op public repos

Blob

Date:: Wed Jan 27 12:04:37 2021 UTC
Message:: drop the daemon config in favour of the -f flag Now it daemonize by default when running with a config, unless the -f flag is given.
Actions:: History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>
2 .\"
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
6 .\"
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: January 25 2021$
15 .Dt GMIND 1
16 .Os
17 .Sh NAME
18 .Nm gmid
19 .Nd dead simple zero configuration gemini server
20 .Sh SYNOPSIS
21 .Nm
22 .Bk -words
23 .Op Fl fn
24 .Op Fl c Ar config
25 |
26 .Op Fl 6h
27 .Op Fl d Pa certs-dir
28 .Op Fl H Ar hostname
29 .Op Fl p Ar port
30 .Op Fl x Pa cgi
31 .Op Pa dir
32 .Ek
33 .Sh DESCRIPTION
34 .Nm
35 is a simple and minimal gemini server that can serve static files and
36 execute CGI scripts.
37 It can run without a configuration file with a limited set of features
38 available.
39 If a configuration file is given, no other flags shall be given,
40 except for
41 .Fl f
42 and
43 .Fl n .
44 .Pp
45 .Nm
46 fully supports IRIs (Internationalized Resource Identifiers, see
47 RFC3987).
48 .Pp
49 The options are as follows:
50 .Bl -tag -width 14m
51 .It Fl c Pa config
52 Specify the configuration file.
53 .It Fl f
54 Stays and logs on the foreground.
55 .It Fl n
56 Check that the configuration is valid, but don't start the server.
57 .El
58 .Pp
59 If no configuration file is given,
60 .Nm
61 will look for the following options
62 .Bl -tag -width 14m
63 .It Fl 6
64 Enable IPv6.
65 .It Fl d Pa certs-path
66 Directory where certificates for the config-less mode are stored.
67 By default is
68 .Pa $XDG_DATA_HOME/gmid ,
69 i.e.
70 .Pa ~/.local/share/gmid .
71 .It Fl H Ar hostname
72 The hostname, by default
73 .Ar localhost .
74 Certificates for the given
75 .Ar hostname
76 are searched inside the
77 .Pa certs-dir
78 directory given with the
79 .Fl d
80 option.
81 The have the form
82 .Pa hostname.cert.pem
83 and
84 .Pa hostname.key.pem .
85 If a certificate and key doesn't exists for a given hostname they
86 would be automatically generated.
87 .It Fl h
88 Print the usage and exit.
89 .It Fl p Ar port
90 The port to listen on, by default 1965.
91 .It Fl x Pa path
92 Enable execution of CGI scripts.
93 See the description of the
94 .Ic cgi
95 .Ic server
96 option in the section
97 .Sq Servers
98 below to learn how
99 .Pa path
100 is processed.
101 Cannot be provided more than once.
102 .It Pa dir
103 The root directory to serve.
104 By default the current working directory is assumed.
105 .El
106 .Sh CONFIGURATION FILE
107 The configuration file is divided into two sections:
108 .Bl -tag -width xxxx
109 .It Sy Global Options
110 Global settings for
111 .Nm .
112 .It Sy Servers
113 Virtual hosts definition.
114 .El
115 .Pp
116 Within the sections, empty lines are ignored and comments can be put
117 anywhere in the file using a hash mark
118 .Pq Sq # ,
119 and extend to the end of the current line.
120 A boolean is either the symbol
121 .Sq on
122 or
123 .Sq off .
124 A string is a sequence of characters wrapped in double quotes,
125 .Dq like this .
126 .Ss Global Options
127 .Bl -tag -width 12m
128 .It Ic ipv6 Ar bool
129 Enable or disable IPv6 support.
130 By default is off.
131 .It Ic port Ar portno
132 The port to listen on.
133 By default is 1965.
134 .It Ic protocols Ar string
135 Specify the TLS protocols to enable.
136 Refer to
137 .Xr tls_config_parse_protocols 3
138 for the valid protocol string values.
139 By default, both TLSv1.3 and TLSv1.2 are used.
140 Use
141 .Dq tlsv1.3
142 to enable only TLSv1.3.
143 .It Ic mime Ar mime-type Ar file-extension
144 Add a mapping for the given
145 .Ar file-extension
146 to the given
147 .Ar mime-type .
148 Both argument are strings.
149 .It Ic chroot Pa path
150 .Xr chroot 2
151 the process to the given
152 .Pa path .
153 The daemon has to be run with root privileges and thus the option
154 .Ic user
155 needs to be provided, so
156 .Nm
157 can drop the privileges.
158 Note that they are dropped after loading the TLS keys, so it's
159 recommended to put those outside the chroot.
160 Future version of
161 .Nm
162 may require this.
163 .It Ic user Ar string
164 Run the daemon as the given user.
165 .El
166 .Ss Servers
167 Every virtual host is defined by a
168 .Ic server
169 block:
170 .Bl -tag -width Ds
171 .It Ic server Ar hostname Brq ...
172 Match the server name using shell globbing rules.  This can be an explicit name,
173 .Ar www.example.com ,
174 or a name including a wildcards,
175 .Ar *.example.com .
176 .El
177 .Pp
178 Followed by a block of options that is enclosed in curly brackets:
179 .Bl -tag -width Ds
180 .It Ic cert Pa file
181 Path to the certificate to use for this server.
182 The
183 .Pa file
184 should contain a PEM encoded certificate.
185 This option is mandatory.
186 .It Ic key Pa file
187 Specify the private key to use for this server.
188 The
189 .Pa file
190 should contain a PEM encoded private key.
191 This option is mandatory.
192 .It Ic root Pa directory
193 Specify the root directory for this server.
194 This option is mandatory.
195 It's relative to the chroot, if enabled.
196 .It Ic cgi Pa path
197 Enable the execution of CGI scripts if
198 .Pa path
199 is a prefix of the user request string.
200 An empty path "" will effectively enable the execution of any file
201 with the executable bit set inside the root directory.
202 .It Ic default type Ar string
203 Set the default media type that is used if the media type for a
204 specified extension is not found.
205 If not specified, the
206 .Ic default type
207 is set to
208 .Dq application/octet-stream .
209 .It Ic lang Ar string
210 Specify the language tag for the text/gemini content served.
211 If not specified, no
212 .Dq lang
213 parameter will be added in the response.
214 .It Ic index Ar string
215 Set the directory index file.
216 If not specified, it defaults to
217 .Pa index.gmi .
218 .It Ic auto Ic index Ar bool
219 If no index file is found, automatically generate a directory listing.
220 It's disabled by default.
221 .It Ic location Pa path Brq ...
222 Specify server configuration rules for a specific location.
223 The
224 .Pa path
225 argument will be matched against the request path with shell globbing
226 rules.
227 In case of multiple location statements in the same context, the last
228 matching location will be put into effect.
229 Therefore is advisable to match for a generic paths first and for more
230 specific ones later on.
231 A
232 .Ic location
233 section may include most of the server configuration rules
234 except
235 .Ic cert , Ic key , Ic root , Ic location No and Ic CGI .
236 .El
237 .Sh CGI
238 When CGI scripts are enabled for a directory, a request for an
239 executable file will execute it and fed its output to the client.
240 .Pp
241 The CGI scripts are executed in the root directory of the virtual
242 host, or in the served directory if run without config, and inherits
243 the environment from
244 .Nm
245 with these additional variables set:
246 .Bl -tag -width 18m
247 .It Ev GATEWAY_INTERFACE
248 "CGI/1.1"
249 .It Ev SERVER_PROTOCOL
250 "GEMINI"
251 .It Ev SERVER_SOFTWARE
252 "gmid"
253 .It Ev SERVER_PORT
254 "1965"
255 .It Ev SERVER_NAME
256 The vhost.
257 This variable is not available when operating without a configuration.
258 .It Ev SCRIPT_NAME
259 The (public) path to the script, e.g.
260 .Pa "/cgi-bin/example.cgi"
261 .It Ev SCRIPT_EXECUTABLE
262 The full path to the executable.
263 .It Ev REQUEST_URI
264 The user request (without the query parameters.)
265 .It Ev REQUEST_RELATIVE
266 The request relative to the script.
267 .It Ev QUERY_STRING
268 The query parameters.
269 .It Ev REMOTE_HOST
270 The remote IP address.
271 .It Ev REMOTE_ADDR
272 The remote IP address.
273 .It Ev DOCUMENT_ROOT
274 The root directory being served, the one provided with the
275 .Ar d
276 parameter to
277 .Nm
278 or the root directory of the virtual host.
279 .It Ev AUTH_TYPE
280 The string "Certificate" if the client used a certificate, otherwise
281 unset.
282 .It Ev REMOTE_USER
283 The subject of the client certificate if provided, otherwise unset.
284 .It Ev TLS_CLIENT_ISSUER
285 The is the issuer of the client certificate if provided, otherwise
286 unset.
287 .It Ev TLS_CLIENT_HASH
288 The hash of the client certificate if provided, otherwise unset.
289 The format is "ALGO:HASH".
290 .El
291 .Pp
292 Let's say you have a script in
293 .Pa /cgi-bin/script
294 and the user request is
295 .Pa /cgi-bin/script/foo/bar?quux .
296 Then
297 .Ev SCRIPT_NAME
298 will be
299 .Pa cgi-bin/script ,
300 .Ev SCRIPT_EXECUTABLE
301 will be
302 .Pa $DOCUMENT_ROOT/cgi-bin/script ,
303 .Ev REQUEST_URI
304 will be
305 .Pa cgi-bin/script/foo/bar ,
306 .Ev REQUEST_RELATIVE
307 will be
308 .Pa foo/bar
309 and
310 .Ev QUERY_STRING
311 will be
312 .Ar quux .
313 .Sh EXAMPLES
314 Serve the current directory
315 .Bd -literal -offset indent
316 $ gmid .
317 .Ed
318 .Pp
319 To serve the directory
320 .Pa docs
321 and enable CGI scripts inside
322 .Pa docs/cgi ,
323 you can
324 .Bd -literal -offset indent
325 $ mkdir docs/cgi
326 $ cat <<EOF > cgi/hello
327 #!/bin/sh
328 printf "20 text/plain\\r\\n"
329 echo "hello world"
330 EOF
331 $ chmod +x docs/cgi/hello
332 $ gmid -x cgi docs
333 .Ed
334 .Pp
335 Note that the argument to the
336 .Fl x
337 option is
338 .Pa cgi
339 and not
340 .Pa docs/cgi ,
341 since it's relative to the document root.
342 .Pp
343 The following is an example of a possible configuration for a site
344 that enables only TLSv1.3, adds a mime type for the file extension
345 "rtf" and defines two virtual host:
346 .Bd -literal -offset indent
347 ipv6 on		# enable ipv6
348 
349 protocols "tlsv1.3"
350 
351 mime "application/rtf" "rtf"
352 
353 server "example.com" {
354 	cert "/path/to/cert.pem"
355 	key  "/path/to/key.pem"
356 	root "/var/gemini/example.com"
357 }
358 
359 server "it.example.com" {
360 	cert "/path/to/cert.pem"
361 	key  "/path/to/key.pem"
362 	root "/var/gemini/it.example.com"
363 	cgi  "/cgi-bin"
364 	lang "it"
365 }
366 .Ed
367 .Pp
368 Yet another example, showing how to enable a
369 .Ic chroot
370 and use
371 .Ic location
372 rule
373 .Bd -literal -offset indent
374 chroot "/var/gemini"
375 user "_gmid"
376 
377 server "example.com" {
378 	cert "/path/to/cert.pem"
379 	key  "/path/to/key.pem"
380 	root "/var/gemini/example.com"
381 
382 	location "/static/" {
383 		auto index on
384 		index "index.gemini"
385 	}
386 }
387 .Ed
388 .Sh ACKNOWLEDGEMENTS
389 .Nm
390 uses the
391 .Dq Flexible and Economical
392 UTF-8 decoder written by
393 .An Bjoern Hoehrmann .
394 .Sh CAVEATS
395 .Bl -bullet
396 .It
397 The root directories of all virtual hosts are opened during the daemon
398 startup; this means that if a root directory gets deleted and then
399 re-created,
400 .Nm
401 won't be able to serve files inside that directory until a restart.
402 This restriction applies only to the root directories and not their content.
403 .It
404 a %2F sequence in the path part is indistinguishable from a literal
405 slash: this is not RFC3986-compliant.
406 .It
407 a %00 sequence either in the path or in the query part is treated as
408 invalid character and thus rejected.
409 .El