Blob
Date:
Fri Apr 8 13:33:05 2022
UTC
Message:
+jpeg
.\" Copyright (c) 2022 Omar Polo <op@omarpolo.com>.\".\" Permission to use, copy, modify, and distribute this software for any.\" purpose with or without fee is hereby granted, provided that the above.\" copyright notice and this permission notice appear in all copies..\".\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE..Dd $Mdocdate: April 7 2022$.Dt GMID.CONF 5.Os.Sh NAME.Nm gmid.conf.Nd gmid Gemini server configuration file.Sh DESCRIPTION.Nmis the configuration file format for the.Xr gmid 1Gemini server..PpThe configuration file is divided into three sections:.Bl -tag -width xxxx.It Sy MacrosUser-defined variables may be defined and used later, simplifying theconfiguration file..It Sy Global OptionsGlobal settings for.Nm ..It Sy ServersVirtual hosts definition..It Sy TypesMedia types and extensions..El.PpWithin the sections, empty lines are ignored and comments can be putanywhere in the file using a hash mark.Pq Sq # ,and extend to the end of the current line.A boolean is either the symbol.Sq onor.Sq off .A string is a sequence of characters wrapped in double quotes,.Dq like this .Multiple strings one next to the other are joined into a singlestring:.Bd -literal -offset indent# equivalent to "temporary-failure"block return 40 "temporary" "-" "failure".Ed.PpFurthermore, quoting is necessary only when a string needs to containspecial characters.Pq like spaces or punctuation ,something that looks like a number or a reserved keyword.The last example could have been written also as:.Bd -literal -offset indentblock return 40 temporary "-" failure.Ed.PpStrict ordering of the sections is not enforced, so that is possibleto mix macros, options and.Ic serverblocks.However, defining all the.Ic serverblocks after the macros and the global options is recommended..PpNewlines are often optional, except around top-level instructions, andsemicolons.Dq \&;can also be optionally used to separate options..PpAdditional configuration files can be included with the.Ic includekeyword, for example:.Bd -literal -offset indentinclude "/etc/gmid.conf.local".Ed.Ss MacrosMacros can be defined that will later be expanded in context.Macro names must start with a letter, digit or underscore and maycontain any of those characters.Macros names may not be reserved words.Macros are not expanded inside quotes..PpTwo kinds of macros are supported: variable-like and proper macros.When a macro is invoked with a.Dq $before its name its expanded as a string, whereas when it's invokedwith a.Dq @its expanded in-place..PpFor example:.Bd -literal -offset indentdir = "/var/gemini"certdir = "/etc/keys"common = "lang it; auto index on"server "foo" {root $dir "/foo" # -> /var/gemini/foocert $certdir "/foo.pem" # -> /etc/keys/foo.pemkey $certdir "/foo.key" # -> /etc/keys/foo.key@common}.Ed.Ss Global Options.Bl -tag -width 12m.It Ic chroot Ar path.Xr chroot 2the process to the given.Ar path .The daemon has to be run with root privileges and thus the option.Ic userneeds to be provided, so privileges can be dropped.Note that.Nmwill enter the chroot after loading the TLS keys, but before openingthe virtual host root directories.It's recommended to keep the TLS keys outside the chroot.Future version of.Nmmay enforce this..It Ic ipv6 Ar boolEnable or disable IPv6 support, off by default..It Ic port Ar portnoThe port to listen on.1965 by default..It Ic prefork Ar numberRun the specified number of server processes.This increases the performance and prevents delays when connecting toa server.When not in config-less mode,.Nmruns 3 server processes by default.The maximum number allowed is 16..It Ic protocols Ar stringSpecify the TLS protocols to enable.Refer to.Xr tls_config_parse_protocols 3for the valid protocol string values.By default, both TLSv1.3 and TLSv1.2 are enabled.Use.Dq tlsv1.3to enable only TLSv1.3..It Ic user Ar stringRun the daemon as the given user..El.Ss ServersEvery virtual host is defined by a.Ic serverblock:.Bl -tag -width Ds.It Ic server Ar hostname Brq ...Match the server name using shell globbing rules.It can be an explicit name,.Ar www.example.com ,or a name including a wildcards,.Ar *.example.com ..El.PpFollowed by a block of options that is enclosed in curly brackets:.Bl -tag -width Ds.It Ic alias Ar nameSpecify an additional alias.Ar namefor this server..It Ic auto Ic index Ar boolIf no index file is found, automatically generate a directory listing.Disabled by default..It Ic block Op Ic return Ar code Op Ar metaSend a reply and close the connection;by default.Ar codeis 40and.Ar metais.Dq temporary failure .If.Ar codeis in the 3x range, then.Ar metais mandatory.Inside.Ar meta ,the following special sequences are supported:.Bl -tag -width Ds -compact.It \&%\&%is replaced with a single.Sq \&% ..It \&%pis replaced with the request path..It \&%qis replaced with the query string of the request..It \&%Pis replaced with the server port..It \&%Nis replaced with the server name..El.It Ic cert Ar filePath to the certificate to use for this server..Ar fileshould contain a PEM encoded certificate.This option is mandatory..It Ic cgi Ar pathExecute.Sx CGIscripts that matches.Ar pathusing shell globbing rules..PpThe CGI scripts are executed in the directory they reside and inheritthe environment from.Nm gmidwith these additional variables set:.Bl -tag -width 24m.It Ev GATEWAY_INTERFACE.Dq CGI/1.1.It Ev GEMINI_DOCUMENT_ROOTThe root directory of the virtual host..It Ev GEMINI_SCRIPT_FILENAMEFull path to the CGI script being executed..It Ev GEMINI_URLThe full IRI of the request..It Ev GEMINI_URL_PATHThe path of the request..It Ev PATH_INFOThe portion of the requested path that is derived from the the IRIpath hierarchy following the part that identifies the script itself.Can be unset..It Ev PATH_TRANSLATEDPresent if and only if.Ev PATH_INFOis set.It represent the translation of the.Ev PATH_INFO ..Nm gmidbuilds this by appending the.Ev PATH_INFOto the virtual host directory root..It Ev QUERY_STRINGThe decoded query string..It Ev REMOTE_ADDR , Ev REMOTE_HOSTTextual representation of the client IP..It Ev REQUEST_METHODThis is present only for RFC3875 (CGI) compliance.It's always set to the empty string..It Ev SCRIPT_NAMEThe part of the.Ev GEMINI_URL_PATHthat identifies the current CGI script..It Ev SERVER_NAMEThe name of the server.It Ev SERVER_PORTThe port the server is listening on..It Ev SERVER_PROTOCOL.Dq GEMINI.It Ev SERVER_SOFTWAREThe name and version of the server, i.e..Dq gmid/1.8.3.It Ev AUTH_TYPEThe string "Certificate" if the client used a certificate, otherwiseunset..It Ev REMOTE_USERThe subject of the client certificate if provided, otherwise unset..It Ev TLS_CLIENT_ISSUERThe is the issuer of the client certificate if provided, otherwiseunset..It Ev TLS_CLIENT_HASHThe hash of the client certificate if provided, otherwise unset.The format is.Dq ALGO:HASH ..It Ev TLS_VERSIONThe TLS version negotiated with the peer..It Ev TLS_CIPHERThe cipher suite negotiated with the peer..It Ev TLS_CIPHER_STRENGTHThe strength in bits for the symmetric cipher that is being used withthe peer..It Ev TLS_CLIENT_NOT_AFTERThe time corresponding to the end of the validity period of the peercertificate in the ISO 8601 format.Pq e.g. Dq 2021-02-07T20:17:41Z ..It Ev TLS_CLIENT_NOT_BEFOREThe time corresponding to the start of the validity period of the peercertificate in the ISO 8601 format..El.It Ic default type Ar stringSet the default media type that is used if the media type for aspecified extension is not found.If not specified, the.Ic default typeis set to.Dq application/octet-stream ..It Ic entrypoint Ar pathHandle all the requests for the current virtual host using the.Sx CGIscript at.Ar path ,relative to the current document root..It Ic env Ar name Cm = Ar valueSet the environment variable.Ar nameto.Ar valuewhen executing CGI scripts.Can be provided more than once..\" don't document the "spawn <prog>" form because it probably won't.\" be kept..It Ic fastcgi Oo Ic tcp Oc Ar socket Oo Cm port Ar port OcEnable.Sx FastCGIinstead of serving files.The.Ar socketcan either be a UNIX-domain socket or a TCP socket.If the FastCGI application is listening on a UNIX domain socket,.Ar socketis a local path name within the.Xr chroot 2root directory of.Nm .Otherwise, the.Ic tcpkeyword must be provided and.Ar socketis interpreted as a hostname or an IP address..Ar portcan be either a port number or the name of a service enclosed indouble quotes.If not specified defaults to 9000..It Ic index Ar stringSet the directory index file.If not specified, it defaults to.Pa index.gmi ..It Ic key Ar fileSpecify the private key to use for this server..Ar fileshould contain a PEM encoded private key.This option is mandatory..It Ic lang Ar stringSpecify the language tag for the text/gemini content served.If not specified, no.Dq langparameter will be added in the response..It Ic location Ar path Brq ...Specify server configuration rules for a specific location..Ar pathargument will be matched against the request path with shell globbingrules.In case of multiple location statements in the same context, the firstmatching location will be put into effect and the later ones ignored.Therefore is advisable to match for more specific paths first and forgeneric ones later on.A.Ic locationsection may include most of the server configuration rulesexcept.Ic alias , Ic cert , Ic cgi , Ic entrypoint , Ic env , Ic key ,.Ic location , Ic param No and Ic proxy ..It Ic log Ar boolEnable or disable the logging for the current server or location block..It Ic param Ar name Cm = Ar valueSet the param.Ar nameto.Ar valuefor FastCGI.By default the following variables.Pq parametersare sent, and carry the same semantics as with CGI:.Pp.Bl -bullet -compact.ItGATEWAY_INTERFACE.ItGEMINI_URL_PATH.ItQUERY_STRING.ItREMOTE_ADDR.ItREMOTE_HOST.ItREQUEST_METHOD.ItSERVER_NAME.ItSERVER_PROTOCOL.ItSERVER_SOFTWARE.ItAUTH_TYPE.ItREMOTE_USER.ItTLS_CLIENT_ISSUER.ItTLS_CLIENT_HASH.ItTLS_VERSION.ItTLS_CIPHER.ItTLS_CIPHER_STRENGTH.ItTLS_CLIENT_NOT_BEFORE.ItTLS_CLIENT_NOT_AFTER.El.It Ic ocsp Ar fileSpecify an OCSP response to be stapled during TLS handshakeswith this server.The.Ar fileshould contain a DER-format OCSP response retrieved from anOCSP server for the.Ic certin use.If the OCSP response in.Ar fileis empty, OCSP stapling will not be used.The default is to not use OCSP stapling..It Ic proxy Oo Cm proto Ar name Oc Oo Cm for-host Ar host : Ns Oo Ar port Oc Oc Brq ...Set up a reverse proxy.The optional matching rules.Cm protoand.Cm for-hostcan be used to enable proxying only for protocols matching.Ar name.Po Dq geminiby default.Pcand/or whose request IRI matches.Ar hostand.Ar port.Pq 1965 by default .Matching happens using shell globbing rules..PpIn case of multiple matching proxy blocks in the same context, thefirst matching proxy will be put into effect and the later onesignored..PpValid options are:.Bl -tag -width Ds.It Ic cert Ar fileSpecify the client certificate to use when making requests..It Ic key Ar fileSpecify the client certificate key to use when making requests..It Ic protocols Ar stringSpecify the TLS protocols allowed when making remote requests.Refer to the.Xr tls_config_parse_protocols 3function for the valid protocol string values.By default, both TLSv1.2 and TLSv1.3 are enabled..It Ic relay-to Ar host : Ns Op Ar portRelay the request to the given.Ar hostat the given.Ar port ,1965 by default.This is the only mandatory option in a.Ic proxyblock..It Ic require Ic client Ic ca Ar fileAllow the proxying only from clients that provide a certificatesigned by the CA certificate in.Ar file ..It Ic sni Ar hostnameUse the given.Ar hostnameinstead of the one extracted from the.Ic relay-torule for the TLS handshake with the proxied gemini server..It Ic use-tls Ar boolSpecify whether to use TLS when connecting to the proxied host.Enabled by default..It Ic verifyname Ar boolEnable or disable the TLS server name verification.Enabled by default..El.It Ic root Ar directorySpecify the root directory for this server.Pq alas the current Dq document root .It's relative to the chroot if enabled..It Ic require Ic client Ic ca Ar pathAllow requests only from clients that provide a certificate signed bythe CA certificate in.Ar path .It needs to be a PEM-encoded certificate and it's not relative to thechroot..It Ic strip Ar numberStrip.Ar numbercomponents from the beginning of the path before doing a lookup in theroot directory.It's also considered for the.Ar metaparameter in the scope of a.Ic block return ..El.Ss TypesThe.Ic typessection must include one or more lines of the following syntax, enclosedin curly brances:.Bl -tag -width Ds.It Ar type/subtype Ar name Op Ar name ...Set the media.Ar typeand.Ar subtypeto the specified extension.Ar name .One or more names can be specified per line.Earch line may end with an optional semicolon..It Ic include Ar fileInclude types definition from an external file, for example.Pa /usr/share/misc/mime.types ..El.PpBy default.Nm gmidhas built-in media types for.Bl -tag -offset indent -width 15m -compact.It application/pdf.It image/gifgif.It image/jpegjpg jpeg.It image/pngpng.It image/svg+xmlsvg.It text/geminigemini gmi.It text/markdownmarkdown md.It text/x-patchdiff patch.It text/xmlxml.El.Sh EXAMPLESThe following is an example of a possible configuration for a sitethat enables only TLSv1.3, adds the MIME types mapping from.Pa /usr/share/misc/mime.typesand defines two virtual host:.Bd -literal -offset indentipv6 on # enable ipv6protocols "tlsv1.3"types {include "/usr/share/misc/mime.types"}server "example.com" {cert "/etc/ssl/example.com.pem"key "/etc/ssl/private/example.com.key"root "/var/gemini/example.com"}server "example.it" {cert "/etc/ssl/example.it.pem"key "/etc/ssl/private/example.it.key"root "/var/gemini/example.it"# execute cgi scripts inside "cgi-bin"cgi "/cgi-bin/*"# set the language for text/gemini fileslang "it"}.Ed.PpYet another example, showing how to enable a.Ic chrootand use.Ic locationrule.Bd -literal -offset indentchroot "/var/gemini"user "_gmid"server "example.com" {# absolute paths:cert "/etc/ssl/example.com.pem"key "/etc/ssl/private/example.com.key"# relative to the chroot:root "/example.com"location "/static/*" {# load the following rules only for# requests that matches "/static/*"auto index onindex "index.gemini"}}.Ed.Sh SEE ALSO.Xr gmid 1 ,.Xr slowcgi 8.Sh AUTHORS.An -nosplitThe.Nm gmidprogram was written by.An Omar Polo Aq Mt op@omarpolo.com .
Omar Polo