Blob

Date:
Message:
mention -V/--version and --help in the manpage
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd $Mdocdate: January 30 2021$

15 .Dt GMID 1

16 .Os

17 .Sh NAME

18 .Nm gmid

19 .Nd simple and secure Gemini server

20 .Sh SYNOPSIS

21 .Nm

22 .Bk -words

23 .Op Fl fnv

24 .Op Fl c Ar config

25 .Op Fl P Ar pidfile

26 .Ek

27 .Nm

28 .Bk -words

29 .Op Fl 6hVv

30 .Op Fl d Pa certs-dir

31 .Op Fl H Ar hostname

32 .Op Fl p Ar port

33 .Op Fl x Pa cgi

34 .Op Pa dir

35 .Ek

36 .Sh DESCRIPTION

37 .Nm

38 is a simple and minimal gemini server that can serve static files,

39 execute CGI scripts and talk to FastCGI applications.

40 It can run without a configuration file with a limited set of features

41 available.

42 .Pp

43 .Nm

44 rereads the configuration file when it receives

45 .Dv SIGHUP .

46 .Pp

47 The options are as follows:

48 .Bl -tag -width 14m

49 .It Fl c Pa config

50 Specify the configuration file.

51 .It Fl f

52 Stays and logs on the foreground.

53 .It Fl n

54 Check that the configuration is valid, but don't start the server.

55 .It Fl P Pa pidfile

56 Write

57 .Nm

58 pid to the given path.

59 .El

60 .Pp

61 If no configuration file is given,

62 .Nm

63 will look for the following options

64 .Bl -tag -width 14m

65 .It Fl 6

66 Enable IPv6.

67 .It Fl d Pa certs-path

68 Directory where certificates for the config-less mode are stored.

69 By default is

70 .Pa $XDG_DATA_HOME/gmid ,

71 i.e.

72 .Pa ~/.local/share/gmid .

73 .It Fl H Ar hostname

74 The hostname, by default

75 .Ar localhost .

76 Certificates for the given

77 .Ar hostname

78 are searched inside the

79 .Pa certs-dir

80 directory given with the

81 .Fl d

82 option.

83 They have the form

84 .Pa hostname.cert.pem

85 and

86 .Pa hostname.key.pem .

87 If a certificate or key don't exists for a given hostname they

88 will be automatically generated.

89 .It Fl h , Fl -help

90 Print the usage and exit.

91 .It Fl p Ar port

92 The port to listen on, by default 1965.

93 .It Fl V , Fl -version

94 Print the version and exit.

95 .It Fl v

96 Verbose mode.

97 Multiple

98 .Fl v

99 options increase the verbosity.

100 .It Fl x Pa path

101 Enable execution of CGI scripts.

102 See the description of the

103 .Ic cgi

104 option in the section

105 .Sq Servers

106 below to learn how

107 .Pa path

108 is processed.

109 Cannot be provided more than once.

110 .It Pa dir

111 The root directory to serve.

112 By default the current working directory is assumed.

113 .El

114 .Sh CONFIGURATION FILE

115 The configuration file is divided into two sections:

116 .Bl -tag -width xxxx

117 .It Sy Global Options

118 Global settings for

119 .Nm .

120 .It Sy Servers

121 Virtual hosts definition.

122 .El

123 .Pp

124 Within the sections, empty lines are ignored and comments can be put

125 anywhere in the file using a hash mark

126 .Pq Sq # ,

127 and extend to the end of the current line.

128 A boolean is either the symbol

129 .Sq on

130 or

131 .Sq off .

132 A string is a sequence of characters wrapped in double quotes,

133 .Dq like this .

134 .Ss Global Options

135 .Bl -tag -width 12m

136 .It Ic chroot Pa path

137 .Xr chroot 2

138 the process to the given

139 .Pa path .

140 The daemon has to be run with root privileges and thus the option

141 .Ic user

142 needs to be provided, so privileges can be dropped.

143 Note that

144 .Nm

145 will enter the chroot after loading the TLS keys, but before opening

146 the virtual host root directories.

147 It's recommended to keep the TLS keys outside the chroot.

148 Future version of

149 .Nm

150 may enforce this.

151 .It Ic ipv6 Ar bool

152 Enable or disable IPv6 support.

153 By default is off.

154 .It Ic mime Ar mime-type Ar file-extension

155 Add a mapping for the given

156 .Ar file-extension

157 to the given

158 .Ar mime-type .

159 Both argument are strings.

160 .It Ic port Ar portno

161 The port to listen on.

162 By default is 1965.

163 .It Ic prefork Ar number

164 Run the specified number of server processes.

165 This increases the performance and prevents delays when connecting to

166 a server.

167 .Nm

168 runs 3 server processes by default, when not in config-less mode.

169 The maximum number allowed is 16.

170 .It Ic protocols Ar string

171 Specify the TLS protocols to enable.

172 Refer to

173 .Xr tls_config_parse_protocols 3

174 for the valid protocol string values.

175 By default, both TLSv1.3 and TLSv1.2 are enabled.

176 Use

177 .Dq tlsv1.3

178 to enable only TLSv1.3.

179 .It Ic user Ar string

180 Run the daemon as the given user.

181 .El

182 .Ss Servers

183 Every virtual host is defined by a

184 .Ic server

185 block:

186 .Bl -tag -width Ds

187 .It Ic server Ar hostname Brq ...

188 Match the server name using shell globbing rules.

189 This can be an explicit name,

190 .Ar www.example.com ,

191 or a name including a wildcards,

192 .Ar *.example.com .

193 .El

194 .Pp

195 Followed by a block of options that is enclosed in curly brackets:

196 .Bl -tag -width Ds

197 .It Ic alias Ar name

198 Specify an additional alias

199 .Ar name

200 for this server.

201 .It Ic auto Ic index Ar bool

202 If no index file is found, automatically generate a directory listing.

203 It's disabled by default.

204 .It Ic block Op Ic return Ar code Op Ar meta

205 Send a reply and close the connection;

206 .Ar code

207 is 40

208 and

209 .Ar meta

210 is

211 .Dq temporary failure

212 by default.

213 If

214 .Ar code

215 is in the 3x range, then

216 .Ar meta

217 must be provided.

218 Inside

219 .Ar meta ,

220 the following special sequences are replaced:

221 .Bl -tag -width Ds -compact

222 .It \&%\&%

223 is replaced with a single

224 .Sq \&% .

225 .It \&%p

226 is replaced with the request path.

227 .It \&%q

228 is replaced with the query string of the request.

229 .It \&%P

230 is replaced with the server port.

231 .It \&%N

232 is replaced with the server name.

233 .El

234 .It Ic cert Pa file

235 Path to the certificate to use for this server.

236 The

237 .Pa file

238 should contain a PEM encoded certificate.

239 This option is mandatory.

240 .It Ic cgi Pa path

241 Execute CGI scripts that matches

242 .Pa path

243 using shell globbing rules.

244 .It Ic default type Ar string

245 Set the default media type that is used if the media type for a

246 specified extension is not found.

247 If not specified, the

248 .Ic default type

249 is set to

250 .Dq application/octet-stream .

251 .It Ic entrypoint Pa path

252 Handle all the requests for the current virtual host using the

253 CGI script at

254 .Pa path .

255 .It Ic env Ar name Ar value

256 Set the environment variable

257 .Ar name

258 to

259 .Ar value

260 when executing CGI scripts.

261 Can be provided more than once.

262 .\" don't document the "spawn <prog>" form because it probably won't

263 .\" be kept.

264 .It Ic fastcgi Oo Ic tcp Oc Pa socket Oo Ar port Oc

265 Enable FastCGI instead of serving files.

266 The

267 .Pa socket

268 can either be a UNIX domain socket or a TCP socket.

269 If the FastCGI application is listening on a UNIX domain socket,

270 .Pa socket

271 is a local path name within the

272 .Xr chroot 2

273 root directory of

274 .Nm .

275 Otherwise, the

276 .Ic tcp

277 keyword must be provided and

278 .Pa socket

279 is interpreted as a hostname or an IP address.

280 .Ar port

281 can be either a port number or the name of a service enclosed in

282 double quotes.

283 If it's not specified defaults to 9000.

284 .It Ic index Ar string

285 Set the directory index file.

286 If not specified, it defaults to

287 .Pa index.gmi .

288 .It Ic key Pa file

289 Specify the private key to use for this server.

290 The

291 .Pa file

292 should contain a PEM encoded private key.

293 This option is mandatory.

294 .It Ic lang Ar string

295 Specify the language tag for the text/gemini content served.

296 If not specified, no

297 .Dq lang

298 parameter will be added in the response.

299 .It Ic location Pa path Brq ...

300 Specify server configuration rules for a specific location.

301 The

302 .Pa path

303 argument will be matched against the request path with shell globbing

304 rules.

305 In case of multiple location statements in the same context, the first

306 matching location will be put into effect and the later ones ignored.

307 Therefore is advisable to match for more specific paths first and for

308 generic ones later on.

310 .Ic location

311 section may include most of the server configuration rules

312 except

313 .Ic alias , Ic cert , Ic env , Ic key , Ic location ,

314 .Ic entrypoint No and Ic cgi .

315 .It Ic log Ar bool

316 Enable or disable the logging for the current server or location block.

317 .It Ic param Ar name Ar value

318 Set the param

319 .Ar name

320 to

321 .Ar value

322 for FastCGI.

323 .It Ic root Pa directory

324 Specify the root directory for this server.

325 It's relative to the chroot, if enabled.

326 .It Ic require Ic client Ic ca Pa path

327 Allow requests only from clients that provide a certificate signed by

328 the CA certificate in

329 .Pa path .

330 It needs to be a PEM-encoded certificate and it's not relative to the

331 chroot.

332 .It Ic strip Ar number

333 Strip

334 .Ar number

335 components from the beginning of the path before doing a lookup in the

336 root directory.

337 It's also considered for the

338 .Ar meta

339 parameter in the scope of a

340 .Ic block return .

341 .El

342 .Sh CGI

343 When a request for an executable file matches the

344 .Ic cgi

345 rule, that file will be execute and its output fed to the client.

346 .Pp

347 The CGI scripts are executed in the directory they reside and inherit

348 the environment from

349 .Nm

350 with these additional variables set:

351 .Bl -tag -width 24m

352 .It Ev GATEWAY_INTERFACE

353 .Dq CGI/1.1

354 .It Ev GEMINI_DOCUMENT_ROOT

355 The root directory of the virtual host.

356 .It Ev GEMINI_SCRIPT_FILENAME

357 Full path to the CGI script being executed.

358 .It Ev GEMINI_URL

359 The full IRI of the request.

360 .It Ev GEMINI_URL_PATH

361 The path of the request.

362 .It Ev PATH_INFO

363 The portion of the requested path that is derived from the the IRI

364 path hierarchy following the part that identifies the script itself.

365 Can be unset.

366 .It Ev PATH_TRANSLATED

367 Present if and only if

368 .Ev PATH_INFO

369 is set.

370 It represent the translation of the

371 .Ev PATH_INFO .

372 .Nm

373 builds this by appending the

374 .Ev PATH_INFO

375 to the virtual host directory root.

376 .It Ev QUERY_STRING

377 The decoded query string.

378 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

379 Textual representation of the client IP.

380 .It Ev REQUEST_METHOD

381 This is present only for RFC3875 (CGI) compliance.

382 It's always set to the empty string.

383 .It Ev SCRIPT_NAME

384 The part of the

385 .Ev GEMINI_URL_PATH

386 that identifies the current CGI script.

387 .It Ev SERVER_NAME

388 The name of the server

389 .It Ev SERVER_PORT

390 The port the server is listening on.

391 .It Ev SERVER_PROTOCOL

392 .Dq GEMINI

393 .It Ev SERVER_SOFTWARE

394 The name and version of the server, i.e.

395 .Dq gmid/1.5

396 .It Ev AUTH_TYPE

397 The string "Certificate" if the client used a certificate, otherwise

398 unset.

399 .It Ev REMOTE_USER

400 The subject of the client certificate if provided, otherwise unset.

401 .It Ev TLS_CLIENT_ISSUER

402 The is the issuer of the client certificate if provided, otherwise

403 unset.

404 .It Ev TLS_CLIENT_HASH

405 The hash of the client certificate if provided, otherwise unset.

406 The format is

407 .Dq ALGO:HASH .

408 .It Ev TLS_VERSION

409 The TLS version negotiated with the peer.

410 .It Ev TLS_CIPHER

411 The cipher suite negotiated with the peer.

412 .It Ev TLS_CIPHER_STRENGTH

413 The strength in bits for the symmetric cipher that is being used with

414 the peer.

415 .It Ev TLS_CLIENT_NOT_AFTER

416 The time corresponding to the end of the validity period of the peer

417 certificate in the ISO 8601 format

418 .Pq e.g. Dq 2021-02-07T20:17:41Z .

419 .It Ev TLS_CLIENT_NOT_BEFORE

420 The time corresponding to the start of the validity period of the peer

421 certificate in the ISO 8601 format.

422 .El

423 .Sh FastCGI

424 .Nm

425 optionally supports FastCGI.

427 .Ic fastcgi

428 rule must be present in a server or location block.

429 Then, all requests matching that server or location will be handled

430 via the specified FastCGI backend.

431 .Pp

432 By default the following variables

433 .Pq parameters

434 are sent, and carry the same semantics as with CGI.

435 More parameters can be added with the

436 .Ic param

437 option.

438 .Bl -bullet -compact

439 .It

440 GATEWAY_INTERFACE

441 .It

442 GEMINI_URL_PATH

443 .It

444 QUERY_STRING

445 .It

446 REMOTE_ADDR

447 .It

448 REMOTE_HOST

449 .It

450 REQUEST_METHOD

451 .It

452 SERVER_NAME

453 .It

454 SERVER_PROTOCOL

455 .It

456 SERVER_SOFTWARE

457 .It

458 AUTH_TYPE

459 .It

460 REMOTE_USER

461 .It

462 TLS_CLIENT_ISSUER

463 .It

464 TLS_CLIENT_HASH

465 .It

466 TLS_VERSION

467 .It

468 TLS_CIPHER

469 .It

470 TLS_CIPHER_STRENGTH

471 .It

472 TLS_CLIENT_NOT_BEFORE

473 .It

474 TLS_CLIENT_NOT_AFTER

475 .El

476 .Sh MIME

477 To auto-detect the MIME type of the response

478 .Nm

479 looks at the file extension and consults its internal table.

480 By default the following mappings are loaded, but they can be

481 overridden or extended using the

482 .Ic mime

483 configuration option.

484 If no MIME is found, the value of

485 .Ic default type

486 matching the file

487 .Ic location

488 will be used, which is

489 .Dq application/octet-stream

490 by default.

491 .Pp

492 .Bl -tag -offset indent -width 14m -compact

493 .It diff

494 text/x-patch

495 .It gemini, gmi

496 text/gemini

497 .It gif

498 image/gif

499 .It jpeg

500 image/jpeg

501 .It jpg

502 image/jpeg

503 .It markdown, md

504 text/markdown

505 .It patch

506 text/x-patch

507 .It pdf

508 application/pdf

509 .It png

510 image/png

511 .It svg

512 image/svg+xml

513 .It txt

514 text/plain

515 .It xml

516 text/xml

517 .El

518 .Sh EXAMPLES

519 Serve the current directory

520 .Bd -literal -offset indent

521 $ gmid .

522 .Ed

523 .Pp

524 To serve the directory

525 .Pa docs

526 and enable CGI scripts inside

527 .Pa docs/cgi ,

528 you can

529 .Bd -literal -offset indent

530 $ mkdir docs/cgi

531 $ cat <<EOF > docs/cgi/hello

532 #!/bin/sh

533 printf "20 text/plain\\r\\n"

534 echo "hello world"

535 EOF

536 $ chmod +x docs/cgi/hello

537 $ gmid -x '/cgi/*' docs

538 .Ed

539 .Pp

540 The following is an example of a possible configuration for a site

541 that enables only TLSv1.3, adds a mime type for the file extension

542 "rtf" and defines two virtual host:

543 .Bd -literal -offset indent

544 ipv6 on		# enable ipv6

546 protocols "tlsv1.3"

548 mime "application/rtf" "rtf"

550 server "example.com" {

551 	cert "/path/to/cert.pem"

552 	key  "/path/to/key.pem"

553 	root "/var/gemini/example.com"

556 server "it.example.com" {

557 	cert "/path/to/cert.pem"

558 	key  "/path/to/key.pem"

559 	root "/var/gemini/it.example.com"

560 	cgi  "/cgi-bin/*"

561 	lang "it"

563 .Ed

564 .Pp

565 Yet another example, showing how to enable a

566 .Ic chroot

567 and use

568 .Ic location

569 rule

570 .Bd -literal -offset indent

571 chroot "/var/gemini"

572 user "_gmid"

574 server "example.com" {

575 	cert "/path/to/cert.pem"

576 	key  "/path/to/key.pem"

577 	root "/example.com" # in the /var/gemini chroot

579 	location "/static/*" {

580 		auto index on

581 		index "index.gemini"

584 .Ed

585 .Sh ACKNOWLEDGEMENTS

586 .Nm

587 uses the

588 .Dq Flexible and Economical

589 UTF-8 decoder written by

590 .An Bjoern Hoehrmann .

591 .Sh AUTHORS

592 .An -nosplit

593 The

594 .Nm

595 program was written by

596 .An Omar Polo Aq Mt op@omarpolo.com .

597 .Sh CAVEATS

598 .Bl -bullet

599 .It

600 The root directories of all virtual hosts are opened during the daemon

601 startup; this means that if a root directory gets deleted and then

602 re-created,

603 .Nm

604 won't be able to serve files inside that directory until a restart.

605 This restriction applies only to the root directories and not their content.

606 .It

607 a %2F sequence is indistinguishable from a literal slash: this is not

608 RFC3986-compliant.

609 .It

610 a %00 sequence is treated as invalid character and thus rejected.

611 .El