1 .\" Copyright (c) 2022 Omar Polo <op@omarpolo.com>
2 .\"
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
6 .\"
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: December 2 2022$
15 .Dt GMID.CONF 5
16 .Os
17 .Sh NAME
18 .Nm gmid.conf
19 .Nd gmid Gemini server configuration file
20 .Sh DESCRIPTION
21 .Nm
22 is the configuration file format for the
23 .Xr gmid 1
24 Gemini server.
25 .Pp
26 The configuration file is divided into three sections:
27 .Bl -tag -width xxxx
28 .It Sy Macros
29 User-defined variables may be defined and used later, simplifying the
30 configuration file.
31 .It Sy Global Options
32 Global settings for
33 .Nm .
34 .It Sy Servers
35 Virtual hosts definition.
36 .It Sy Types
37 Media types and extensions.
38 .El
39 .Pp
40 Within the sections, empty lines are ignored and comments can be put
41 anywhere in the file using a hash mark
42 .Pq Sq # ,
43 and extend to the end of the current line.
44 A boolean is either the symbol
45 .Sq on
46 or
47 .Sq off .
48 A string is a sequence of characters wrapped in double quotes,
49 .Dq like this .
50 Multiple strings one next to the other are joined into a single
51 string:
52 .Bd -literal -offset indent
53 # equivalent to "temporary-failure"
54 block return 40 "temporary" "-" "failure"
55 .Ed
56 .Pp
57 Furthermore, quoting is necessary only when a string needs to contain
58 special characters
59 .Pq like spaces or punctuation ,
60 something that looks like a number or a reserved keyword.
61 The last example could have been written also as:
62 .Bd -literal -offset indent
63 block return 40 temporary "-" failure
64 .Ed
65 .Pp
66 Strict ordering of the sections is not enforced, so that is possible
67 to mix macros, options and
68 .Ic server
69 blocks.
70 However, defining all the
71 .Ic server
72 blocks after the macros and the global options is recommended.
73 .Pp
74 Newlines are often optional, except around top-level instructions, and
75 semicolons
76 .Dq \&;
77 can also be optionally used to separate options.
78 .Pp
79 Additional configuration files can be included with the
80 .Ic include
81 keyword, for example:
82 .Bd -literal -offset indent
83 include "/etc/gmid.conf.local"
84 .Ed
85 .Ss Macros
86 Macros can be defined that will later be expanded in context.
87 Macro names must start with a letter, digit or underscore and may
88 contain any of those characters.
89 Macros names may not be reserved words.
90 Macros are not expanded inside quotes.
91 .Pp
92 Two kinds of macros are supported: variable-like and proper macros.
93 When a macro is invoked with a
94 .Dq $
95 before its name its expanded as a string, whereas when it's invoked
96 with a
97 .Dq @
98 its expanded in-place.
99 .Pp
100 For example:
101 .Bd -literal -offset indent
102 dir = "/var/gemini"
103 certdir = "/etc/keys"
104 common = "lang it; auto index on"
105 
106 server "foo" {
107 	root $dir "/foo"         # -> /var/gemini/foo
108 	cert $certdir "/foo.pem" # -> /etc/keys/foo.pem
109 	key  $certdir "/foo.key" # -> /etc/keys/foo.key
110 	@common
111 }
112 .Ed
113 .Ss Global Options
114 .Bl -tag -width 12m
115 .It Ic chroot Ar path
116 .Xr chroot 2
117 the process to the given
118 .Ar path .
119 The daemon has to be run with root privileges and thus the option
120 .Ic user
121 needs to be provided, so privileges can be dropped.
122 Note that
123 .Nm
124 will enter the chroot after loading the TLS keys, but before opening
125 the virtual host root directories.
126 It's recommended to keep the TLS keys outside the chroot.
127 Future version of
128 .Nm
129 may enforce this.
130 .It Ic ipv6 Ar bool
131 Enable or disable IPv6 support, off by default.
132 .It Ic port Ar portno
133 The port to listen on.
134 1965 by default.
135 .It Ic prefork Ar number
136 Run the specified number of server processes.
137 This increases the performance and prevents delays when connecting to
138 a server.
139 When not in config-less mode,
140 .Nm
141 runs 3 server processes by default.
142 The maximum number allowed is 16.
143 .It Ic protocols Ar string
144 Specify the TLS protocols to enable.
145 Refer to
146 .Xr tls_config_parse_protocols 3
147 for the valid protocol string values.
148 By default, both TLSv1.3 and TLSv1.2 are enabled.
149 Use
150 .Dq tlsv1.3
151 to enable only TLSv1.3.
152 .It Ic user Ar string
153 Run the daemon as the given user.
154 .El
155 .Ss Servers
156 Every virtual host is defined by a
157 .Ic server
158 block:
159 .Bl -tag -width Ds
160 .It Ic server Ar hostname Brq ...
161 Match the server name using shell globbing rules.
162 It can be an explicit name,
163 .Ar www.example.com ,
164 or a name including a wildcards,
165 .Ar *.example.com .
166 .El
167 .Pp
168 Followed by a block of options that is enclosed in curly brackets:
169 .Bl -tag -width Ds
170 .It Ic alias Ar name
171 Specify an additional alias
172 .Ar name
173 for this server.
174 .It Ic auto Ic index Ar bool
175 If no index file is found, automatically generate a directory listing.
176 Disabled by default.
177 .It Ic block Op Ic return Ar code Op Ar meta
178 Send a reply and close the connection;
179 by default
180 .Ar code
181 is 40
182 and
183 .Ar meta
184 is
185 .Dq temporary failure .
186 If
187 .Ar code
188 is in the 3x range, then
189 .Ar meta
190 is mandatory.
191 Inside
192 .Ar meta ,
193 the following special sequences are supported:
194 .Bl -tag -width Ds -compact
195 .It \&%\&%
196 is replaced with a single
197 .Sq \&% .
198 .It \&%p
199 is replaced with the request path.
200 .It \&%q
201 is replaced with the query string of the request.
202 .It \&%P
203 is replaced with the server port.
204 .It \&%N
205 is replaced with the server name.
206 .El
207 .It Ic cert Ar file
208 Path to the certificate to use for this server.
209 .Ar file
210 should contain a PEM encoded certificate.
211 This option is mandatory.
212 .It Ic cgi Ar path
213 Execute
214 .Sx CGI
215 scripts that matches
216 .Ar path
217 using shell globbing rules.
218 .Pp
219 The CGI scripts are executed in the directory they reside and inherit
220 the environment from
221 .Nm gmid
222 with these additional variables set:
223 .Bl -tag -width 24m
224 .It Ev GATEWAY_INTERFACE
225 .Dq CGI/1.1
226 .It Ev GEMINI_DOCUMENT_ROOT
227 The root directory of the virtual host.
228 .It Ev GEMINI_SCRIPT_FILENAME
229 Full path to the CGI script being executed.
230 .It Ev GEMINI_URL
231 The full IRI of the request.
232 .It Ev GEMINI_URL_PATH
233 The path of the request.
234 .It Ev GEMINI_SEARCH_STRING
235 The decoded
236 .Ev QUERY_STRING
237 if defined in the request and if it doesn't contain any unencoded
238 .Sq =
239 characters, otherwise unset.
240 .It Ev PATH_INFO
241 The portion of the requested path that is derived from the the IRI
242 path hierarchy following the part that identifies the script itself.
243 Can be unset.
244 .It Ev PATH_TRANSLATED
245 Present if and only if
246 .Ev PATH_INFO
247 is set.
248 It represent the translation of the
249 .Ev PATH_INFO .
250 .Nm gmid
251 builds this by appending the
252 .Ev PATH_INFO
253 to the virtual host directory root.
254 .It Ev QUERY_STRING
255 The URL-encoded search or parameter string.
256 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
257 Textual representation of the client IP.
258 .It Ev REQUEST_METHOD
259 This is present only for RFC3875 (CGI) compliance.
260 It's always set to the empty string.
261 .It Ev SCRIPT_NAME
262 The part of the
263 .Ev GEMINI_URL_PATH
264 that identifies the current CGI script.
265 .It Ev SERVER_NAME
266 The name of the server
267 .It Ev SERVER_PORT
268 The port the server is listening on.
269 .It Ev SERVER_PROTOCOL
270 .Dq GEMINI
271 .It Ev SERVER_SOFTWARE
272 The name and version of the server, i.e.
273 .Dq gmid/1.8.6
274 .It Ev AUTH_TYPE
275 The string "Certificate" if the client used a certificate, otherwise
276 unset.
277 .It Ev REMOTE_USER
278 The subject of the client certificate if provided, otherwise unset.
279 .It Ev TLS_CLIENT_ISSUER
280 The is the issuer of the client certificate if provided, otherwise
281 unset.
282 .It Ev TLS_CLIENT_HASH
283 The hash of the client certificate if provided, otherwise unset.
284 The format is
285 .Dq ALGO:HASH .
286 .It Ev TLS_VERSION
287 The TLS version negotiated with the peer.
288 .It Ev TLS_CIPHER
289 The cipher suite negotiated with the peer.
290 .It Ev TLS_CIPHER_STRENGTH
291 The strength in bits for the symmetric cipher that is being used with
292 the peer.
293 .It Ev TLS_CLIENT_NOT_AFTER
294 The time corresponding to the end of the validity period of the peer
295 certificate in the ISO 8601 format
296 .Pq e.g. Dq 2021-02-07T20:17:41Z .
297 .It Ev TLS_CLIENT_NOT_BEFORE
298 The time corresponding to the start of the validity period of the peer
299 certificate in the ISO 8601 format.
300 .El
301 .It Ic default type Ar string
302 Set the default media type that is used if the media type for a
303 specified extension is not found.
304 If not specified, the
305 .Ic default type
306 is set to
307 .Dq application/octet-stream .
308 .It Ic entrypoint Ar path
309 Handle all the requests for the current virtual host using the
310 .Sx CGI
311 script at
312 .Ar path ,
313 relative to the current document root.
314 .It Ic env Ar name Cm = Ar value
315 Set the environment variable
316 .Ar name
317 to
318 .Ar value
319 when executing CGI scripts.
320 Can be provided more than once.
321 .\" don't document the "spawn <prog>" form because it probably won't
322 .\" be kept.
323 .It Ic fastcgi Oo Ic tcp Oc Ar socket Oo Cm port Ar port Oc
324 Enable
325 .Sx FastCGI
326 instead of serving files.
327 The
328 .Ar socket
329 can either be a UNIX-domain socket or a TCP socket.
330 If the FastCGI application is listening on a UNIX domain socket,
331 .Ar socket
332 is a local path name within the
333 .Xr chroot 2
334 root directory of
335 .Nm .
336 Otherwise, the
337 .Ic tcp
338 keyword must be provided and
339 .Ar socket
340 is interpreted as a hostname or an IP address.
341 .Ar port
342 can be either a port number or the name of a service enclosed in
343 double quotes.
344 If not specified defaults to 9000.
345 .It Ic index Ar string
346 Set the directory index file.
347 If not specified, it defaults to
348 .Pa index.gmi .
349 .It Ic key Ar file
350 Specify the private key to use for this server.
351 .Ar file
352 should contain a PEM encoded private key.
353 This option is mandatory.
354 .It Ic lang Ar string
355 Specify the language tag for the text/gemini content served.
356 If not specified, no
357 .Dq lang
358 parameter will be added in the response.
359 .It Ic location Ar path Brq ...
360 Specify server configuration rules for a specific location.
361 .Ar path
362 argument will be matched against the request path with shell globbing
363 rules.
364 In case of multiple location statements in the same context, the first
365 matching location will be put into effect and the later ones ignored.
366 Therefore is advisable to match for more specific paths first and for
367 generic ones later on.
368 A
369 .Ic location
370 section may include most of the server configuration rules
371 except
372 .Ic alias , Ic cert , Ic cgi , Ic entrypoint , Ic env , Ic key ,
373 .Ic location , Ic param No and Ic proxy .
374 .It Ic log Ar bool
375 Enable or disable the logging for the current server or location block.
376 .It Ic param Ar name Cm = Ar value
377 Set the param
378 .Ar name
379 to
380 .Ar value
381 for FastCGI.
382 By default the following variables
383 .Pq parameters
384 are sent, and carry the same semantics as with CGI:
385 .Pp
386 .Bl -bullet -compact
387 .It
388 GATEWAY_INTERFACE
389 .It
390 GEMINI_URL_PATH
391 .It
392 QUERY_STRING
393 .It
394 REMOTE_ADDR
395 .It
396 REMOTE_HOST
397 .It
398 REQUEST_METHOD
399 .It
400 SERVER_NAME
401 .It
402 SERVER_PROTOCOL
403 .It
404 SERVER_SOFTWARE
405 .It
406 AUTH_TYPE
407 .It
408 REMOTE_USER
409 .It
410 TLS_CLIENT_ISSUER
411 .It
412 TLS_CLIENT_HASH
413 .It
414 TLS_VERSION
415 .It
416 TLS_CIPHER
417 .It
418 TLS_CIPHER_STRENGTH
419 .It
420 TLS_CLIENT_NOT_BEFORE
421 .It
422 TLS_CLIENT_NOT_AFTER
423 .El
424 .It Ic ocsp Ar file
425 Specify an OCSP response to be stapled during TLS handshakes
426 with this server.
427 The
428 .Ar file
429 should contain a DER-format OCSP response retrieved from an
430 OCSP server for the
431 .Ic cert
432 in use.
433 If the OCSP response in
434 .Ar file
435 is empty, OCSP stapling will not be used.
436 The default is to not use OCSP stapling.
437 .It Ic proxy Oo Cm proto Ar name Oc Oo Cm for-host Ar host : Ns Oo Ar port Oc Oc Brq ...
438 Set up a reverse proxy.
439 The optional matching rules
440 .Cm proto
441 and
442 .Cm for-host
443 can be used to enable proxying only for protocols matching
444 .Ar name
445 .Po Dq gemini
446 by default
447 .Pc
448 and/or whose request IRI matches
449 .Ar host
450 and
451 .Ar port
452 .Pq 1965 by default .
453 Matching happens using shell globbing rules.
454 .Pp
455 In case of multiple matching proxy blocks in the same context, the
456 first matching proxy will be put into effect and the later ones
457 ignored.
458 .Pp
459 Valid options are:
460 .Bl -tag -width Ds
461 .It Ic cert Ar file
462 Specify the client certificate to use when making requests.
463 .It Ic key Ar file
464 Specify the client certificate key to use when making requests.
465 .It Ic protocols Ar string
466 Specify the TLS protocols allowed when making remote requests.
467 Refer to the
468 .Xr tls_config_parse_protocols 3
469 function for the valid protocol string values.
470 By default, both TLSv1.2 and TLSv1.3 are enabled.
471 .It Ic relay-to Ar host : Ns Op Ar port
472 Relay the request to the given
473 .Ar host
474 at the given
475 .Ar port ,
476 1965 by default.
477 This is the only mandatory option in a
478 .Ic proxy
479 block.
480 .It Ic require Ic client Ic ca Ar file
481 Allow the proxying only from clients that provide a certificate
482 signed by the CA certificate in
483 .Ar file .
484 .It Ic sni Ar hostname
485 Use the given
486 .Ar hostname
487 instead of the one extracted from the
488 .Ic relay-to
489 rule for the TLS handshake with the proxied gemini server.
490 .It Ic use-tls Ar bool
491 Specify whether to use TLS when connecting to the proxied host.
492 Enabled by default.
493 .It Ic verifyname Ar bool
494 Enable or disable the TLS server name verification.
495 Enabled by default.
496 .El
497 .It Ic root Ar directory
498 Specify the root directory for this server
499 .Pq alas the current Dq document root .
500 It's relative to the chroot if enabled.
501 .It Ic require Ic client Ic ca Ar path
502 Allow requests only from clients that provide a certificate signed by
503 the CA certificate in
504 .Ar path .
505 It needs to be a PEM-encoded certificate and it's not relative to the
506 chroot.
507 .It Ic strip Ar number
508 Strip
509 .Ar number
510 components from the beginning of the path before doing a lookup in the
511 root directory.
512 It's also considered for the
513 .Ar meta
514 parameter in the scope of a
515 .Ic block return .
516 .El
517 .Ss Types
518 The
519 .Ic types
520 section must include one or more lines of the following syntax, enclosed
521 in curly brances:
522 .Bl -tag -width Ds
523 .It Ar type/subtype Ar name Op Ar name ...
524 Set the media
525 .Ar type
526 and
527 .Ar subtype
528 to the specified extension
529 .Ar name .
530 One or more names can be specified per line.
531 Earch line may end with an optional semicolon.
532 .It Ic include Ar file
533 Include types definition from an external file, for example
534 .Pa /usr/share/misc/mime.types .
535 .El
536 .Pp
537 By default
538 .Nm gmid
539 uses the following mapping if no
540 .Ic types
541 block is defined:
542 .Bl -tag -offset indent -width 15m -compact
543 .It application/pdf
544 pdf
545 .It image/gif
546 gif
547 .It image/jpeg
548 jpg jpeg
549 .It image/png
550 png
551 .It image/svg+xml
552 svg
553 .It text/gemini
554 gemini gmi
555 .It text/markdown
556 markdown md
557 .It text/x-patch
558 diff patch
559 .It text/xml
560 xml
561 .El
562 .Pp
563 As an exception,
564 .Nm gmid
565 uses the MIME type
566 .Ar text/gemini
567 for file extensions
568 .Ar gemini
569 or
570 .Ar gmi
571 if no mapping was found.
572 .Sh EXAMPLES
573 The following is an example of a possible configuration for a site
574 that enables only TLSv1.3, adds the MIME types mapping from
575 .Pa /usr/share/misc/mime.types
576 and defines two virtual host:
577 .Bd -literal -offset indent
578 ipv6 on		# enable ipv6
579 
580 protocols "tlsv1.3"
581 
582 types {
583 	include "/usr/share/misc/mime.types"
584 }
585 
586 server "example.com" {
587 	cert "/etc/ssl/example.com.pem"
588 	key  "/etc/ssl/private/example.com.key"
589 	root "/var/gemini/example.com"
590 }
591 
592 server "example.it" {
593 	cert "/etc/ssl/example.it.pem"
594 	key  "/etc/ssl/private/example.it.key"
595 	root "/var/gemini/example.it"
596 
597 	# execute cgi scripts inside "cgi-bin"
598 	cgi  "/cgi-bin/*"
599 
600 	# set the language for text/gemini files
601 	lang "it"
602 }
603 .Ed
604 .Pp
605 Yet another example, showing how to enable a
606 .Ic chroot
607 and use
608 .Ic location
609 rule
610 .Bd -literal -offset indent
611 chroot "/var/gemini"
612 user "_gmid"
613 
614 server "example.com" {
615 	# absolute paths:
616 	cert "/etc/ssl/example.com.pem"
617 	key  "/etc/ssl/private/example.com.key"
618 
619 	# relative to the chroot:
620 	root "/example.com"
621 
622 	location "/static/*" {
623 		# load the following rules only for
624 		# requests that matches "/static/*"
625 
626 		auto index on
627 		index "index.gemini"
628 	}
629 }
630 .Ed
631 .Sh SEE ALSO
632 .Xr gmid 1 ,
633 .Xr slowcgi 8
634 .Sh AUTHORS
635 .An -nosplit
636 The
637 .Nm gmid
638 program was written by
639 .An Omar Polo Aq Mt op@omarpolo.com .