op public repos

Blob

Date:: Sat Jan 30 12:16:18 2021 UTC
Message:: sync date
Actions:: History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>
2 .\"
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
6 .\"
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: January 30 2021$
15 .Dt GMIND 1
16 .Os
17 .Sh NAME
18 .Nm gmid
19 .Nd simple and secure Gemini server
20 .Sh SYNOPSIS
21 .Nm
22 .Bk -words
23 .Op Fl fn
24 .Op Fl c Ar config
25 |
26 .Op Fl 6hv
27 .Op Fl d Pa certs-dir
28 .Op Fl H Ar hostname
29 .Op Fl p Ar port
30 .Op Fl x Pa cgi
31 .Op Pa dir
32 .Ek
33 .Sh DESCRIPTION
34 .Nm
35 is a simple and minimal gemini server that can serve static files and
36 execute CGI scripts.
37 It can run without a configuration file with a limited set of features
38 available.
39 If a configuration file is given, no other flags shall be given,
40 except for
41 .Fl f
42 and
43 .Fl n .
44 .Pp
45 The options are as follows:
46 .Bl -tag -width 14m
47 .It Fl c Pa config
48 Specify the configuration file.
49 .It Fl f
50 Stays and logs on the foreground.
51 .It Fl n
52 Check that the configuration is valid, but don't start the server.
53 .El
54 .Pp
55 If no configuration file is given,
56 .Nm
57 will look for the following options
58 .Bl -tag -width 14m
59 .It Fl 6
60 Enable IPv6.
61 .It Fl d Pa certs-path
62 Directory where certificates for the config-less mode are stored.
63 By default is
64 .Pa $XDG_DATA_HOME/gmid ,
65 i.e.
66 .Pa ~/.local/share/gmid .
67 .It Fl H Ar hostname
68 The hostname, by default
69 .Ar localhost .
70 Certificates for the given
71 .Ar hostname
72 are searched inside the
73 .Pa certs-dir
74 directory given with the
75 .Fl d
76 option.
77 They have the form
78 .Pa hostname.cert.pem
79 and
80 .Pa hostname.key.pem .
81 If a certificate and key doesn't exists for a given hostname they
82 will be automatically generated.
83 .It Fl h
84 Print the usage and exit.
85 .It Fl p Ar port
86 The port to listen on, by default 1965.
87 .It Fl v
88 Increase the verbosity of the logs.
89 .It Fl x Pa path
90 Enable execution of CGI scripts.
91 See the description of the
92 .Ic cgi
93 option in the section
94 .Sq Servers
95 below to learn how
96 .Pa path
97 is processed.
98 Cannot be provided more than once.
99 .It Pa dir
100 The root directory to serve.
101 By default the current working directory is assumed.
102 .El
103 .Sh CONFIGURATION FILE
104 The configuration file is divided into two sections:
105 .Bl -tag -width xxxx
106 .It Sy Global Options
107 Global settings for
108 .Nm .
109 .It Sy Servers
110 Virtual hosts definition.
111 .El
112 .Pp
113 Within the sections, empty lines are ignored and comments can be put
114 anywhere in the file using a hash mark
115 .Pq Sq # ,
116 and extend to the end of the current line.
117 A boolean is either the symbol
118 .Sq on
119 or
120 .Sq off .
121 A string is a sequence of characters wrapped in double quotes,
122 .Dq like this .
123 .Ss Global Options
124 .Bl -tag -width 12m
125 .It Ic ipv6 Ar bool
126 Enable or disable IPv6 support.
127 By default is off.
128 .It Ic port Ar portno
129 The port to listen on.
130 By default is 1965.
131 .It Ic protocols Ar string
132 Specify the TLS protocols to enable.
133 Refer to
134 .Xr tls_config_parse_protocols 3
135 for the valid protocol string values.
136 By default, both TLSv1.3 and TLSv1.2 are enabled.
137 Use
138 .Dq tlsv1.3
139 to enable only TLSv1.3.
140 .It Ic mime Ar mime-type Ar file-extension
141 Add a mapping for the given
142 .Ar file-extension
143 to the given
144 .Ar mime-type .
145 Both argument are strings.
146 .It Ic chroot Pa path
147 .Xr chroot 2
148 the process to the given
149 .Pa path .
150 The daemon has to be run with root privileges and thus the option
151 .Ic user
152 needs to be provided, so privileges can be dropped.
153 Note that
154 .Nm
155 will enter the chroot after loading the TLS keys, but before opening
156 the virtual host root directories.
157 It's recommended to keep the TLS keys outside the chroot.
158 Future version of
159 .Nm
160 may require this.
161 .It Ic user Ar string
162 Run the daemon as the given user.
163 .El
164 .Ss Servers
165 Every virtual host is defined by a
166 .Ic server
167 block:
168 .Bl -tag -width Ds
169 .It Ic server Ar hostname Brq ...
170 Match the server name using shell globbing rules.
171 This can be an explicit name,
172 .Ar www.example.com ,
173 or a name including a wildcards,
174 .Ar *.example.com .
175 .El
176 .Pp
177 Followed by a block of options that is enclosed in curly brackets:
178 .Bl -tag -width Ds
179 .It Ic cert Pa file
180 Path to the certificate to use for this server.
181 The
182 .Pa file
183 should contain a PEM encoded certificate.
184 This option is mandatory.
185 .It Ic key Pa file
186 Specify the private key to use for this server.
187 The
188 .Pa file
189 should contain a PEM encoded private key.
190 This option is mandatory.
191 .It Ic root Pa directory
192 Specify the root directory for this server.
193 This option is mandatory.
194 It's relative to the chroot, if enabled.
195 .It Ic cgi Pa path
196 Enable the execution of CGI scripts if
197 .Pa path
198 is a prefix of the user request string.
199 An empty path "" will effectively enable the execution of any file
200 with the executable bit set inside the root directory.
201 .It Ic default type Ar string
202 Set the default media type that is used if the media type for a
203 specified extension is not found.
204 If not specified, the
205 .Ic default type
206 is set to
207 .Dq application/octet-stream .
208 .It Ic lang Ar string
209 Specify the language tag for the text/gemini content served.
210 If not specified, no
211 .Dq lang
212 parameter will be added in the response.
213 .It Ic index Ar string
214 Set the directory index file.
215 If not specified, it defaults to
216 .Pa index.gmi .
217 .It Ic auto Ic index Ar bool
218 If no index file is found, automatically generate a directory listing.
219 It's disabled by default.
220 .It Ic location Pa path Brq ...
221 Specify server configuration rules for a specific location.
222 The
223 .Pa path
224 argument will be matched against the request path with shell globbing
225 rules.
226 In case of multiple location statements in the same context, the first
227 matching location will be put into effect and the later ones ignored.
228 Therefore is advisable to match for more specific paths first and for
229 generic ones later on.
230 A
231 .Ic location
232 section may include most of the server configuration rules
233 except
234 .Ic cert , Ic key , Ic root , Ic location No and Ic cgi .
235 .El
236 .Sh CGI
237 When CGI scripts are enabled for a directory, a request for an
238 executable file will execute it and fed its output to the client.
239 .Pp
240 The CGI scripts are executed in the root directory of the virtual
241 host, or in the served directory if run without config, and inherits
242 the environment from
243 .Nm
244 with these additional variables set:
245 .Bl -tag -width 18m
246 .It Ev GATEWAY_INTERFACE
247 "CGI/1.1"
248 .It Ev SERVER_PROTOCOL
249 "GEMINI"
250 .It Ev SERVER_SOFTWARE
251 "gmid"
252 .It Ev SERVER_PORT
253 "1965"
254 .It Ev SERVER_NAME
255 The vhost.
256 This variable is not available when operating without a configuration.
257 .It Ev SCRIPT_NAME
258 The (public) path to the script, e.g.
259 .Pa "/cgi-bin/example.cgi"
260 .It Ev SCRIPT_EXECUTABLE
261 The full path to the executable.
262 .It Ev REQUEST_URI
263 The user request (without the query parameters.)
264 .It Ev REQUEST_RELATIVE
265 The request relative to the script.
266 .It Ev QUERY_STRING
267 The query parameters.
268 .It Ev REMOTE_HOST
269 The remote IP address.
270 .It Ev REMOTE_ADDR
271 The remote IP address.
272 .It Ev DOCUMENT_ROOT
273 The root directory being served, the one provided with the
274 .Ar d
275 parameter to
276 .Nm
277 or the root directory of the virtual host.
278 .It Ev AUTH_TYPE
279 The string "Certificate" if the client used a certificate, otherwise
280 unset.
281 .It Ev REMOTE_USER
282 The subject of the client certificate if provided, otherwise unset.
283 .It Ev TLS_CLIENT_ISSUER
284 The is the issuer of the client certificate if provided, otherwise
285 unset.
286 .It Ev TLS_CLIENT_HASH
287 The hash of the client certificate if provided, otherwise unset.
288 The format is "ALGO:HASH".
289 .El
290 .Pp
291 Let's say you have a script in
292 .Pa /cgi-bin/script
293 and the user request is
294 .Pa /cgi-bin/script/foo/bar?quux .
295 Then
296 .Ev SCRIPT_NAME
297 will be
298 .Pa cgi-bin/script ,
299 .Ev SCRIPT_EXECUTABLE
300 will be
301 .Pa $DOCUMENT_ROOT/cgi-bin/script ,
302 .Ev REQUEST_URI
303 will be
304 .Pa cgi-bin/script/foo/bar ,
305 .Ev REQUEST_RELATIVE
306 will be
307 .Pa foo/bar
308 and
309 .Ev QUERY_STRING
310 will be
311 .Ar quux .
312 .Sh MIME
313 To auto-detect the MIME type of the response
314 .Nm
315 looks at the file extension and consults its internal table.
316 By default the following mappings are loaded, but they can be
317 overridden or extended using the
318 .Ic mime
319 configuration option.
320 If no MIME is found, the value of
321 .Ic default type
322 matching the file
323 .Ic location
324 will be used, which is
325 .Dq application/octet-stream
326 by default.
327 .Pp
328 .Bl -tag -offset indent -width 14m -compact
329 .It gemini, gmi
330 text/gemini
331 .It gif
332 image/gif
333 .It jpeg
334 image/jpeg
335 .It jpg
336 image/jpeg
337 .It markdown, md
338 text/markdown
339 .It pdf
340 application/pdf
341 .It png
342 image/png
343 .It svg
344 image/svg+xml
345 .It txt
346 text/plain
347 .It xml
348 text/xml
349 .El
350 .Sh EXAMPLES
351 Serve the current directory
352 .Bd -literal -offset indent
353 $ gmid .
354 .Ed
355 .Pp
356 To serve the directory
357 .Pa docs
358 and enable CGI scripts inside
359 .Pa docs/cgi ,
360 you can
361 .Bd -literal -offset indent
362 $ mkdir docs/cgi
363 $ cat <<EOF > cgi/hello
364 #!/bin/sh
365 printf "20 text/plain\\r\\n"
366 echo "hello world"
367 EOF
368 $ chmod +x docs/cgi/hello
369 $ gmid -x cgi docs
370 .Ed
371 .Pp
372 Note that the argument to the
373 .Fl x
374 option is
375 .Pa cgi
376 and not
377 .Pa docs/cgi ,
378 since it's relative to the document root.
379 .Pp
380 The following is an example of a possible configuration for a site
381 that enables only TLSv1.3, adds a mime type for the file extension
382 "rtf" and defines two virtual host:
383 .Bd -literal -offset indent
384 ipv6 on		# enable ipv6
385 
386 protocols "tlsv1.3"
387 
388 mime "application/rtf" "rtf"
389 
390 server "example.com" {
391 	cert "/path/to/cert.pem"
392 	key  "/path/to/key.pem"
393 	root "/var/gemini/example.com"
394 }
395 
396 server "it.example.com" {
397 	cert "/path/to/cert.pem"
398 	key  "/path/to/key.pem"
399 	root "/var/gemini/it.example.com"
400 	cgi  "/cgi-bin"
401 	lang "it"
402 }
403 .Ed
404 .Pp
405 Yet another example, showing how to enable a
406 .Ic chroot
407 and use
408 .Ic location
409 rule
410 .Bd -literal -offset indent
411 chroot "/var/gemini"
412 user "_gmid"
413 
414 server "example.com" {
415 	cert "/path/to/cert.pem"
416 	key  "/path/to/key.pem"
417 	root "/example.com" # in the /var/gemini chroot
418 
419 	location "/static/" {
420 		auto index on
421 		index "index.gemini"
422 	}
423 }
424 .Ed
425 .Sh ACKNOWLEDGEMENTS
426 .Nm
427 uses the
428 .Dq Flexible and Economical
429 UTF-8 decoder written by
430 .An Bjoern Hoehrmann .
431 .Sh AUTHORS
432 .An -nosplit
433 The
434 .Nm
435 program was written by
436 .An Omar Polo Aq Mt op@omarpolo.com .
437 .Sh CAVEATS
438 .Bl -bullet
439 .It
440 The root directories of all virtual hosts are opened during the daemon
441 startup; this means that if a root directory gets deleted and then
442 re-created,
443 .Nm
444 won't be able to serve files inside that directory until a restart.
445 This restriction applies only to the root directories and not their content.
446 .It
447 a %2F sequence is indistinguishable from a literal slash: this is not
448 RFC3986-compliant.
449 .It
450 a %00 sequence is treated as invalid character and thus rejected.
451 .El