Blob

Date:
Message:
use `text/x-patch' for .patch and .diff files
Actions:
History | Blame | Raw File
1 .\" Copyright (c) 2021 Omar Polo <op@omarpolo.com>

2 .\"

3 .\" Permission to use, copy, modify, and distribute this software for any

4 .\" purpose with or without fee is hereby granted, provided that the above

5 .\" copyright notice and this permission notice appear in all copies.

6 .\"

7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

14 .Dd $Mdocdate: January 30 2021$

15 .Dt GMID 1

16 .Os

17 .Sh NAME

18 .Nm gmid

19 .Nd simple and secure Gemini server

20 .Sh SYNOPSIS

21 .Nm

22 .Bk -words

23 .Op Fl fnv

24 .Op Fl c Ar config

25 .Ek

26 .Nm

27 .Bk -words

28 .Op Fl 6hv

29 .Op Fl d Pa certs-dir

30 .Op Fl H Ar hostname

31 .Op Fl p Ar port

32 .Op Fl x Pa cgi

33 .Op Pa dir

34 .Ek

35 .Sh DESCRIPTION

36 .Nm

37 is a simple and minimal gemini server that can serve static files and

38 execute CGI scripts.

39 It can run without a configuration file with a limited set of features

40 available.

41 .Pp

42 .Nm

43 rereads the configuration file when it receives

44 .Dv SIGHUP .

45 .Pp

46 The options are as follows:

47 .Bl -tag -width 14m

48 .It Fl c Pa config

49 Specify the configuration file.

50 .It Fl f

51 Stays and logs on the foreground.

52 .It Fl n

53 Check that the configuration is valid, but don't start the server.

54 .El

55 .Pp

56 If no configuration file is given,

57 .Nm

58 will look for the following options

59 .Bl -tag -width 14m

60 .It Fl 6

61 Enable IPv6.

62 .It Fl d Pa certs-path

63 Directory where certificates for the config-less mode are stored.

64 By default is

65 .Pa $XDG_DATA_HOME/gmid ,

66 i.e.

67 .Pa ~/.local/share/gmid .

68 .It Fl H Ar hostname

69 The hostname, by default

70 .Ar localhost .

71 Certificates for the given

72 .Ar hostname

73 are searched inside the

74 .Pa certs-dir

75 directory given with the

76 .Fl d

77 option.

78 They have the form

79 .Pa hostname.cert.pem

80 and

81 .Pa hostname.key.pem .

82 If a certificate or key don't exists for a given hostname they

83 will be automatically generated.

84 .It Fl h

85 Print the usage and exit.

86 .It Fl p Ar port

87 The port to listen on, by default 1965.

88 .It Fl v

89 Verbose mode.

90 Multiple

91 .Fl v

92 options increase the verbosity.

93 .It Fl x Pa path

94 Enable execution of CGI scripts.

95 See the description of the

96 .Ic cgi

97 option in the section

98 .Sq Servers

99 below to learn how

100 .Pa path

101 is processed.

102 Cannot be provided more than once.

103 .It Pa dir

104 The root directory to serve.

105 By default the current working directory is assumed.

106 .El

107 .Sh CONFIGURATION FILE

108 The configuration file is divided into two sections:

109 .Bl -tag -width xxxx

110 .It Sy Global Options

111 Global settings for

112 .Nm .

113 .It Sy Servers

114 Virtual hosts definition.

115 .El

116 .Pp

117 Within the sections, empty lines are ignored and comments can be put

118 anywhere in the file using a hash mark

119 .Pq Sq # ,

120 and extend to the end of the current line.

121 A boolean is either the symbol

122 .Sq on

123 or

124 .Sq off .

125 A string is a sequence of characters wrapped in double quotes,

126 .Dq like this .

127 .Ss Global Options

128 .Bl -tag -width 12m

129 .It Ic chroot Pa path

130 .Xr chroot 2

131 the process to the given

132 .Pa path .

133 The daemon has to be run with root privileges and thus the option

134 .Ic user

135 needs to be provided, so privileges can be dropped.

136 Note that

137 .Nm

138 will enter the chroot after loading the TLS keys, but before opening

139 the virtual host root directories.

140 It's recommended to keep the TLS keys outside the chroot.

141 Future version of

142 .Nm

143 may enforce this.

144 .It Ic ipv6 Ar bool

145 Enable or disable IPv6 support.

146 By default is off.

147 .It Ic mime Ar mime-type Ar file-extension

148 Add a mapping for the given

149 .Ar file-extension

150 to the given

151 .Ar mime-type .

152 Both argument are strings.

153 .It Ic port Ar portno

154 The port to listen on.

155 By default is 1965.

156 .It Ic prefork Ar number

157 Run the specified number of server processes.

158 This increases the performance and prevents delays when connecting to

159 a server.

160 .Nm

161 runs 3 server processes by default, when not in config-less mode.

162 The maximum number allowed is 16.

163 .It Ic protocols Ar string

164 Specify the TLS protocols to enable.

165 Refer to

166 .Xr tls_config_parse_protocols 3

167 for the valid protocol string values.

168 By default, both TLSv1.3 and TLSv1.2 are enabled.

169 Use

170 .Dq tlsv1.3

171 to enable only TLSv1.3.

172 .It Ic user Ar string

173 Run the daemon as the given user.

174 .El

175 .Ss Servers

176 Every virtual host is defined by a

177 .Ic server

178 block:

179 .Bl -tag -width Ds

180 .It Ic server Ar hostname Brq ...

181 Match the server name using shell globbing rules.

182 This can be an explicit name,

183 .Ar www.example.com ,

184 or a name including a wildcards,

185 .Ar *.example.com .

186 .El

187 .Pp

188 Followed by a block of options that is enclosed in curly brackets:

189 .Bl -tag -width Ds

190 .It Ic auto Ic index Ar bool

191 If no index file is found, automatically generate a directory listing.

192 It's disabled by default.

193 .It Ic block Op Ic return Ar code Op Ar meta

194 Send a reply and close the connection;

195 .Ar code

196 is 40

197 and

198 .Ar meta

199 is

200 .Dq temporary failure

201 by default.

202 If

203 .Ar code

204 is in the 3x range, then

205 .Ar meta

206 must be provided.

207 Inside

208 .Ar meta ,

209 the following special sequences are replaced:

210 .Bl -tag -compact

211 .It \&%\&%

212 is replaced with a single

213 .Sq \&% .

214 .It \&%p

215 is replaced with the request path.

216 .It \&%q

217 is replaced with the query string of the request.

218 .It \&%P

219 is replaced with the server port.

220 .It \&%N

221 is replaced with the server name.

222 .El

223 .It Ic cert Pa file

224 Path to the certificate to use for this server.

225 The

226 .Pa file

227 should contain a PEM encoded certificate.

228 This option is mandatory.

229 .It Ic cgi Pa path

230 Execute CGI scripts that matches

231 .Pa path

232 using shell globbing rules.

233 .It Ic default type Ar string

234 Set the default media type that is used if the media type for a

235 specified extension is not found.

236 If not specified, the

237 .Ic default type

238 is set to

239 .Dq application/octet-stream .

240 .It Ic entrypoint Pa path

241 Handle all the requests for the current virtual host using the

242 CGI script at

243 .Pa path .

244 .It Ic index Ar string

245 Set the directory index file.

246 If not specified, it defaults to

247 .Pa index.gmi .

248 .It Ic key Pa file

249 Specify the private key to use for this server.

250 The

251 .Pa file

252 should contain a PEM encoded private key.

253 This option is mandatory.

254 .It Ic lang Ar string

255 Specify the language tag for the text/gemini content served.

256 If not specified, no

257 .Dq lang

258 parameter will be added in the response.

259 .It Ic location Pa path Brq ...

260 Specify server configuration rules for a specific location.

261 The

262 .Pa path

263 argument will be matched against the request path with shell globbing

264 rules.

265 In case of multiple location statements in the same context, the first

266 matching location will be put into effect and the later ones ignored.

267 Therefore is advisable to match for more specific paths first and for

268 generic ones later on.

270 .Ic location

271 section may include most of the server configuration rules

272 except

273 .Ic cert , Ic key , Ic root , Ic location ,

274 .Ic entrypoint No and Ic cgi .

275 .It Ic root Pa directory

276 Specify the root directory for this server.

277 This option is mandatory.

278 It's relative to the chroot, if enabled.

279 .It Ic require Ic client Ic ca Pa path

280 Allow requests only from clients that provide a certificate signed by

281 the CA certificate in

282 .Pa path .

283 It needs to be a PEM-encoded certificate and it's not relative to the

284 chroot.

285 .It Ic strip Ar number

286 Strip

287 .Ar number

288 components from the beginning of the path.

289 It's only considered for the

290 .Ar meta

291 parameter in the scope of a

292 .Ic block return .

293 .El

294 .Sh CGI

295 When a request for an executable file matches the

296 .Ic cgi

297 rule, that file will be execute and its output fed to the client.

298 .Pp

299 The CGI scripts are executed in the directory they reside and inherit

300 the environment from

301 .Nm

302 with these additional variables set:

303 .Bl -tag -width 24m

304 .It Ev GATEWAY_INTERFACE

305 .Dq CGI/1.1

306 .It Ev GEMINI_DOCUMENT_ROOT

307 The root directory of the virtual host.

308 .It Ev GEMINI_SCRIPT_FILENAME

309 Full path to the CGI script being executed.

310 .It Ev GEMINI_URL

311 The full IRI of the request.

312 .It Ev GEMINI_URL_PATH

313 The path of the request.

314 .It Ev PATH_INFO

315 The portion of the requested path that is derived from the the IRI

316 path hierarchy following the part that identifies the script itself.

317 Can be unset.

318 .It Ev PATH_TRANSLATED

319 Present if and only if

320 .Ev PATH_INFO

321 is set.

322 It represent the translation of the

323 .Ev PATH_INFO .

324 .Nm

325 builds this by appending the

326 .Ev PATH_INFO

327 to the virtual host directory root.

328 .It Ev QUERY_STRING

329 The decoded query string.

330 .It Ev REMOTE_ADDR , Ev REMOTE_HOST

331 Textual representation of the client IP.

332 .It Ev REQUEST_METHOD

333 This is present only for RFC3875 (CGI) compliance.

334 It's always set to the empty string.

335 .It Ev SCRIPT_NAME

336 The part of the

337 .Ev GEMINI_URL_PATH

338 that identifies the current CGI script.

339 .It Ev SERVER_NAME

340 The name of the server

341 .It Ev SERVER_PORT

342 The port the server is listening on.

343 .It Ev SERVER_PROTOCOL

344 .Dq GEMINI

345 .It Ev SERVER_SOFTWARE

346 The name and version of the server, i.e.

347 .Dq gmid/1.5

348 .It Ev AUTH_TYPE

349 The string "Certificate" if the client used a certificate, otherwise

350 unset.

351 .It Ev REMOTE_USER

352 The subject of the client certificate if provided, otherwise unset.

353 .It Ev TLS_CLIENT_ISSUER

354 The is the issuer of the client certificate if provided, otherwise

355 unset.

356 .It Ev TLS_CLIENT_HASH

357 The hash of the client certificate if provided, otherwise unset.

358 The format is

359 .Dq ALGO:HASH .

360 .It Ev TLS_VERSION

361 The TLS version negotiated with the peer.

362 .It Ev TLS_CIPHER

363 The cipher suite negotiated with the peer.

364 .It Ev TLS_CIPHER_STRENGTH

365 The strength in bits for the symmetric cipher that is being used with

366 the peer.

367 .It Ev TLS_CLIENT_NOT_AFTER

368 The time corresponding to the end of the validity period of the peer

369 certificate in the ISO 8601 format

370 .Pq e.g. Dq 2021-02-07T20:17:41Z .

371 .It Ev TLS_CLIENT_NOT_BEFORE

372 The time corresponding to the start of the validity period of the peer

373 certificate in the ISO 8601 format.

374 .El

375 .Pp

376 .Sh MIME

377 To auto-detect the MIME type of the response

378 .Nm

379 looks at the file extension and consults its internal table.

380 By default the following mappings are loaded, but they can be

381 overridden or extended using the

382 .Ic mime

383 configuration option.

384 If no MIME is found, the value of

385 .Ic default type

386 matching the file

387 .Ic location

388 will be used, which is

389 .Dq application/octet-stream

390 by default.

391 .Pp

392 .Bl -tag -offset indent -width 14m -compact

393 .It diff

394 text/x-patch

395 .It gemini, gmi

396 text/gemini

397 .It gif

398 image/gif

399 .It jpeg

400 image/jpeg

401 .It jpg

402 image/jpeg

403 .It markdown, md

404 text/markdown

405 .It patch

406 text/x-patch

407 .It pdf

408 application/pdf

409 .It png

410 image/png

411 .It svg

412 image/svg+xml

413 .It txt

414 text/plain

415 .It xml

416 text/xml

417 .El

418 .Sh EXAMPLES

419 Serve the current directory

420 .Bd -literal -offset indent

421 $ gmid .

422 .Ed

423 .Pp

424 To serve the directory

425 .Pa docs

426 and enable CGI scripts inside

427 .Pa docs/cgi ,

428 you can

429 .Bd -literal -offset indent

430 $ mkdir docs/cgi

431 $ cat <<EOF > docs/cgi/hello

432 #!/bin/sh

433 printf "20 text/plain\\r\\n"

434 echo "hello world"

435 EOF

436 $ chmod +x docs/cgi/hello

437 $ gmid -x '/cgi/*' docs

438 .Ed

439 .Pp

440 The following is an example of a possible configuration for a site

441 that enables only TLSv1.3, adds a mime type for the file extension

442 "rtf" and defines two virtual host:

443 .Bd -literal -offset indent

444 ipv6 on		# enable ipv6

446 protocols "tlsv1.3"

448 mime "application/rtf" "rtf"

450 server "example.com" {

451 	cert "/path/to/cert.pem"

452 	key  "/path/to/key.pem"

453 	root "/var/gemini/example.com"

456 server "it.example.com" {

457 	cert "/path/to/cert.pem"

458 	key  "/path/to/key.pem"

459 	root "/var/gemini/it.example.com"

460 	cgi  "/cgi-bin/*"

461 	lang "it"

463 .Ed

464 .Pp

465 Yet another example, showing how to enable a

466 .Ic chroot

467 and use

468 .Ic location

469 rule

470 .Bd -literal -offset indent

471 chroot "/var/gemini"

472 user "_gmid"

474 server "example.com" {

475 	cert "/path/to/cert.pem"

476 	key  "/path/to/key.pem"

477 	root "/example.com" # in the /var/gemini chroot

479 	location "/static/*" {

480 		auto index on

481 		index "index.gemini"

484 .Ed

485 .Sh ACKNOWLEDGEMENTS

486 .Nm

487 uses the

488 .Dq Flexible and Economical

489 UTF-8 decoder written by

490 .An Bjoern Hoehrmann .

491 .Sh AUTHORS

492 .An -nosplit

493 The

494 .Nm

495 program was written by

496 .An Omar Polo Aq Mt op@omarpolo.com .

497 .Sh CAVEATS

498 .Bl -bullet

499 .It

500 The root directories of all virtual hosts are opened during the daemon

501 startup; this means that if a root directory gets deleted and then

502 re-created,

503 .Nm

504 won't be able to serve files inside that directory until a restart.

505 This restriction applies only to the root directories and not their content.

506 .It

507 a %2F sequence is indistinguishable from a literal slash: this is not

508 RFC3986-compliant.

509 .It

510 a %00 sequence is treated as invalid character and thus rejected.

511 .El