1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: January 30 2021$
19 .Nd simple and secure Gemini server
37 is a simple and minimal gemini server that can serve static files and
39 It can run without a configuration file with a limited set of features
43 rereads the configuration file when it receives
46 The options are as follows:
49 Specify the configuration file.
51 Stays and logs on the foreground.
53 Check that the configuration is valid, but don't start the server.
56 If no configuration file is given,
58 will look for the following options
62 .It Fl d Pa certs-path
63 Directory where certificates for the config-less mode are stored.
65 .Pa $XDG_DATA_HOME/gmid ,
67 .Pa ~/.local/share/gmid .
69 The hostname, by default
71 Certificates for the given
73 are searched inside the
75 directory given with the
81 .Pa hostname.key.pem .
82 If a certificate or key don't exists for a given hostname they
83 will be automatically generated.
85 Print the usage and exit.
87 The port to listen on, by default 1965.
92 options increase the verbosity.
94 Enable execution of CGI scripts.
95 See the description of the
102 Cannot be provided more than once.
104 The root directory to serve.
105 By default the current working directory is assumed.
107 .Sh CONFIGURATION FILE
108 The configuration file is divided into two sections:
110 .It Sy Global Options
114 Virtual hosts definition.
117 Within the sections, empty lines are ignored and comments can be put
118 anywhere in the file using a hash mark
120 and extend to the end of the current line.
121 A boolean is either the symbol
125 A string is a sequence of characters wrapped in double quotes,
129 .It Ic chroot Pa path
131 the process to the given
133 The daemon has to be run with root privileges and thus the option
135 needs to be provided, so privileges can be dropped.
138 will enter the chroot after loading the TLS keys, but before opening
139 the virtual host root directories.
140 It's recommended to keep the TLS keys outside the chroot.
145 Enable or disable IPv6 support.
147 .It Ic mime Ar mime-type Ar file-extension
148 Add a mapping for the given
152 Both argument are strings.
153 .It Ic port Ar portno
154 The port to listen on.
156 .It Ic prefork Ar number
157 Run the specified number of server processes.
158 This increases the performance and prevents delays when connecting to
161 runs 3 server processes by default, when not in config-less mode.
162 The maximum number allowed is 16.
163 .It Ic protocols Ar string
164 Specify the TLS protocols to enable.
166 .Xr tls_config_parse_protocols 3
167 for the valid protocol string values.
168 By default, both TLSv1.3 and TLSv1.2 are enabled.
171 to enable only TLSv1.3.
172 .It Ic user Ar string
173 Run the daemon as the given user.
176 Every virtual host is defined by a
180 .It Ic server Ar hostname Brq ...
181 Match the server name using shell globbing rules.
182 This can be an explicit name,
183 .Ar www.example.com ,
184 or a name including a wildcards,
188 Followed by a block of options that is enclosed in curly brackets:
190 .It Ic auto Ic index Ar bool
191 If no index file is found, automatically generate a directory listing.
192 It's disabled by default.
193 .It Ic block Op Ic return Ar code Op Ar meta
194 Send a reply and close the connection;
200 .Dq temporary failure
204 is in the 3x range, then
209 the following special sequences are replaced:
212 is replaced with a single
215 is replaced with the request path.
217 is replaced with the query string of the request.
219 is replaced with the server port.
221 is replaced with the server name.
224 Path to the certificate to use for this server.
227 should contain a PEM encoded certificate.
228 This option is mandatory.
230 Execute CGI scripts that matches
232 using shell globbing rules.
233 .It Ic default type Ar string
234 Set the default media type that is used if the media type for a
235 specified extension is not found.
236 If not specified, the
239 .Dq application/octet-stream .
240 .It Ic entrypoint Pa path
241 Handle all the requests for the current virtual host using the
244 .It Ic index Ar string
245 Set the directory index file.
246 If not specified, it defaults to
249 Specify the private key to use for this server.
252 should contain a PEM encoded private key.
253 This option is mandatory.
254 .It Ic lang Ar string
255 Specify the language tag for the text/gemini content served.
258 parameter will be added in the response.
259 .It Ic location Pa path Brq ...
260 Specify server configuration rules for a specific location.
263 argument will be matched against the request path with shell globbing
265 In case of multiple location statements in the same context, the first
266 matching location will be put into effect and the later ones ignored.
267 Therefore is advisable to match for more specific paths first and for
268 generic ones later on.
271 section may include most of the server configuration rules
273 .Ic cert , Ic key , Ic root , Ic location ,
274 .Ic entrypoint No and Ic cgi .
275 .It Ic root Pa directory
276 Specify the root directory for this server.
277 This option is mandatory.
278 It's relative to the chroot, if enabled.
279 .It Ic require Ic client Ic ca Pa path
280 Allow requests only from clients that provide a certificate signed by
281 the CA certificate in
283 It needs to be a PEM-encoded certificate and it's not relative to the
285 .It Ic strip Ar number
288 components from the beginning of the path.
289 It's only considered for the
291 parameter in the scope of a
295 When a request for an executable file matches the
297 rule, that file will be execute and its output fed to the client.
299 The CGI scripts are executed in the directory they reside and inherit
302 with these additional variables set:
304 .It Ev GATEWAY_INTERFACE
306 .It Ev GEMINI_DOCUMENT_ROOT
307 The root directory of the virtual host.
308 .It Ev GEMINI_SCRIPT_FILENAME
309 Full path to the CGI script being executed.
311 The full IRI of the request.
312 .It Ev GEMINI_URL_PATH
313 The path of the request.
315 The portion of the requested path that is derived from the the IRI
316 path hierarchy following the part that identifies the script itself.
318 .It Ev PATH_TRANSLATED
319 Present if and only if
322 It represent the translation of the
325 builds this by appending the
327 to the virtual host directory root.
329 The decoded query string.
330 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
331 Textual representation of the client IP.
332 .It Ev REQUEST_METHOD
333 This is present only for RFC3875 (CGI) compliance.
334 It's always set to the empty string.
338 that identifies the current CGI script.
340 The name of the server
342 The port the server is listening on.
343 .It Ev SERVER_PROTOCOL
345 .It Ev SERVER_SOFTWARE
346 The name and version of the server, i.e.
349 The string "Certificate" if the client used a certificate, otherwise
352 The subject of the client certificate if provided, otherwise unset.
353 .It Ev TLS_CLIENT_ISSUER
354 The is the issuer of the client certificate if provided, otherwise
356 .It Ev TLS_CLIENT_HASH
357 The hash of the client certificate if provided, otherwise unset.
361 The TLS version negotiated with the peer.
363 The cipher suite negotiated with the peer.
364 .It Ev TLS_CIPHER_STRENGTH
365 The strength in bits for the symmetric cipher that is being used with
367 .It Ev TLS_CLIENT_NOT_AFTER
368 The time corresponding to the end of the validity period of the peer
369 certificate in the ISO 8601 format
370 .Pq e.g. Dq 2021-02-07T20:17:41Z .
371 .It Ev TLS_CLIENT_NOT_BEFORE
372 The time corresponding to the start of the validity period of the peer
373 certificate in the ISO 8601 format.
377 To auto-detect the MIME type of the response
379 looks at the file extension and consults its internal table.
380 By default the following mappings are loaded, but they can be
381 overridden or extended using the
383 configuration option.
384 If no MIME is found, the value of
388 will be used, which is
389 .Dq application/octet-stream
392 .Bl -tag -offset indent -width 14m -compact
419 Serve the current directory
420 .Bd -literal -offset indent
424 To serve the directory
426 and enable CGI scripts inside
429 .Bd -literal -offset indent
431 $ cat <<EOF > docs/cgi/hello
433 printf "20 text/plain\\r\\n"
436 $ chmod +x docs/cgi/hello
437 $ gmid -x '/cgi/*' docs
440 The following is an example of a possible configuration for a site
441 that enables only TLSv1.3, adds a mime type for the file extension
442 "rtf" and defines two virtual host:
443 .Bd -literal -offset indent
444 ipv6 on # enable ipv6
448 mime "application/rtf" "rtf"
450 server "example.com" {
451 cert "/path/to/cert.pem"
452 key "/path/to/key.pem"
453 root "/var/gemini/example.com"
456 server "it.example.com" {
457 cert "/path/to/cert.pem"
458 key "/path/to/key.pem"
459 root "/var/gemini/it.example.com"
465 Yet another example, showing how to enable a
470 .Bd -literal -offset indent
474 server "example.com" {
475 cert "/path/to/cert.pem"
476 key "/path/to/key.pem"
477 root "/example.com" # in the /var/gemini chroot
479 location "/static/*" {
488 .Dq Flexible and Economical
489 UTF-8 decoder written by
490 .An Bjoern Hoehrmann .
495 program was written by
496 .An Omar Polo Aq Mt op@omarpolo.com .
500 The root directories of all virtual hosts are opened during the daemon
501 startup; this means that if a root directory gets deleted and then
504 won't be able to serve files inside that directory until a restart.
505 This restriction applies only to the root directories and not their content.
507 a %2F sequence is indistinguishable from a literal slash: this is not
510 a %00 sequence is treated as invalid character and thus rejected.