Blob

Date:
Message:
revert 9f1cce3d0e53209180eabbcd48878c1e989101e7 we actually should open the log file in the chroot, the bug is in the code.
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2022, 2023, 2024 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd January 11, 2024

15 .Dt GMID.CONF 5

16 .Os

17 .Sh NAME

18 .Nm gmid.conf

19 .Nd gmid Gemini server configuration file

20 .Sh DESCRIPTION

21 .Nm

22 is the configuration file format for the

23 .Xr gmid 8

24 Gemini server.

25 .Pp

26 The configuration file is divided into the following sections:

27 .Bl -tag -width Ds

28 .It Sy Macros

29 User-defined variables may be defined and used later, simplifying the

30 configuration file.

31 .It Sy Global Options

32 Global settings for

33 .Xr gmid 8 .

34 .It Sy Types

35 Media types and extensions.

36 .It Sy Servers

37 Virtual hosts definition.

38 .El

39 .Pp

40 Within the sections, empty lines are ignored and comments can be put

41 anywhere in the file using a hash mark

42 .Pq Sq #

43 and extend to the end of the current line.

44 A boolean is either the symbol

45 .Sq on

46 or

47 .Sq off .

48 A string is a sequence of characters wrapped in double quotes,

49 .Dq like this .

50 Multiple strings one next to the other are joined into a single

51 string:

52 .Bd -literal -offset indent

53 # equivalent to "temporary-failure"

54 block return 40 "temporary" "-" "failure"

55 .Ed

56 .Pp

57 Furthermore, quoting is necessary only when a string needs to contain

58 special characters

59 .Pq like spaces or punctuation ,

60 something that looks like a number or a reserved keyword.

61 The last example could have been written also as:

62 .Bd -literal -offset indent

63 block return 40 temporary "-" failure

64 .Ed

65 .Pp

66 Strict ordering of the sections is not enforced, so that is possible

67 to mix macros, options and

68 .Ic server

69 blocks.

70 However, defining all the

71 .Ic server

72 blocks after the macros and the global options is recommended.

73 .Pp

74 Newlines are often optional, except around top-level instructions, and

75 semicolons

76 .Dq \&;

77 can also be optionally used to separate options.

78 .Pp

79 Additional configuration files can be included with the

80 .Ic include

81 keyword, for example:

82 .Bd -literal -offset indent

83 include "/etc/gmid.conf.local"

84 .Ed

85 .Ss Macros

86 Macros can be defined that will later be expanded in context.

87 Macro names must start with a letter, digit or underscore and may

88 contain any of those characters.

89 Macros names may not be reserved words.

90 Macros are not expanded inside quotes.

91 .Pp

92 Two kinds of macros are supported: variable-like and proper macros.

93 When a macro is invoked with a

94 .Dq $

95 before its name its expanded as a string, whereas when it's invoked

96 with a

97 .Dq @

98 its expanded in-place.

99 .Pp

100 For example:

101 .Bd -literal -offset indent

102 ext_ip = "10.0.0.1"

103 dir = "/var/gemini"

104 certdir = "/etc/keys"

105 common = "lang it; auto index on"

107 server "foo" {

108 	listen on $ext_ip

109 	root $dir "/foo"         # "/var/gemini/foo"

110 	cert $certdir "/foo.pem" # "/etc/keys/foo.pem"

111 	key  $certdir "/foo.key" # "/etc/keys/foo.key"

112 	@common

114 .Ed

115 .Ss Global Options

116 .Bl -tag -width 12m

117 .It Ic chroot Ar path

118 .Xr chroot 2

119 the process to the given

120 .Ar path .

121 The daemon has to be run with root privileges and thus the option

122 .Ic user

123 needs to be provided too, so privileges can be dropped afterwards.

124 All the paths in the configuration file are relative to the chroot

125 directory, except for the

126 .Ic cert ,

127 .Ic key

128 and

129 .Ic ocsp

130 paths.

131 Defaults to the

132 .Ic user

133 home directory, if provided.

134 .It Ic log Ar options

135 Specify logging options.

136 Multiple options may be provided within curly braces.

137 The available options are as follows:

138 .Bl -tag -width Ds

139 .It Ic access Ar file

140 Log the requests to

141 .Ar file .

142 The path is relative to the

143 .Ic chroot .

144 .It Ic style Ar style

145 Set the logging style, defaults to

146 .Ic legacy .

147 The

148 .Ar style

149 can be one of:

150 .Bl -tag -width Ds

151 .It Ic common

152 Attempt to be compatible with the default Apache httpd log format.

153 Each line is formatted as follows: the matching host name,

154 the remote IP address, one dash

155 .Sq - ,

156 Common Name of the client certificate

157 .Pq if provided, '-' otherwise ,

158 the timestamp of the request, the request URI wrapped in double quotes,

159 the response code and the size of the response.

160 .It Ic combined

161 Attempt to be compatible with the default nginx log format.

162 Each line is formatted as follows: the remote IP address, one dash

163 .Sq - ,

164 Common Name of the client certificate

165 .Pq if provided, '-' otherwise ,

166 the timestamp wrapped in square brackets, the request URI wrapped in

167 double quotes, the response code, the size of the response, a dash

168 wrapped in double quotes and "".

169 The strangness of these two last fields is because Gemini doesn't have

170 the notion of the

171 .Dq Referer

172 header nor the

173 .Dq User-agent .

174 .\" .It Ic condensed

175 .\" The native

176 .\" .Xr gmid 8

177 .\" format since 2.0.

178 .\" Each line is formatted as follows: RFC 3339 date time,

179 .\" remote IP address, Common Name of the client certificate

180 .\" .Pq if provided, '-' otherwise ,

181 .\" the matching host name, the request URI, the size of the request,

182 .\" the size of the response, the response code and meta.

183 .It Ic legacy

184 Each line is formatted as follows: the remote IP address and port, the

185 .Sq GET

186 keyword, the request URI, the response code and meta.

187 .El

188 .It Ic syslog Op Ic off

189 Log to syslog.

190 It is enabled by default, use the

191 .Ic off

192 argument to disable.

193 .It Ic syslog facility Ar facility

194 Log to

195 .Xr syslog 3

196 using specified

197 .Ar facility .

198 Available facilities are as follows: daemon, ftp, local0 through local7 and

199 user.

200 These are case insensitive and can be prefixed with

201 .Sq LOG_ .

202 Not all level may be available on all operating systems.

203 The default facility is

204 .Ev LOG_DAEMON .

205 .El

206 .It Ic prefork Ar number

207 Run the specified number of server processes.

208 This increases the performance and prevents delays when connecting to

209 a server.

210 .Xr gmid 8

211 runs 3 server processes by default.

212 The maximum number allowed is 16.

213 .It Ic protocols Ar string

214 Specify the TLS protocols to enable.

215 Refer to

216 .Xr tls_config_parse_protocols 3

217 for the valid protocol string values.

218 By default, both TLSv1.3 and TLSv1.2 are enabled.

219 Use

220 .Dq tlsv1.3

221 to enable only TLSv1.3.

222 .It Ic user Ar string

223 Run the daemon as the given user.

224 Mandatory if the

225 .Ic chroot

226 option is used.

227 .El

228 .Ss Servers

229 Every virtual host is defined by a

230 .Ic server

231 block:

232 .Bl -tag -width Ds

233 .It Ic server Ar hostname Brq ...

234 Match the server name using shell globbing rules.

235 It can be an explicit name,

236 .Ar www.example.com ,

237 or a name including wildcards,

238 .Ar *.example.com .

239 .El

240 .Pp

241 Followed by a block of options that is enclosed in curly brackets:

242 .Bl -tag -width Ds

243 .It Ic alias Ar name

244 Specify an additional alias

245 .Ar name

246 for this server.

247 .It Ic auto Ic index Ar bool

248 If no index file is found, automatically generate a directory listing.

249 Disabled by default.

250 .It Ic block Op Ic return Ar code Op Ar meta

251 Send a reply and close the connection;

252 by default

253 .Ar code

254 is 40

255 and

256 .Ar meta

257 is

258 .Dq temporary failure .

259 If

260 .Ar code

261 is in the 3x range, then

262 .Ar meta

263 is mandatory.

264 Inside

265 .Ar meta ,

266 the following special sequences are supported:

267 .Bl -tag -width Ds -compact

268 .It \&%\&%

269 is replaced with a single

270 .Sq \&% .

271 .It \&%p

272 is replaced with the request path.

273 .It \&%q

274 is replaced with the query string of the request.

275 .It \&%P

276 is replaced with the server port.

277 .It \&%N

278 is replaced with the server name.

279 .El

280 .It Ic cert Ar file

281 Path to the certificate to use for this server.

282 .Ar file

283 should contain a PEM encoded certificate.

284 This option is mandatory.

285 .It Ic default type Ar string

286 Set the default media type that is used if the media type for a

287 specified extension is not found.

288 If not specified, the

289 .Ic default type

290 is set to

291 .Dq application/octet-stream .

292 .It Ic fastcgi Ar option

293 Enable FastCGI instead of serving files.

294 Multiple options may be specified within curly braces.

295 Valid options are:

296 .Bl -tag -width Ds

297 .It Ic param Ar name Cm = Ar value

298 Set the param

299 .Ar name

300 to

301 .Ar value .

302 .It Ic socket Oo Ic tcp Oc Ar socket Oo Cm port Ar port Oc

303 The

304 .Ar socket

305 can either be a UNIX-domain socket or a TCP socket.

306 If the FastCGI application is listening on a UNIX domain socket,

307 .Ar socket

308 is a local path name within the

309 .Xr chroot 2

310 root directory of

311 .Xr gmid 8 .

312 Otherwise, the

313 .Ic tcp

314 keyword must be provided and

315 .Ar socket

316 is interpreted as a hostname or an IP address.

317 .Ar port

318 can be either a port number or the name of a service enclosed in

319 double quotes.

320 If not specified defaults to 9000.

321 .It Ic strip Ar number

322 Strip

323 .Ar number

324 leading path components from the request URL before splitting it in

325 .Ev SCRIPT_NAME

326 and

327 .Ev PATH_INFO .

328 .El

329 .Pp

330 The FastCGI handler will be given the following variables by default:

331 .Bl -tag -width 24m

332 .\" .It Ev GEMINI_DOCUMENT_ROOT

333 .\" The root directory of the virtual host.

334 .It Ev GEMINI_URL_PATH

335 Full path of the request.

336 .It Ev GEMINI_SEARCH_STRING

337 The decoded

338 .Ev QUERY_STRING

339 if defined in the request and if it doesn't contain any unencoded

340 .Sq =

341 characters, otherwise unset.

342 .It Ev GATEWAY_INTERFACE

343 .Dq CGI/1.1

344 .It Ev AUTH_TYPE

345 The string "Certificate" if the client used a certificate, otherwise

346 unset.

347 .It Ev PATH_INFO

348 The portion of the requested path that is derived from the the IRI

349 path hierarchy following

350 .Ev SCRIPT_NAME .

351 Can be unset.

352 .It Ev PATH_TRANSLATED

353 Present if and only if

354 .Ev PATH_INFO

355 is set.

356 It represent the translation of the

357 .Ev PATH_INFO .

358 .Nm gmid

359 builds this by appending the

360 .Ev PATH_INFO

361 to the virtual host directory root.

362 .It Ev QUERY_STRING

363 The URL-encoded search or parameter string.

364 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

365 Textual representation of the client IP.

366 .It Ev REQUEST_METHOD

367 This is present only for RFC3875 (CGI) compliance.

368 It's always set to

369 .Dq GET .

370 .It Ev SCRIPT_NAME

371 The virtual URI path to the script.

372 Since it's impossible to determine in all cases the correct

373 .Ev SCRIPT_NAME

374 programmatically

375 .Nm gmid

376 assumes it's the empty string.

377 It is recommended to manually specify this parameter when serving a

378 sub-tree of a virtual host via FastCGI.

379 .It Ev SERVER_NAME

380 The name of the server

381 .It Ev SERVER_PORT

382 The port the server is listening on.

383 .It Ev SERVER_PROTOCOL

384 .Dq GEMINI

385 .It Ev SERVER_SOFTWARE

386 The name and version of the server, i.e.

387 .Dq gmid/2.0.1

388 .It Ev REMOTE_USER

389 The subject of the client certificate if provided, otherwise unset.

390 .It Ev TLS_CLIENT_ISSUER

391 The is the issuer of the client certificate if provided, otherwise

392 unset.

393 .It Ev TLS_CLIENT_HASH

394 The hash of the client certificate if provided, otherwise unset.

395 The format is

396 .Dq ALGO:HASH .

397 .It Ev TLS_VERSION

398 The TLS version negotiated with the peer.

399 .It Ev TLS_CIPHER

400 The cipher suite negotiated with the peer.

401 .It Ev TLS_CIPHER_STRENGTH

402 The strength in bits for the symmetric cipher that is being used with

403 the peer.

404 .It Ev TLS_CLIENT_NOT_AFTER

405 The time corresponding to the end of the validity period of the peer

406 certificate in the ISO 8601 format

407 .Pq e.g. Dq 2021-02-07T20:17:41Z .

408 .It Ev TLS_CLIENT_NOT_BEFORE

409 The time corresponding to the start of the validity period of the peer

410 certificate in the ISO 8601 format.

411 .El

412 .It Ic fastcgi off

413 Disable FastCGI handling in the current location.

414 .It Ic index Ar string

415 Set the directory index file.

416 If not specified, it defaults to

417 .Pa index.gmi .

418 .It Ic key Ar file

419 Specify the private key to use for this server.

420 .Ar file

421 should contain a PEM encoded private key.

422 This option is mandatory.

423 .It Ic lang Ar string

424 Specify the language tag for the text/gemini content served.

425 If not specified, no

426 .Dq lang

427 parameter will be added in the response.

428 .It Ic listen on Ar address Op Ic port Ar number

429 Set the listen

430 .Ar address

431 and

432 .Ar port

433 which defaults to

434 .Sq 1965 .

435 This statement can be specified multiple times.

436 If

437 .Ar address

438 is

439 .Sq *

440 then

441 .Xr gmid 8

442 will listen on all IPv4 and IPv6 addresses.

443 .Ar 0.0.0.0

444 can be used to listen on all IPv4 addresses and

445 .Ar ::

446 on all IPv6 addresses.

447 .It Ic location Ar path Brq ...

448 Specify server configuration rules for a specific location.

449 .Ar path

450 argument will be matched against the request path with shell globbing

451 rules.

452 In case of multiple location statements in the same context, the first

453 matching location will be put into effect and the later ones ignored.

454 Therefore is advisable to match for more specific paths first and for

455 generic ones later on.

457 .Ic location

458 section may include most of the server configuration rules

459 except

460 .Ic alias , Ic cert , Ic key , Ic listen , Ic location

461 and

462 .Ic proxy .

463 .It Ic log Ar bool

464 Enable or disable the logging for the current server or location block.

465 .It Ic ocsp Ar file

466 Specify an OCSP response to be stapled during TLS handshakes

467 with this server.

468 The

469 .Ar file

470 should contain a DER-format OCSP response retrieved from an

471 OCSP server for the

472 .Ic cert

473 in use.

474 If the OCSP response in

475 .Ar file

476 is empty, OCSP stapling will not be used.

477 The default is to not use OCSP stapling.

478 .It Ic proxy Oo Cm proto Ar name Oc Oo Cm for-host Ar host Oo Cm port Ar port Oc Oc Brq ...

479 Set up a reverse proxy.

480 The optional matching rules

481 .Cm proto

482 and

483 .Cm for-host

484 can be used to enable proxying only for protocols matching

485 .Ar name

486 .Po Dq gemini

487 by default

488 .Pc

489 and/or whose request IRI matches

490 .Ar host

491 and

492 .Ar port

493 .Pq 1965 by default .

494 Matching happens using shell globbing rules.

495 .Pp

496 In case of multiple matching proxy blocks in the same context, the

497 first matching proxy will be put into effect and the later ones

498 ignored.

499 .Pp

500 Valid options are:

501 .Bl -tag -width Ds

502 .It Ic cert Ar file

503 Specify the client certificate to use when making requests.

504 .It Ic key Ar file

505 Specify the client certificate key to use when making requests.

506 .It Ic protocols Ar string

507 Specify the TLS protocols allowed when making remote requests.

508 Refer to the

509 .Xr tls_config_parse_protocols 3

510 function for the valid protocol string values.

511 By default, both TLSv1.2 and TLSv1.3 are enabled.

512 .It Ic relay-to Ar host Op Cm port Ar port

513 Relay the request to the given

514 .Ar host

515 at the given

516 .Ar port ,

517 1965 by default.

518 This is the only mandatory option in a

519 .Ic proxy

520 block.

521 .It Ic require Ic client Ic ca Ar file

522 Allow the proxying only from clients that provide a certificate

523 signed by the CA certificate in

524 .Ar file .

525 .It Ic sni Ar hostname

526 Use the given

527 .Ar hostname

528 instead of the one extracted from the

529 .Ic relay-to

530 rule for the TLS handshake with the proxied gemini server.

531 .It Ic use-tls Ar bool

532 Specify whether to use TLS when connecting to the proxied host.

533 Enabled by default.

534 .It Ic verifyname Ar bool

535 Enable or disable the TLS server name verification.

536 Enabled by default.

537 .El

538 .It Ic root Ar directory

539 Specify the root directory for this server

540 .Pq alas the current Dq document root .

541 It's relative to the chroot if enabled.

542 .It Ic require Ic client Ic ca Ar path

543 Allow requests only from clients that provide a certificate signed by

544 the CA certificate in

545 .Ar path .

546 It needs to be a PEM-encoded certificate and it's not relative to the

547 chroot.

548 .It Ic strip Ar number

549 Strip

550 .Ar number

551 components from the beginning of the path before doing a lookup in the

552 root directory.

553 It's also considered for the

554 .Ar meta

555 parameter in the scope of a

556 .Ic block return .

557 .El

558 .Ss Types

559 The

560 .Ic types

561 section must include one or more lines of the following syntax, enclosed

562 in curly brances:

563 .Bl -tag -width Ds

564 .It Ar type Ns / Ns Ar subtype Ar name Op Ar name ...

565 Set the media

566 .Ar type

567 and

568 .Ar subtype

569 to the specified extension

570 .Ar name .

571 One or more names can be specified per line.

572 Earch line may end with an optional semicolon.

573 .It Ic include Ar file

574 Include types definition from an external file, for example

575 .Pa /usr/share/misc/mime.types .

576 .El

577 .Pp

578 By default

579 .Nm gmid

580 uses the following mapping if no

581 .Ic types

582 block is defined:

583 .Pp

584 .Bl -tag -offset indent -width 15m -compact

585 .It application/pdf

586 pdf

587 .It image/gif

588 gif

589 .It image/jpeg

590 jpg jpeg

591 .It image/png

592 png

593 .It image/svg+xml

594 svg

595 .It text/gemini

596 gemini gmi

597 .It text/markdown

598 markdown md

599 .It text/x-patch

600 diff patch

601 .It text/xml

602 xml

603 .El

604 .Pp

605 As an exception,

606 .Nm gmid

607 uses the MIME type

608 .Ar text/gemini

609 for file extensions

610 .Ar gemini

611 or

612 .Ar gmi

613 if no mapping was found.

614 .Sh EXAMPLES

615 The following is an example of a possible configuration for a site

616 that enables only TLSv1.3, adds the MIME types mapping from

617 .Pa /usr/share/misc/mime.types

618 and defines two virtual host:

619 .Bd -literal -offset indent

620 protocols "tlsv1.3"

622 types {

623 	include "/usr/share/misc/mime.types"

626 server "example.com" {

627 	listen on * port 1965

628 	cert "/etc/ssl/example.com.pem"

629 	key  "/etc/ssl/private/example.com.key"

630 	root "/var/gemini/example.com"

633 server "example.it" {

634 	listen on * port 1965

635 	cert "/etc/ssl/example.it.pem"

636 	key  "/etc/ssl/private/example.it.key"

637 	root "/var/gemini/example.it"

639 	# set the language for text/gemini files

640 	lang "it"

642 .Ed

643 .Pp

644 Yet another example, showing how to enable a

645 .Ic chroot

646 and use

647 .Ic location

648 rule

649 .Bd -literal -offset indent

650 chroot "/var/gemini"

651 user "_gmid"

653 server "example.com" {

654 	listen on * port 1965

656 	# absolute paths:

657 	cert "/etc/ssl/example.com.pem"

658 	key  "/etc/ssl/private/example.com.key"

660 	# relative to the chroot:

661 	root "/example.com"

663 	location "/static/*" {

664 		# load the following rules only for

665 		# requests that matches "/static/*"

667 		auto index on

668 		index "index.gemini"

671 .Ed

672 .Pp

673 This shows how to set up a reverse proxy: all request for

674 .Sq example.com

675 will be forwarded to 10.0.0.6 transparently.

676 Proxying establish a new TLS connection, so any client-certificates used

677 to connect to

678 .Xr gmid 8

679 cannot be provided to the proxied server as well.

680 .Bd -literal -offset indent

681 server "example.com" {

682 	listen on * port 1965

683 	cert "/etc/ssl/example.com.pem"

684 	key "/etc/ssl/private/example.com.key"

685 	proxy {

686 		relay-to 10.0.0.6 port 1965

689 .Ed

690 .Sh SEE ALSO

691 .Xr gmid 8 ,

692 .Xr slowcgi 8

693 .Sh AUTHORS

694 .An -nosplit

695 The

696 .Nm gmid

697 program was written by

698 .An Omar Polo Aq Mt op@omarpolo.com .