1 .\" Copyright (c) 2022, 2023, 2024 Omar Polo <op@omarpolo.com>
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 .Nd gmid Gemini server configuration file
22 is the configuration file format for the
26 The configuration file is divided into the following sections:
29 User-defined variables may be defined and used later, simplifying the
35 Media types and extensions.
37 Virtual hosts definition.
40 Within the sections, empty lines are ignored and comments can be put
41 anywhere in the file using a hash mark
43 and extend to the end of the current line.
44 A boolean is either the symbol
48 A string is a sequence of characters wrapped in double quotes,
50 Multiple strings one next to the other are joined into a single
52 .Bd -literal -offset indent
53 # equivalent to "temporary-failure"
54 block return 40 "temporary" "-" "failure"
57 Furthermore, quoting is necessary only when a string needs to contain
59 .Pq like spaces or punctuation ,
60 something that looks like a number or a reserved keyword.
61 The last example could have been written also as:
62 .Bd -literal -offset indent
63 block return 40 temporary "-" failure
66 Strict ordering of the sections is not enforced, so that is possible
67 to mix macros, options and
70 However, defining all the
72 blocks after the macros and the global options is recommended.
74 Newlines are often optional, except around top-level instructions, and
77 can also be optionally used to separate options.
79 Additional configuration files can be included with the
82 .Bd -literal -offset indent
83 include "/etc/gmid.conf.local"
86 Macros can be defined that will later be expanded in context.
87 Macro names must start with a letter, digit or underscore and may
88 contain any of those characters.
89 Macros names may not be reserved words.
90 Macros are not expanded inside quotes.
92 Two kinds of macros are supported: variable-like and proper macros.
93 When a macro is invoked with a
95 before its name its expanded as a string, whereas when it's invoked
98 its expanded in-place.
101 .Bd -literal -offset indent
104 certdir = "/etc/keys"
105 common = "lang it; auto index on"
109 root $dir "/foo" # "/var/gemini/foo"
110 cert $certdir "/foo.pem" # "/etc/keys/foo.pem"
111 key $certdir "/foo.key" # "/etc/keys/foo.key"
117 .It Ic chroot Ar path
119 the process to the given
121 The daemon has to be run with root privileges and thus the option
123 needs to be provided too, so privileges can be dropped afterwards.
124 All the paths in the configuration file are relative to the chroot
125 directory, except for the
133 home directory, if provided.
134 .It Ic log Ar options
135 Specify logging options.
136 Multiple options may be provided within curly braces.
137 The available options are as follows:
139 .It Ic access Ar file
142 The path is relative to the
144 .It Ic style Ar style
145 Set the logging style, defaults to
152 Attempt to be compatible with the default Apache httpd log format.
153 Each line is formatted as follows: the matching host name,
154 the remote IP address, one dash
156 Common Name of the client certificate
157 .Pq if provided, '-' otherwise ,
158 the timestamp of the request, the request URI wrapped in double quotes,
159 the response code and the size of the response.
161 Attempt to be compatible with the default nginx log format.
162 Each line is formatted as follows: the remote IP address, one dash
164 Common Name of the client certificate
165 .Pq if provided, '-' otherwise ,
166 the timestamp wrapped in square brackets, the request URI wrapped in
167 double quotes, the response code, the size of the response, a dash
168 wrapped in double quotes and "".
169 The strangness of these two last fields is because Gemini doesn't have
177 .\" format since 2.0.
178 .\" Each line is formatted as follows: RFC 3339 date time,
179 .\" remote IP address, Common Name of the client certificate
180 .\" .Pq if provided, '-' otherwise ,
181 .\" the matching host name, the request URI, the size of the request,
182 .\" the size of the response, the response code and meta.
184 Each line is formatted as follows: the remote IP address and port, the
186 keyword, the request URI, the response code and meta.
188 .It Ic syslog Op Ic off
190 It is enabled by default, use the
193 .It Ic syslog facility Ar facility
198 Available facilities are as follows: daemon, ftp, local0 through local7 and
200 These are case insensitive and can be prefixed with
202 Not all level may be available on all operating systems.
203 The default facility is
206 .It Ic prefork Ar number
207 Run the specified number of server processes.
208 This increases the performance and prevents delays when connecting to
211 runs 3 server processes by default.
212 The maximum number allowed is 16.
213 .It Ic protocols Ar string
214 Specify the TLS protocols to enable.
216 .Xr tls_config_parse_protocols 3
217 for the valid protocol string values.
218 By default, both TLSv1.3 and TLSv1.2 are enabled.
221 to enable only TLSv1.3.
222 .It Ic user Ar string
223 Run the daemon as the given user.
229 Every virtual host is defined by a
233 .It Ic server Ar hostname Brq ...
234 Match the server name using shell globbing rules.
235 It can be an explicit name,
236 .Ar www.example.com ,
237 or a name including wildcards,
241 Followed by a block of options that is enclosed in curly brackets:
244 Specify an additional alias
247 .It Ic auto Ic index Ar bool
248 If no index file is found, automatically generate a directory listing.
250 .It Ic block Op Ic return Ar code Op Ar meta
251 Send a reply and close the connection;
258 .Dq temporary failure .
261 is in the 3x range, then
266 the following special sequences are supported:
267 .Bl -tag -width Ds -compact
269 is replaced with a single
272 is replaced with the request path.
274 is replaced with the query string of the request.
276 is replaced with the server port.
278 is replaced with the server name.
281 Path to the certificate to use for this server.
283 should contain a PEM encoded certificate.
284 This option is mandatory.
285 .It Ic default type Ar string
286 Set the default media type that is used if the media type for a
287 specified extension is not found.
288 If not specified, the
291 .Dq application/octet-stream .
292 .It Ic fastcgi Ar option
293 Enable FastCGI instead of serving files.
294 Multiple options may be specified within curly braces.
297 .It Ic param Ar name Cm = Ar value
302 .It Ic socket Oo Ic tcp Oc Ar socket Oo Cm port Ar port Oc
305 can either be a UNIX-domain socket or a TCP socket.
306 If the FastCGI application is listening on a UNIX domain socket,
308 is a local path name within the
314 keyword must be provided and
316 is interpreted as a hostname or an IP address.
318 can be either a port number or the name of a service enclosed in
320 If not specified defaults to 9000.
321 .It Ic strip Ar number
324 leading path components from the request URL before splitting it in
330 The FastCGI handler will be given the following variables by default:
332 .\" .It Ev GEMINI_DOCUMENT_ROOT
333 .\" The root directory of the virtual host.
334 .It Ev GEMINI_URL_PATH
335 Full path of the request.
336 .It Ev GEMINI_SEARCH_STRING
339 if defined in the request and if it doesn't contain any unencoded
341 characters, otherwise unset.
342 .It Ev GATEWAY_INTERFACE
345 The string "Certificate" if the client used a certificate, otherwise
348 The portion of the requested path that is derived from the the IRI
349 path hierarchy following
352 .It Ev PATH_TRANSLATED
353 Present if and only if
356 It represent the translation of the
359 builds this by appending the
361 to the virtual host directory root.
363 The URL-encoded search or parameter string.
364 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
365 Textual representation of the client IP.
366 .It Ev REQUEST_METHOD
367 This is present only for RFC3875 (CGI) compliance.
371 The virtual URI path to the script.
372 Since it's impossible to determine in all cases the correct
376 assumes it's the empty string.
377 It is recommended to manually specify this parameter when serving a
378 sub-tree of a virtual host via FastCGI.
380 The name of the server
382 The port the server is listening on.
383 .It Ev SERVER_PROTOCOL
385 .It Ev SERVER_SOFTWARE
386 The name and version of the server, i.e.
389 The subject of the client certificate if provided, otherwise unset.
390 .It Ev TLS_CLIENT_ISSUER
391 The is the issuer of the client certificate if provided, otherwise
393 .It Ev TLS_CLIENT_HASH
394 The hash of the client certificate if provided, otherwise unset.
398 The TLS version negotiated with the peer.
400 The cipher suite negotiated with the peer.
401 .It Ev TLS_CIPHER_STRENGTH
402 The strength in bits for the symmetric cipher that is being used with
404 .It Ev TLS_CLIENT_NOT_AFTER
405 The time corresponding to the end of the validity period of the peer
406 certificate in the ISO 8601 format
407 .Pq e.g. Dq 2021-02-07T20:17:41Z .
408 .It Ev TLS_CLIENT_NOT_BEFORE
409 The time corresponding to the start of the validity period of the peer
410 certificate in the ISO 8601 format.
413 Disable FastCGI handling in the current location.
414 .It Ic index Ar string
415 Set the directory index file.
416 If not specified, it defaults to
419 Specify the private key to use for this server.
421 should contain a PEM encoded private key.
422 This option is mandatory.
423 .It Ic lang Ar string
424 Specify the language tag for the text/gemini content served.
427 parameter will be added in the response.
428 .It Ic listen on Ar address Op Ic port Ar number
435 This statement can be specified multiple times.
442 will listen on all IPv4 and IPv6 addresses.
444 can be used to listen on all IPv4 addresses and
446 on all IPv6 addresses.
447 .It Ic location Ar path Brq ...
448 Specify server configuration rules for a specific location.
450 argument will be matched against the request path with shell globbing
452 In case of multiple location statements in the same context, the first
453 matching location will be put into effect and the later ones ignored.
454 Therefore is advisable to match for more specific paths first and for
455 generic ones later on.
458 section may include most of the server configuration rules
460 .Ic alias , Ic cert , Ic key , Ic listen , Ic location
464 Enable or disable the logging for the current server or location block.
466 Specify an OCSP response to be stapled during TLS handshakes
470 should contain a DER-format OCSP response retrieved from an
474 If the OCSP response in
476 is empty, OCSP stapling will not be used.
477 The default is to not use OCSP stapling.
478 .It Ic proxy Oo Cm proto Ar name Oc Oo Cm for-host Ar host Oo Cm port Ar port Oc Oc Brq ...
479 Set up a reverse proxy.
480 The optional matching rules
484 can be used to enable proxying only for protocols matching
489 and/or whose request IRI matches
493 .Pq 1965 by default .
494 Matching happens using shell globbing rules.
496 In case of multiple matching proxy blocks in the same context, the
497 first matching proxy will be put into effect and the later ones
503 Specify the client certificate to use when making requests.
505 Specify the client certificate key to use when making requests.
506 .It Ic protocols Ar string
507 Specify the TLS protocols allowed when making remote requests.
509 .Xr tls_config_parse_protocols 3
510 function for the valid protocol string values.
511 By default, both TLSv1.2 and TLSv1.3 are enabled.
512 .It Ic relay-to Ar host Op Cm port Ar port
513 Relay the request to the given
518 This is the only mandatory option in a
521 .It Ic require Ic client Ic ca Ar file
522 Allow the proxying only from clients that provide a certificate
523 signed by the CA certificate in
525 .It Ic sni Ar hostname
528 instead of the one extracted from the
530 rule for the TLS handshake with the proxied gemini server.
531 .It Ic use-tls Ar bool
532 Specify whether to use TLS when connecting to the proxied host.
534 .It Ic verifyname Ar bool
535 Enable or disable the TLS server name verification.
538 .It Ic root Ar directory
539 Specify the root directory for this server
540 .Pq alas the current Dq document root .
541 It's relative to the chroot if enabled.
542 .It Ic require Ic client Ic ca Ar path
543 Allow requests only from clients that provide a certificate signed by
544 the CA certificate in
546 It needs to be a PEM-encoded certificate and it's not relative to the
548 .It Ic strip Ar number
551 components from the beginning of the path before doing a lookup in the
553 It's also considered for the
555 parameter in the scope of a
561 section must include one or more lines of the following syntax, enclosed
564 .It Ar type Ns / Ns Ar subtype Ar name Op Ar name ...
569 to the specified extension
571 One or more names can be specified per line.
572 Earch line may end with an optional semicolon.
573 .It Ic include Ar file
574 Include types definition from an external file, for example
575 .Pa /usr/share/misc/mime.types .
580 uses the following mapping if no
584 .Bl -tag -offset indent -width 15m -compact
613 if no mapping was found.
615 The following is an example of a possible configuration for a site
616 that enables only TLSv1.3, adds the MIME types mapping from
617 .Pa /usr/share/misc/mime.types
618 and defines two virtual host:
619 .Bd -literal -offset indent
623 include "/usr/share/misc/mime.types"
626 server "example.com" {
627 listen on * port 1965
628 cert "/etc/ssl/example.com.pem"
629 key "/etc/ssl/private/example.com.key"
630 root "/var/gemini/example.com"
633 server "example.it" {
634 listen on * port 1965
635 cert "/etc/ssl/example.it.pem"
636 key "/etc/ssl/private/example.it.key"
637 root "/var/gemini/example.it"
639 # set the language for text/gemini files
644 Yet another example, showing how to enable a
649 .Bd -literal -offset indent
653 server "example.com" {
654 listen on * port 1965
657 cert "/etc/ssl/example.com.pem"
658 key "/etc/ssl/private/example.com.key"
660 # relative to the chroot:
663 location "/static/*" {
664 # load the following rules only for
665 # requests that matches "/static/*"
673 This shows how to set up a reverse proxy: all request for
675 will be forwarded to 10.0.0.6 transparently.
676 Proxying establish a new TLS connection, so any client-certificates used
679 cannot be provided to the proxied server as well.
680 .Bd -literal -offset indent
681 server "example.com" {
682 listen on * port 1965
683 cert "/etc/ssl/example.com.pem"
684 key "/etc/ssl/private/example.com.key"
686 relay-to 10.0.0.6 port 1965
697 program was written by
698 .An Omar Polo Aq Mt op@omarpolo.com .