Blob

Date:
Message:
sync CGI section with actual implementation
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd $Mdocdate: January 30 2021$

15 .Dt GMIND 1

16 .Os

17 .Sh NAME

18 .Nm gmid

19 .Nd simple and secure Gemini server

20 .Sh SYNOPSIS

21 .Nm

22 .Bk -words

23 .Op Fl fn

24 .Op Fl c Ar config

25 |

26 .Op Fl 6hv

27 .Op Fl d Pa certs-dir

28 .Op Fl H Ar hostname

29 .Op Fl p Ar port

30 .Op Fl x Pa cgi

31 .Op Pa dir

32 .Ek

33 .Sh DESCRIPTION

34 .Nm

35 is a simple and minimal gemini server that can serve static files and

36 execute CGI scripts.

37 It can run without a configuration file with a limited set of features

38 available.

39 If a configuration file is given, no other flags shall be given,

40 except for

41 .Fl f

42 and

43 .Fl n .

44 .Pp

45 The options are as follows:

46 .Bl -tag -width 14m

47 .It Fl c Pa config

48 Specify the configuration file.

49 .It Fl f

50 Stays and logs on the foreground.

51 .It Fl n

52 Check that the configuration is valid, but don't start the server.

53 .El

54 .Pp

55 If no configuration file is given,

56 .Nm

57 will look for the following options

58 .Bl -tag -width 14m

59 .It Fl 6

60 Enable IPv6.

61 .It Fl d Pa certs-path

62 Directory where certificates for the config-less mode are stored.

63 By default is

64 .Pa $XDG_DATA_HOME/gmid ,

65 i.e.

66 .Pa ~/.local/share/gmid .

67 .It Fl H Ar hostname

68 The hostname, by default

69 .Ar localhost .

70 Certificates for the given

71 .Ar hostname

72 are searched inside the

73 .Pa certs-dir

74 directory given with the

75 .Fl d

76 option.

77 They have the form

78 .Pa hostname.cert.pem

79 and

80 .Pa hostname.key.pem .

81 If a certificate and key doesn't exists for a given hostname they

82 will be automatically generated.

83 .It Fl h

84 Print the usage and exit.

85 .It Fl p Ar port

86 The port to listen on, by default 1965.

87 .It Fl v

88 Increase the verbosity of the logs.

89 .It Fl x Pa path

90 Enable execution of CGI scripts.

91 See the description of the

92 .Ic cgi

93 option in the section

94 .Sq Servers

95 below to learn how

96 .Pa path

97 is processed.

98 Cannot be provided more than once.

99 .It Pa dir

100 The root directory to serve.

101 By default the current working directory is assumed.

102 .El

103 .Sh CONFIGURATION FILE

104 The configuration file is divided into two sections:

105 .Bl -tag -width xxxx

106 .It Sy Global Options

107 Global settings for

108 .Nm .

109 .It Sy Servers

110 Virtual hosts definition.

111 .El

112 .Pp

113 Within the sections, empty lines are ignored and comments can be put

114 anywhere in the file using a hash mark

115 .Pq Sq # ,

116 and extend to the end of the current line.

117 A boolean is either the symbol

118 .Sq on

119 or

120 .Sq off .

121 A string is a sequence of characters wrapped in double quotes,

122 .Dq like this .

123 .Ss Global Options

124 .Bl -tag -width 12m

125 .It Ic ipv6 Ar bool

126 Enable or disable IPv6 support.

127 By default is off.

128 .It Ic port Ar portno

129 The port to listen on.

130 By default is 1965.

131 .It Ic protocols Ar string

132 Specify the TLS protocols to enable.

133 Refer to

134 .Xr tls_config_parse_protocols 3

135 for the valid protocol string values.

136 By default, both TLSv1.3 and TLSv1.2 are enabled.

137 Use

138 .Dq tlsv1.3

139 to enable only TLSv1.3.

140 .It Ic mime Ar mime-type Ar file-extension

141 Add a mapping for the given

142 .Ar file-extension

143 to the given

144 .Ar mime-type .

145 Both argument are strings.

146 .It Ic chroot Pa path

147 .Xr chroot 2

148 the process to the given

149 .Pa path .

150 The daemon has to be run with root privileges and thus the option

151 .Ic user

152 needs to be provided, so privileges can be dropped.

153 Note that

154 .Nm

155 will enter the chroot after loading the TLS keys, but before opening

156 the virtual host root directories.

157 It's recommended to keep the TLS keys outside the chroot.

158 Future version of

159 .Nm

160 may require this.

161 .It Ic user Ar string

162 Run the daemon as the given user.

163 .El

164 .Ss Servers

165 Every virtual host is defined by a

166 .Ic server

167 block:

168 .Bl -tag -width Ds

169 .It Ic server Ar hostname Brq ...

170 Match the server name using shell globbing rules.

171 This can be an explicit name,

172 .Ar www.example.com ,

173 or a name including a wildcards,

174 .Ar *.example.com .

175 .El

176 .Pp

177 Followed by a block of options that is enclosed in curly brackets:

178 .Bl -tag -width Ds

179 .It Ic cert Pa file

180 Path to the certificate to use for this server.

181 The

182 .Pa file

183 should contain a PEM encoded certificate.

184 This option is mandatory.

185 .It Ic key Pa file

186 Specify the private key to use for this server.

187 The

188 .Pa file

189 should contain a PEM encoded private key.

190 This option is mandatory.

191 .It Ic root Pa directory

192 Specify the root directory for this server.

193 This option is mandatory.

194 It's relative to the chroot, if enabled.

195 .It Ic cgi Pa path

196 Enable the execution of CGI scripts if

197 .Pa path

198 is a prefix of the user request string.

199 An empty path "" will effectively enable the execution of any file

200 with the executable bit set inside the root directory.

201 .It Ic default type Ar string

202 Set the default media type that is used if the media type for a

203 specified extension is not found.

204 If not specified, the

205 .Ic default type

206 is set to

207 .Dq application/octet-stream .

208 .It Ic lang Ar string

209 Specify the language tag for the text/gemini content served.

210 If not specified, no

211 .Dq lang

212 parameter will be added in the response.

213 .It Ic index Ar string

214 Set the directory index file.

215 If not specified, it defaults to

216 .Pa index.gmi .

217 .It Ic auto Ic index Ar bool

218 If no index file is found, automatically generate a directory listing.

219 It's disabled by default.

220 .It Ic location Pa path Brq ...

221 Specify server configuration rules for a specific location.

222 The

223 .Pa path

224 argument will be matched against the request path with shell globbing

225 rules.

226 In case of multiple location statements in the same context, the first

227 matching location will be put into effect and the later ones ignored.

228 Therefore is advisable to match for more specific paths first and for

229 generic ones later on.

231 .Ic location

232 section may include most of the server configuration rules

233 except

234 .Ic cert , Ic key , Ic root , Ic location No and Ic cgi .

235 .El

236 .Sh CGI

237 When CGI scripts are enabled, a matching request for an executable

238 file will execute it and fed its output to the client.

239 .Pp

240 The CGI scripts are executed in the directory they reside and inherit

241 the environment from

242 .Nm

243 with these additional variables set:

244 .Bl -tag -width 24m

245 .It Ev GATEWAY_INTERFACE

246 .Dq CGI/1.1

247 .It Ev GEMINI_DOCUMENT_ROOT

248 The root directory of the virtual host.

249 .It Ev GEMINI_SCRIPT_FILENAME

250 Full path to the CGI script being executed.

251 .It Ev GEMINI_URL

252 The full IRI of the request.

253 .It Ev GEMINI_URL_PATH

254 The path of the request.

255 .It Ev PATH_INFO

256 The portion of the requested path that is derived from the the IRI

257 path hierarchy following the part that identifies the script itself.

258 Can be unset.

259 .It Ev PATH_TRANSLATED

260 Present if and only if

261 .Ev PATH_INFO

262 is set.

263 It represent the translation of the

264 .Ev PATH_INFO .

265 .Nm

266 builds this by appending the

267 .Ev PATH_INFO

268 to the virtual host directory root.

269 .It Ev QUERY_STRING

270 The decoded query string.

271 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

272 Textual representation of the client IP.

273 .It Ev REQUEST_METHOD

274 This is present only for RFC3875 (CGI) compliance.

275 It's always set to the empty string.

276 .It Ev SCRIPT_NAME

277 The part of the

278 .Ev GEMINI_URL_PATH

279 that identifies the current CGI script.

280 .It Ev SERVER_NAME

281 The name of the server

282 .It Ev SERVER_PORT

283 The port the server is listening on.

284 .It Ev SERVER_PROTOCOL

285 .Dq GEMINI

286 .It Ev SERVER_SOFTWARE

287 The name and version of the server, i.e.

288 .Dq gmid/1.5

289 .It Ev AUTH_TYPE

290 The string "Certificate" if the client used a certificate, otherwise

291 unset.

292 .It Ev REMOTE_USER

293 The subject of the client certificate if provided, otherwise unset.

294 .It Ev TLS_CLIENT_ISSUER

295 The is the issuer of the client certificate if provided, otherwise

296 unset.

297 .It Ev TLS_CLIENT_HASH

298 The hash of the client certificate if provided, otherwise unset.

299 The format is

300 .Dq ALGO:HASH .

301 .El

302 .Pp

303 .Sh MIME

304 To auto-detect the MIME type of the response

305 .Nm

306 looks at the file extension and consults its internal table.

307 By default the following mappings are loaded, but they can be

308 overridden or extended using the

309 .Ic mime

310 configuration option.

311 If no MIME is found, the value of

312 .Ic default type

313 matching the file

314 .Ic location

315 will be used, which is

316 .Dq application/octet-stream

317 by default.

318 .Pp

319 .Bl -tag -offset indent -width 14m -compact

320 .It gemini, gmi

321 text/gemini

322 .It gif

323 image/gif

324 .It jpeg

325 image/jpeg

326 .It jpg

327 image/jpeg

328 .It markdown, md

329 text/markdown

330 .It pdf

331 application/pdf

332 .It png

333 image/png

334 .It svg

335 image/svg+xml

336 .It txt

337 text/plain

338 .It xml

339 text/xml

340 .El

341 .Sh EXAMPLES

342 Serve the current directory

343 .Bd -literal -offset indent

344 $ gmid .

345 .Ed

346 .Pp

347 To serve the directory

348 .Pa docs

349 and enable CGI scripts inside

350 .Pa docs/cgi ,

351 you can

352 .Bd -literal -offset indent

353 $ mkdir docs/cgi

354 $ cat <<EOF > cgi/hello

355 #!/bin/sh

356 printf "20 text/plain\\r\\n"

357 echo "hello world"

358 EOF

359 $ chmod +x docs/cgi/hello

360 $ gmid -x cgi docs

361 .Ed

362 .Pp

363 Note that the argument to the

364 .Fl x

365 option is

366 .Pa cgi

367 and not

368 .Pa docs/cgi ,

369 since it's relative to the document root.

370 .Pp

371 The following is an example of a possible configuration for a site

372 that enables only TLSv1.3, adds a mime type for the file extension

373 "rtf" and defines two virtual host:

374 .Bd -literal -offset indent

375 ipv6 on		# enable ipv6

377 protocols "tlsv1.3"

379 mime "application/rtf" "rtf"

381 server "example.com" {

382 	cert "/path/to/cert.pem"

383 	key  "/path/to/key.pem"

384 	root "/var/gemini/example.com"

387 server "it.example.com" {

388 	cert "/path/to/cert.pem"

389 	key  "/path/to/key.pem"

390 	root "/var/gemini/it.example.com"

391 	cgi  "/cgi-bin"

392 	lang "it"

394 .Ed

395 .Pp

396 Yet another example, showing how to enable a

397 .Ic chroot

398 and use

399 .Ic location

400 rule

401 .Bd -literal -offset indent

402 chroot "/var/gemini"

403 user "_gmid"

405 server "example.com" {

406 	cert "/path/to/cert.pem"

407 	key  "/path/to/key.pem"

408 	root "/example.com" # in the /var/gemini chroot

410 	location "/static/" {

411 		auto index on

412 		index "index.gemini"

415 .Ed

416 .Sh ACKNOWLEDGEMENTS

417 .Nm

418 uses the

419 .Dq Flexible and Economical

420 UTF-8 decoder written by

421 .An Bjoern Hoehrmann .

422 .Sh AUTHORS

423 .An -nosplit

424 The

425 .Nm

426 program was written by

427 .An Omar Polo Aq Mt op@omarpolo.com .

428 .Sh CAVEATS

429 .Bl -bullet

430 .It

431 The root directories of all virtual hosts are opened during the daemon

432 startup; this means that if a root directory gets deleted and then

433 re-created,

434 .Nm

435 won't be able to serve files inside that directory until a restart.

436 This restriction applies only to the root directories and not their content.

437 .It

438 a %2F sequence is indistinguishable from a literal slash: this is not

439 RFC3986-compliant.

440 .It

441 a %00 sequence is treated as invalid character and thus rejected.

442 .El