Blob

Date:
Message:
pidfile support with `-P pidfile'
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd $Mdocdate: January 30 2021$

15 .Dt GMID 1

16 .Os

17 .Sh NAME

18 .Nm gmid

19 .Nd simple and secure Gemini server

20 .Sh SYNOPSIS

21 .Nm

22 .Bk -words

23 .Op Fl fnv

24 .Op Fl c Ar config

25 .Op Fl P Ar pidfile

26 .Ek

27 .Nm

28 .Bk -words

29 .Op Fl 6hv

30 .Op Fl d Pa certs-dir

31 .Op Fl H Ar hostname

32 .Op Fl p Ar port

33 .Op Fl x Pa cgi

34 .Op Pa dir

35 .Ek

36 .Sh DESCRIPTION

37 .Nm

38 is a simple and minimal gemini server that can serve static files and

39 execute CGI scripts.

40 It can run without a configuration file with a limited set of features

41 available.

42 .Pp

43 .Nm

44 rereads the configuration file when it receives

45 .Dv SIGHUP .

46 .Pp

47 The options are as follows:

48 .Bl -tag -width 14m

49 .It Fl c Pa config

50 Specify the configuration file.

51 .It Fl f

52 Stays and logs on the foreground.

53 .It Fl n

54 Check that the configuration is valid, but don't start the server.

55 .It Fl P Pa pidfile

56 Write

57 .Nm

58 pid to the given path.

59 .El

60 .Pp

61 If no configuration file is given,

62 .Nm

63 will look for the following options

64 .Bl -tag -width 14m

65 .It Fl 6

66 Enable IPv6.

67 .It Fl d Pa certs-path

68 Directory where certificates for the config-less mode are stored.

69 By default is

70 .Pa $XDG_DATA_HOME/gmid ,

71 i.e.

72 .Pa ~/.local/share/gmid .

73 .It Fl H Ar hostname

74 The hostname, by default

75 .Ar localhost .

76 Certificates for the given

77 .Ar hostname

78 are searched inside the

79 .Pa certs-dir

80 directory given with the

81 .Fl d

82 option.

83 They have the form

84 .Pa hostname.cert.pem

85 and

86 .Pa hostname.key.pem .

87 If a certificate or key don't exists for a given hostname they

88 will be automatically generated.

89 .It Fl h

90 Print the usage and exit.

91 .It Fl p Ar port

92 The port to listen on, by default 1965.

93 .It Fl v

94 Verbose mode.

95 Multiple

96 .Fl v

97 options increase the verbosity.

98 .It Fl x Pa path

99 Enable execution of CGI scripts.

100 See the description of the

101 .Ic cgi

102 option in the section

103 .Sq Servers

104 below to learn how

105 .Pa path

106 is processed.

107 Cannot be provided more than once.

108 .It Pa dir

109 The root directory to serve.

110 By default the current working directory is assumed.

111 .El

112 .Sh CONFIGURATION FILE

113 The configuration file is divided into two sections:

114 .Bl -tag -width xxxx

115 .It Sy Global Options

116 Global settings for

117 .Nm .

118 .It Sy Servers

119 Virtual hosts definition.

120 .El

121 .Pp

122 Within the sections, empty lines are ignored and comments can be put

123 anywhere in the file using a hash mark

124 .Pq Sq # ,

125 and extend to the end of the current line.

126 A boolean is either the symbol

127 .Sq on

128 or

129 .Sq off .

130 A string is a sequence of characters wrapped in double quotes,

131 .Dq like this .

132 .Ss Global Options

133 .Bl -tag -width 12m

134 .It Ic chroot Pa path

135 .Xr chroot 2

136 the process to the given

137 .Pa path .

138 The daemon has to be run with root privileges and thus the option

139 .Ic user

140 needs to be provided, so privileges can be dropped.

141 Note that

142 .Nm

143 will enter the chroot after loading the TLS keys, but before opening

144 the virtual host root directories.

145 It's recommended to keep the TLS keys outside the chroot.

146 Future version of

147 .Nm

148 may enforce this.

149 .It Ic ipv6 Ar bool

150 Enable or disable IPv6 support.

151 By default is off.

152 .It Ic mime Ar mime-type Ar file-extension

153 Add a mapping for the given

154 .Ar file-extension

155 to the given

156 .Ar mime-type .

157 Both argument are strings.

158 .It Ic port Ar portno

159 The port to listen on.

160 By default is 1965.

161 .It Ic prefork Ar number

162 Run the specified number of server processes.

163 This increases the performance and prevents delays when connecting to

164 a server.

165 .Nm

166 runs 3 server processes by default, when not in config-less mode.

167 The maximum number allowed is 16.

168 .It Ic protocols Ar string

169 Specify the TLS protocols to enable.

170 Refer to

171 .Xr tls_config_parse_protocols 3

172 for the valid protocol string values.

173 By default, both TLSv1.3 and TLSv1.2 are enabled.

174 Use

175 .Dq tlsv1.3

176 to enable only TLSv1.3.

177 .It Ic user Ar string

178 Run the daemon as the given user.

179 .El

180 .Ss Servers

181 Every virtual host is defined by a

182 .Ic server

183 block:

184 .Bl -tag -width Ds

185 .It Ic server Ar hostname Brq ...

186 Match the server name using shell globbing rules.

187 This can be an explicit name,

188 .Ar www.example.com ,

189 or a name including a wildcards,

190 .Ar *.example.com .

191 .El

192 .Pp

193 Followed by a block of options that is enclosed in curly brackets:

194 .Bl -tag -width Ds

195 .It Ic auto Ic index Ar bool

196 If no index file is found, automatically generate a directory listing.

197 It's disabled by default.

198 .It Ic block Op Ic return Ar code Op Ar meta

199 Send a reply and close the connection;

200 .Ar code

201 is 40

202 and

203 .Ar meta

204 is

205 .Dq temporary failure

206 by default.

207 If

208 .Ar code

209 is in the 3x range, then

210 .Ar meta

211 must be provided.

212 Inside

213 .Ar meta ,

214 the following special sequences are replaced:

215 .Bl -tag -compact

216 .It \&%\&%

217 is replaced with a single

218 .Sq \&% .

219 .It \&%p

220 is replaced with the request path.

221 .It \&%q

222 is replaced with the query string of the request.

223 .It \&%P

224 is replaced with the server port.

225 .It \&%N

226 is replaced with the server name.

227 .El

228 .It Ic cert Pa file

229 Path to the certificate to use for this server.

230 The

231 .Pa file

232 should contain a PEM encoded certificate.

233 This option is mandatory.

234 .It Ic cgi Pa path

235 Execute CGI scripts that matches

236 .Pa path

237 using shell globbing rules.

238 .It Ic default type Ar string

239 Set the default media type that is used if the media type for a

240 specified extension is not found.

241 If not specified, the

242 .Ic default type

243 is set to

244 .Dq application/octet-stream .

245 .It Ic entrypoint Pa path

246 Handle all the requests for the current virtual host using the

247 CGI script at

248 .Pa path .

249 .It Ic env Ar name Ar value

250 Set the environment variable

251 .Ar name

252 to

253 .Ar value

254 when executing CGI scripts.

255 Can be provided more than once.

256 .It Ic index Ar string

257 Set the directory index file.

258 If not specified, it defaults to

259 .Pa index.gmi .

260 .It Ic key Pa file

261 Specify the private key to use for this server.

262 The

263 .Pa file

264 should contain a PEM encoded private key.

265 This option is mandatory.

266 .It Ic lang Ar string

267 Specify the language tag for the text/gemini content served.

268 If not specified, no

269 .Dq lang

270 parameter will be added in the response.

271 .It Ic location Pa path Brq ...

272 Specify server configuration rules for a specific location.

273 The

274 .Pa path

275 argument will be matched against the request path with shell globbing

276 rules.

277 In case of multiple location statements in the same context, the first

278 matching location will be put into effect and the later ones ignored.

279 Therefore is advisable to match for more specific paths first and for

280 generic ones later on.

282 .Ic location

283 section may include most of the server configuration rules

284 except

285 .Ic cert , Ic env , Ic key , Ic root , Ic location ,

286 .Ic entrypoint No and Ic cgi .

287 .It Ic root Pa directory

288 Specify the root directory for this server.

289 This option is mandatory.

290 It's relative to the chroot, if enabled.

291 .It Ic require Ic client Ic ca Pa path

292 Allow requests only from clients that provide a certificate signed by

293 the CA certificate in

294 .Pa path .

295 It needs to be a PEM-encoded certificate and it's not relative to the

296 chroot.

297 .It Ic strip Ar number

298 Strip

299 .Ar number

300 components from the beginning of the path.

301 It's only considered for the

302 .Ar meta

303 parameter in the scope of a

304 .Ic block return .

305 .El

306 .Sh CGI

307 When a request for an executable file matches the

308 .Ic cgi

309 rule, that file will be execute and its output fed to the client.

310 .Pp

311 The CGI scripts are executed in the directory they reside and inherit

312 the environment from

313 .Nm

314 with these additional variables set:

315 .Bl -tag -width 24m

316 .It Ev GATEWAY_INTERFACE

317 .Dq CGI/1.1

318 .It Ev GEMINI_DOCUMENT_ROOT

319 The root directory of the virtual host.

320 .It Ev GEMINI_SCRIPT_FILENAME

321 Full path to the CGI script being executed.

322 .It Ev GEMINI_URL

323 The full IRI of the request.

324 .It Ev GEMINI_URL_PATH

325 The path of the request.

326 .It Ev PATH_INFO

327 The portion of the requested path that is derived from the the IRI

328 path hierarchy following the part that identifies the script itself.

329 Can be unset.

330 .It Ev PATH_TRANSLATED

331 Present if and only if

332 .Ev PATH_INFO

333 is set.

334 It represent the translation of the

335 .Ev PATH_INFO .

336 .Nm

337 builds this by appending the

338 .Ev PATH_INFO

339 to the virtual host directory root.

340 .It Ev QUERY_STRING

341 The decoded query string.

342 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

343 Textual representation of the client IP.

344 .It Ev REQUEST_METHOD

345 This is present only for RFC3875 (CGI) compliance.

346 It's always set to the empty string.

347 .It Ev SCRIPT_NAME

348 The part of the

349 .Ev GEMINI_URL_PATH

350 that identifies the current CGI script.

351 .It Ev SERVER_NAME

352 The name of the server

353 .It Ev SERVER_PORT

354 The port the server is listening on.

355 .It Ev SERVER_PROTOCOL

356 .Dq GEMINI

357 .It Ev SERVER_SOFTWARE

358 The name and version of the server, i.e.

359 .Dq gmid/1.5

360 .It Ev AUTH_TYPE

361 The string "Certificate" if the client used a certificate, otherwise

362 unset.

363 .It Ev REMOTE_USER

364 The subject of the client certificate if provided, otherwise unset.

365 .It Ev TLS_CLIENT_ISSUER

366 The is the issuer of the client certificate if provided, otherwise

367 unset.

368 .It Ev TLS_CLIENT_HASH

369 The hash of the client certificate if provided, otherwise unset.

370 The format is

371 .Dq ALGO:HASH .

372 .It Ev TLS_VERSION

373 The TLS version negotiated with the peer.

374 .It Ev TLS_CIPHER

375 The cipher suite negotiated with the peer.

376 .It Ev TLS_CIPHER_STRENGTH

377 The strength in bits for the symmetric cipher that is being used with

378 the peer.

379 .It Ev TLS_CLIENT_NOT_AFTER

380 The time corresponding to the end of the validity period of the peer

381 certificate in the ISO 8601 format

382 .Pq e.g. Dq 2021-02-07T20:17:41Z .

383 .It Ev TLS_CLIENT_NOT_BEFORE

384 The time corresponding to the start of the validity period of the peer

385 certificate in the ISO 8601 format.

386 .El

387 .Pp

388 .Sh MIME

389 To auto-detect the MIME type of the response

390 .Nm

391 looks at the file extension and consults its internal table.

392 By default the following mappings are loaded, but they can be

393 overridden or extended using the

394 .Ic mime

395 configuration option.

396 If no MIME is found, the value of

397 .Ic default type

398 matching the file

399 .Ic location

400 will be used, which is

401 .Dq application/octet-stream

402 by default.

403 .Pp

404 .Bl -tag -offset indent -width 14m -compact

405 .It diff

406 text/x-patch

407 .It gemini, gmi

408 text/gemini

409 .It gif

410 image/gif

411 .It jpeg

412 image/jpeg

413 .It jpg

414 image/jpeg

415 .It markdown, md

416 text/markdown

417 .It patch

418 text/x-patch

419 .It pdf

420 application/pdf

421 .It png

422 image/png

423 .It svg

424 image/svg+xml

425 .It txt

426 text/plain

427 .It xml

428 text/xml

429 .El

430 .Sh EXAMPLES

431 Serve the current directory

432 .Bd -literal -offset indent

433 $ gmid .

434 .Ed

435 .Pp

436 To serve the directory

437 .Pa docs

438 and enable CGI scripts inside

439 .Pa docs/cgi ,

440 you can

441 .Bd -literal -offset indent

442 $ mkdir docs/cgi

443 $ cat <<EOF > docs/cgi/hello

444 #!/bin/sh

445 printf "20 text/plain\\r\\n"

446 echo "hello world"

447 EOF

448 $ chmod +x docs/cgi/hello

449 $ gmid -x '/cgi/*' docs

450 .Ed

451 .Pp

452 The following is an example of a possible configuration for a site

453 that enables only TLSv1.3, adds a mime type for the file extension

454 "rtf" and defines two virtual host:

455 .Bd -literal -offset indent

456 ipv6 on		# enable ipv6

458 protocols "tlsv1.3"

460 mime "application/rtf" "rtf"

462 server "example.com" {

463 	cert "/path/to/cert.pem"

464 	key  "/path/to/key.pem"

465 	root "/var/gemini/example.com"

468 server "it.example.com" {

469 	cert "/path/to/cert.pem"

470 	key  "/path/to/key.pem"

471 	root "/var/gemini/it.example.com"

472 	cgi  "/cgi-bin/*"

473 	lang "it"

475 .Ed

476 .Pp

477 Yet another example, showing how to enable a

478 .Ic chroot

479 and use

480 .Ic location

481 rule

482 .Bd -literal -offset indent

483 chroot "/var/gemini"

484 user "_gmid"

486 server "example.com" {

487 	cert "/path/to/cert.pem"

488 	key  "/path/to/key.pem"

489 	root "/example.com" # in the /var/gemini chroot

491 	location "/static/*" {

492 		auto index on

493 		index "index.gemini"

496 .Ed

497 .Sh ACKNOWLEDGEMENTS

498 .Nm

499 uses the

500 .Dq Flexible and Economical

501 UTF-8 decoder written by

502 .An Bjoern Hoehrmann .

503 .Sh AUTHORS

504 .An -nosplit

505 The

506 .Nm

507 program was written by

508 .An Omar Polo Aq Mt op@omarpolo.com .

509 .Sh CAVEATS

510 .Bl -bullet

511 .It

512 The root directories of all virtual hosts are opened during the daemon

513 startup; this means that if a root directory gets deleted and then

514 re-created,

515 .Nm

516 won't be able to serve files inside that directory until a restart.

517 This restriction applies only to the root directories and not their content.

518 .It

519 a %2F sequence is indistinguishable from a literal slash: this is not

520 RFC3986-compliant.

521 .It

522 a %00 sequence is treated as invalid character and thus rejected.

523 .El