Blob

Date:
Message:
reorder stuff
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd $Mdocdate: January 30 2021$

15 .Dt GMIND 1

16 .Os

17 .Sh NAME

18 .Nm gmid

19 .Nd simple and secure Gemini server

20 .Sh SYNOPSIS

21 .Nm

22 .Bk -words

23 .Op Fl fnv

24 .Op Fl c Ar config

25 .Ek

26 .Nm

27 .Bk -words

28 .Op Fl 6hv

29 .Op Fl d Pa certs-dir

30 .Op Fl H Ar hostname

31 .Op Fl p Ar port

32 .Op Fl x Pa cgi

33 .Op Pa dir

34 .Ek

35 .Sh DESCRIPTION

36 .Nm

37 is a simple and minimal gemini server that can serve static files and

38 execute CGI scripts.

39 It can run without a configuration file with a limited set of features

40 available.

41 .Pp

42 .Nm

43 rereads the configuration file when it receives

44 .Dv SIGHUP .

45 .Pp

46 The options are as follows:

47 .Bl -tag -width 14m

48 .It Fl c Pa config

49 Specify the configuration file.

50 .It Fl f

51 Stays and logs on the foreground.

52 .It Fl n

53 Check that the configuration is valid, but don't start the server.

54 .El

55 .Pp

56 If no configuration file is given,

57 .Nm

58 will look for the following options

59 .Bl -tag -width 14m

60 .It Fl 6

61 Enable IPv6.

62 .It Fl d Pa certs-path

63 Directory where certificates for the config-less mode are stored.

64 By default is

65 .Pa $XDG_DATA_HOME/gmid ,

66 i.e.

67 .Pa ~/.local/share/gmid .

68 .It Fl H Ar hostname

69 The hostname, by default

70 .Ar localhost .

71 Certificates for the given

72 .Ar hostname

73 are searched inside the

74 .Pa certs-dir

75 directory given with the

76 .Fl d

77 option.

78 They have the form

79 .Pa hostname.cert.pem

80 and

81 .Pa hostname.key.pem .

82 If a certificate and key doesn't exists for a given hostname they

83 will be automatically generated.

84 .It Fl h

85 Print the usage and exit.

86 .It Fl p Ar port

87 The port to listen on, by default 1965.

88 .It Fl v

89 Increase the verbosity of the logs.

90 .It Fl x Pa path

91 Enable execution of CGI scripts.

92 See the description of the

93 .Ic cgi

94 option in the section

95 .Sq Servers

96 below to learn how

97 .Pa path

98 is processed.

99 Cannot be provided more than once.

100 .It Pa dir

101 The root directory to serve.

102 By default the current working directory is assumed.

103 .El

104 .Sh CONFIGURATION FILE

105 The configuration file is divided into two sections:

106 .Bl -tag -width xxxx

107 .It Sy Global Options

108 Global settings for

109 .Nm .

110 .It Sy Servers

111 Virtual hosts definition.

112 .El

113 .Pp

114 Within the sections, empty lines are ignored and comments can be put

115 anywhere in the file using a hash mark

116 .Pq Sq # ,

117 and extend to the end of the current line.

118 A boolean is either the symbol

119 .Sq on

120 or

121 .Sq off .

122 A string is a sequence of characters wrapped in double quotes,

123 .Dq like this .

124 .Ss Global Options

125 .Bl -tag -width 12m

126 .It Ic chroot Pa path

127 .Xr chroot 2

128 the process to the given

129 .Pa path .

130 The daemon has to be run with root privileges and thus the option

131 .Ic user

132 needs to be provided, so privileges can be dropped.

133 Note that

134 .Nm

135 will enter the chroot after loading the TLS keys, but before opening

136 the virtual host root directories.

137 It's recommended to keep the TLS keys outside the chroot.

138 Future version of

139 .Nm

140 may require this.

141 .It Ic ipv6 Ar bool

142 Enable or disable IPv6 support.

143 By default is off.

144 .It Ic mime Ar mime-type Ar file-extension

145 Add a mapping for the given

146 .Ar file-extension

147 to the given

148 .Ar mime-type .

149 Both argument are strings.

150 .It Ic port Ar portno

151 The port to listen on.

152 By default is 1965.

153 .It Ic protocols Ar string

154 Specify the TLS protocols to enable.

155 Refer to

156 .Xr tls_config_parse_protocols 3

157 for the valid protocol string values.

158 By default, both TLSv1.3 and TLSv1.2 are enabled.

159 Use

160 .Dq tlsv1.3

161 to enable only TLSv1.3.

162 .It Ic user Ar string

163 Run the daemon as the given user.

164 .El

165 .Ss Servers

166 Every virtual host is defined by a

167 .Ic server

168 block:

169 .Bl -tag -width Ds

170 .It Ic server Ar hostname Brq ...

171 Match the server name using shell globbing rules.

172 This can be an explicit name,

173 .Ar www.example.com ,

174 or a name including a wildcards,

175 .Ar *.example.com .

176 .El

177 .Pp

178 Followed by a block of options that is enclosed in curly brackets:

179 .Bl -tag -width Ds

180 .It Ic auto Ic index Ar bool

181 If no index file is found, automatically generate a directory listing.

182 It's disabled by default.

183 .It Ic block Op Ic return Ar code Op Ar meta

184 Send a reply and close the connection;

185 .Ar code

186 is 40

187 and

188 .Ar meta

189 is

190 .Dq temporary failure

191 by default.

192 If

193 .Ar code

194 is in the 3x range, then

195 .Ar meta

196 must be provided.

197 Inside

198 .Ar meta ,

199 the following special sequences are replaced:

200 .Bl -tag -compact

201 .It \&%\&%

202 is replaced with a single

203 .Sq \&% .

204 .It \&%p

205 is replaced with the request path.

206 .It \&%q

207 is replaced with the query string of the request.

208 .It \&%P

209 is replaced with the server port.

210 .It \&%N

211 is replaced with the server name.

212 .El

213 .It Ic cert Pa file

214 Path to the certificate to use for this server.

215 The

216 .Pa file

217 should contain a PEM encoded certificate.

218 This option is mandatory.

219 .It Ic cgi Pa path

220 Execute CGI scripts that matches

221 .Pa path

222 using shell globbing rules.

223 .It Ic default type Ar string

224 Set the default media type that is used if the media type for a

225 specified extension is not found.

226 If not specified, the

227 .Ic default type

228 is set to

229 .Dq application/octet-stream .

230 .It Ic entrypoint Pa path

231 Make the CGI script at

232 .Pa path

233 .Pq relative to the Ic root No directory

234 handle all the requests for the current virtual host

235 .It Ic index Ar string

236 Set the directory index file.

237 If not specified, it defaults to

238 .Pa index.gmi .

239 .It Ic key Pa file

240 Specify the private key to use for this server.

241 The

242 .Pa file

243 should contain a PEM encoded private key.

244 This option is mandatory.

245 .It Ic lang Ar string

246 Specify the language tag for the text/gemini content served.

247 If not specified, no

248 .Dq lang

249 parameter will be added in the response.

250 .It Ic location Pa path Brq ...

251 Specify server configuration rules for a specific location.

252 The

253 .Pa path

254 argument will be matched against the request path with shell globbing

255 rules.

256 In case of multiple location statements in the same context, the first

257 matching location will be put into effect and the later ones ignored.

258 Therefore is advisable to match for more specific paths first and for

259 generic ones later on.

261 .Ic location

262 section may include most of the server configuration rules

263 except

264 .Ic cert , Ic key , Ic root , Ic location ,

265 .Ic entrypoint No and Ic cgi .

266 .It Ic root Pa directory

267 Specify the root directory for this server.

268 This option is mandatory.

269 It's relative to the chroot, if enabled.

270 .It Ic strip Ar number

271 Strip

272 .Ar number

273 components from the beginning of the path.

274 It's only considered for the

275 .Ar meta

276 parameter in the scope of a

277 .Ic block return .

278 .El

279 .Sh CGI

280 When a request for an executable file matches the

281 .Ic cgi

282 rule, that file will be execute and its output fed to the client.

283 .Pp

284 The CGI scripts are executed in the directory they reside and inherit

285 the environment from

286 .Nm

287 with these additional variables set:

288 .Bl -tag -width 24m

289 .It Ev GATEWAY_INTERFACE

290 .Dq CGI/1.1

291 .It Ev GEMINI_DOCUMENT_ROOT

292 The root directory of the virtual host.

293 .It Ev GEMINI_SCRIPT_FILENAME

294 Full path to the CGI script being executed.

295 .It Ev GEMINI_URL

296 The full IRI of the request.

297 .It Ev GEMINI_URL_PATH

298 The path of the request.

299 .It Ev PATH_INFO

300 The portion of the requested path that is derived from the the IRI

301 path hierarchy following the part that identifies the script itself.

302 Can be unset.

303 .It Ev PATH_TRANSLATED

304 Present if and only if

305 .Ev PATH_INFO

306 is set.

307 It represent the translation of the

308 .Ev PATH_INFO .

309 .Nm

310 builds this by appending the

311 .Ev PATH_INFO

312 to the virtual host directory root.

313 .It Ev QUERY_STRING

314 The decoded query string.

315 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

316 Textual representation of the client IP.

317 .It Ev REQUEST_METHOD

318 This is present only for RFC3875 (CGI) compliance.

319 It's always set to the empty string.

320 .It Ev SCRIPT_NAME

321 The part of the

322 .Ev GEMINI_URL_PATH

323 that identifies the current CGI script.

324 .It Ev SERVER_NAME

325 The name of the server

326 .It Ev SERVER_PORT

327 The port the server is listening on.

328 .It Ev SERVER_PROTOCOL

329 .Dq GEMINI

330 .It Ev SERVER_SOFTWARE

331 The name and version of the server, i.e.

332 .Dq gmid/1.5

333 .It Ev AUTH_TYPE

334 The string "Certificate" if the client used a certificate, otherwise

335 unset.

336 .It Ev REMOTE_USER

337 The subject of the client certificate if provided, otherwise unset.

338 .It Ev TLS_CLIENT_ISSUER

339 The is the issuer of the client certificate if provided, otherwise

340 unset.

341 .It Ev TLS_CLIENT_HASH

342 The hash of the client certificate if provided, otherwise unset.

343 The format is

344 .Dq ALGO:HASH .

345 .El

346 .Pp

347 .Sh MIME

348 To auto-detect the MIME type of the response

349 .Nm

350 looks at the file extension and consults its internal table.

351 By default the following mappings are loaded, but they can be

352 overridden or extended using the

353 .Ic mime

354 configuration option.

355 If no MIME is found, the value of

356 .Ic default type

357 matching the file

358 .Ic location

359 will be used, which is

360 .Dq application/octet-stream

361 by default.

362 .Pp

363 .Bl -tag -offset indent -width 14m -compact

364 .It gemini, gmi

365 text/gemini

366 .It gif

367 image/gif

368 .It jpeg

369 image/jpeg

370 .It jpg

371 image/jpeg

372 .It markdown, md

373 text/markdown

374 .It pdf

375 application/pdf

376 .It png

377 image/png

378 .It svg

379 image/svg+xml

380 .It txt

381 text/plain

382 .It xml

383 text/xml

384 .El

385 .Sh EXAMPLES

386 Serve the current directory

387 .Bd -literal -offset indent

388 $ gmid .

389 .Ed

390 .Pp

391 To serve the directory

392 .Pa docs

393 and enable CGI scripts inside

394 .Pa docs/cgi ,

395 you can

396 .Bd -literal -offset indent

397 $ mkdir docs/cgi

398 $ cat <<EOF > cgi/hello

399 #!/bin/sh

400 printf "20 text/plain\\r\\n"

401 echo "hello world"

402 EOF

403 $ chmod +x docs/cgi/hello

404 $ gmid -x cgi docs

405 .Ed

406 .Pp

407 The following is an example of a possible configuration for a site

408 that enables only TLSv1.3, adds a mime type for the file extension

409 "rtf" and defines two virtual host:

410 .Bd -literal -offset indent

411 ipv6 on		# enable ipv6

413 protocols "tlsv1.3"

415 mime "application/rtf" "rtf"

417 server "example.com" {

418 	cert "/path/to/cert.pem"

419 	key  "/path/to/key.pem"

420 	root "/var/gemini/example.com"

423 server "it.example.com" {

424 	cert "/path/to/cert.pem"

425 	key  "/path/to/key.pem"

426 	root "/var/gemini/it.example.com"

427 	cgi  "/cgi-bin/*"

428 	lang "it"

430 .Ed

431 .Pp

432 Yet another example, showing how to enable a

433 .Ic chroot

434 and use

435 .Ic location

436 rule

437 .Bd -literal -offset indent

438 chroot "/var/gemini"

439 user "_gmid"

441 server "example.com" {

442 	cert "/path/to/cert.pem"

443 	key  "/path/to/key.pem"

444 	root "/example.com" # in the /var/gemini chroot

446 	location "/static/*" {

447 		auto index on

448 		index "index.gemini"

451 .Ed

452 .Sh ACKNOWLEDGEMENTS

453 .Nm

454 uses the

455 .Dq Flexible and Economical

456 UTF-8 decoder written by

457 .An Bjoern Hoehrmann .

458 .Sh AUTHORS

459 .An -nosplit

460 The

461 .Nm

462 program was written by

463 .An Omar Polo Aq Mt op@omarpolo.com .

464 .Sh CAVEATS

465 .Bl -bullet

466 .It

467 The root directories of all virtual hosts are opened during the daemon

468 startup; this means that if a root directory gets deleted and then

469 re-created,

470 .Nm

471 won't be able to serve files inside that directory until a restart.

472 This restriction applies only to the root directories and not their content.

473 .It

474 a %2F sequence is indistinguishable from a literal slash: this is not

475 RFC3986-compliant.

476 .It

477 a %00 sequence is treated as invalid character and thus rejected.

478 .El