Blob

Date:
Message:
added ``block return'' and ``strip'' options
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd $Mdocdate: January 30 2021$

15 .Dt GMIND 1

16 .Os

17 .Sh NAME

18 .Nm gmid

19 .Nd simple and secure Gemini server

20 .Sh SYNOPSIS

21 .Nm

22 .Bk -words

23 .Op Fl fnv

24 .Op Fl c Ar config

25 .Ek

26 .Nm

27 .Bk -words

28 .Op Fl 6hv

29 .Op Fl d Pa certs-dir

30 .Op Fl H Ar hostname

31 .Op Fl p Ar port

32 .Op Fl x Pa cgi

33 .Op Pa dir

34 .Ek

35 .Sh DESCRIPTION

36 .Nm

37 is a simple and minimal gemini server that can serve static files and

38 execute CGI scripts.

39 It can run without a configuration file with a limited set of features

40 available.

41 .Pp

42 .Nm

43 rereads the configuration file when it receives

44 .Dv SIGHUP .

45 .Pp

46 The options are as follows:

47 .Bl -tag -width 14m

48 .It Fl c Pa config

49 Specify the configuration file.

50 .It Fl f

51 Stays and logs on the foreground.

52 .It Fl n

53 Check that the configuration is valid, but don't start the server.

54 .El

55 .Pp

56 If no configuration file is given,

57 .Nm

58 will look for the following options

59 .Bl -tag -width 14m

60 .It Fl 6

61 Enable IPv6.

62 .It Fl d Pa certs-path

63 Directory where certificates for the config-less mode are stored.

64 By default is

65 .Pa $XDG_DATA_HOME/gmid ,

66 i.e.

67 .Pa ~/.local/share/gmid .

68 .It Fl H Ar hostname

69 The hostname, by default

70 .Ar localhost .

71 Certificates for the given

72 .Ar hostname

73 are searched inside the

74 .Pa certs-dir

75 directory given with the

76 .Fl d

77 option.

78 They have the form

79 .Pa hostname.cert.pem

80 and

81 .Pa hostname.key.pem .

82 If a certificate and key doesn't exists for a given hostname they

83 will be automatically generated.

84 .It Fl h

85 Print the usage and exit.

86 .It Fl p Ar port

87 The port to listen on, by default 1965.

88 .It Fl v

89 Increase the verbosity of the logs.

90 .It Fl x Pa path

91 Enable execution of CGI scripts.

92 See the description of the

93 .Ic cgi

94 option in the section

95 .Sq Servers

96 below to learn how

97 .Pa path

98 is processed.

99 Cannot be provided more than once.

100 .It Pa dir

101 The root directory to serve.

102 By default the current working directory is assumed.

103 .El

104 .Sh CONFIGURATION FILE

105 The configuration file is divided into two sections:

106 .Bl -tag -width xxxx

107 .It Sy Global Options

108 Global settings for

109 .Nm .

110 .It Sy Servers

111 Virtual hosts definition.

112 .El

113 .Pp

114 Within the sections, empty lines are ignored and comments can be put

115 anywhere in the file using a hash mark

116 .Pq Sq # ,

117 and extend to the end of the current line.

118 A boolean is either the symbol

119 .Sq on

120 or

121 .Sq off .

122 A string is a sequence of characters wrapped in double quotes,

123 .Dq like this .

124 .Ss Global Options

125 .Bl -tag -width 12m

126 .It Ic ipv6 Ar bool

127 Enable or disable IPv6 support.

128 By default is off.

129 .It Ic port Ar portno

130 The port to listen on.

131 By default is 1965.

132 .It Ic protocols Ar string

133 Specify the TLS protocols to enable.

134 Refer to

135 .Xr tls_config_parse_protocols 3

136 for the valid protocol string values.

137 By default, both TLSv1.3 and TLSv1.2 are enabled.

138 Use

139 .Dq tlsv1.3

140 to enable only TLSv1.3.

141 .It Ic mime Ar mime-type Ar file-extension

142 Add a mapping for the given

143 .Ar file-extension

144 to the given

145 .Ar mime-type .

146 Both argument are strings.

147 .It Ic chroot Pa path

148 .Xr chroot 2

149 the process to the given

150 .Pa path .

151 The daemon has to be run with root privileges and thus the option

152 .Ic user

153 needs to be provided, so privileges can be dropped.

154 Note that

155 .Nm

156 will enter the chroot after loading the TLS keys, but before opening

157 the virtual host root directories.

158 It's recommended to keep the TLS keys outside the chroot.

159 Future version of

160 .Nm

161 may require this.

162 .It Ic user Ar string

163 Run the daemon as the given user.

164 .El

165 .Ss Servers

166 Every virtual host is defined by a

167 .Ic server

168 block:

169 .Bl -tag -width Ds

170 .It Ic server Ar hostname Brq ...

171 Match the server name using shell globbing rules.

172 This can be an explicit name,

173 .Ar www.example.com ,

174 or a name including a wildcards,

175 .Ar *.example.com .

176 .El

177 .Pp

178 Followed by a block of options that is enclosed in curly brackets:

179 .Bl -tag -width Ds

180 .It Ic cert Pa file

181 Path to the certificate to use for this server.

182 The

183 .Pa file

184 should contain a PEM encoded certificate.

185 This option is mandatory.

186 .It Ic key Pa file

187 Specify the private key to use for this server.

188 The

189 .Pa file

190 should contain a PEM encoded private key.

191 This option is mandatory.

192 .It Ic root Pa directory

193 Specify the root directory for this server.

194 This option is mandatory.

195 It's relative to the chroot, if enabled.

196 .It Ic cgi Pa path

197 Execute CGI scripts that matches

198 .Pa path

199 using shell globbing rules.

200 .It Ic default type Ar string

201 Set the default media type that is used if the media type for a

202 specified extension is not found.

203 If not specified, the

204 .Ic default type

205 is set to

206 .Dq application/octet-stream .

207 .It Ic lang Ar string

208 Specify the language tag for the text/gemini content served.

209 If not specified, no

210 .Dq lang

211 parameter will be added in the response.

212 .It Ic index Ar string

213 Set the directory index file.

214 If not specified, it defaults to

215 .Pa index.gmi .

216 .It Ic auto Ic index Ar bool

217 If no index file is found, automatically generate a directory listing.

218 It's disabled by default.

219 .It Ic location Pa path Brq ...

220 Specify server configuration rules for a specific location.

221 The

222 .Pa path

223 argument will be matched against the request path with shell globbing

224 rules.

225 In case of multiple location statements in the same context, the first

226 matching location will be put into effect and the later ones ignored.

227 Therefore is advisable to match for more specific paths first and for

228 generic ones later on.

230 .Ic location

231 section may include most of the server configuration rules

232 except

233 .Ic cert , Ic key , Ic root , Ic location No and Ic cgi .

234 .It Ic block Op Ic return Ar code Op Ar meta

235 Send a reply and close the connection;

236 .Ar code

237 is 40

238 and

239 .Ar meta

240 is

241 .Dq temporary failure

242 by default.

243 If

244 .Ar code

245 is in the 3x range, then

246 .Ar meta

247 must be provided.

248 Inside

249 .Ar meta ,

250 the following special sequences are replaced:

251 .Bl -tag -compact

252 .It %%

253 is replaced with a single

254 .Sq % .

255 .It %p

256 is replaced with the request path.

257 .It %q

258 is replaced with the query string of the request.

259 .It %P

260 is replaced with the server port.

261 .It %N

262 is replaced with the server name.

263 .El

264 .It Ic strip Ar number

265 Strip

266 .Ar number

267 components from the beginning of the path.

268 It's only considered for the

269 .Ar meta

270 parameter in the scope of a matching

271 .Ic block return .

272 .El

273 .Sh CGI

274 When a request for an executable file matches the

275 .Ic cgi

276 rule, that file will be execute and its output fed to the client.

277 .Pp

278 The CGI scripts are executed in the directory they reside and inherit

279 the environment from

280 .Nm

281 with these additional variables set:

282 .Bl -tag -width 24m

283 .It Ev GATEWAY_INTERFACE

284 .Dq CGI/1.1

285 .It Ev GEMINI_DOCUMENT_ROOT

286 The root directory of the virtual host.

287 .It Ev GEMINI_SCRIPT_FILENAME

288 Full path to the CGI script being executed.

289 .It Ev GEMINI_URL

290 The full IRI of the request.

291 .It Ev GEMINI_URL_PATH

292 The path of the request.

293 .It Ev PATH_INFO

294 The portion of the requested path that is derived from the the IRI

295 path hierarchy following the part that identifies the script itself.

296 Can be unset.

297 .It Ev PATH_TRANSLATED

298 Present if and only if

299 .Ev PATH_INFO

300 is set.

301 It represent the translation of the

302 .Ev PATH_INFO .

303 .Nm

304 builds this by appending the

305 .Ev PATH_INFO

306 to the virtual host directory root.

307 .It Ev QUERY_STRING

308 The decoded query string.

309 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

310 Textual representation of the client IP.

311 .It Ev REQUEST_METHOD

312 This is present only for RFC3875 (CGI) compliance.

313 It's always set to the empty string.

314 .It Ev SCRIPT_NAME

315 The part of the

316 .Ev GEMINI_URL_PATH

317 that identifies the current CGI script.

318 .It Ev SERVER_NAME

319 The name of the server

320 .It Ev SERVER_PORT

321 The port the server is listening on.

322 .It Ev SERVER_PROTOCOL

323 .Dq GEMINI

324 .It Ev SERVER_SOFTWARE

325 The name and version of the server, i.e.

326 .Dq gmid/1.5

327 .It Ev AUTH_TYPE

328 The string "Certificate" if the client used a certificate, otherwise

329 unset.

330 .It Ev REMOTE_USER

331 The subject of the client certificate if provided, otherwise unset.

332 .It Ev TLS_CLIENT_ISSUER

333 The is the issuer of the client certificate if provided, otherwise

334 unset.

335 .It Ev TLS_CLIENT_HASH

336 The hash of the client certificate if provided, otherwise unset.

337 The format is

338 .Dq ALGO:HASH .

339 .El

340 .Pp

341 .Sh MIME

342 To auto-detect the MIME type of the response

343 .Nm

344 looks at the file extension and consults its internal table.

345 By default the following mappings are loaded, but they can be

346 overridden or extended using the

347 .Ic mime

348 configuration option.

349 If no MIME is found, the value of

350 .Ic default type

351 matching the file

352 .Ic location

353 will be used, which is

354 .Dq application/octet-stream

355 by default.

356 .Pp

357 .Bl -tag -offset indent -width 14m -compact

358 .It gemini, gmi

359 text/gemini

360 .It gif

361 image/gif

362 .It jpeg

363 image/jpeg

364 .It jpg

365 image/jpeg

366 .It markdown, md

367 text/markdown

368 .It pdf

369 application/pdf

370 .It png

371 image/png

372 .It svg

373 image/svg+xml

374 .It txt

375 text/plain

376 .It xml

377 text/xml

378 .El

379 .Sh EXAMPLES

380 Serve the current directory

381 .Bd -literal -offset indent

382 $ gmid .

383 .Ed

384 .Pp

385 To serve the directory

386 .Pa docs

387 and enable CGI scripts inside

388 .Pa docs/cgi ,

389 you can

390 .Bd -literal -offset indent

391 $ mkdir docs/cgi

392 $ cat <<EOF > cgi/hello

393 #!/bin/sh

394 printf "20 text/plain\\r\\n"

395 echo "hello world"

396 EOF

397 $ chmod +x docs/cgi/hello

398 $ gmid -x cgi docs

399 .Ed

400 .Pp

401 The following is an example of a possible configuration for a site

402 that enables only TLSv1.3, adds a mime type for the file extension

403 "rtf" and defines two virtual host:

404 .Bd -literal -offset indent

405 ipv6 on		# enable ipv6

407 protocols "tlsv1.3"

409 mime "application/rtf" "rtf"

411 server "example.com" {

412 	cert "/path/to/cert.pem"

413 	key  "/path/to/key.pem"

414 	root "/var/gemini/example.com"

417 server "it.example.com" {

418 	cert "/path/to/cert.pem"

419 	key  "/path/to/key.pem"

420 	root "/var/gemini/it.example.com"

421 	cgi  "/cgi-bin/*"

422 	lang "it"

424 .Ed

425 .Pp

426 Yet another example, showing how to enable a

427 .Ic chroot

428 and use

429 .Ic location

430 rule

431 .Bd -literal -offset indent

432 chroot "/var/gemini"

433 user "_gmid"

435 server "example.com" {

436 	cert "/path/to/cert.pem"

437 	key  "/path/to/key.pem"

438 	root "/example.com" # in the /var/gemini chroot

440 	location "/static/*" {

441 		auto index on

442 		index "index.gemini"

445 .Ed

446 .Sh ACKNOWLEDGEMENTS

447 .Nm

448 uses the

449 .Dq Flexible and Economical

450 UTF-8 decoder written by

451 .An Bjoern Hoehrmann .

452 .Sh AUTHORS

453 .An -nosplit

454 The

455 .Nm

456 program was written by

457 .An Omar Polo Aq Mt op@omarpolo.com .

458 .Sh CAVEATS

459 .Bl -bullet

460 .It

461 The root directories of all virtual hosts are opened during the daemon

462 startup; this means that if a root directory gets deleted and then

463 re-created,

464 .Nm

465 won't be able to serve files inside that directory until a restart.

466 This restriction applies only to the root directories and not their content.

467 .It

468 a %2F sequence is indistinguishable from a literal slash: this is not

469 RFC3986-compliant.

470 .It

471 a %00 sequence is treated as invalid character and thus rejected.

472 .El