Blob

Date:
Message:
add log syslog off; don't turn syslog off when log access is specified
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2022, 2023 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd July 24, 2023

15 .Dt GMID.CONF 5

16 .Os

17 .Sh NAME

18 .Nm gmid.conf

19 .Nd gmid Gemini server configuration file

20 .Sh DESCRIPTION

21 .Nm

22 is the configuration file format for the

23 .Xr gmid 8

24 Gemini server.

25 .Pp

26 The configuration file is divided into the following sections:

27 .Bl -tag -width Ds

28 .It Sy Macros

29 User-defined variables may be defined and used later, simplifying the

30 configuration file.

31 .It Sy Global Options

32 Global settings for

33 .Xr gmid 8 .

34 .It Sy Servers

35 Virtual hosts definition.

36 .It Sy Types

37 Media types and extensions.

38 .El

39 .Pp

40 Within the sections, empty lines are ignored and comments can be put

41 anywhere in the file using a hash mark

42 .Pq Sq #

43 and extend to the end of the current line.

44 A boolean is either the symbol

45 .Sq on

46 or

47 .Sq off .

48 A string is a sequence of characters wrapped in double quotes,

49 .Dq like this .

50 Multiple strings one next to the other are joined into a single

51 string:

52 .Bd -literal -offset indent

53 # equivalent to "temporary-failure"

54 block return 40 "temporary" "-" "failure"

55 .Ed

56 .Pp

57 Furthermore, quoting is necessary only when a string needs to contain

58 special characters

59 .Pq like spaces or punctuation ,

60 something that looks like a number or a reserved keyword.

61 The last example could have been written also as:

62 .Bd -literal -offset indent

63 block return 40 temporary "-" failure

64 .Ed

65 .Pp

66 Strict ordering of the sections is not enforced, so that is possible

67 to mix macros, options and

68 .Ic server

69 blocks.

70 However, defining all the

71 .Ic server

72 blocks after the macros and the global options is recommended.

73 .Pp

74 Newlines are often optional, except around top-level instructions, and

75 semicolons

76 .Dq \&;

77 can also be optionally used to separate options.

78 .Pp

79 Additional configuration files can be included with the

80 .Ic include

81 keyword, for example:

82 .Bd -literal -offset indent

83 include "/etc/gmid.conf.local"

84 .Ed

85 .Ss Macros

86 Macros can be defined that will later be expanded in context.

87 Macro names must start with a letter, digit or underscore and may

88 contain any of those characters.

89 Macros names may not be reserved words.

90 Macros are not expanded inside quotes.

91 .Pp

92 Two kinds of macros are supported: variable-like and proper macros.

93 When a macro is invoked with a

94 .Dq $

95 before its name its expanded as a string, whereas when it's invoked

96 with a

97 .Dq @

98 its expanded in-place.

99 .Pp

100 For example:

101 .Bd -literal -offset indent

102 dir = "/var/gemini"

103 certdir = "/etc/keys"

104 common = "lang it; auto index on"

106 server "foo" {

107 	root $dir "/foo"         # "/var/gemini/foo"

108 	cert $certdir "/foo.pem" # "/etc/keys/foo.pem"

109 	key  $certdir "/foo.key" # "/etc/keys/foo.key"

110 	@common

112 .Ed

113 .Ss Global Options

114 .Bl -tag -width 12m

115 .It Ic chroot Ar path

116 .Xr chroot 2

117 the process to the given

118 .Ar path .

119 The daemon has to be run with root privileges and thus the option

120 .Ic user

121 needs to be provided too, so privileges can be dropped afterwards.

122 All the paths in the configuration file are relative to the chroot

123 directory, except for the

124 .Ic cert ,

125 .Ic key

126 and

127 .Ic ocsp

128 paths.

129 Defaults to the

130 .Ic user

131 home directory, if provided.

132 .It Ic log Ar options

133 Specify logging options.

134 Multiple options may be provided within curly braces.

135 The available options are as follows:

136 .Bl -tag -width Ds

137 .It Ic syslog Op Ic off

138 Log to syslog.

139 It is enabled by default, use the

140 .Ic off

141 argument to disable.

142 .It Ic access Ar file

143 Log the requests to

144 .Ar file .

145 The path is relative to the

146 .Ic chroot .

147 .It Ic style Ar style

148 Set the logging style, defaults to

149 .Ic condensed .

150 The

151 .Ar style

152 can be one of:

153 .Bl -tag -width Ds

154 .It Ic common

155 Attempt to be compatible with the default Apache httpd log format.

156 Each line is formatted as follows: the matching host name,

157 the remote IP address, one dash

158 .Sq - ,

159 Common Name of the client certificate

160 .Pq if provided, '-' otherwise ,

161 the timestamp of the request, the request URI wrapped in double quotes,

162 the response code and the size of the response.

163 .It Ic combined

164 Attempt to be compatible with the default nginx log format.

165 Each line is formatted as follows: the remote IP address, one dash

166 .Sq - ,

167 Common Name of the client certificate

168 .Pq if provided, '-' otherwise ,

169 the timestamp wrapped in square brackets, the request URI wrapped in

170 double quotes, the response code, the size of the response, a dash

171 wrapped in double quotes and "".

172 The strangness of these two last fields is because Gemini doesn't have

173 the notion of the

174 .Dq Referer

175 header nor the

176 .Dq User-agent .

177 .It Ic condensed

178 The native

179 .Xr gmid 8

180 format since 2.0.

181 Each line is formatted as follows: RFC 3339 date time,

182 remote IP address, Common Name of the client certificate

183 .Pq if provided, '-' otherwise ,

184 the matching host name, the request URI, the size of the response,

185 the response code and meta.

186 .It Ic legacy

187 The pre-2.0 gmid native format.

188 Each line is formatted as follows: the remote IP address and port, the

189 .Sq GET

190 keyword, the request URI, the response code and meta.

191 .El

192 .El

193 .It Ic prefork Ar number

194 Run the specified number of server processes.

195 This increases the performance and prevents delays when connecting to

196 a server.

197 .Xr gmid 8

198 runs 3 server processes by default.

199 The maximum number allowed is 16.

200 .It Ic protocols Ar string

201 Specify the TLS protocols to enable.

202 Refer to

203 .Xr tls_config_parse_protocols 3

204 for the valid protocol string values.

205 By default, both TLSv1.3 and TLSv1.2 are enabled.

206 Use

207 .Dq tlsv1.3

208 to enable only TLSv1.3.

209 .It Ic user Ar string

210 Run the daemon as the given user.

211 .El

212 .Ss Servers

213 Every virtual host is defined by a

214 .Ic server

215 block:

216 .Bl -tag -width Ds

217 .It Ic server Ar hostname Brq ...

218 Match the server name using shell globbing rules.

219 It can be an explicit name,

220 .Ar www.example.com ,

221 or a name including a wildcards,

222 .Ar *.example.com .

223 .El

224 .Pp

225 Followed by a block of options that is enclosed in curly brackets:

226 .Bl -tag -width Ds

227 .It Ic alias Ar name

228 Specify an additional alias

229 .Ar name

230 for this server.

231 .It Ic auto Ic index Ar bool

232 If no index file is found, automatically generate a directory listing.

233 Disabled by default.

234 .It Ic block Op Ic return Ar code Op Ar meta

235 Send a reply and close the connection;

236 by default

237 .Ar code

238 is 40

239 and

240 .Ar meta

241 is

242 .Dq temporary failure .

243 If

244 .Ar code

245 is in the 3x range, then

246 .Ar meta

247 is mandatory.

248 Inside

249 .Ar meta ,

250 the following special sequences are supported:

251 .Bl -tag -width Ds -compact

252 .It \&%\&%

253 is replaced with a single

254 .Sq \&% .

255 .It \&%p

256 is replaced with the request path.

257 .It \&%q

258 is replaced with the query string of the request.

259 .It \&%P

260 is replaced with the server port.

261 .It \&%N

262 is replaced with the server name.

263 .El

264 .It Ic cert Ar file

265 Path to the certificate to use for this server.

266 .Ar file

267 should contain a PEM encoded certificate.

268 This option is mandatory.

269 .It Ic default type Ar string

270 Set the default media type that is used if the media type for a

271 specified extension is not found.

272 If not specified, the

273 .Ic default type

274 is set to

275 .Dq application/octet-stream .

276 .It Ic fastcgi Ar option

277 Enable FastCGI instead of serving files.

278 Multiple options may be specified within curly braces.

279 Valid options are:

280 .Bl -tag -width Ds

281 .It Ic param Ar name Cm = Ar value

282 Set the param

283 .Ar name

284 to

285 .Ar value .

286 .It Ic socket Oo Ic tcp Oc Ar socket Oo Cm port Ar port Oc

287 The

288 .Ar socket

289 can either be a UNIX-domain socket or a TCP socket.

290 If the FastCGI application is listening on a UNIX domain socket,

291 .Ar socket

292 is a local path name within the

293 .Xr chroot 2

294 root directory of

295 .Nm .

296 Otherwise, the

297 .Ic tcp

298 keyword must be provided and

299 .Ar socket

300 is interpreted as a hostname or an IP address.

301 .Ar port

302 can be either a port number or the name of a service enclosed in

303 double quotes.

304 If not specified defaults to 9000.

305 .El

306 .Pp

307 The FastCGI handler will be given the following variables by default:

308 .Bl -tag -width 24m

309 .It Ev GATEWAY_INTERFACE

310 .Dq CGI/1.1

311 .It Ev GEMINI_DOCUMENT_ROOT

312 The root directory of the virtual host.

313 .It Ev GEMINI_SCRIPT_FILENAME

314 Full path to the FastCGI script being executed.

315 .It Ev GEMINI_URL

316 The full IRI of the request.

317 .It Ev GEMINI_URL_PATH

318 The path of the request.

319 .It Ev GEMINI_SEARCH_STRING

320 The decoded

321 .Ev QUERY_STRING

322 if defined in the request and if it doesn't contain any unencoded

323 .Sq =

324 characters, otherwise unset.

325 .It Ev PATH_INFO

326 The portion of the requested path that is derived from the the IRI

327 path hierarchy following the part that identifies the script itself.

328 Can be unset.

329 .It Ev PATH_TRANSLATED

330 Present if and only if

331 .Ev PATH_INFO

332 is set.

333 It represent the translation of the

334 .Ev PATH_INFO .

335 .Nm gmid

336 builds this by appending the

337 .Ev PATH_INFO

338 to the virtual host directory root.

339 .It Ev QUERY_STRING

340 The URL-encoded search or parameter string.

341 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

342 Textual representation of the client IP.

343 .It Ev REQUEST_METHOD

344 This is present only for RFC3875 (CGI) compliance.

345 It's always set to the empty string.

346 .It Ev SCRIPT_NAME

347 The virtual URI path to the script.

348 .It Ev SERVER_NAME

349 The name of the server

350 .It Ev SERVER_PORT

351 The port the server is listening on.

352 .It Ev SERVER_PROTOCOL

353 .Dq GEMINI

354 .It Ev SERVER_SOFTWARE

355 The name and version of the server, i.e.

356 .Dq gmid/1.8.4

357 .It Ev AUTH_TYPE

358 The string "Certificate" if the client used a certificate, otherwise

359 unset.

360 .It Ev REMOTE_USER

361 The subject of the client certificate if provided, otherwise unset.

362 .It Ev TLS_CLIENT_ISSUER

363 The is the issuer of the client certificate if provided, otherwise

364 unset.

365 .It Ev TLS_CLIENT_HASH

366 The hash of the client certificate if provided, otherwise unset.

367 The format is

368 .Dq ALGO:HASH .

369 .It Ev TLS_VERSION

370 The TLS version negotiated with the peer.

371 .It Ev TLS_CIPHER

372 The cipher suite negotiated with the peer.

373 .It Ev TLS_CIPHER_STRENGTH

374 The strength in bits for the symmetric cipher that is being used with

375 the peer.

376 .It Ev TLS_CLIENT_NOT_AFTER

377 The time corresponding to the end of the validity period of the peer

378 certificate in the ISO 8601 format

379 .Pq e.g. Dq 2021-02-07T20:17:41Z .

380 .It Ev TLS_CLIENT_NOT_BEFORE

381 The time corresponding to the start of the validity period of the peer

382 certificate in the ISO 8601 format.

383 .El

384 .It Ic fastcgi off

385 Disable FastCGI handling in the current location.

386 .It Ic index Ar string

387 Set the directory index file.

388 If not specified, it defaults to

389 .Pa index.gmi .

390 .It Ic key Ar file

391 Specify the private key to use for this server.

392 .Ar file

393 should contain a PEM encoded private key.

394 This option is mandatory.

395 .It Ic lang Ar string

396 Specify the language tag for the text/gemini content served.

397 If not specified, no

398 .Dq lang

399 parameter will be added in the response.

400 .It Ic listen on Ar address Op Ic port Ar number

401 Set the listen

402 .Ar address

403 and

404 .Ar port

405 which defaults to

406 .Sq 1965 .

407 This statement can be specified multiple times.

408 If

409 .Ar address

410 is

411 .Sq *

412 then

413 .Xr gmid 8

414 will listen on all IPv4 and IPv6 addresses.

415 .Ar 0.0.0.0

416 can be used to listen on all IPv4 addresses and

417 .Ar ::

418 on all IPv6 addresses.

419 .It Ic location Ar path Brq ...

420 Specify server configuration rules for a specific location.

421 .Ar path

422 argument will be matched against the request path with shell globbing

423 rules.

424 In case of multiple location statements in the same context, the first

425 matching location will be put into effect and the later ones ignored.

426 Therefore is advisable to match for more specific paths first and for

427 generic ones later on.

429 .Ic location

430 section may include most of the server configuration rules

431 except

432 .Ic alias , Ic cert , Ic key , Ic listen , Ic location

433 and

434 .Ic proxy .

435 .It Ic log Ar bool

436 Enable or disable the logging for the current server or location block.

437 .It Ic ocsp Ar file

438 Specify an OCSP response to be stapled during TLS handshakes

439 with this server.

440 The

441 .Ar file

442 should contain a DER-format OCSP response retrieved from an

443 OCSP server for the

444 .Ic cert

445 in use.

446 If the OCSP response in

447 .Ar file

448 is empty, OCSP stapling will not be used.

449 The default is to not use OCSP stapling.

450 .It Ic proxy Oo Cm proto Ar name Oc Oo Cm for-host Ar host Oo Cm port Ar port Oc Oc Brq ...

451 Set up a reverse proxy.

452 The optional matching rules

453 .Cm proto

454 and

455 .Cm for-host

456 can be used to enable proxying only for protocols matching

457 .Ar name

458 .Po Dq gemini

459 by default

460 .Pc

461 and/or whose request IRI matches

462 .Ar host

463 and

464 .Ar port

465 .Pq 1965 by default .

466 Matching happens using shell globbing rules.

467 .Pp

468 In case of multiple matching proxy blocks in the same context, the

469 first matching proxy will be put into effect and the later ones

470 ignored.

471 .Pp

472 Valid options are:

473 .Bl -tag -width Ds

474 .It Ic cert Ar file

475 Specify the client certificate to use when making requests.

476 .It Ic key Ar file

477 Specify the client certificate key to use when making requests.

478 .It Ic protocols Ar string

479 Specify the TLS protocols allowed when making remote requests.

480 Refer to the

481 .Xr tls_config_parse_protocols 3

482 function for the valid protocol string values.

483 By default, both TLSv1.2 and TLSv1.3 are enabled.

484 .It Ic relay-to Ar host Op Cm port Ar port

485 Relay the request to the given

486 .Ar host

487 at the given

488 .Ar port ,

489 1965 by default.

490 This is the only mandatory option in a

491 .Ic proxy

492 block.

493 .It Ic require Ic client Ic ca Ar file

494 Allow the proxying only from clients that provide a certificate

495 signed by the CA certificate in

496 .Ar file .

497 .It Ic sni Ar hostname

498 Use the given

499 .Ar hostname

500 instead of the one extracted from the

501 .Ic relay-to

502 rule for the TLS handshake with the proxied gemini server.

503 .It Ic use-tls Ar bool

504 Specify whether to use TLS when connecting to the proxied host.

505 Enabled by default.

506 .It Ic verifyname Ar bool

507 Enable or disable the TLS server name verification.

508 Enabled by default.

509 .El

510 .It Ic root Ar directory

511 Specify the root directory for this server

512 .Pq alas the current Dq document root .

513 It's relative to the chroot if enabled.

514 .It Ic require Ic client Ic ca Ar path

515 Allow requests only from clients that provide a certificate signed by

516 the CA certificate in

517 .Ar path .

518 It needs to be a PEM-encoded certificate and it's not relative to the

519 chroot.

520 .It Ic strip Ar number

521 Strip

522 .Ar number

523 components from the beginning of the path before doing a lookup in the

524 root directory.

525 It's also considered for the

526 .Ar meta

527 parameter in the scope of a

528 .Ic block return .

529 .El

530 .Ss Types

531 The

532 .Ic types

533 section must include one or more lines of the following syntax, enclosed

534 in curly brances:

535 .Bl -tag -width Ds

536 .It Ar type Ns / Ns Ar subtype Ar name Op Ar name ...

537 Set the media

538 .Ar type

539 and

540 .Ar subtype

541 to the specified extension

542 .Ar name .

543 One or more names can be specified per line.

544 Earch line may end with an optional semicolon.

545 .It Ic include Ar file

546 Include types definition from an external file, for example

547 .Pa /usr/share/misc/mime.types .

548 .El

549 .Pp

550 By default

551 .Nm gmid

552 uses the following mapping if no

553 .Ic types

554 block is defined:

555 .Pp

556 .Bl -tag -offset indent -width 15m -compact

557 .It application/pdf

558 pdf

559 .It image/gif

560 gif

561 .It image/jpeg

562 jpg jpeg

563 .It image/png

564 png

565 .It image/svg+xml

566 svg

567 .It text/gemini

568 gemini gmi

569 .It text/markdown

570 markdown md

571 .It text/x-patch

572 diff patch

573 .It text/xml

574 xml

575 .El

576 .Pp

577 As an exception,

578 .Nm gmid

579 uses the MIME type

580 .Ar text/gemini

581 for file extensions

582 .Ar gemini

583 or

584 .Ar gmi

585 if no mapping was found.

586 .Sh EXAMPLES

587 The following is an example of a possible configuration for a site

588 that enables only TLSv1.3, adds the MIME types mapping from

589 .Pa /usr/share/misc/mime.types

590 and defines two virtual host:

591 .Bd -literal -offset indent

592 protocols "tlsv1.3"

594 types {

595 	include "/usr/share/misc/mime.types"

598 server "example.com" {

599 	listen on * port 1965

600 	cert "/etc/ssl/example.com.pem"

601 	key  "/etc/ssl/private/example.com.key"

602 	root "/var/gemini/example.com"

605 server "example.it" {

606 	listen on * port 1965

607 	cert "/etc/ssl/example.it.pem"

608 	key  "/etc/ssl/private/example.it.key"

609 	root "/var/gemini/example.it"

611 	# set the language for text/gemini files

612 	lang "it"

614 .Ed

615 .Pp

616 Yet another example, showing how to enable a

617 .Ic chroot

618 and use

619 .Ic location

620 rule

621 .Bd -literal -offset indent

622 chroot "/var/gemini"

623 user "_gmid"

625 server "example.com" {

626 	listen on * port 1965

628 	# absolute paths:

629 	cert "/etc/ssl/example.com.pem"

630 	key  "/etc/ssl/private/example.com.key"

632 	# relative to the chroot:

633 	root "/example.com"

635 	location "/static/*" {

636 		# load the following rules only for

637 		# requests that matches "/static/*"

639 		auto index on

640 		index "index.gemini"

643 .Ed

644 .Sh SEE ALSO

645 .Xr gmid 8 ,

646 .Xr slowcgi 8

647 .Sh AUTHORS

648 .An -nosplit

649 The

650 .Nm gmid

651 program was written by

652 .An Omar Polo Aq Mt op@omarpolo.com .