op public repos

Blob

Date:: Tue Jun 29 14:19:35 2021 UTC
Message:: document macros: both -D and syntax
Actions:: History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>
2 .\"
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
6 .\"
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: January 30 2021$
15 .Dt GMID 1
16 .Os
17 .Sh NAME
18 .Nm gmid
19 .Nd simple and secure Gemini server
20 .Sh SYNOPSIS
21 .Nm
22 .Bk -words
23 .Op Fl fnv
24 .Op Fl c Ar config
25 .Op Fl D Ar macro Ns = Ns Ar value
26 .Op Fl P Ar pidfile
27 .Ek
28 .Nm
29 .Bk -words
30 .Op Fl 6hVv
31 .Op Fl d Pa certs-dir
32 .Op Fl H Ar hostname
33 .Op Fl p Ar port
34 .Op Fl x Pa cgi
35 .Op Pa dir
36 .Ek
37 .Sh DESCRIPTION
38 .Nm
39 is a simple and minimal gemini server that can serve static files,
40 execute CGI scripts and talk to FastCGI applications.
41 It can run without a configuration file with a limited set of features
42 available.
43 .Pp
44 .Nm
45 rereads the configuration file when it receives
46 .Dv SIGHUP .
47 .Pp
48 The options are as follows:
49 .Bl -tag -width 14m
50 .It Fl c Pa config
51 Specify the configuration file.
52 .It Fl D Ar macro Ns = Ns Ar value
53 Define
54 .Ar macro
55 to be set to
56 .Ar value
57 on the command line.
58 Overrides the definition of
59 .Ar macro
60 in the config file if present.
61 .It Fl f
62 Stays and logs on the foreground.
63 .It Fl n
64 Check that the configuration is valid, but don't start the server.
65 .It Fl P Pa pidfile
66 Write
67 .Nm
68 pid to the given path.
69 .El
70 .Pp
71 If no configuration file is given,
72 .Nm
73 will look for the following options
74 .Bl -tag -width 14m
75 .It Fl 6
76 Enable IPv6.
77 .It Fl d Pa certs-path
78 Directory where certificates for the config-less mode are stored.
79 By default is
80 .Pa $XDG_DATA_HOME/gmid ,
81 i.e.
82 .Pa ~/.local/share/gmid .
83 .It Fl H Ar hostname
84 The hostname, by default
85 .Ar localhost .
86 Certificates for the given
87 .Ar hostname
88 are searched inside the
89 .Pa certs-dir
90 directory given with the
91 .Fl d
92 option.
93 They have the form
94 .Pa hostname.cert.pem
95 and
96 .Pa hostname.key.pem .
97 If a certificate or key don't exists for a given hostname they
98 will be automatically generated.
99 .It Fl h , Fl -help
100 Print the usage and exit.
101 .It Fl p Ar port
102 The port to listen on, by default 1965.
103 .It Fl V , Fl -version
104 Print the version and exit.
105 .It Fl v
106 Verbose mode.
107 Multiple
108 .Fl v
109 options increase the verbosity.
110 .It Fl x Pa path
111 Enable execution of CGI scripts.
112 See the description of the
113 .Ic cgi
114 option in the section
115 .Sq Servers
116 below to learn how
117 .Pa path
118 is processed.
119 Cannot be provided more than once.
120 .It Pa dir
121 The root directory to serve.
122 By default the current working directory is assumed.
123 .El
124 .Sh CONFIGURATION FILE
125 The configuration file is divided into three sections:
126 .Bl -tag -width xxxx
127 .It Sy Macros
128 User-defined variables may be defined and used later, simplifying the
129 configuration file.
130 .It Sy Global Options
131 Global settings for
132 .Nm .
133 .It Sy Servers
134 Virtual hosts definition.
135 .El
136 .Pp
137 Within the sections, empty lines are ignored and comments can be put
138 anywhere in the file using a hash mark
139 .Pq Sq # ,
140 and extend to the end of the current line.
141 A boolean is either the symbol
142 .Sq on
143 or
144 .Sq off .
145 A string is a sequence of characters wrapped in double quotes,
146 .Dq like this .
147 .Pp
148 Strict ordering of the sections is not enforced, so that is possible
149 to mix macros, options and
150 .Ic server
151 blocks.
152 However, defining all the
153 .Ic server
154 blocks after the macros and the global options is recommended.
155 .Ss Macros
156 Macros can be defined that will later be expanded in context.
157 Macro names must start with a letter, digit or underscore and may
158 contain any of those characters.
159 Macro names may not be reserved words.
160 Macros are expanded inside the quotes too.
161 .Pp
162 For example:
163 .Bd -literal -offset indent
164 dir = "/var/gemini"
165 cert = "/etc/keys"
166 
167 server "foo" {
168 	root "$dir/foo"      # -> /var/gemini/foo
169 	cert "$cert/foo.crt" # -> /etc/keys/foo.crt
170 	key  "$cert/foo.pem" # -> /etc/keys/foo.pem
171 }
172 .Ed
173 .Ss Global Options
174 .Bl -tag -width 12m
175 .It Ic chroot Pa path
176 .Xr chroot 2
177 the process to the given
178 .Pa path .
179 The daemon has to be run with root privileges and thus the option
180 .Ic user
181 needs to be provided, so privileges can be dropped.
182 Note that
183 .Nm
184 will enter the chroot after loading the TLS keys, but before opening
185 the virtual host root directories.
186 It's recommended to keep the TLS keys outside the chroot.
187 Future version of
188 .Nm
189 may enforce this.
190 .It Ic ipv6 Ar bool
191 Enable or disable IPv6 support.
192 By default is off.
193 .It Ic mime Ar mime-type Ar file-extension
194 Add a mapping for the given
195 .Ar file-extension
196 to the given
197 .Ar mime-type .
198 Both argument are strings.
199 .It Ic port Ar portno
200 The port to listen on.
201 By default is 1965.
202 .It Ic prefork Ar number
203 Run the specified number of server processes.
204 This increases the performance and prevents delays when connecting to
205 a server.
206 .Nm
207 runs 3 server processes by default, when not in config-less mode.
208 The maximum number allowed is 16.
209 .It Ic protocols Ar string
210 Specify the TLS protocols to enable.
211 Refer to
212 .Xr tls_config_parse_protocols 3
213 for the valid protocol string values.
214 By default, both TLSv1.3 and TLSv1.2 are enabled.
215 Use
216 .Dq tlsv1.3
217 to enable only TLSv1.3.
218 .It Ic user Ar string
219 Run the daemon as the given user.
220 .El
221 .Ss Servers
222 Every virtual host is defined by a
223 .Ic server
224 block:
225 .Bl -tag -width Ds
226 .It Ic server Ar hostname Brq ...
227 Match the server name using shell globbing rules.
228 This can be an explicit name,
229 .Ar www.example.com ,
230 or a name including a wildcards,
231 .Ar *.example.com .
232 .El
233 .Pp
234 Followed by a block of options that is enclosed in curly brackets:
235 .Bl -tag -width Ds
236 .It Ic alias Ar name
237 Specify an additional alias
238 .Ar name
239 for this server.
240 .It Ic auto Ic index Ar bool
241 If no index file is found, automatically generate a directory listing.
242 It's disabled by default.
243 .It Ic block Op Ic return Ar code Op Ar meta
244 Send a reply and close the connection;
245 .Ar code
246 is 40
247 and
248 .Ar meta
249 is
250 .Dq temporary failure
251 by default.
252 If
253 .Ar code
254 is in the 3x range, then
255 .Ar meta
256 must be provided.
257 Inside
258 .Ar meta ,
259 the following special sequences are replaced:
260 .Bl -tag -width Ds -compact
261 .It \&%\&%
262 is replaced with a single
263 .Sq \&% .
264 .It \&%p
265 is replaced with the request path.
266 .It \&%q
267 is replaced with the query string of the request.
268 .It \&%P
269 is replaced with the server port.
270 .It \&%N
271 is replaced with the server name.
272 .El
273 .It Ic cert Pa file
274 Path to the certificate to use for this server.
275 The
276 .Pa file
277 should contain a PEM encoded certificate.
278 This option is mandatory.
279 .It Ic cgi Pa path
280 Execute CGI scripts that matches
281 .Pa path
282 using shell globbing rules.
283 .It Ic default type Ar string
284 Set the default media type that is used if the media type for a
285 specified extension is not found.
286 If not specified, the
287 .Ic default type
288 is set to
289 .Dq application/octet-stream .
290 .It Ic entrypoint Pa path
291 Handle all the requests for the current virtual host using the
292 CGI script at
293 .Pa path .
294 .It Ic env Ar name Ar value
295 Set the environment variable
296 .Ar name
297 to
298 .Ar value
299 when executing CGI scripts.
300 Can be provided more than once.
301 .\" don't document the "spawn <prog>" form because it probably won't
302 .\" be kept.
303 .It Ic fastcgi Oo Ic tcp Oc Pa socket Oo Ar port Oc
304 Enable FastCGI instead of serving files.
305 The
306 .Pa socket
307 can either be a UNIX domain socket or a TCP socket.
308 If the FastCGI application is listening on a UNIX domain socket,
309 .Pa socket
310 is a local path name within the
311 .Xr chroot 2
312 root directory of
313 .Nm .
314 Otherwise, the
315 .Ic tcp
316 keyword must be provided and
317 .Pa socket
318 is interpreted as a hostname or an IP address.
319 .Ar port
320 can be either a port number or the name of a service enclosed in
321 double quotes.
322 If it's not specified defaults to 9000.
323 .It Ic index Ar string
324 Set the directory index file.
325 If not specified, it defaults to
326 .Pa index.gmi .
327 .It Ic key Pa file
328 Specify the private key to use for this server.
329 The
330 .Pa file
331 should contain a PEM encoded private key.
332 This option is mandatory.
333 .It Ic lang Ar string
334 Specify the language tag for the text/gemini content served.
335 If not specified, no
336 .Dq lang
337 parameter will be added in the response.
338 .It Ic location Pa path Brq ...
339 Specify server configuration rules for a specific location.
340 The
341 .Pa path
342 argument will be matched against the request path with shell globbing
343 rules.
344 In case of multiple location statements in the same context, the first
345 matching location will be put into effect and the later ones ignored.
346 Therefore is advisable to match for more specific paths first and for
347 generic ones later on.
348 A
349 .Ic location
350 section may include most of the server configuration rules
351 except
352 .Ic alias , Ic cert , Ic env , Ic key , Ic location ,
353 .Ic entrypoint No and Ic cgi .
354 .It Ic log Ar bool
355 Enable or disable the logging for the current server or location block.
356 .It Ic param Ar name Ar value
357 Set the param
358 .Ar name
359 to
360 .Ar value
361 for FastCGI.
362 .It Ic root Pa directory
363 Specify the root directory for this server.
364 It's relative to the chroot, if enabled.
365 .It Ic require Ic client Ic ca Pa path
366 Allow requests only from clients that provide a certificate signed by
367 the CA certificate in
368 .Pa path .
369 It needs to be a PEM-encoded certificate and it's not relative to the
370 chroot.
371 .It Ic strip Ar number
372 Strip
373 .Ar number
374 components from the beginning of the path before doing a lookup in the
375 root directory.
376 It's also considered for the
377 .Ar meta
378 parameter in the scope of a
379 .Ic block return .
380 .El
381 .Sh CGI
382 When a request for an executable file matches the
383 .Ic cgi
384 rule, that file will be execute and its output fed to the client.
385 .Pp
386 The CGI scripts are executed in the directory they reside and inherit
387 the environment from
388 .Nm
389 with these additional variables set:
390 .Bl -tag -width 24m
391 .It Ev GATEWAY_INTERFACE
392 .Dq CGI/1.1
393 .It Ev GEMINI_DOCUMENT_ROOT
394 The root directory of the virtual host.
395 .It Ev GEMINI_SCRIPT_FILENAME
396 Full path to the CGI script being executed.
397 .It Ev GEMINI_URL
398 The full IRI of the request.
399 .It Ev GEMINI_URL_PATH
400 The path of the request.
401 .It Ev PATH_INFO
402 The portion of the requested path that is derived from the the IRI
403 path hierarchy following the part that identifies the script itself.
404 Can be unset.
405 .It Ev PATH_TRANSLATED
406 Present if and only if
407 .Ev PATH_INFO
408 is set.
409 It represent the translation of the
410 .Ev PATH_INFO .
411 .Nm
412 builds this by appending the
413 .Ev PATH_INFO
414 to the virtual host directory root.
415 .It Ev QUERY_STRING
416 The decoded query string.
417 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
418 Textual representation of the client IP.
419 .It Ev REQUEST_METHOD
420 This is present only for RFC3875 (CGI) compliance.
421 It's always set to the empty string.
422 .It Ev SCRIPT_NAME
423 The part of the
424 .Ev GEMINI_URL_PATH
425 that identifies the current CGI script.
426 .It Ev SERVER_NAME
427 The name of the server
428 .It Ev SERVER_PORT
429 The port the server is listening on.
430 .It Ev SERVER_PROTOCOL
431 .Dq GEMINI
432 .It Ev SERVER_SOFTWARE
433 The name and version of the server, i.e.
434 .Dq gmid/1.5
435 .It Ev AUTH_TYPE
436 The string "Certificate" if the client used a certificate, otherwise
437 unset.
438 .It Ev REMOTE_USER
439 The subject of the client certificate if provided, otherwise unset.
440 .It Ev TLS_CLIENT_ISSUER
441 The is the issuer of the client certificate if provided, otherwise
442 unset.
443 .It Ev TLS_CLIENT_HASH
444 The hash of the client certificate if provided, otherwise unset.
445 The format is
446 .Dq ALGO:HASH .
447 .It Ev TLS_VERSION
448 The TLS version negotiated with the peer.
449 .It Ev TLS_CIPHER
450 The cipher suite negotiated with the peer.
451 .It Ev TLS_CIPHER_STRENGTH
452 The strength in bits for the symmetric cipher that is being used with
453 the peer.
454 .It Ev TLS_CLIENT_NOT_AFTER
455 The time corresponding to the end of the validity period of the peer
456 certificate in the ISO 8601 format
457 .Pq e.g. Dq 2021-02-07T20:17:41Z .
458 .It Ev TLS_CLIENT_NOT_BEFORE
459 The time corresponding to the start of the validity period of the peer
460 certificate in the ISO 8601 format.
461 .El
462 .Sh FastCGI
463 .Nm
464 optionally supports FastCGI.
465 A
466 .Ic fastcgi
467 rule must be present in a server or location block.
468 Then, all requests matching that server or location will be handled
469 via the specified FastCGI backend.
470 .Pp
471 By default the following variables
472 .Pq parameters
473 are sent, and carry the same semantics as with CGI.
474 More parameters can be added with the
475 .Ic param
476 option.
477 .Bl -bullet -compact
478 .It
479 GATEWAY_INTERFACE
480 .It
481 GEMINI_URL_PATH
482 .It
483 QUERY_STRING
484 .It
485 REMOTE_ADDR
486 .It
487 REMOTE_HOST
488 .It
489 REQUEST_METHOD
490 .It
491 SERVER_NAME
492 .It
493 SERVER_PROTOCOL
494 .It
495 SERVER_SOFTWARE
496 .It
497 AUTH_TYPE
498 .It
499 REMOTE_USER
500 .It
501 TLS_CLIENT_ISSUER
502 .It
503 TLS_CLIENT_HASH
504 .It
505 TLS_VERSION
506 .It
507 TLS_CIPHER
508 .It
509 TLS_CIPHER_STRENGTH
510 .It
511 TLS_CLIENT_NOT_BEFORE
512 .It
513 TLS_CLIENT_NOT_AFTER
514 .El
515 .Sh MIME
516 To auto-detect the MIME type of the response
517 .Nm
518 looks at the file extension and consults its internal table.
519 By default the following mappings are loaded, but they can be
520 overridden or extended using the
521 .Ic mime
522 configuration option.
523 If no MIME is found, the value of
524 .Ic default type
525 matching the file
526 .Ic location
527 will be used, which is
528 .Dq application/octet-stream
529 by default.
530 .Pp
531 .Bl -tag -offset indent -width 14m -compact
532 .It diff
533 text/x-patch
534 .It gemini, gmi
535 text/gemini
536 .It gif
537 image/gif
538 .It jpeg
539 image/jpeg
540 .It jpg
541 image/jpeg
542 .It markdown, md
543 text/markdown
544 .It patch
545 text/x-patch
546 .It pdf
547 application/pdf
548 .It png
549 image/png
550 .It svg
551 image/svg+xml
552 .It txt
553 text/plain
554 .It xml
555 text/xml
556 .El
557 .Sh EXAMPLES
558 Serve the current directory
559 .Bd -literal -offset indent
560 $ gmid .
561 .Ed
562 .Pp
563 To serve the directory
564 .Pa docs
565 and enable CGI scripts inside
566 .Pa docs/cgi ,
567 you can
568 .Bd -literal -offset indent
569 $ mkdir docs/cgi
570 $ cat <<EOF > docs/cgi/hello
571 #!/bin/sh
572 printf "20 text/plain\\r\\n"
573 echo "hello world"
574 EOF
575 $ chmod +x docs/cgi/hello
576 $ gmid -x '/cgi/*' docs
577 .Ed
578 .Pp
579 The following is an example of a possible configuration for a site
580 that enables only TLSv1.3, adds a mime type for the file extension
581 "rtf" and defines two virtual host:
582 .Bd -literal -offset indent
583 ipv6 on		# enable ipv6
584 
585 protocols "tlsv1.3"
586 
587 mime "application/rtf" "rtf"
588 
589 server "example.com" {
590 	cert "/path/to/cert.pem"
591 	key  "/path/to/key.pem"
592 	root "/var/gemini/example.com"
593 }
594 
595 server "it.example.com" {
596 	cert "/path/to/cert.pem"
597 	key  "/path/to/key.pem"
598 	root "/var/gemini/it.example.com"
599 	cgi  "/cgi-bin/*"
600 	lang "it"
601 }
602 .Ed
603 .Pp
604 Yet another example, showing how to enable a
605 .Ic chroot
606 and use
607 .Ic location
608 rule
609 .Bd -literal -offset indent
610 chroot "/var/gemini"
611 user "_gmid"
612 
613 server "example.com" {
614 	cert "/path/to/cert.pem"
615 	key  "/path/to/key.pem"
616 	root "/example.com" # in the /var/gemini chroot
617 
618 	location "/static/*" {
619 		auto index on
620 		index "index.gemini"
621 	}
622 }
623 .Ed
624 .Sh ACKNOWLEDGEMENTS
625 .Nm
626 uses the
627 .Dq Flexible and Economical
628 UTF-8 decoder written by
629 .An Bjoern Hoehrmann .
630 .Sh AUTHORS
631 .An -nosplit
632 The
633 .Nm
634 program was written by
635 .An Omar Polo Aq Mt op@omarpolo.com .
636 .Sh CAVEATS
637 .Bl -bullet
638 .It
639 The root directories of all virtual hosts are opened during the daemon
640 startup; this means that if a root directory gets deleted and then
641 re-created,
642 .Nm
643 won't be able to serve files inside that directory until a restart.
644 This restriction applies only to the root directories and not their content.
645 .It
646 a %2F sequence is indistinguishable from a literal slash: this is not
647 RFC3986-compliant.
648 .It
649 a %00 sequence is treated as invalid character and thus rejected.
650 .El