Blob

Date:
Message:
added prefork option
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd $Mdocdate: January 30 2021$

15 .Dt GMIND 1

16 .Os

17 .Sh NAME

18 .Nm gmid

19 .Nd simple and secure Gemini server

20 .Sh SYNOPSIS

21 .Nm

22 .Bk -words

23 .Op Fl fnv

24 .Op Fl c Ar config

25 .Ek

26 .Nm

27 .Bk -words

28 .Op Fl 6hv

29 .Op Fl d Pa certs-dir

30 .Op Fl H Ar hostname

31 .Op Fl p Ar port

32 .Op Fl x Pa cgi

33 .Op Pa dir

34 .Ek

35 .Sh DESCRIPTION

36 .Nm

37 is a simple and minimal gemini server that can serve static files and

38 execute CGI scripts.

39 It can run without a configuration file with a limited set of features

40 available.

41 .Pp

42 .Nm

43 rereads the configuration file when it receives

44 .Dv SIGHUP .

45 .Pp

46 The options are as follows:

47 .Bl -tag -width 14m

48 .It Fl c Pa config

49 Specify the configuration file.

50 .It Fl f

51 Stays and logs on the foreground.

52 .It Fl n

53 Check that the configuration is valid, but don't start the server.

54 .El

55 .Pp

56 If no configuration file is given,

57 .Nm

58 will look for the following options

59 .Bl -tag -width 14m

60 .It Fl 6

61 Enable IPv6.

62 .It Fl d Pa certs-path

63 Directory where certificates for the config-less mode are stored.

64 By default is

65 .Pa $XDG_DATA_HOME/gmid ,

66 i.e.

67 .Pa ~/.local/share/gmid .

68 .It Fl H Ar hostname

69 The hostname, by default

70 .Ar localhost .

71 Certificates for the given

72 .Ar hostname

73 are searched inside the

74 .Pa certs-dir

75 directory given with the

76 .Fl d

77 option.

78 They have the form

79 .Pa hostname.cert.pem

80 and

81 .Pa hostname.key.pem .

82 If a certificate and key doesn't exists for a given hostname they

83 will be automatically generated.

84 .It Fl h

85 Print the usage and exit.

86 .It Fl p Ar port

87 The port to listen on, by default 1965.

88 .It Fl v

89 Increase the verbosity of the logs.

90 .It Fl x Pa path

91 Enable execution of CGI scripts.

92 See the description of the

93 .Ic cgi

94 option in the section

95 .Sq Servers

96 below to learn how

97 .Pa path

98 is processed.

99 Cannot be provided more than once.

100 .It Pa dir

101 The root directory to serve.

102 By default the current working directory is assumed.

103 .El

104 .Sh CONFIGURATION FILE

105 The configuration file is divided into two sections:

106 .Bl -tag -width xxxx

107 .It Sy Global Options

108 Global settings for

109 .Nm .

110 .It Sy Servers

111 Virtual hosts definition.

112 .El

113 .Pp

114 Within the sections, empty lines are ignored and comments can be put

115 anywhere in the file using a hash mark

116 .Pq Sq # ,

117 and extend to the end of the current line.

118 A boolean is either the symbol

119 .Sq on

120 or

121 .Sq off .

122 A string is a sequence of characters wrapped in double quotes,

123 .Dq like this .

124 .Ss Global Options

125 .Bl -tag -width 12m

126 .It Ic chroot Pa path

127 .Xr chroot 2

128 the process to the given

129 .Pa path .

130 The daemon has to be run with root privileges and thus the option

131 .Ic user

132 needs to be provided, so privileges can be dropped.

133 Note that

134 .Nm

135 will enter the chroot after loading the TLS keys, but before opening

136 the virtual host root directories.

137 It's recommended to keep the TLS keys outside the chroot.

138 Future version of

139 .Nm

140 may require this.

141 .It Ic ipv6 Ar bool

142 Enable or disable IPv6 support.

143 By default is off.

144 .It Ic mime Ar mime-type Ar file-extension

145 Add a mapping for the given

146 .Ar file-extension

147 to the given

148 .Ar mime-type .

149 Both argument are strings.

150 .It Ic port Ar portno

151 The port to listen on.

152 By default is 1965.

153 .It Ic prefork Ar number

154 Run the specified number of server processes.

155 This increases the performance and prevents delays when connecting to

156 a server.

157 .Nm

158 runs 3 server processes by default, when not in config-less mode.

159 .It Ic protocols Ar string

160 Specify the TLS protocols to enable.

161 Refer to

162 .Xr tls_config_parse_protocols 3

163 for the valid protocol string values.

164 By default, both TLSv1.3 and TLSv1.2 are enabled.

165 Use

166 .Dq tlsv1.3

167 to enable only TLSv1.3.

168 .It Ic user Ar string

169 Run the daemon as the given user.

170 .El

171 .Ss Servers

172 Every virtual host is defined by a

173 .Ic server

174 block:

175 .Bl -tag -width Ds

176 .It Ic server Ar hostname Brq ...

177 Match the server name using shell globbing rules.

178 This can be an explicit name,

179 .Ar www.example.com ,

180 or a name including a wildcards,

181 .Ar *.example.com .

182 .El

183 .Pp

184 Followed by a block of options that is enclosed in curly brackets:

185 .Bl -tag -width Ds

186 .It Ic auto Ic index Ar bool

187 If no index file is found, automatically generate a directory listing.

188 It's disabled by default.

189 .It Ic block Op Ic return Ar code Op Ar meta

190 Send a reply and close the connection;

191 .Ar code

192 is 40

193 and

194 .Ar meta

195 is

196 .Dq temporary failure

197 by default.

198 If

199 .Ar code

200 is in the 3x range, then

201 .Ar meta

202 must be provided.

203 Inside

204 .Ar meta ,

205 the following special sequences are replaced:

206 .Bl -tag -compact

207 .It \&%\&%

208 is replaced with a single

209 .Sq \&% .

210 .It \&%p

211 is replaced with the request path.

212 .It \&%q

213 is replaced with the query string of the request.

214 .It \&%P

215 is replaced with the server port.

216 .It \&%N

217 is replaced with the server name.

218 .El

219 .It Ic cert Pa file

220 Path to the certificate to use for this server.

221 The

222 .Pa file

223 should contain a PEM encoded certificate.

224 This option is mandatory.

225 .It Ic cgi Pa path

226 Execute CGI scripts that matches

227 .Pa path

228 using shell globbing rules.

229 .It Ic default type Ar string

230 Set the default media type that is used if the media type for a

231 specified extension is not found.

232 If not specified, the

233 .Ic default type

234 is set to

235 .Dq application/octet-stream .

236 .It Ic entrypoint Pa path

237 Make the CGI script at

238 .Pa path

239 .Pq relative to the Ic root No directory

240 handle all the requests for the current virtual host

241 .It Ic index Ar string

242 Set the directory index file.

243 If not specified, it defaults to

244 .Pa index.gmi .

245 .It Ic key Pa file

246 Specify the private key to use for this server.

247 The

248 .Pa file

249 should contain a PEM encoded private key.

250 This option is mandatory.

251 .It Ic lang Ar string

252 Specify the language tag for the text/gemini content served.

253 If not specified, no

254 .Dq lang

255 parameter will be added in the response.

256 .It Ic location Pa path Brq ...

257 Specify server configuration rules for a specific location.

258 The

259 .Pa path

260 argument will be matched against the request path with shell globbing

261 rules.

262 In case of multiple location statements in the same context, the first

263 matching location will be put into effect and the later ones ignored.

264 Therefore is advisable to match for more specific paths first and for

265 generic ones later on.

267 .Ic location

268 section may include most of the server configuration rules

269 except

270 .Ic cert , Ic key , Ic root , Ic location ,

271 .Ic entrypoint No and Ic cgi .

272 .It Ic root Pa directory

273 Specify the root directory for this server.

274 This option is mandatory.

275 It's relative to the chroot, if enabled.

276 .It Ic strip Ar number

277 Strip

278 .Ar number

279 components from the beginning of the path.

280 It's only considered for the

281 .Ar meta

282 parameter in the scope of a

283 .Ic block return .

284 .El

285 .Sh CGI

286 When a request for an executable file matches the

287 .Ic cgi

288 rule, that file will be execute and its output fed to the client.

289 .Pp

290 The CGI scripts are executed in the directory they reside and inherit

291 the environment from

292 .Nm

293 with these additional variables set:

294 .Bl -tag -width 24m

295 .It Ev GATEWAY_INTERFACE

296 .Dq CGI/1.1

297 .It Ev GEMINI_DOCUMENT_ROOT

298 The root directory of the virtual host.

299 .It Ev GEMINI_SCRIPT_FILENAME

300 Full path to the CGI script being executed.

301 .It Ev GEMINI_URL

302 The full IRI of the request.

303 .It Ev GEMINI_URL_PATH

304 The path of the request.

305 .It Ev PATH_INFO

306 The portion of the requested path that is derived from the the IRI

307 path hierarchy following the part that identifies the script itself.

308 Can be unset.

309 .It Ev PATH_TRANSLATED

310 Present if and only if

311 .Ev PATH_INFO

312 is set.

313 It represent the translation of the

314 .Ev PATH_INFO .

315 .Nm

316 builds this by appending the

317 .Ev PATH_INFO

318 to the virtual host directory root.

319 .It Ev QUERY_STRING

320 The decoded query string.

321 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

322 Textual representation of the client IP.

323 .It Ev REQUEST_METHOD

324 This is present only for RFC3875 (CGI) compliance.

325 It's always set to the empty string.

326 .It Ev SCRIPT_NAME

327 The part of the

328 .Ev GEMINI_URL_PATH

329 that identifies the current CGI script.

330 .It Ev SERVER_NAME

331 The name of the server

332 .It Ev SERVER_PORT

333 The port the server is listening on.

334 .It Ev SERVER_PROTOCOL

335 .Dq GEMINI

336 .It Ev SERVER_SOFTWARE

337 The name and version of the server, i.e.

338 .Dq gmid/1.5

339 .It Ev AUTH_TYPE

340 The string "Certificate" if the client used a certificate, otherwise

341 unset.

342 .It Ev REMOTE_USER

343 The subject of the client certificate if provided, otherwise unset.

344 .It Ev TLS_CLIENT_ISSUER

345 The is the issuer of the client certificate if provided, otherwise

346 unset.

347 .It Ev TLS_CLIENT_HASH

348 The hash of the client certificate if provided, otherwise unset.

349 The format is

350 .Dq ALGO:HASH .

351 .El

352 .Pp

353 .Sh MIME

354 To auto-detect the MIME type of the response

355 .Nm

356 looks at the file extension and consults its internal table.

357 By default the following mappings are loaded, but they can be

358 overridden or extended using the

359 .Ic mime

360 configuration option.

361 If no MIME is found, the value of

362 .Ic default type

363 matching the file

364 .Ic location

365 will be used, which is

366 .Dq application/octet-stream

367 by default.

368 .Pp

369 .Bl -tag -offset indent -width 14m -compact

370 .It gemini, gmi

371 text/gemini

372 .It gif

373 image/gif

374 .It jpeg

375 image/jpeg

376 .It jpg

377 image/jpeg

378 .It markdown, md

379 text/markdown

380 .It pdf

381 application/pdf

382 .It png

383 image/png

384 .It svg

385 image/svg+xml

386 .It txt

387 text/plain

388 .It xml

389 text/xml

390 .El

391 .Sh EXAMPLES

392 Serve the current directory

393 .Bd -literal -offset indent

394 $ gmid .

395 .Ed

396 .Pp

397 To serve the directory

398 .Pa docs

399 and enable CGI scripts inside

400 .Pa docs/cgi ,

401 you can

402 .Bd -literal -offset indent

403 $ mkdir docs/cgi

404 $ cat <<EOF > cgi/hello

405 #!/bin/sh

406 printf "20 text/plain\\r\\n"

407 echo "hello world"

408 EOF

409 $ chmod +x docs/cgi/hello

410 $ gmid -x cgi docs

411 .Ed

412 .Pp

413 The following is an example of a possible configuration for a site

414 that enables only TLSv1.3, adds a mime type for the file extension

415 "rtf" and defines two virtual host:

416 .Bd -literal -offset indent

417 ipv6 on		# enable ipv6

419 protocols "tlsv1.3"

421 mime "application/rtf" "rtf"

423 server "example.com" {

424 	cert "/path/to/cert.pem"

425 	key  "/path/to/key.pem"

426 	root "/var/gemini/example.com"

429 server "it.example.com" {

430 	cert "/path/to/cert.pem"

431 	key  "/path/to/key.pem"

432 	root "/var/gemini/it.example.com"

433 	cgi  "/cgi-bin/*"

434 	lang "it"

436 .Ed

437 .Pp

438 Yet another example, showing how to enable a

439 .Ic chroot

440 and use

441 .Ic location

442 rule

443 .Bd -literal -offset indent

444 chroot "/var/gemini"

445 user "_gmid"

447 server "example.com" {

448 	cert "/path/to/cert.pem"

449 	key  "/path/to/key.pem"

450 	root "/example.com" # in the /var/gemini chroot

452 	location "/static/*" {

453 		auto index on

454 		index "index.gemini"

457 .Ed

458 .Sh ACKNOWLEDGEMENTS

459 .Nm

460 uses the

461 .Dq Flexible and Economical

462 UTF-8 decoder written by

463 .An Bjoern Hoehrmann .

464 .Sh AUTHORS

465 .An -nosplit

466 The

467 .Nm

468 program was written by

469 .An Omar Polo Aq Mt op@omarpolo.com .

470 .Sh CAVEATS

471 .Bl -bullet

472 .It

473 The root directories of all virtual hosts are opened during the daemon

474 startup; this means that if a root directory gets deleted and then

475 re-created,

476 .Nm

477 won't be able to serve files inside that directory until a restart.

478 This restriction applies only to the root directories and not their content.

479 .It

480 a %2F sequence is indistinguishable from a literal slash: this is not

481 RFC3986-compliant.

482 .It

483 a %00 sequence is treated as invalid character and thus rejected.

484 .El