op public repos

Blob

Date:: Wed Apr 28 12:43:17 2021 UTC
Message:: added ``env'' option to define environment vars for CGI scripts
Actions:: History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>
2 .\"
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
6 .\"
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: January 30 2021$
15 .Dt GMID 1
16 .Os
17 .Sh NAME
18 .Nm gmid
19 .Nd simple and secure Gemini server
20 .Sh SYNOPSIS
21 .Nm
22 .Bk -words
23 .Op Fl fnv
24 .Op Fl c Ar config
25 .Ek
26 .Nm
27 .Bk -words
28 .Op Fl 6hv
29 .Op Fl d Pa certs-dir
30 .Op Fl H Ar hostname
31 .Op Fl p Ar port
32 .Op Fl x Pa cgi
33 .Op Pa dir
34 .Ek
35 .Sh DESCRIPTION
36 .Nm
37 is a simple and minimal gemini server that can serve static files and
38 execute CGI scripts.
39 It can run without a configuration file with a limited set of features
40 available.
41 .Pp
42 .Nm
43 rereads the configuration file when it receives
44 .Dv SIGHUP .
45 .Pp
46 The options are as follows:
47 .Bl -tag -width 14m
48 .It Fl c Pa config
49 Specify the configuration file.
50 .It Fl f
51 Stays and logs on the foreground.
52 .It Fl n
53 Check that the configuration is valid, but don't start the server.
54 .El
55 .Pp
56 If no configuration file is given,
57 .Nm
58 will look for the following options
59 .Bl -tag -width 14m
60 .It Fl 6
61 Enable IPv6.
62 .It Fl d Pa certs-path
63 Directory where certificates for the config-less mode are stored.
64 By default is
65 .Pa $XDG_DATA_HOME/gmid ,
66 i.e.
67 .Pa ~/.local/share/gmid .
68 .It Fl H Ar hostname
69 The hostname, by default
70 .Ar localhost .
71 Certificates for the given
72 .Ar hostname
73 are searched inside the
74 .Pa certs-dir
75 directory given with the
76 .Fl d
77 option.
78 They have the form
79 .Pa hostname.cert.pem
80 and
81 .Pa hostname.key.pem .
82 If a certificate or key don't exists for a given hostname they
83 will be automatically generated.
84 .It Fl h
85 Print the usage and exit.
86 .It Fl p Ar port
87 The port to listen on, by default 1965.
88 .It Fl v
89 Verbose mode.
90 Multiple
91 .Fl v
92 options increase the verbosity.
93 .It Fl x Pa path
94 Enable execution of CGI scripts.
95 See the description of the
96 .Ic cgi
97 option in the section
98 .Sq Servers
99 below to learn how
100 .Pa path
101 is processed.
102 Cannot be provided more than once.
103 .It Pa dir
104 The root directory to serve.
105 By default the current working directory is assumed.
106 .El
107 .Sh CONFIGURATION FILE
108 The configuration file is divided into two sections:
109 .Bl -tag -width xxxx
110 .It Sy Global Options
111 Global settings for
112 .Nm .
113 .It Sy Servers
114 Virtual hosts definition.
115 .El
116 .Pp
117 Within the sections, empty lines are ignored and comments can be put
118 anywhere in the file using a hash mark
119 .Pq Sq # ,
120 and extend to the end of the current line.
121 A boolean is either the symbol
122 .Sq on
123 or
124 .Sq off .
125 A string is a sequence of characters wrapped in double quotes,
126 .Dq like this .
127 .Ss Global Options
128 .Bl -tag -width 12m
129 .It Ic chroot Pa path
130 .Xr chroot 2
131 the process to the given
132 .Pa path .
133 The daemon has to be run with root privileges and thus the option
134 .Ic user
135 needs to be provided, so privileges can be dropped.
136 Note that
137 .Nm
138 will enter the chroot after loading the TLS keys, but before opening
139 the virtual host root directories.
140 It's recommended to keep the TLS keys outside the chroot.
141 Future version of
142 .Nm
143 may enforce this.
144 .It Ic ipv6 Ar bool
145 Enable or disable IPv6 support.
146 By default is off.
147 .It Ic mime Ar mime-type Ar file-extension
148 Add a mapping for the given
149 .Ar file-extension
150 to the given
151 .Ar mime-type .
152 Both argument are strings.
153 .It Ic port Ar portno
154 The port to listen on.
155 By default is 1965.
156 .It Ic prefork Ar number
157 Run the specified number of server processes.
158 This increases the performance and prevents delays when connecting to
159 a server.
160 .Nm
161 runs 3 server processes by default, when not in config-less mode.
162 The maximum number allowed is 16.
163 .It Ic protocols Ar string
164 Specify the TLS protocols to enable.
165 Refer to
166 .Xr tls_config_parse_protocols 3
167 for the valid protocol string values.
168 By default, both TLSv1.3 and TLSv1.2 are enabled.
169 Use
170 .Dq tlsv1.3
171 to enable only TLSv1.3.
172 .It Ic user Ar string
173 Run the daemon as the given user.
174 .El
175 .Ss Servers
176 Every virtual host is defined by a
177 .Ic server
178 block:
179 .Bl -tag -width Ds
180 .It Ic server Ar hostname Brq ...
181 Match the server name using shell globbing rules.
182 This can be an explicit name,
183 .Ar www.example.com ,
184 or a name including a wildcards,
185 .Ar *.example.com .
186 .El
187 .Pp
188 Followed by a block of options that is enclosed in curly brackets:
189 .Bl -tag -width Ds
190 .It Ic auto Ic index Ar bool
191 If no index file is found, automatically generate a directory listing.
192 It's disabled by default.
193 .It Ic block Op Ic return Ar code Op Ar meta
194 Send a reply and close the connection;
195 .Ar code
196 is 40
197 and
198 .Ar meta
199 is
200 .Dq temporary failure
201 by default.
202 If
203 .Ar code
204 is in the 3x range, then
205 .Ar meta
206 must be provided.
207 Inside
208 .Ar meta ,
209 the following special sequences are replaced:
210 .Bl -tag -compact
211 .It \&%\&%
212 is replaced with a single
213 .Sq \&% .
214 .It \&%p
215 is replaced with the request path.
216 .It \&%q
217 is replaced with the query string of the request.
218 .It \&%P
219 is replaced with the server port.
220 .It \&%N
221 is replaced with the server name.
222 .El
223 .It Ic cert Pa file
224 Path to the certificate to use for this server.
225 The
226 .Pa file
227 should contain a PEM encoded certificate.
228 This option is mandatory.
229 .It Ic cgi Pa path
230 Execute CGI scripts that matches
231 .Pa path
232 using shell globbing rules.
233 .It Ic default type Ar string
234 Set the default media type that is used if the media type for a
235 specified extension is not found.
236 If not specified, the
237 .Ic default type
238 is set to
239 .Dq application/octet-stream .
240 .It Ic entrypoint Pa path
241 Handle all the requests for the current virtual host using the
242 CGI script at
243 .Pa path .
244 .It Ic env Ar name Ar value
245 Set the environment variable
246 .Ar name
247 to
248 .Ar value
249 when executing CGI scripts.
250 Can be provided more than once.
251 .It Ic index Ar string
252 Set the directory index file.
253 If not specified, it defaults to
254 .Pa index.gmi .
255 .It Ic key Pa file
256 Specify the private key to use for this server.
257 The
258 .Pa file
259 should contain a PEM encoded private key.
260 This option is mandatory.
261 .It Ic lang Ar string
262 Specify the language tag for the text/gemini content served.
263 If not specified, no
264 .Dq lang
265 parameter will be added in the response.
266 .It Ic location Pa path Brq ...
267 Specify server configuration rules for a specific location.
268 The
269 .Pa path
270 argument will be matched against the request path with shell globbing
271 rules.
272 In case of multiple location statements in the same context, the first
273 matching location will be put into effect and the later ones ignored.
274 Therefore is advisable to match for more specific paths first and for
275 generic ones later on.
276 A
277 .Ic location
278 section may include most of the server configuration rules
279 except
280 .Ic cert , Ic env , Ic key , Ic root , Ic location ,
281 .Ic entrypoint No and Ic cgi .
282 .It Ic root Pa directory
283 Specify the root directory for this server.
284 This option is mandatory.
285 It's relative to the chroot, if enabled.
286 .It Ic require Ic client Ic ca Pa path
287 Allow requests only from clients that provide a certificate signed by
288 the CA certificate in
289 .Pa path .
290 It needs to be a PEM-encoded certificate and it's not relative to the
291 chroot.
292 .It Ic strip Ar number
293 Strip
294 .Ar number
295 components from the beginning of the path.
296 It's only considered for the
297 .Ar meta
298 parameter in the scope of a
299 .Ic block return .
300 .El
301 .Sh CGI
302 When a request for an executable file matches the
303 .Ic cgi
304 rule, that file will be execute and its output fed to the client.
305 .Pp
306 The CGI scripts are executed in the directory they reside and inherit
307 the environment from
308 .Nm
309 with these additional variables set:
310 .Bl -tag -width 24m
311 .It Ev GATEWAY_INTERFACE
312 .Dq CGI/1.1
313 .It Ev GEMINI_DOCUMENT_ROOT
314 The root directory of the virtual host.
315 .It Ev GEMINI_SCRIPT_FILENAME
316 Full path to the CGI script being executed.
317 .It Ev GEMINI_URL
318 The full IRI of the request.
319 .It Ev GEMINI_URL_PATH
320 The path of the request.
321 .It Ev PATH_INFO
322 The portion of the requested path that is derived from the the IRI
323 path hierarchy following the part that identifies the script itself.
324 Can be unset.
325 .It Ev PATH_TRANSLATED
326 Present if and only if
327 .Ev PATH_INFO
328 is set.
329 It represent the translation of the
330 .Ev PATH_INFO .
331 .Nm
332 builds this by appending the
333 .Ev PATH_INFO
334 to the virtual host directory root.
335 .It Ev QUERY_STRING
336 The decoded query string.
337 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
338 Textual representation of the client IP.
339 .It Ev REQUEST_METHOD
340 This is present only for RFC3875 (CGI) compliance.
341 It's always set to the empty string.
342 .It Ev SCRIPT_NAME
343 The part of the
344 .Ev GEMINI_URL_PATH
345 that identifies the current CGI script.
346 .It Ev SERVER_NAME
347 The name of the server
348 .It Ev SERVER_PORT
349 The port the server is listening on.
350 .It Ev SERVER_PROTOCOL
351 .Dq GEMINI
352 .It Ev SERVER_SOFTWARE
353 The name and version of the server, i.e.
354 .Dq gmid/1.5
355 .It Ev AUTH_TYPE
356 The string "Certificate" if the client used a certificate, otherwise
357 unset.
358 .It Ev REMOTE_USER
359 The subject of the client certificate if provided, otherwise unset.
360 .It Ev TLS_CLIENT_ISSUER
361 The is the issuer of the client certificate if provided, otherwise
362 unset.
363 .It Ev TLS_CLIENT_HASH
364 The hash of the client certificate if provided, otherwise unset.
365 The format is
366 .Dq ALGO:HASH .
367 .It Ev TLS_VERSION
368 The TLS version negotiated with the peer.
369 .It Ev TLS_CIPHER
370 The cipher suite negotiated with the peer.
371 .It Ev TLS_CIPHER_STRENGTH
372 The strength in bits for the symmetric cipher that is being used with
373 the peer.
374 .It Ev TLS_CLIENT_NOT_AFTER
375 The time corresponding to the end of the validity period of the peer
376 certificate in the ISO 8601 format
377 .Pq e.g. Dq 2021-02-07T20:17:41Z .
378 .It Ev TLS_CLIENT_NOT_BEFORE
379 The time corresponding to the start of the validity period of the peer
380 certificate in the ISO 8601 format.
381 .El
382 .Pp
383 .Sh MIME
384 To auto-detect the MIME type of the response
385 .Nm
386 looks at the file extension and consults its internal table.
387 By default the following mappings are loaded, but they can be
388 overridden or extended using the
389 .Ic mime
390 configuration option.
391 If no MIME is found, the value of
392 .Ic default type
393 matching the file
394 .Ic location
395 will be used, which is
396 .Dq application/octet-stream
397 by default.
398 .Pp
399 .Bl -tag -offset indent -width 14m -compact
400 .It diff
401 text/x-patch
402 .It gemini, gmi
403 text/gemini
404 .It gif
405 image/gif
406 .It jpeg
407 image/jpeg
408 .It jpg
409 image/jpeg
410 .It markdown, md
411 text/markdown
412 .It patch
413 text/x-patch
414 .It pdf
415 application/pdf
416 .It png
417 image/png
418 .It svg
419 image/svg+xml
420 .It txt
421 text/plain
422 .It xml
423 text/xml
424 .El
425 .Sh EXAMPLES
426 Serve the current directory
427 .Bd -literal -offset indent
428 $ gmid .
429 .Ed
430 .Pp
431 To serve the directory
432 .Pa docs
433 and enable CGI scripts inside
434 .Pa docs/cgi ,
435 you can
436 .Bd -literal -offset indent
437 $ mkdir docs/cgi
438 $ cat <<EOF > docs/cgi/hello
439 #!/bin/sh
440 printf "20 text/plain\\r\\n"
441 echo "hello world"
442 EOF
443 $ chmod +x docs/cgi/hello
444 $ gmid -x '/cgi/*' docs
445 .Ed
446 .Pp
447 The following is an example of a possible configuration for a site
448 that enables only TLSv1.3, adds a mime type for the file extension
449 "rtf" and defines two virtual host:
450 .Bd -literal -offset indent
451 ipv6 on		# enable ipv6
452 
453 protocols "tlsv1.3"
454 
455 mime "application/rtf" "rtf"
456 
457 server "example.com" {
458 	cert "/path/to/cert.pem"
459 	key  "/path/to/key.pem"
460 	root "/var/gemini/example.com"
461 }
462 
463 server "it.example.com" {
464 	cert "/path/to/cert.pem"
465 	key  "/path/to/key.pem"
466 	root "/var/gemini/it.example.com"
467 	cgi  "/cgi-bin/*"
468 	lang "it"
469 }
470 .Ed
471 .Pp
472 Yet another example, showing how to enable a
473 .Ic chroot
474 and use
475 .Ic location
476 rule
477 .Bd -literal -offset indent
478 chroot "/var/gemini"
479 user "_gmid"
480 
481 server "example.com" {
482 	cert "/path/to/cert.pem"
483 	key  "/path/to/key.pem"
484 	root "/example.com" # in the /var/gemini chroot
485 
486 	location "/static/*" {
487 		auto index on
488 		index "index.gemini"
489 	}
490 }
491 .Ed
492 .Sh ACKNOWLEDGEMENTS
493 .Nm
494 uses the
495 .Dq Flexible and Economical
496 UTF-8 decoder written by
497 .An Bjoern Hoehrmann .
498 .Sh AUTHORS
499 .An -nosplit
500 The
501 .Nm
502 program was written by
503 .An Omar Polo Aq Mt op@omarpolo.com .
504 .Sh CAVEATS
505 .Bl -bullet
506 .It
507 The root directories of all virtual hosts are opened during the daemon
508 startup; this means that if a root directory gets deleted and then
509 re-created,
510 .Nm
511 won't be able to serve files inside that directory until a restart.
512 This restriction applies only to the root directories and not their content.
513 .It
514 a %2F sequence is indistinguishable from a literal slash: this is not
515 RFC3986-compliant.
516 .It
517 a %00 sequence is treated as invalid character and thus rejected.
518 .El