6 on # enable ipv6
69 3759d3eb 2021-07-06 op # define a macro
70 3759d3eb 2021-07-06 op cert_root = "/path/to/keys"
72 1487e11e 2021-02-06 op server "example.com" {
73 08ce6f52 2021-04-29 op alias "foobar.com"
75 3759d3eb 2021-07-06 op cert $cert_root "/example.com.crt"
76 3759d3eb 2021-07-06 op key $cert_root "/example.com.pem"
77 08ce6f52 2021-04-29 op root "/var/gemini/example.com"
79 08ce6f52 2021-04-29 op # lang for text/gemini files
82 08ce6f52 2021-04-29 op # only for locations that match /files/*
83 08ce6f52 2021-04-29 op location "/files/*" {
84 08ce6f52 2021-04-29 op # generate directory listings
88 08ce6f52 2021-04-29 op location "/repo/*" {
89 08ce6f52 2021-04-29 op # change the index file name
90 08ce6f52 2021-04-29 op index "README.gmi"
99 4252e62c 2022-03-29 op gmid depends on libevent2, OpenSSL/LibreSSL and libtls (provided
100 4252e62c 2022-03-29 op either by LibreSSL or libretls). At build time, yacc (or GNU bison)
101 4252e62c 2022-03-29 op is also needed.
103 771d8f28 2021-01-17 op The build is as simple as
108 2ddc9271 2021-03-29 op or `make static` to build a statically-linked executable.
110 8f0da580 2021-01-21 op If the configure script fails to pick up something, please open an
111 f980545b 2021-01-21 op issue or notify me via email.
113 771d8f28 2021-01-17 op To install execute:
117 bb4be662 2021-04-25 op Please keep in mind that the master branch, from time to time, may be
118 bb4be662 2021-04-25 op accidentally broken on some platforms. gmid is developed primarily on
119 bb4be662 2021-04-25 op OpenBSD/amd64 and commits on the master branch don't always get tested
120 bb4be662 2021-04-25 op on other OSes. Before tagging a release, however, comprehensive
121 c79b63f5 2021-04-27 op testing on various platforms is done to ensure that everything is
122 c79b63f5 2021-04-27 op working as intended.
131 ed78e81b 2022-02-18 op to start the suite. Keep in mind that the regression tests need to
132 601bc1cc 2021-01-30 op create files inside the `regress` directory and bind the 10965 port.
135 456a4c6b 2022-03-29 op ## Contributing
137 456a4c6b 2022-03-29 op Any form of contribution is welcome, not only patches or bug reports.
138 456a4c6b 2022-03-29 op If you have a sample configuration for some specific use-case, a
139 456a4c6b 2022-03-29 op script or anything that could be useful to others, consider adding it
140 456a4c6b 2022-03-29 op to the `contrib` directory.
143 881a9dd9 2021-01-16 op ## Architecture/Security considerations
145 d29a2ee2 2022-09-06 op **outdated: revisit for gmid 2.0**
148 290b5baa 2021-02-23 op gmid is composed of four processes: the parent process, the logger,
149 290b5baa 2021-02-23 op the listener and the executor. The parent process is the only one
150 290b5baa 2021-02-23 op that doesn't drop privileges, but all it does is to wait for a SIGHUP
151 290b5baa 2021-02-23 op to reload the configuration and spawn a new generation of child
152 e58a447a 2021-07-29 op processes. The logger process gathers the logs and prints 'em to
153 290b5baa 2021-02-23 op stderr or syslog (for the time being.) The listener process is the
154 290b5baa 2021-02-23 op only one that needs internet access and is sandboxed by default. The
155 be52e954 2021-07-09 op executor process exists only to fork and execute CGI scripts, and
156 be52e954 2021-07-09 op optionally to connect to FastCGI applications.
158 dcfdb969 2021-10-24 op On OpenBSD the processes are all `pledge(2)`d and `unveil(2)`ed.
160 94be0bf0 2021-03-20 op On FreeBSD, the listener and logger processes are sandboxed with `capsicum(4)`.
162 601bc1cc 2021-01-30 op On Linux, a `seccomp(2)` filter is installed in the listener to allow
163 601bc1cc 2021-01-30 op only certain syscalls, see [sandbox.c](sandbox.c) for more information
164 67c49bc5 2021-09-19 op about the BPF program. If available, landlock is used to limit the
165 67c49bc5 2021-09-19 op portion of the file system gmid can access (requires Linux 5.13+).
167 6957a8c2 2021-06-04 op In any case, it's advisable to run gmid inside some sort of
168 0b00962d 2021-01-25 op container/jail/chroot.