op public repos

Blob

Date:: Mon May 24 09:07:28 2021 UTC
Message:: document `fastcgi' config option
Actions:: History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>
2 .\"
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
6 .\"
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: January 30 2021$
15 .Dt GMID 1
16 .Os
17 .Sh NAME
18 .Nm gmid
19 .Nd simple and secure Gemini server
20 .Sh SYNOPSIS
21 .Nm
22 .Bk -words
23 .Op Fl fnv
24 .Op Fl c Ar config
25 .Op Fl P Ar pidfile
26 .Ek
27 .Nm
28 .Bk -words
29 .Op Fl 6hv
30 .Op Fl d Pa certs-dir
31 .Op Fl H Ar hostname
32 .Op Fl p Ar port
33 .Op Fl x Pa cgi
34 .Op Pa dir
35 .Ek
36 .Sh DESCRIPTION
37 .Nm
38 is a simple and minimal gemini server that can serve static files,
39 execute CGI scripts and talk to FastCGI applications.
40 It can run without a configuration file with a limited set of features
41 available.
42 .Pp
43 .Nm
44 rereads the configuration file when it receives
45 .Dv SIGHUP .
46 .Pp
47 The options are as follows:
48 .Bl -tag -width 14m
49 .It Fl c Pa config
50 Specify the configuration file.
51 .It Fl f
52 Stays and logs on the foreground.
53 .It Fl n
54 Check that the configuration is valid, but don't start the server.
55 .It Fl P Pa pidfile
56 Write
57 .Nm
58 pid to the given path.
59 .El
60 .Pp
61 If no configuration file is given,
62 .Nm
63 will look for the following options
64 .Bl -tag -width 14m
65 .It Fl 6
66 Enable IPv6.
67 .It Fl d Pa certs-path
68 Directory where certificates for the config-less mode are stored.
69 By default is
70 .Pa $XDG_DATA_HOME/gmid ,
71 i.e.
72 .Pa ~/.local/share/gmid .
73 .It Fl H Ar hostname
74 The hostname, by default
75 .Ar localhost .
76 Certificates for the given
77 .Ar hostname
78 are searched inside the
79 .Pa certs-dir
80 directory given with the
81 .Fl d
82 option.
83 They have the form
84 .Pa hostname.cert.pem
85 and
86 .Pa hostname.key.pem .
87 If a certificate or key don't exists for a given hostname they
88 will be automatically generated.
89 .It Fl h
90 Print the usage and exit.
91 .It Fl p Ar port
92 The port to listen on, by default 1965.
93 .It Fl v
94 Verbose mode.
95 Multiple
96 .Fl v
97 options increase the verbosity.
98 .It Fl x Pa path
99 Enable execution of CGI scripts.
100 See the description of the
101 .Ic cgi
102 option in the section
103 .Sq Servers
104 below to learn how
105 .Pa path
106 is processed.
107 Cannot be provided more than once.
108 .It Pa dir
109 The root directory to serve.
110 By default the current working directory is assumed.
111 .El
112 .Sh CONFIGURATION FILE
113 The configuration file is divided into two sections:
114 .Bl -tag -width xxxx
115 .It Sy Global Options
116 Global settings for
117 .Nm .
118 .It Sy Servers
119 Virtual hosts definition.
120 .El
121 .Pp
122 Within the sections, empty lines are ignored and comments can be put
123 anywhere in the file using a hash mark
124 .Pq Sq # ,
125 and extend to the end of the current line.
126 A boolean is either the symbol
127 .Sq on
128 or
129 .Sq off .
130 A string is a sequence of characters wrapped in double quotes,
131 .Dq like this .
132 .Ss Global Options
133 .Bl -tag -width 12m
134 .It Ic chroot Pa path
135 .Xr chroot 2
136 the process to the given
137 .Pa path .
138 The daemon has to be run with root privileges and thus the option
139 .Ic user
140 needs to be provided, so privileges can be dropped.
141 Note that
142 .Nm
143 will enter the chroot after loading the TLS keys, but before opening
144 the virtual host root directories.
145 It's recommended to keep the TLS keys outside the chroot.
146 Future version of
147 .Nm
148 may enforce this.
149 .It Ic ipv6 Ar bool
150 Enable or disable IPv6 support.
151 By default is off.
152 .It Ic mime Ar mime-type Ar file-extension
153 Add a mapping for the given
154 .Ar file-extension
155 to the given
156 .Ar mime-type .
157 Both argument are strings.
158 .It Ic port Ar portno
159 The port to listen on.
160 By default is 1965.
161 .It Ic prefork Ar number
162 Run the specified number of server processes.
163 This increases the performance and prevents delays when connecting to
164 a server.
165 .Nm
166 runs 3 server processes by default, when not in config-less mode.
167 The maximum number allowed is 16.
168 .It Ic protocols Ar string
169 Specify the TLS protocols to enable.
170 Refer to
171 .Xr tls_config_parse_protocols 3
172 for the valid protocol string values.
173 By default, both TLSv1.3 and TLSv1.2 are enabled.
174 Use
175 .Dq tlsv1.3
176 to enable only TLSv1.3.
177 .It Ic user Ar string
178 Run the daemon as the given user.
179 .El
180 .Ss Servers
181 Every virtual host is defined by a
182 .Ic server
183 block:
184 .Bl -tag -width Ds
185 .It Ic server Ar hostname Brq ...
186 Match the server name using shell globbing rules.
187 This can be an explicit name,
188 .Ar www.example.com ,
189 or a name including a wildcards,
190 .Ar *.example.com .
191 .El
192 .Pp
193 Followed by a block of options that is enclosed in curly brackets:
194 .Bl -tag -width Ds
195 .It Ic alias Ar name
196 Specify an additional alias
197 .Ar name
198 for this server.
199 .It Ic auto Ic index Ar bool
200 If no index file is found, automatically generate a directory listing.
201 It's disabled by default.
202 .It Ic block Op Ic return Ar code Op Ar meta
203 Send a reply and close the connection;
204 .Ar code
205 is 40
206 and
207 .Ar meta
208 is
209 .Dq temporary failure
210 by default.
211 If
212 .Ar code
213 is in the 3x range, then
214 .Ar meta
215 must be provided.
216 Inside
217 .Ar meta ,
218 the following special sequences are replaced:
219 .Bl -tag -compact
220 .It \&%\&%
221 is replaced with a single
222 .Sq \&% .
223 .It \&%p
224 is replaced with the request path.
225 .It \&%q
226 is replaced with the query string of the request.
227 .It \&%P
228 is replaced with the server port.
229 .It \&%N
230 is replaced with the server name.
231 .El
232 .It Ic cert Pa file
233 Path to the certificate to use for this server.
234 The
235 .Pa file
236 should contain a PEM encoded certificate.
237 This option is mandatory.
238 .It Ic cgi Pa path
239 Execute CGI scripts that matches
240 .Pa path
241 using shell globbing rules.
242 .It Ic default type Ar string
243 Set the default media type that is used if the media type for a
244 specified extension is not found.
245 If not specified, the
246 .Ic default type
247 is set to
248 .Dq application/octet-stream .
249 .It Ic entrypoint Pa path
250 Handle all the requests for the current virtual host using the
251 CGI script at
252 .Pa path .
253 .It Ic env Ar name Ar value
254 Set the environment variable
255 .Ar name
256 to
257 .Ar value
258 when executing CGI scripts.
259 Can be provided more than once.
260 .\" don't document the "spawn <prog>" form because it probably won't
261  \" be kept.
262 .It Ic fastcgi Oo Ic tcp Oc Pa socket Oo Ar port Oc
263 Enable FastCGI instead of serving files.
264 The
265 .Pa socket
266 can either be a UNIX domain socket or a TCP socket.
267 If the FastCGI application is listening on a UNIX domain socket,
268 .Pa socket
269 is a local path name within the
270 .Xr chroot 2
271 root directory of
272 .Nm .
273 Otherwise, the
274 .Ic tcp
275 keyword must be provided and
276 .Pa socket
277 is interpreted as a hostname or an IP address.
278 .Ar port
279 can be either a port number or the name of a service enclosed in
280 double quotes.
281 If it's not specified defaults to 9000.
282 .It Ic index Ar string
283 Set the directory index file.
284 If not specified, it defaults to
285 .Pa index.gmi .
286 .It Ic key Pa file
287 Specify the private key to use for this server.
288 The
289 .Pa file
290 should contain a PEM encoded private key.
291 This option is mandatory.
292 .It Ic lang Ar string
293 Specify the language tag for the text/gemini content served.
294 If not specified, no
295 .Dq lang
296 parameter will be added in the response.
297 .It Ic location Pa path Brq ...
298 Specify server configuration rules for a specific location.
299 The
300 .Pa path
301 argument will be matched against the request path with shell globbing
302 rules.
303 In case of multiple location statements in the same context, the first
304 matching location will be put into effect and the later ones ignored.
305 Therefore is advisable to match for more specific paths first and for
306 generic ones later on.
307 A
308 .Ic location
309 section may include most of the server configuration rules
310 except
311 .Ic alias , Ic cert , Ic env , Ic key , Ic location ,
312 .Ic entrypoint No and Ic cgi .
313 .It Ic root Pa directory
314 Specify the root directory for this server.
315 It's relative to the chroot, if enabled.
316 .It Ic require Ic client Ic ca Pa path
317 Allow requests only from clients that provide a certificate signed by
318 the CA certificate in
319 .Pa path .
320 It needs to be a PEM-encoded certificate and it's not relative to the
321 chroot.
322 .It Ic strip Ar number
323 Strip
324 .Ar number
325 components from the beginning of the path before doing a lookup in the
326 root directory.
327 It's also considered for the
328 .Ar meta
329 parameter in the scope of a
330 .Ic block return .
331 .El
332 .Sh CGI
333 When a request for an executable file matches the
334 .Ic cgi
335 rule, that file will be execute and its output fed to the client.
336 .Pp
337 The CGI scripts are executed in the directory they reside and inherit
338 the environment from
339 .Nm
340 with these additional variables set:
341 .Bl -tag -width 24m
342 .It Ev GATEWAY_INTERFACE
343 .Dq CGI/1.1
344 .It Ev GEMINI_DOCUMENT_ROOT
345 The root directory of the virtual host.
346 .It Ev GEMINI_SCRIPT_FILENAME
347 Full path to the CGI script being executed.
348 .It Ev GEMINI_URL
349 The full IRI of the request.
350 .It Ev GEMINI_URL_PATH
351 The path of the request.
352 .It Ev PATH_INFO
353 The portion of the requested path that is derived from the the IRI
354 path hierarchy following the part that identifies the script itself.
355 Can be unset.
356 .It Ev PATH_TRANSLATED
357 Present if and only if
358 .Ev PATH_INFO
359 is set.
360 It represent the translation of the
361 .Ev PATH_INFO .
362 .Nm
363 builds this by appending the
364 .Ev PATH_INFO
365 to the virtual host directory root.
366 .It Ev QUERY_STRING
367 The decoded query string.
368 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
369 Textual representation of the client IP.
370 .It Ev REQUEST_METHOD
371 This is present only for RFC3875 (CGI) compliance.
372 It's always set to the empty string.
373 .It Ev SCRIPT_NAME
374 The part of the
375 .Ev GEMINI_URL_PATH
376 that identifies the current CGI script.
377 .It Ev SERVER_NAME
378 The name of the server
379 .It Ev SERVER_PORT
380 The port the server is listening on.
381 .It Ev SERVER_PROTOCOL
382 .Dq GEMINI
383 .It Ev SERVER_SOFTWARE
384 The name and version of the server, i.e.
385 .Dq gmid/1.5
386 .It Ev AUTH_TYPE
387 The string "Certificate" if the client used a certificate, otherwise
388 unset.
389 .It Ev REMOTE_USER
390 The subject of the client certificate if provided, otherwise unset.
391 .It Ev TLS_CLIENT_ISSUER
392 The is the issuer of the client certificate if provided, otherwise
393 unset.
394 .It Ev TLS_CLIENT_HASH
395 The hash of the client certificate if provided, otherwise unset.
396 The format is
397 .Dq ALGO:HASH .
398 .It Ev TLS_VERSION
399 The TLS version negotiated with the peer.
400 .It Ev TLS_CIPHER
401 The cipher suite negotiated with the peer.
402 .It Ev TLS_CIPHER_STRENGTH
403 The strength in bits for the symmetric cipher that is being used with
404 the peer.
405 .It Ev TLS_CLIENT_NOT_AFTER
406 The time corresponding to the end of the validity period of the peer
407 certificate in the ISO 8601 format
408 .Pq e.g. Dq 2021-02-07T20:17:41Z .
409 .It Ev TLS_CLIENT_NOT_BEFORE
410 The time corresponding to the start of the validity period of the peer
411 certificate in the ISO 8601 format.
412 .El
413 .Pp
414 .Sh MIME
415 To auto-detect the MIME type of the response
416 .Nm
417 looks at the file extension and consults its internal table.
418 By default the following mappings are loaded, but they can be
419 overridden or extended using the
420 .Ic mime
421 configuration option.
422 If no MIME is found, the value of
423 .Ic default type
424 matching the file
425 .Ic location
426 will be used, which is
427 .Dq application/octet-stream
428 by default.
429 .Pp
430 .Bl -tag -offset indent -width 14m -compact
431 .It diff
432 text/x-patch
433 .It gemini, gmi
434 text/gemini
435 .It gif
436 image/gif
437 .It jpeg
438 image/jpeg
439 .It jpg
440 image/jpeg
441 .It markdown, md
442 text/markdown
443 .It patch
444 text/x-patch
445 .It pdf
446 application/pdf
447 .It png
448 image/png
449 .It svg
450 image/svg+xml
451 .It txt
452 text/plain
453 .It xml
454 text/xml
455 .El
456 .Sh EXAMPLES
457 Serve the current directory
458 .Bd -literal -offset indent
459 $ gmid .
460 .Ed
461 .Pp
462 To serve the directory
463 .Pa docs
464 and enable CGI scripts inside
465 .Pa docs/cgi ,
466 you can
467 .Bd -literal -offset indent
468 $ mkdir docs/cgi
469 $ cat <<EOF > docs/cgi/hello
470 #!/bin/sh
471 printf "20 text/plain\\r\\n"
472 echo "hello world"
473 EOF
474 $ chmod +x docs/cgi/hello
475 $ gmid -x '/cgi/*' docs
476 .Ed
477 .Pp
478 The following is an example of a possible configuration for a site
479 that enables only TLSv1.3, adds a mime type for the file extension
480 "rtf" and defines two virtual host:
481 .Bd -literal -offset indent
482 ipv6 on		# enable ipv6
483 
484 protocols "tlsv1.3"
485 
486 mime "application/rtf" "rtf"
487 
488 server "example.com" {
489 	cert "/path/to/cert.pem"
490 	key  "/path/to/key.pem"
491 	root "/var/gemini/example.com"
492 }
493 
494 server "it.example.com" {
495 	cert "/path/to/cert.pem"
496 	key  "/path/to/key.pem"
497 	root "/var/gemini/it.example.com"
498 	cgi  "/cgi-bin/*"
499 	lang "it"
500 }
501 .Ed
502 .Pp
503 Yet another example, showing how to enable a
504 .Ic chroot
505 and use
506 .Ic location
507 rule
508 .Bd -literal -offset indent
509 chroot "/var/gemini"
510 user "_gmid"
511 
512 server "example.com" {
513 	cert "/path/to/cert.pem"
514 	key  "/path/to/key.pem"
515 	root "/example.com" # in the /var/gemini chroot
516 
517 	location "/static/*" {
518 		auto index on
519 		index "index.gemini"
520 	}
521 }
522 .Ed
523 .Sh ACKNOWLEDGEMENTS
524 .Nm
525 uses the
526 .Dq Flexible and Economical
527 UTF-8 decoder written by
528 .An Bjoern Hoehrmann .
529 .Sh AUTHORS
530 .An -nosplit
531 The
532 .Nm
533 program was written by
534 .An Omar Polo Aq Mt op@omarpolo.com .
535 .Sh CAVEATS
536 .Bl -bullet
537 .It
538 The root directories of all virtual hosts are opened during the daemon
539 startup; this means that if a root directory gets deleted and then
540 re-created,
541 .Nm
542 won't be able to serve files inside that directory until a restart.
543 This restriction applies only to the root directories and not their content.
544 .It
545 a %2F sequence is indistinguishable from a literal slash: this is not
546 RFC3986-compliant.
547 .It
548 a %00 sequence is treated as invalid character and thus rejected.
549 .El