1 .\" Copyright (c) 2022, 2023, 2024 Omar Polo <op@omarpolo.com>
2 .\"
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
6 .\"
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd March 3, 2024
15 .Dt GMID.CONF 5
16 .Os
17 .Sh NAME
18 .Nm gmid.conf
19 .Nd gmid Gemini server configuration file
20 .Sh DESCRIPTION
21 .Nm
22 is the configuration file format for the
23 .Xr gmid 8
24 Gemini server.
25 .Pp
26 The configuration file is divided into the following sections:
27 .Bl -tag -width Ds
28 .It Sy Macros
29 User-defined variables may be defined and used later, simplifying the
30 configuration file.
31 .It Sy Global Options
32 Global settings for
33 .Xr gmid 8 .
34 .It Sy Types
35 Media types and extensions.
36 .It Sy Servers
37 Virtual hosts definition.
38 .El
39 .Pp
40 Within the sections, empty lines are ignored and comments can be put
41 anywhere in the file using a hash mark
42 .Pq Sq #
43 and extend to the end of the current line.
44 A boolean is either the symbol
45 .Sq on
46 or
47 .Sq off .
48 A string is a sequence of characters wrapped in double quotes,
49 .Dq like this .
50 Multiple strings one next to the other are joined into a single
51 string:
52 .Bd -literal -offset indent
53 # equivalent to "temporary-failure"
54 block return 40 "temporary" "-" "failure"
55 .Ed
56 .Pp
57 Furthermore, quoting is necessary only when a string needs to contain
58 special characters
59 .Pq like spaces or punctuation ,
60 something that looks like a number or a reserved keyword.
61 The last example could have been written also as:
62 .Bd -literal -offset indent
63 block return 40 temporary "-" failure
64 .Ed
65 .Pp
66 Strict ordering of the sections is not enforced, so that is possible
67 to mix macros, options and
68 .Ic server
69 blocks.
70 However, defining all the
71 .Ic server
72 blocks after the macros and the global options is recommended.
73 .Pp
74 Newlines are often optional, except around top-level instructions, and
75 semicolons
76 .Dq \&;
77 can also be optionally used to separate options.
78 .Pp
79 Additional configuration files can be included with the
80 .Ic include
81 keyword, for example:
82 .Bd -literal -offset indent
83 include "/etc/gmid.conf.local"
84 .Ed
85 .Ss Macros
86 Macros can be defined that will later be expanded in context.
87 Macro names must start with a letter, digit or underscore and may
88 contain any of those characters.
89 Macros names may not be reserved words.
90 Macros are not expanded inside quotes.
91 .Pp
92 Two kinds of macros are supported: variable-like and proper macros.
93 When a macro is invoked with a
94 .Dq $
95 before its name its expanded as a string, whereas when it's invoked
96 with a
97 .Dq @
98 its expanded in-place.
99 .Pp
100 For example:
101 .Bd -literal -offset indent
102 ext_ip = "10.0.0.1"
103 dir = "/var/gemini"
104 certdir = "/etc/keys"
105 common = "lang it; auto index on"
106 
107 server "foo" {
108 	listen on $ext_ip
109 	root $dir "/foo"         # "/var/gemini/foo"
110 	cert $certdir "/foo.pem" # "/etc/keys/foo.pem"
111 	key  $certdir "/foo.key" # "/etc/keys/foo.key"
112 	@common
113 }
114 .Ed
115 .Ss Global Options
116 .Bl -tag -width 12m
117 .It Ic chroot Ar path
118 .Xr chroot 2
119 the process to the given
120 .Ar path .
121 The daemon has to be run with root privileges and thus the option
122 .Ic user
123 needs to be provided too, so privileges can be dropped afterwards.
124 If enabled all the paths in the configuration file are relative to the
125 chroot directory, except for the
126 .Ic cert ,
127 .Ic key ,
128 .Ic ocsp
129 and
130 .Ic log access
131 paths.
132 Defaults to the
133 .Ic user
134 home directory, if provided.
135 .It Ic log Ar options
136 Specify logging options.
137 Multiple options may be provided within curly braces.
138 The available options are as follows:
139 .Bl -tag -width Ds
140 .It Ic access Ar file
141 Log the requests to
142 .Ar file .
143 The path is not relative to the
144 .Ic chroot .
145 .It Ic style Ar style
146 Set the logging style, defaults to
147 .Ic legacy .
148 The
149 .Ar style
150 can be one of:
151 .Bl -tag -width Ds
152 .It Ic common
153 Attempt to be compatible with the default Apache httpd log format.
154 Each line is formatted as follows: the matching host name,
155 the remote IP address, one dash
156 .Sq - ,
157 Common Name of the client certificate
158 .Pq if provided, '-' otherwise ,
159 the timestamp of the request, the request URI wrapped in double quotes,
160 the response code and the size of the response.
161 .It Ic combined
162 Attempt to be compatible with the default nginx log format.
163 Each line is formatted as follows: the remote IP address, one dash
164 .Sq - ,
165 Common Name of the client certificate
166 .Pq if provided, '-' otherwise ,
167 the timestamp wrapped in square brackets, the request URI wrapped in
168 double quotes, the response code, the size of the response, a dash
169 wrapped in double quotes and "".
170 The strangness of these two last fields is because Gemini doesn't have
171 the notion of the
172 .Dq Referer
173 header nor the
174 .Dq User-agent .
175 .\" .It Ic condensed
176 .\" The native
177 .\" .Xr gmid 8
178 .\" format since 2.0.
179 .\" Each line is formatted as follows: RFC 3339 date time,
180 .\" remote IP address, Common Name of the client certificate
181 .\" .Pq if provided, '-' otherwise ,
182 .\" the matching host name, the request URI, the size of the request,
183 .\" the size of the response, the response code and meta.
184 .It Ic legacy
185 Each line is formatted as follows: the remote IP address and port, the
186 .Sq GET
187 keyword, the request URI, the response code and meta.
188 .El
189 .It Ic syslog Op Ic off
190 Log to syslog.
191 It is enabled by default, use the
192 .Ic off
193 argument to disable.
194 .It Ic syslog facility Ar facility
195 Log to
196 .Xr syslog 3
197 using specified
198 .Ar facility .
199 Available facilities are as follows: daemon, ftp, local0 through local7 and
200 user.
201 These are case insensitive and can be prefixed with
202 .Sq LOG_ .
203 Not all level may be available on all operating systems.
204 The default facility is
205 .Ev LOG_DAEMON .
206 .El
207 .It Ic prefork Ar number
208 Run the specified number of server processes.
209 This increases the performance and prevents delays when connecting to
210 a server.
211 .Xr gmid 8
212 runs 3 server processes by default.
213 The maximum number allowed is 16.
214 .It Ic protocols Ar string
215 Specify the TLS protocols to enable.
216 Refer to
217 .Xr tls_config_parse_protocols 3
218 for the valid protocol string values.
219 By default, both TLSv1.3 and TLSv1.2 are enabled.
220 Use
221 .Dq tlsv1.3
222 to enable only TLSv1.3.
223 .It Ic user Ar string
224 Run the daemon as the given user.
225 Mandatory if the
226 .Ic chroot
227 option is used.
228 .El
229 .Ss Servers
230 Every virtual host is defined by a
231 .Ic server
232 block:
233 .Bl -tag -width Ds
234 .It Ic server Ar hostname Brq ...
235 Match the server name using shell globbing rules.
236 It can be an explicit name,
237 .Ar www.example.com ,
238 or a name including wildcards,
239 .Ar *.example.com .
240 .El
241 .Pp
242 Followed by a block of options that is enclosed in curly brackets:
243 .Bl -tag -width Ds
244 .It Ic alias Ar name
245 Specify an additional alias
246 .Ar name
247 for this server.
248 .It Ic auto Ic index Ar bool
249 If no index file is found, automatically generate a directory listing.
250 Disabled by default.
251 .It Ic block Op Ic return Ar code Op Ar meta
252 Send a reply and close the connection;
253 by default
254 .Ar code
255 is 40
256 and
257 .Ar meta
258 is
259 .Dq temporary failure .
260 If
261 .Ar code
262 is in the 3x range, then
263 .Ar meta
264 is mandatory.
265 Inside
266 .Ar meta ,
267 the following special sequences are supported:
268 .Bl -tag -width Ds -compact
269 .It \&%\&%
270 is replaced with a single
271 .Sq \&% .
272 .It \&%p
273 is replaced with the request path.
274 .It \&%q
275 is replaced with the query string of the request.
276 .It \&%P
277 is replaced with the server port.
278 .It \&%N
279 is replaced with the server name.
280 .El
281 .It Ic cert Ar file
282 Path to the certificate to use for this server.
283 .Ar file
284 should contain a PEM encoded certificate.
285 This option is mandatory.
286 .It Ic default type Ar string
287 Set the default media type that is used if the media type for a
288 specified extension is not found.
289 If not specified, the
290 .Ic default type
291 is set to
292 .Dq application/octet-stream .
293 .It Ic fastcgi Ar option
294 Enable FastCGI instead of serving files.
295 Multiple options may be specified within curly braces.
296 Valid options are:
297 .Bl -tag -width Ds
298 .It Ic param Ar name Cm = Ar value
299 Set the param
300 .Ar name
301 to
302 .Ar value .
303 .It Ic socket Oo Ic tcp Oc Ar socket Oo Cm port Ar port Oc
304 The
305 .Ar socket
306 can either be a UNIX-domain socket or a TCP socket.
307 If the FastCGI application is listening on a UNIX domain socket,
308 .Ar socket
309 is a local path name within the
310 .Xr chroot 2
311 root directory of
312 .Xr gmid 8 .
313 Otherwise, the
314 .Ic tcp
315 keyword must be provided and
316 .Ar socket
317 is interpreted as a hostname or an IP address.
318 .Ar port
319 can be either a port number or the name of a service enclosed in
320 double quotes.
321 If not specified defaults to 9000.
322 .It Ic strip Ar number
323 Strip
324 .Ar number
325 leading path components from the request URL before splitting it in
326 .Ev SCRIPT_NAME
327 and
328 .Ev PATH_INFO .
329 .El
330 .Pp
331 The FastCGI handler will be given the following variables by default:
332 .Bl -tag -width 24m
333 .\" .It Ev GEMINI_DOCUMENT_ROOT
334 .\" The root directory of the virtual host.
335 .It Ev GEMINI_URL_PATH
336 Full path of the request.
337 .It Ev GEMINI_SEARCH_STRING
338 The decoded
339 .Ev QUERY_STRING
340 if defined in the request and if it doesn't contain any unencoded
341 .Sq =
342 characters, otherwise unset.
343 .It Ev GATEWAY_INTERFACE
344 .Dq CGI/1.1
345 .It Ev AUTH_TYPE
346 The string "Certificate" if the client used a certificate, otherwise
347 unset.
348 .It Ev PATH_INFO
349 The portion of the requested path that is derived from the the IRI
350 path hierarchy following
351 .Ev SCRIPT_NAME .
352 Can be unset.
353 .It Ev PATH_TRANSLATED
354 Present if and only if
355 .Ev PATH_INFO
356 is set.
357 It represent the translation of the
358 .Ev PATH_INFO .
359 .Nm gmid
360 builds this by appending the
361 .Ev PATH_INFO
362 to the virtual host directory root.
363 .It Ev QUERY_STRING
364 The URL-encoded search or parameter string.
365 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
366 Textual representation of the client IP.
367 .It Ev REQUEST_METHOD
368 This is present only for RFC3875 (CGI) compliance.
369 It's always set to
370 .Dq GET .
371 .It Ev SCRIPT_NAME
372 The virtual URI path to the script.
373 Since it's impossible to determine in all cases the correct
374 .Ev SCRIPT_NAME
375 programmatically
376 .Nm gmid
377 assumes it's the empty string.
378 It is recommended to manually specify this parameter when serving a
379 sub-tree of a virtual host via FastCGI.
380 .It Ev SERVER_NAME
381 The name of the server
382 .It Ev SERVER_PORT
383 The port the server is listening on.
384 .It Ev SERVER_PROTOCOL
385 .Dq GEMINI
386 .It Ev SERVER_SOFTWARE
387 The name and version of the server, i.e.
388 .Dq gmid/2.0.1
389 .It Ev REMOTE_USER
390 The subject of the client certificate if provided, otherwise unset.
391 .It Ev TLS_CLIENT_ISSUER
392 The is the issuer of the client certificate if provided, otherwise
393 unset.
394 .It Ev TLS_CLIENT_HASH
395 The hash of the client certificate if provided, otherwise unset.
396 The format is
397 .Dq ALGO:HASH .
398 .It Ev TLS_VERSION
399 The TLS version negotiated with the peer.
400 .It Ev TLS_CIPHER
401 The cipher suite negotiated with the peer.
402 .It Ev TLS_CIPHER_STRENGTH
403 The strength in bits for the symmetric cipher that is being used with
404 the peer.
405 .It Ev TLS_CLIENT_NOT_AFTER
406 The time corresponding to the end of the validity period of the peer
407 certificate in the ISO 8601 format
408 .Pq e.g. Dq 2021-02-07T20:17:41Z .
409 .It Ev TLS_CLIENT_NOT_BEFORE
410 The time corresponding to the start of the validity period of the peer
411 certificate in the ISO 8601 format.
412 .El
413 .It Ic fastcgi off
414 Disable FastCGI handling in the current location.
415 .It Ic index Ar string
416 Set the directory index file.
417 If not specified, it defaults to
418 .Pa index.gmi .
419 .It Ic key Ar file
420 Specify the private key to use for this server.
421 .Ar file
422 should contain a PEM encoded private key.
423 This option is mandatory.
424 .It Ic lang Ar string
425 Specify the language tag for the text/gemini content served.
426 If not specified, no
427 .Dq lang
428 parameter will be added in the response.
429 .It Ic listen on Ar address Op Ic port Ar number
430 Set the listen
431 .Ar address
432 and
433 .Ar port
434 which defaults to
435 .Sq 1965 .
436 This statement can be specified multiple times.
437 If
438 .Ar address
439 is
440 .Sq *
441 then
442 .Xr gmid 8
443 will listen on all IPv4 and IPv6 addresses.
444 .Ar 0.0.0.0
445 can be used to listen on all IPv4 addresses and
446 .Ar ::
447 on all IPv6 addresses.
448 .It Ic location Ar path Brq ...
449 Specify server configuration rules for a specific location.
450 .Ar path
451 argument will be matched against the request path with shell globbing
452 rules.
453 In case of multiple location statements in the same context, the first
454 matching location will be put into effect and the later ones ignored.
455 Therefore is advisable to match for more specific paths first and for
456 generic ones later on.
457 A
458 .Ic location
459 section may include most of the server configuration rules
460 except
461 .Ic alias , Ic cert , Ic key , Ic listen , Ic location
462 and
463 .Ic proxy .
464 .It Ic log Ar bool
465 Enable or disable the logging for the current server or location block.
466 .It Ic ocsp Ar file
467 Specify an OCSP response to be stapled during TLS handshakes
468 with this server.
469 The
470 .Ar file
471 should contain a DER-format OCSP response retrieved from an
472 OCSP server for the
473 .Ic cert
474 in use.
475 If the OCSP response in
476 .Ar file
477 is empty, OCSP stapling will not be used.
478 The default is to not use OCSP stapling.
479 .It Ic proxy Oo Cm proto Ar name Oc Oo Cm for-host Ar host Oo Cm port Ar port Oc Oc Brq ...
480 Set up a reverse proxy.
481 The optional matching rules
482 .Cm proto
483 and
484 .Cm for-host
485 can be used to enable proxying only for protocols matching
486 .Ar name
487 .Po Dq gemini
488 by default
489 .Pc
490 and/or whose request IRI matches
491 .Ar host
492 and
493 .Ar port
494 .Pq 1965 by default .
495 Matching happens using shell globbing rules.
496 .Pp
497 In case of multiple matching proxy blocks in the same context, the
498 first matching proxy will be put into effect and the later ones
499 ignored.
500 .Pp
501 Valid options are:
502 .Bl -tag -width Ds
503 .It Ic cert Ar file
504 Specify the client certificate to use when making requests.
505 .It Ic key Ar file
506 Specify the client certificate key to use when making requests.
507 .It Ic protocols Ar string
508 Specify the TLS protocols allowed when making remote requests.
509 Refer to the
510 .Xr tls_config_parse_protocols 3
511 function for the valid protocol string values.
512 By default, both TLSv1.2 and TLSv1.3 are enabled.
513 .It Ic relay-to Ar host Op Cm port Ar port
514 Relay the request to the given
515 .Ar host
516 at the given
517 .Ar port ,
518 1965 by default.
519 This is the only mandatory option in a
520 .Ic proxy
521 block.
522 .It Ic require Ic client Ic ca Ar file
523 Allow the proxying only from clients that provide a certificate
524 signed by the CA certificate in
525 .Ar file .
526 .It Ic sni Ar hostname
527 Use the given
528 .Ar hostname
529 instead of the one extracted from the
530 .Ic relay-to
531 rule for the TLS handshake with the proxied gemini server.
532 .It Ic use-tls Ar bool
533 Specify whether to use TLS when connecting to the proxied host.
534 Enabled by default.
535 .It Ic verifyname Ar bool
536 Enable or disable the TLS server name verification.
537 Enabled by default.
538 .El
539 .It Ic root Ar directory
540 Specify the root directory for this server
541 .Pq alas the current Dq document root .
542 It's relative to the chroot if enabled.
543 .It Ic require Ic client Ic ca Ar path
544 Allow requests only from clients that provide a certificate signed by
545 the CA certificate in
546 .Ar path .
547 It needs to be a PEM-encoded certificate and it's not relative to the
548 chroot.
549 .It Ic strip Ar number
550 Strip
551 .Ar number
552 components from the beginning of the path before doing a lookup in the
553 root directory.
554 It's also considered for the
555 .Ar meta
556 parameter in the scope of a
557 .Ic block return .
558 .El
559 .Ss Types
560 The
561 .Ic types
562 section must include one or more lines of the following syntax, enclosed
563 in curly brances:
564 .Bl -tag -width Ds
565 .It Ar type Ns / Ns Ar subtype Ar name Op Ar name ...
566 Set the media
567 .Ar type
568 and
569 .Ar subtype
570 to the specified extension
571 .Ar name .
572 One or more names can be specified per line.
573 Earch line may end with an optional semicolon.
574 .It Ic include Ar file
575 Include types definition from an external file, for example
576 .Pa /usr/share/misc/mime.types .
577 .El
578 .Pp
579 By default
580 .Nm gmid
581 uses the following mapping if no
582 .Ic types
583 block is defined:
584 .Pp
585 .Bl -tag -offset indent -width 15m -compact
586 .It application/pdf
587 pdf
588 .It image/gif
589 gif
590 .It image/jpeg
591 jpg jpeg
592 .It image/png
593 png
594 .It image/svg+xml
595 svg
596 .It text/gemini
597 gemini gmi
598 .It text/markdown
599 markdown md
600 .It text/x-patch
601 diff patch
602 .It text/xml
603 xml
604 .El
605 .Pp
606 As an exception,
607 .Nm gmid
608 uses the MIME type
609 .Ar text/gemini
610 for file extensions
611 .Ar gemini
612 or
613 .Ar gmi
614 if no mapping was found.
615 .Sh EXAMPLES
616 The following is an example of a possible configuration for a site
617 that enables only TLSv1.3, adds the MIME types mapping from
618 .Pa /usr/share/misc/mime.types
619 and defines two virtual host:
620 .Bd -literal -offset indent
621 protocols "tlsv1.3"
622 
623 types {
624 	include "/usr/share/misc/mime.types"
625 }
626 
627 server "example.com" {
628 	listen on * port 1965
629 	cert "/etc/ssl/example.com.pem"
630 	key  "/etc/ssl/private/example.com.key"
631 	root "/var/gemini/example.com"
632 }
633 
634 server "example.it" {
635 	listen on * port 1965
636 	cert "/etc/ssl/example.it.pem"
637 	key  "/etc/ssl/private/example.it.key"
638 	root "/var/gemini/example.it"
639 
640 	# set the language for text/gemini files
641 	lang "it"
642 }
643 .Ed
644 .Pp
645 Yet another example, showing how to enable a
646 .Ic chroot
647 and use
648 .Ic location
649 rule
650 .Bd -literal -offset indent
651 chroot "/var/gemini"
652 user "_gmid"
653 
654 server "example.com" {
655 	listen on * port 1965
656 
657 	# absolute paths:
658 	cert "/etc/ssl/example.com.pem"
659 	key  "/etc/ssl/private/example.com.key"
660 
661 	# relative to the chroot:
662 	root "/example.com"
663 
664 	location "/static/*" {
665 		# load the following rules only for
666 		# requests that matches "/static/*"
667 
668 		auto index on
669 		index "index.gemini"
670 	}
671 }
672 .Ed
673 .Pp
674 This shows how to set up a reverse proxy: all request for
675 .Sq example.com
676 will be forwarded to 10.0.0.6 transparently.
677 Proxying establish a new TLS connection, so any client-certificates used
678 to connect to
679 .Xr gmid 8
680 cannot be provided to the proxied server as well.
681 .Bd -literal -offset indent
682 server "example.com" {
683 	listen on * port 1965
684 	cert "/etc/ssl/example.com.pem"
685 	key "/etc/ssl/private/example.com.key"
686 	proxy {
687 		relay-to 10.0.0.6 port 1965
688 	}
689 }
690 .Ed
691 .Sh SEE ALSO
692 .Xr gmid 8 ,
693 .Xr slowcgi 8
694 .Sh AUTHORS
695 .An -nosplit
696 The
697 .Nm gmid
698 program was written by
699 .An Omar Polo Aq Mt op@omarpolo.com .