Blob

Date:
Message:
improve logs management
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd $Mdocdate: January 30 2021$

15 .Dt GMIND 1

16 .Os

17 .Sh NAME

18 .Nm gmid

19 .Nd simple and secure Gemini server

20 .Sh SYNOPSIS

21 .Nm

22 .Bk -words

23 .Op Fl fnv

24 .Op Fl c Ar config

25 .Ek

26 .Nm

27 .Bk -words

28 .Op Fl 6hv

29 .Op Fl d Pa certs-dir

30 .Op Fl H Ar hostname

31 .Op Fl p Ar port

32 .Op Fl x Pa cgi

33 .Op Pa dir

34 .Ek

35 .Sh DESCRIPTION

36 .Nm

37 is a simple and minimal gemini server that can serve static files and

38 execute CGI scripts.

39 It can run without a configuration file with a limited set of features

40 available.

41 .Pp

42 .Nm

43 rereads the configuration file when it receives

44 .Dv SIGHUP .

45 .Pp

46 The options are as follows:

47 .Bl -tag -width 14m

48 .It Fl c Pa config

49 Specify the configuration file.

50 .It Fl f

51 Stays and logs on the foreground.

52 .It Fl n

53 Check that the configuration is valid, but don't start the server.

54 .El

55 .Pp

56 If no configuration file is given,

57 .Nm

58 will look for the following options

59 .Bl -tag -width 14m

60 .It Fl 6

61 Enable IPv6.

62 .It Fl d Pa certs-path

63 Directory where certificates for the config-less mode are stored.

64 By default is

65 .Pa $XDG_DATA_HOME/gmid ,

66 i.e.

67 .Pa ~/.local/share/gmid .

68 .It Fl H Ar hostname

69 The hostname, by default

70 .Ar localhost .

71 Certificates for the given

72 .Ar hostname

73 are searched inside the

74 .Pa certs-dir

75 directory given with the

76 .Fl d

77 option.

78 They have the form

79 .Pa hostname.cert.pem

80 and

81 .Pa hostname.key.pem .

82 If a certificate and key doesn't exists for a given hostname they

83 will be automatically generated.

84 .It Fl h

85 Print the usage and exit.

86 .It Fl p Ar port

87 The port to listen on, by default 1965.

88 .It Fl v

89 Verbose mode.

90 Multiple

91 .Fl v

92 options increase the verbosity.

93 .It Fl x Pa path

94 Enable execution of CGI scripts.

95 See the description of the

96 .Ic cgi

97 option in the section

98 .Sq Servers

99 below to learn how

100 .Pa path

101 is processed.

102 Cannot be provided more than once.

103 .It Pa dir

104 The root directory to serve.

105 By default the current working directory is assumed.

106 .El

107 .Sh CONFIGURATION FILE

108 The configuration file is divided into two sections:

109 .Bl -tag -width xxxx

110 .It Sy Global Options

111 Global settings for

112 .Nm .

113 .It Sy Servers

114 Virtual hosts definition.

115 .El

116 .Pp

117 Within the sections, empty lines are ignored and comments can be put

118 anywhere in the file using a hash mark

119 .Pq Sq # ,

120 and extend to the end of the current line.

121 A boolean is either the symbol

122 .Sq on

123 or

124 .Sq off .

125 A string is a sequence of characters wrapped in double quotes,

126 .Dq like this .

127 .Ss Global Options

128 .Bl -tag -width 12m

129 .It Ic chroot Pa path

130 .Xr chroot 2

131 the process to the given

132 .Pa path .

133 The daemon has to be run with root privileges and thus the option

134 .Ic user

135 needs to be provided, so privileges can be dropped.

136 Note that

137 .Nm

138 will enter the chroot after loading the TLS keys, but before opening

139 the virtual host root directories.

140 It's recommended to keep the TLS keys outside the chroot.

141 Future version of

142 .Nm

143 may require this.

144 .It Ic ipv6 Ar bool

145 Enable or disable IPv6 support.

146 By default is off.

147 .It Ic mime Ar mime-type Ar file-extension

148 Add a mapping for the given

149 .Ar file-extension

150 to the given

151 .Ar mime-type .

152 Both argument are strings.

153 .It Ic port Ar portno

154 The port to listen on.

155 By default is 1965.

156 .It Ic prefork Ar number

157 Run the specified number of server processes.

158 This increases the performance and prevents delays when connecting to

159 a server.

160 .Nm

161 runs 3 server processes by default, when not in config-less mode.

162 .It Ic protocols Ar string

163 Specify the TLS protocols to enable.

164 Refer to

165 .Xr tls_config_parse_protocols 3

166 for the valid protocol string values.

167 By default, both TLSv1.3 and TLSv1.2 are enabled.

168 Use

169 .Dq tlsv1.3

170 to enable only TLSv1.3.

171 .It Ic user Ar string

172 Run the daemon as the given user.

173 .El

174 .Ss Servers

175 Every virtual host is defined by a

176 .Ic server

177 block:

178 .Bl -tag -width Ds

179 .It Ic server Ar hostname Brq ...

180 Match the server name using shell globbing rules.

181 This can be an explicit name,

182 .Ar www.example.com ,

183 or a name including a wildcards,

184 .Ar *.example.com .

185 .El

186 .Pp

187 Followed by a block of options that is enclosed in curly brackets:

188 .Bl -tag -width Ds

189 .It Ic auto Ic index Ar bool

190 If no index file is found, automatically generate a directory listing.

191 It's disabled by default.

192 .It Ic block Op Ic return Ar code Op Ar meta

193 Send a reply and close the connection;

194 .Ar code

195 is 40

196 and

197 .Ar meta

198 is

199 .Dq temporary failure

200 by default.

201 If

202 .Ar code

203 is in the 3x range, then

204 .Ar meta

205 must be provided.

206 Inside

207 .Ar meta ,

208 the following special sequences are replaced:

209 .Bl -tag -compact

210 .It \&%\&%

211 is replaced with a single

212 .Sq \&% .

213 .It \&%p

214 is replaced with the request path.

215 .It \&%q

216 is replaced with the query string of the request.

217 .It \&%P

218 is replaced with the server port.

219 .It \&%N

220 is replaced with the server name.

221 .El

222 .It Ic cert Pa file

223 Path to the certificate to use for this server.

224 The

225 .Pa file

226 should contain a PEM encoded certificate.

227 This option is mandatory.

228 .It Ic cgi Pa path

229 Execute CGI scripts that matches

230 .Pa path

231 using shell globbing rules.

232 .It Ic default type Ar string

233 Set the default media type that is used if the media type for a

234 specified extension is not found.

235 If not specified, the

236 .Ic default type

237 is set to

238 .Dq application/octet-stream .

239 .It Ic entrypoint Pa path

240 Make the CGI script at

241 .Pa path

242 .Pq relative to the Ic root No directory

243 handle all the requests for the current virtual host

244 .It Ic index Ar string

245 Set the directory index file.

246 If not specified, it defaults to

247 .Pa index.gmi .

248 .It Ic key Pa file

249 Specify the private key to use for this server.

250 The

251 .Pa file

252 should contain a PEM encoded private key.

253 This option is mandatory.

254 .It Ic lang Ar string

255 Specify the language tag for the text/gemini content served.

256 If not specified, no

257 .Dq lang

258 parameter will be added in the response.

259 .It Ic location Pa path Brq ...

260 Specify server configuration rules for a specific location.

261 The

262 .Pa path

263 argument will be matched against the request path with shell globbing

264 rules.

265 In case of multiple location statements in the same context, the first

266 matching location will be put into effect and the later ones ignored.

267 Therefore is advisable to match for more specific paths first and for

268 generic ones later on.

270 .Ic location

271 section may include most of the server configuration rules

272 except

273 .Ic cert , Ic key , Ic root , Ic location ,

274 .Ic entrypoint No and Ic cgi .

275 .It Ic root Pa directory

276 Specify the root directory for this server.

277 This option is mandatory.

278 It's relative to the chroot, if enabled.

279 .It Ic strip Ar number

280 Strip

281 .Ar number

282 components from the beginning of the path.

283 It's only considered for the

284 .Ar meta

285 parameter in the scope of a

286 .Ic block return .

287 .El

288 .Sh CGI

289 When a request for an executable file matches the

290 .Ic cgi

291 rule, that file will be execute and its output fed to the client.

292 .Pp

293 The CGI scripts are executed in the directory they reside and inherit

294 the environment from

295 .Nm

296 with these additional variables set:

297 .Bl -tag -width 24m

298 .It Ev GATEWAY_INTERFACE

299 .Dq CGI/1.1

300 .It Ev GEMINI_DOCUMENT_ROOT

301 The root directory of the virtual host.

302 .It Ev GEMINI_SCRIPT_FILENAME

303 Full path to the CGI script being executed.

304 .It Ev GEMINI_URL

305 The full IRI of the request.

306 .It Ev GEMINI_URL_PATH

307 The path of the request.

308 .It Ev PATH_INFO

309 The portion of the requested path that is derived from the the IRI

310 path hierarchy following the part that identifies the script itself.

311 Can be unset.

312 .It Ev PATH_TRANSLATED

313 Present if and only if

314 .Ev PATH_INFO

315 is set.

316 It represent the translation of the

317 .Ev PATH_INFO .

318 .Nm

319 builds this by appending the

320 .Ev PATH_INFO

321 to the virtual host directory root.

322 .It Ev QUERY_STRING

323 The decoded query string.

324 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

325 Textual representation of the client IP.

326 .It Ev REQUEST_METHOD

327 This is present only for RFC3875 (CGI) compliance.

328 It's always set to the empty string.

329 .It Ev SCRIPT_NAME

330 The part of the

331 .Ev GEMINI_URL_PATH

332 that identifies the current CGI script.

333 .It Ev SERVER_NAME

334 The name of the server

335 .It Ev SERVER_PORT

336 The port the server is listening on.

337 .It Ev SERVER_PROTOCOL

338 .Dq GEMINI

339 .It Ev SERVER_SOFTWARE

340 The name and version of the server, i.e.

341 .Dq gmid/1.5

342 .It Ev AUTH_TYPE

343 The string "Certificate" if the client used a certificate, otherwise

344 unset.

345 .It Ev REMOTE_USER

346 The subject of the client certificate if provided, otherwise unset.

347 .It Ev TLS_CLIENT_ISSUER

348 The is the issuer of the client certificate if provided, otherwise

349 unset.

350 .It Ev TLS_CLIENT_HASH

351 The hash of the client certificate if provided, otherwise unset.

352 The format is

353 .Dq ALGO:HASH .

354 .El

355 .Pp

356 .Sh MIME

357 To auto-detect the MIME type of the response

358 .Nm

359 looks at the file extension and consults its internal table.

360 By default the following mappings are loaded, but they can be

361 overridden or extended using the

362 .Ic mime

363 configuration option.

364 If no MIME is found, the value of

365 .Ic default type

366 matching the file

367 .Ic location

368 will be used, which is

369 .Dq application/octet-stream

370 by default.

371 .Pp

372 .Bl -tag -offset indent -width 14m -compact

373 .It gemini, gmi

374 text/gemini

375 .It gif

376 image/gif

377 .It jpeg

378 image/jpeg

379 .It jpg

380 image/jpeg

381 .It markdown, md

382 text/markdown

383 .It pdf

384 application/pdf

385 .It png

386 image/png

387 .It svg

388 image/svg+xml

389 .It txt

390 text/plain

391 .It xml

392 text/xml

393 .El

394 .Sh EXAMPLES

395 Serve the current directory

396 .Bd -literal -offset indent

397 $ gmid .

398 .Ed

399 .Pp

400 To serve the directory

401 .Pa docs

402 and enable CGI scripts inside

403 .Pa docs/cgi ,

404 you can

405 .Bd -literal -offset indent

406 $ mkdir docs/cgi

407 $ cat <<EOF > cgi/hello

408 #!/bin/sh

409 printf "20 text/plain\\r\\n"

410 echo "hello world"

411 EOF

412 $ chmod +x docs/cgi/hello

413 $ gmid -x cgi docs

414 .Ed

415 .Pp

416 The following is an example of a possible configuration for a site

417 that enables only TLSv1.3, adds a mime type for the file extension

418 "rtf" and defines two virtual host:

419 .Bd -literal -offset indent

420 ipv6 on		# enable ipv6

422 protocols "tlsv1.3"

424 mime "application/rtf" "rtf"

426 server "example.com" {

427 	cert "/path/to/cert.pem"

428 	key  "/path/to/key.pem"

429 	root "/var/gemini/example.com"

432 server "it.example.com" {

433 	cert "/path/to/cert.pem"

434 	key  "/path/to/key.pem"

435 	root "/var/gemini/it.example.com"

436 	cgi  "/cgi-bin/*"

437 	lang "it"

439 .Ed

440 .Pp

441 Yet another example, showing how to enable a

442 .Ic chroot

443 and use

444 .Ic location

445 rule

446 .Bd -literal -offset indent

447 chroot "/var/gemini"

448 user "_gmid"

450 server "example.com" {

451 	cert "/path/to/cert.pem"

452 	key  "/path/to/key.pem"

453 	root "/example.com" # in the /var/gemini chroot

455 	location "/static/*" {

456 		auto index on

457 		index "index.gemini"

460 .Ed

461 .Sh ACKNOWLEDGEMENTS

462 .Nm

463 uses the

464 .Dq Flexible and Economical

465 UTF-8 decoder written by

466 .An Bjoern Hoehrmann .

467 .Sh AUTHORS

468 .An -nosplit

469 The

470 .Nm

471 program was written by

472 .An Omar Polo Aq Mt op@omarpolo.com .

473 .Sh CAVEATS

474 .Bl -bullet

475 .It

476 The root directories of all virtual hosts are opened during the daemon

477 startup; this means that if a root directory gets deleted and then

478 re-created,

479 .Nm

480 won't be able to serve files inside that directory until a restart.

481 This restriction applies only to the root directories and not their content.

482 .It

483 a %2F sequence is indistinguishable from a literal slash: this is not

484 RFC3986-compliant.

485 .It

486 a %00 sequence is treated as invalid character and thus rejected.

487 .El