Blob

Date:
Message:
mention SIGHUP in manpage
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd $Mdocdate: January 30 2021$

15 .Dt GMIND 1

16 .Os

17 .Sh NAME

18 .Nm gmid

19 .Nd simple and secure Gemini server

20 .Sh SYNOPSIS

21 .Nm

22 .Bk -words

23 .Op Fl fn

24 .Op Fl c Ar config

25 |

26 .Op Fl 6hv

27 .Op Fl d Pa certs-dir

28 .Op Fl H Ar hostname

29 .Op Fl p Ar port

30 .Op Fl x Pa cgi

31 .Op Pa dir

32 .Ek

33 .Sh DESCRIPTION

34 .Nm

35 is a simple and minimal gemini server that can serve static files and

36 execute CGI scripts.

37 It can run without a configuration file with a limited set of features

38 available.

39 If a configuration file is given, no other flags shall be given,

40 except for

41 .Fl f

42 and

43 .Fl n .

44 .Pp

45 .Nm

46 rereads the configuration file when it receives

47 .Dv SIGHUP .

48 .Pp

49 The options are as follows:

50 .Bl -tag -width 14m

51 .It Fl c Pa config

52 Specify the configuration file.

53 .It Fl f

54 Stays and logs on the foreground.

55 .It Fl n

56 Check that the configuration is valid, but don't start the server.

57 .El

58 .Pp

59 If no configuration file is given,

60 .Nm

61 will look for the following options

62 .Bl -tag -width 14m

63 .It Fl 6

64 Enable IPv6.

65 .It Fl d Pa certs-path

66 Directory where certificates for the config-less mode are stored.

67 By default is

68 .Pa $XDG_DATA_HOME/gmid ,

69 i.e.

70 .Pa ~/.local/share/gmid .

71 .It Fl H Ar hostname

72 The hostname, by default

73 .Ar localhost .

74 Certificates for the given

75 .Ar hostname

76 are searched inside the

77 .Pa certs-dir

78 directory given with the

79 .Fl d

80 option.

81 They have the form

82 .Pa hostname.cert.pem

83 and

84 .Pa hostname.key.pem .

85 If a certificate and key doesn't exists for a given hostname they

86 will be automatically generated.

87 .It Fl h

88 Print the usage and exit.

89 .It Fl p Ar port

90 The port to listen on, by default 1965.

91 .It Fl v

92 Increase the verbosity of the logs.

93 .It Fl x Pa path

94 Enable execution of CGI scripts.

95 See the description of the

96 .Ic cgi

97 option in the section

98 .Sq Servers

99 below to learn how

100 .Pa path

101 is processed.

102 Cannot be provided more than once.

103 .It Pa dir

104 The root directory to serve.

105 By default the current working directory is assumed.

106 .El

107 .Sh CONFIGURATION FILE

108 The configuration file is divided into two sections:

109 .Bl -tag -width xxxx

110 .It Sy Global Options

111 Global settings for

112 .Nm .

113 .It Sy Servers

114 Virtual hosts definition.

115 .El

116 .Pp

117 Within the sections, empty lines are ignored and comments can be put

118 anywhere in the file using a hash mark

119 .Pq Sq # ,

120 and extend to the end of the current line.

121 A boolean is either the symbol

122 .Sq on

123 or

124 .Sq off .

125 A string is a sequence of characters wrapped in double quotes,

126 .Dq like this .

127 .Ss Global Options

128 .Bl -tag -width 12m

129 .It Ic ipv6 Ar bool

130 Enable or disable IPv6 support.

131 By default is off.

132 .It Ic port Ar portno

133 The port to listen on.

134 By default is 1965.

135 .It Ic protocols Ar string

136 Specify the TLS protocols to enable.

137 Refer to

138 .Xr tls_config_parse_protocols 3

139 for the valid protocol string values.

140 By default, both TLSv1.3 and TLSv1.2 are enabled.

141 Use

142 .Dq tlsv1.3

143 to enable only TLSv1.3.

144 .It Ic mime Ar mime-type Ar file-extension

145 Add a mapping for the given

146 .Ar file-extension

147 to the given

148 .Ar mime-type .

149 Both argument are strings.

150 .It Ic chroot Pa path

151 .Xr chroot 2

152 the process to the given

153 .Pa path .

154 The daemon has to be run with root privileges and thus the option

155 .Ic user

156 needs to be provided, so privileges can be dropped.

157 Note that

158 .Nm

159 will enter the chroot after loading the TLS keys, but before opening

160 the virtual host root directories.

161 It's recommended to keep the TLS keys outside the chroot.

162 Future version of

163 .Nm

164 may require this.

165 .It Ic user Ar string

166 Run the daemon as the given user.

167 .El

168 .Ss Servers

169 Every virtual host is defined by a

170 .Ic server

171 block:

172 .Bl -tag -width Ds

173 .It Ic server Ar hostname Brq ...

174 Match the server name using shell globbing rules.

175 This can be an explicit name,

176 .Ar www.example.com ,

177 or a name including a wildcards,

178 .Ar *.example.com .

179 .El

180 .Pp

181 Followed by a block of options that is enclosed in curly brackets:

182 .Bl -tag -width Ds

183 .It Ic cert Pa file

184 Path to the certificate to use for this server.

185 The

186 .Pa file

187 should contain a PEM encoded certificate.

188 This option is mandatory.

189 .It Ic key Pa file

190 Specify the private key to use for this server.

191 The

192 .Pa file

193 should contain a PEM encoded private key.

194 This option is mandatory.

195 .It Ic root Pa directory

196 Specify the root directory for this server.

197 This option is mandatory.

198 It's relative to the chroot, if enabled.

199 .It Ic cgi Pa path

200 Execute CGI scripts that matches

201 .Pa path

202 using shell globbing rules.

203 .It Ic default type Ar string

204 Set the default media type that is used if the media type for a

205 specified extension is not found.

206 If not specified, the

207 .Ic default type

208 is set to

209 .Dq application/octet-stream .

210 .It Ic lang Ar string

211 Specify the language tag for the text/gemini content served.

212 If not specified, no

213 .Dq lang

214 parameter will be added in the response.

215 .It Ic index Ar string

216 Set the directory index file.

217 If not specified, it defaults to

218 .Pa index.gmi .

219 .It Ic auto Ic index Ar bool

220 If no index file is found, automatically generate a directory listing.

221 It's disabled by default.

222 .It Ic location Pa path Brq ...

223 Specify server configuration rules for a specific location.

224 The

225 .Pa path

226 argument will be matched against the request path with shell globbing

227 rules.

228 In case of multiple location statements in the same context, the first

229 matching location will be put into effect and the later ones ignored.

230 Therefore is advisable to match for more specific paths first and for

231 generic ones later on.

233 .Ic location

234 section may include most of the server configuration rules

235 except

236 .Ic cert , Ic key , Ic root , Ic location No and Ic cgi .

237 .El

238 .Sh CGI

239 When a request for an executable file matches the

240 .Ic cgi

241 rule, that file will be execute and its output fed to the client.

242 .Pp

243 The CGI scripts are executed in the directory they reside and inherit

244 the environment from

245 .Nm

246 with these additional variables set:

247 .Bl -tag -width 24m

248 .It Ev GATEWAY_INTERFACE

249 .Dq CGI/1.1

250 .It Ev GEMINI_DOCUMENT_ROOT

251 The root directory of the virtual host.

252 .It Ev GEMINI_SCRIPT_FILENAME

253 Full path to the CGI script being executed.

254 .It Ev GEMINI_URL

255 The full IRI of the request.

256 .It Ev GEMINI_URL_PATH

257 The path of the request.

258 .It Ev PATH_INFO

259 The portion of the requested path that is derived from the the IRI

260 path hierarchy following the part that identifies the script itself.

261 Can be unset.

262 .It Ev PATH_TRANSLATED

263 Present if and only if

264 .Ev PATH_INFO

265 is set.

266 It represent the translation of the

267 .Ev PATH_INFO .

268 .Nm

269 builds this by appending the

270 .Ev PATH_INFO

271 to the virtual host directory root.

272 .It Ev QUERY_STRING

273 The decoded query string.

274 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

275 Textual representation of the client IP.

276 .It Ev REQUEST_METHOD

277 This is present only for RFC3875 (CGI) compliance.

278 It's always set to the empty string.

279 .It Ev SCRIPT_NAME

280 The part of the

281 .Ev GEMINI_URL_PATH

282 that identifies the current CGI script.

283 .It Ev SERVER_NAME

284 The name of the server

285 .It Ev SERVER_PORT

286 The port the server is listening on.

287 .It Ev SERVER_PROTOCOL

288 .Dq GEMINI

289 .It Ev SERVER_SOFTWARE

290 The name and version of the server, i.e.

291 .Dq gmid/1.5

292 .It Ev AUTH_TYPE

293 The string "Certificate" if the client used a certificate, otherwise

294 unset.

295 .It Ev REMOTE_USER

296 The subject of the client certificate if provided, otherwise unset.

297 .It Ev TLS_CLIENT_ISSUER

298 The is the issuer of the client certificate if provided, otherwise

299 unset.

300 .It Ev TLS_CLIENT_HASH

301 The hash of the client certificate if provided, otherwise unset.

302 The format is

303 .Dq ALGO:HASH .

304 .El

305 .Pp

306 .Sh MIME

307 To auto-detect the MIME type of the response

308 .Nm

309 looks at the file extension and consults its internal table.

310 By default the following mappings are loaded, but they can be

311 overridden or extended using the

312 .Ic mime

313 configuration option.

314 If no MIME is found, the value of

315 .Ic default type

316 matching the file

317 .Ic location

318 will be used, which is

319 .Dq application/octet-stream

320 by default.

321 .Pp

322 .Bl -tag -offset indent -width 14m -compact

323 .It gemini, gmi

324 text/gemini

325 .It gif

326 image/gif

327 .It jpeg

328 image/jpeg

329 .It jpg

330 image/jpeg

331 .It markdown, md

332 text/markdown

333 .It pdf

334 application/pdf

335 .It png

336 image/png

337 .It svg

338 image/svg+xml

339 .It txt

340 text/plain

341 .It xml

342 text/xml

343 .El

344 .Sh EXAMPLES

345 Serve the current directory

346 .Bd -literal -offset indent

347 $ gmid .

348 .Ed

349 .Pp

350 To serve the directory

351 .Pa docs

352 and enable CGI scripts inside

353 .Pa docs/cgi ,

354 you can

355 .Bd -literal -offset indent

356 $ mkdir docs/cgi

357 $ cat <<EOF > cgi/hello

358 #!/bin/sh

359 printf "20 text/plain\\r\\n"

360 echo "hello world"

361 EOF

362 $ chmod +x docs/cgi/hello

363 $ gmid -x cgi docs

364 .Ed

365 .Pp

366 The following is an example of a possible configuration for a site

367 that enables only TLSv1.3, adds a mime type for the file extension

368 "rtf" and defines two virtual host:

369 .Bd -literal -offset indent

370 ipv6 on		# enable ipv6

372 protocols "tlsv1.3"

374 mime "application/rtf" "rtf"

376 server "example.com" {

377 	cert "/path/to/cert.pem"

378 	key  "/path/to/key.pem"

379 	root "/var/gemini/example.com"

382 server "it.example.com" {

383 	cert "/path/to/cert.pem"

384 	key  "/path/to/key.pem"

385 	root "/var/gemini/it.example.com"

386 	cgi  "/cgi-bin/*"

387 	lang "it"

389 .Ed

390 .Pp

391 Yet another example, showing how to enable a

392 .Ic chroot

393 and use

394 .Ic location

395 rule

396 .Bd -literal -offset indent

397 chroot "/var/gemini"

398 user "_gmid"

400 server "example.com" {

401 	cert "/path/to/cert.pem"

402 	key  "/path/to/key.pem"

403 	root "/example.com" # in the /var/gemini chroot

405 	location "/static/*" {

406 		auto index on

407 		index "index.gemini"

410 .Ed

411 .Sh ACKNOWLEDGEMENTS

412 .Nm

413 uses the

414 .Dq Flexible and Economical

415 UTF-8 decoder written by

416 .An Bjoern Hoehrmann .

417 .Sh AUTHORS

418 .An -nosplit

419 The

420 .Nm

421 program was written by

422 .An Omar Polo Aq Mt op@omarpolo.com .

423 .Sh CAVEATS

424 .Bl -bullet

425 .It

426 The root directories of all virtual hosts are opened during the daemon

427 startup; this means that if a root directory gets deleted and then

428 re-created,

429 .Nm

430 won't be able to serve files inside that directory until a restart.

431 This restriction applies only to the root directories and not their content.

432 .It

433 a %2F sequence is indistinguishable from a literal slash: this is not

434 RFC3986-compliant.

435 .It

436 a %00 sequence is treated as invalid character and thus rejected.

437 .El