1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: January 30 2021$
19 .Nd simple and secure Gemini server
35 is a simple and minimal gemini server that can serve static files and
37 It can run without a configuration file with a limited set of features
39 If a configuration file is given, no other flags shall be given,
45 The options are as follows:
48 Specify the configuration file.
50 Stays and logs on the foreground.
52 Check that the configuration is valid, but don't start the server.
55 If no configuration file is given,
57 will look for the following options
61 .It Fl d Pa certs-path
62 Directory where certificates for the config-less mode are stored.
64 .Pa $XDG_DATA_HOME/gmid ,
66 .Pa ~/.local/share/gmid .
68 The hostname, by default
70 Certificates for the given
72 are searched inside the
74 directory given with the
80 .Pa hostname.key.pem .
81 If a certificate and key doesn't exists for a given hostname they
82 will be automatically generated.
84 Print the usage and exit.
86 The port to listen on, by default 1965.
88 Increase the verbosity of the logs.
90 Enable execution of CGI scripts.
91 See the description of the
98 Cannot be provided more than once.
100 The root directory to serve.
101 By default the current working directory is assumed.
103 .Sh CONFIGURATION FILE
104 The configuration file is divided into two sections:
106 .It Sy Global Options
110 Virtual hosts definition.
113 Within the sections, empty lines are ignored and comments can be put
114 anywhere in the file using a hash mark
116 and extend to the end of the current line.
117 A boolean is either the symbol
121 A string is a sequence of characters wrapped in double quotes,
126 Enable or disable IPv6 support.
128 .It Ic port Ar portno
129 The port to listen on.
131 .It Ic protocols Ar string
132 Specify the TLS protocols to enable.
134 .Xr tls_config_parse_protocols 3
135 for the valid protocol string values.
136 By default, both TLSv1.3 and TLSv1.2 are enabled.
139 to enable only TLSv1.3.
140 .It Ic mime Ar mime-type Ar file-extension
141 Add a mapping for the given
145 Both argument are strings.
146 .It Ic chroot Pa path
148 the process to the given
150 The daemon has to be run with root privileges and thus the option
152 needs to be provided, so privileges can be dropped.
155 will enter the chroot after loading the TLS keys, but before opening
156 the virtual host root directories.
157 It's recommended to keep the TLS keys outside the chroot.
161 .It Ic user Ar string
162 Run the daemon as the given user.
165 Every virtual host is defined by a
169 .It Ic server Ar hostname Brq ...
170 Match the server name using shell globbing rules.
171 This can be an explicit name,
172 .Ar www.example.com ,
173 or a name including a wildcards,
177 Followed by a block of options that is enclosed in curly brackets:
180 Path to the certificate to use for this server.
183 should contain a PEM encoded certificate.
184 This option is mandatory.
186 Specify the private key to use for this server.
189 should contain a PEM encoded private key.
190 This option is mandatory.
191 .It Ic root Pa directory
192 Specify the root directory for this server.
193 This option is mandatory.
194 It's relative to the chroot, if enabled.
196 Execute CGI scripts that matches
198 using shell globbing rules.
199 .It Ic default type Ar string
200 Set the default media type that is used if the media type for a
201 specified extension is not found.
202 If not specified, the
205 .Dq application/octet-stream .
206 .It Ic lang Ar string
207 Specify the language tag for the text/gemini content served.
210 parameter will be added in the response.
211 .It Ic index Ar string
212 Set the directory index file.
213 If not specified, it defaults to
215 .It Ic auto Ic index Ar bool
216 If no index file is found, automatically generate a directory listing.
217 It's disabled by default.
218 .It Ic location Pa path Brq ...
219 Specify server configuration rules for a specific location.
222 argument will be matched against the request path with shell globbing
224 In case of multiple location statements in the same context, the first
225 matching location will be put into effect and the later ones ignored.
226 Therefore is advisable to match for more specific paths first and for
227 generic ones later on.
230 section may include most of the server configuration rules
232 .Ic cert , Ic key , Ic root , Ic location No and Ic cgi .
235 When a request for an executable file matches the
237 rule, that file will be execute and its output fed to the client.
239 The CGI scripts are executed in the directory they reside and inherit
242 with these additional variables set:
244 .It Ev GATEWAY_INTERFACE
246 .It Ev GEMINI_DOCUMENT_ROOT
247 The root directory of the virtual host.
248 .It Ev GEMINI_SCRIPT_FILENAME
249 Full path to the CGI script being executed.
251 The full IRI of the request.
252 .It Ev GEMINI_URL_PATH
253 The path of the request.
255 The portion of the requested path that is derived from the the IRI
256 path hierarchy following the part that identifies the script itself.
258 .It Ev PATH_TRANSLATED
259 Present if and only if
262 It represent the translation of the
265 builds this by appending the
267 to the virtual host directory root.
269 The decoded query string.
270 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
271 Textual representation of the client IP.
272 .It Ev REQUEST_METHOD
273 This is present only for RFC3875 (CGI) compliance.
274 It's always set to the empty string.
278 that identifies the current CGI script.
280 The name of the server
282 The port the server is listening on.
283 .It Ev SERVER_PROTOCOL
285 .It Ev SERVER_SOFTWARE
286 The name and version of the server, i.e.
289 The string "Certificate" if the client used a certificate, otherwise
292 The subject of the client certificate if provided, otherwise unset.
293 .It Ev TLS_CLIENT_ISSUER
294 The is the issuer of the client certificate if provided, otherwise
296 .It Ev TLS_CLIENT_HASH
297 The hash of the client certificate if provided, otherwise unset.
303 To auto-detect the MIME type of the response
305 looks at the file extension and consults its internal table.
306 By default the following mappings are loaded, but they can be
307 overridden or extended using the
309 configuration option.
310 If no MIME is found, the value of
314 will be used, which is
315 .Dq application/octet-stream
318 .Bl -tag -offset indent -width 14m -compact
341 Serve the current directory
342 .Bd -literal -offset indent
346 To serve the directory
348 and enable CGI scripts inside
351 .Bd -literal -offset indent
353 $ cat <<EOF > cgi/hello
355 printf "20 text/plain\\r\\n"
358 $ chmod +x docs/cgi/hello
362 The following is an example of a possible configuration for a site
363 that enables only TLSv1.3, adds a mime type for the file extension
364 "rtf" and defines two virtual host:
365 .Bd -literal -offset indent
366 ipv6 on # enable ipv6
370 mime "application/rtf" "rtf"
372 server "example.com" {
373 cert "/path/to/cert.pem"
374 key "/path/to/key.pem"
375 root "/var/gemini/example.com"
378 server "it.example.com" {
379 cert "/path/to/cert.pem"
380 key "/path/to/key.pem"
381 root "/var/gemini/it.example.com"
387 Yet another example, showing how to enable a
392 .Bd -literal -offset indent
396 server "example.com" {
397 cert "/path/to/cert.pem"
398 key "/path/to/key.pem"
399 root "/example.com" # in the /var/gemini chroot
401 location "/static/" {
410 .Dq Flexible and Economical
411 UTF-8 decoder written by
412 .An Bjoern Hoehrmann .
417 program was written by
418 .An Omar Polo Aq Mt op@omarpolo.com .
422 The root directories of all virtual hosts are opened during the daemon
423 startup; this means that if a root directory gets deleted and then
426 won't be able to serve files inside that directory until a restart.
427 This restriction applies only to the root directories and not their content.
429 a %2F sequence is indistinguishable from a literal slash: this is not
432 a %00 sequence is treated as invalid character and thus rejected.