1 .\" Copyright (c) 2021, 2022 Omar Polo <op@omarpolo.com>
2 .\"
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
6 .\"
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: January 02 2022$
15 .Dt GMID 1
16 .Os
17 .Sh NAME
18 .Nm gmid
19 .Nd simple and secure Gemini server
20 .Sh SYNOPSIS
21 .Nm
22 .Bk -words
23 .Op Fl fnv
24 .Op Fl c Ar config
25 .Op Fl D Ar macro Ns = Ns Ar value
26 .Op Fl P Ar pidfile
27 .Ek
28 .Nm
29 .Bk -words
30 .Op Fl 6hVv
31 .Op Fl d Ar certs-dir
32 .Op Fl H Ar hostname
33 .Op Fl p Ar port
34 .Op Fl x Ar cgi
35 .Op Ar dir
36 .Ek
37 .Sh DESCRIPTION
38 .Nm
39 is a simple and minimal gemini server that can serve static files,
40 execute CGI scripts and talk to FastCGI applications.
41 It can run without a configuration file with a limited set of features
42 available.
43 .Pp
44 .Nm
45 rereads the configuration file when it receives
46 .Dv SIGHUP .
47 .Pp
48 The options are as follows:
49 .Bl -tag -width 14m
50 .It Fl c Ar config
51 Specify the configuration file.
52 .It Fl D Ar macro Ns = Ns Ar value
53 Define
54 .Ar macro
55 to be set to
56 .Ar value
57 on the command line.
58 Overrides the definition of
59 .Ar macro
60 in the config file if present.
61 .It Fl f
62 Stays and logs on the foreground.
63 .It Fl n
64 Check that the configuration is valid, but don't start the server.
65 If specified two or more time, dump the configuration in addition to
66 verify it.
67 .It Fl P Ar pidfile
68 Write daemon's pid to the given location.
69 .Ar pidfile
70 will also act as lock: if another process is holding a lock on that
71 file,
72 .Nm
73 will refuse to start.
74 .El
75 .Pp
76 If no configuration file is given,
77 .Nm
78 runs in
79 .Dq config-less mode
80 .Pq i.e. runs in the foreground to serve a directory from the shell
81 and looks for the following options
82 .Bl -tag -width 14m
83 .It Fl 6
84 Enable IPv6.
85 .It Fl d Ar certs-path
86 Directory where certificates for the config-less mode are stored.
87 By default it is
88 .Pa $XDG_DATA_HOME/gmid ,
89 i.e.
90 .Pa ~/.local/share/gmid .
91 .It Fl H Ar hostname
92 The hostname
93 .Po
94 .Ar localhost
95 by default
96 .Pc .
97 Certificates for the given
98 .Ar hostname
99 are searched inside the
100 .Ar certs-dir
101 directory given with the
102 .Fl d
103 option.
104 They have the form
105 .Pa hostname.cert.pem
106 and
107 .Pa hostname.key.pem .
108 If a certificate or a key doesn't exist for a given hostname, they
109 will be generated automatically.
110 .It Fl h , Fl -help
111 Print the usage and exit.
112 .It Fl p Ar port
113 The port to listen on, by default 1965.
114 .It Fl V , Fl -version
115 Print the version and exit.
116 .It Fl v
117 Verbose mode.
118 Multiple
119 .Fl v
120 options increase the verbosity.
121 .It Fl x Ar path
122 Enable execution of
123 .Sx CGI
124 scripts.
125 See the description of the
126 .Ic cgi
127 option in the
128 .Sq Servers
129 section below to learn how
130 .Ar path
131 is processed.
132 Cannot be provided more than once.
133 .It Ar dir
134 The root directory to serve.
135 By default the current working directory is assumed.
136 .El
137 .Sh CONFIGURATION FILE
138 The configuration file is divided into three sections:
139 .Bl -tag -width xxxx
140 .It Sy Macros
141 User-defined variables may be defined and used later, simplifying the
142 configuration file.
143 .It Sy Global Options
144 Global settings for
145 .Nm .
146 .It Sy Servers
147 Virtual hosts definition.
148 .El
149 .Pp
150 Within the sections, empty lines are ignored and comments can be put
151 anywhere in the file using a hash mark
152 .Pq Sq # ,
153 and extend to the end of the current line.
154 A boolean is either the symbol
155 .Sq on
156 or
157 .Sq off .
158 A string is a sequence of characters wrapped in double quotes,
159 .Dq like this .
160 Multiple strings one next to the other are joined into a single
161 string:
162 .Bd -literal -offset indent
163 # equivalent to "temporary-failure"
164 block return 40 "temporary" "-" "failure"
165 .Ed
166 .Pp
167 Furthermore, quoting is necessary only when a string needs to contain
168 special characters
169 .Pq like spaces or punctuation ,
170 something that looks like a number or a reserved keyword.
171 The last example could have been written also as:
172 .Bd -literal -offset indent
173 block return 40 temporary "-" failure
174 .Ed
175 .Pp
176 Strict ordering of the sections is not enforced, so that is possible
177 to mix macros, options and
178 .Ic server
179 blocks.
180 However, defining all the
181 .Ic server
182 blocks after the macros and the global options is recommended.
183 .Pp
184 Newlines are often optional, except around top-level instructions, and
185 semicolons
186 .Dq \&;
187 can also be optionally used to separate options.
188 .Pp
189 Additional configuration files can be included with the
190 .Ic include
191 keyword, for example:
192 .Bd -literal -offset indent
193 include "/etc/gmid.conf.local"
194 .Ed
195 .Ss Macros
196 Macros can be defined that will later be expanded in context.
197 Macro names must start with a letter, digit or underscore and may
198 contain any of those characters.
199 Macros names may not be reserved words.
200 Macros are not expanded inside quotes.
201 .Pp
202 Two kinds of macros are supported: variable-like and proper macros.
203 When a macro is invoked with a
204 .Dq $
205 before its name its expanded as a string, whereas when it's invoked
206 with a
207 .Dq @
208 its expanded in-place.
209 .Pp
210 For example:
211 .Bd -literal -offset indent
212 dir = "/var/gemini"
213 certdir = "/etc/keys"
214 common = "lang it; auto index on"
215 
216 server "foo" {
217 	root $dir "/foo"         # -> /var/gemini/foo
218 	cert $certdir "/foo.crt" # -> /etc/keys/foo.crt
219 	key  $certdir "/foo.pem" # -> /etc/keys/foo.pem
220 	@common
221 }
222 .Ed
223 .Ss Global Options
224 .Bl -tag -width 12m
225 .It Ic chroot Ar path
226 .Xr chroot 2
227 the process to the given
228 .Ar path .
229 The daemon has to be run with root privileges and thus the option
230 .Ic user
231 needs to be provided, so privileges can be dropped.
232 Note that
233 .Nm
234 will enter the chroot after loading the TLS keys, but before opening
235 the virtual host root directories.
236 It's recommended to keep the TLS keys outside the chroot.
237 Future version of
238 .Nm
239 may enforce this.
240 .It Ic ipv6 Ar bool
241 Enable or disable IPv6 support, off by default.
242 .It Ic map Ar mime-type Cm to-ext Ar file-extension
243 Map
244 .Ar mime-type
245 to the given
246 .Ar file-extension .
247 Both argument are strings.
248 .It Ic port Ar portno
249 The port to listen on.
250 1965 by default.
251 .It Ic prefork Ar number
252 Run the specified number of server processes.
253 This increases the performance and prevents delays when connecting to
254 a server.
255 When not in config-less mode,
256 .Nm
257 runs 3 server processes by default.
258 The maximum number allowed is 16.
259 .It Ic protocols Ar string
260 Specify the TLS protocols to enable.
261 Refer to
262 .Xr tls_config_parse_protocols 3
263 for the valid protocol string values.
264 By default, both TLSv1.3 and TLSv1.2 are enabled.
265 Use
266 .Dq tlsv1.3
267 to enable only TLSv1.3.
268 .It Ic user Ar string
269 Run the daemon as the given user.
270 .El
271 .Ss Servers
272 Every virtual host is defined by a
273 .Ic server
274 block:
275 .Bl -tag -width Ds
276 .It Ic server Ar hostname Brq ...
277 Match the server name using shell globbing rules.
278 It can be an explicit name,
279 .Ar www.example.com ,
280 or a name including a wildcards,
281 .Ar *.example.com .
282 .El
283 .Pp
284 Followed by a block of options that is enclosed in curly brackets:
285 .Bl -tag -width Ds
286 .It Ic alias Ar name
287 Specify an additional alias
288 .Ar name
289 for this server.
290 .It Ic auto Ic index Ar bool
291 If no index file is found, automatically generate a directory listing.
292 Disabled by default.
293 .It Ic block Op Ic return Ar code Op Ar meta
294 Send a reply and close the connection;
295 by default
296 .Ar code
297 is 40
298 and
299 .Ar meta
300 is
301 .Dq temporary failure .
302 If
303 .Ar code
304 is in the 3x range, then
305 .Ar meta
306 is mandatory.
307 Inside
308 .Ar meta ,
309 the following special sequences are supported:
310 .Bl -tag -width Ds -compact
311 .It \&%\&%
312 is replaced with a single
313 .Sq \&% .
314 .It \&%p
315 is replaced with the request path.
316 .It \&%q
317 is replaced with the query string of the request.
318 .It \&%P
319 is replaced with the server port.
320 .It \&%N
321 is replaced with the server name.
322 .El
323 .It Ic cert Ar file
324 Path to the certificate to use for this server.
325 .Ar file
326 should contain a PEM encoded certificate.
327 This option is mandatory.
328 .It Ic cgi Ar path
329 Execute
330 .Sx CGI
331 scripts that matches
332 .Ar path
333 using shell globbing rules.
334 .It Ic default type Ar string
335 Set the default media type that is used if the media type for a
336 specified extension is not found.
337 If not specified, the
338 .Ic default type
339 is set to
340 .Dq application/octet-stream .
341 .It Ic entrypoint Ar path
342 Handle all the requests for the current virtual host using the
343 .Sx CGI
344 script at
345 .Ar path ,
346 relative to the current document root.
347 .It Ic env Ar name Cm = Ar value
348 Set the environment variable
349 .Ar name
350 to
351 .Ar value
352 when executing CGI scripts.
353 Can be provided more than once.
354 .\" don't document the "spawn <prog>" form because it probably won't
355 .\" be kept.
356 .It Ic fastcgi Oo Ic tcp Oc Ar socket Oo Cm port Ar port Oc
357 Enable
358 .Sx FastCGI
359 instead of serving files.
360 The
361 .Ar socket
362 can either be a UNIX-domain socket or a TCP socket.
363 If the FastCGI application is listening on a UNIX domain socket,
364 .Ar socket
365 is a local path name within the
366 .Xr chroot 2
367 root directory of
368 .Nm .
369 Otherwise, the
370 .Ic tcp
371 keyword must be provided and
372 .Ar socket
373 is interpreted as a hostname or an IP address.
374 .Ar port
375 can be either a port number or the name of a service enclosed in
376 double quotes.
377 If not specified defaults to 9000.
378 .It Ic index Ar string
379 Set the directory index file.
380 If not specified, it defaults to
381 .Pa index.gmi .
382 .It Ic key Ar file
383 Specify the private key to use for this server.
384 .Ar file
385 should contain a PEM encoded private key.
386 This option is mandatory.
387 .It Ic lang Ar string
388 Specify the language tag for the text/gemini content served.
389 If not specified, no
390 .Dq lang
391 parameter will be added in the response.
392 .It Ic location Ar path Brq ...
393 Specify server configuration rules for a specific location.
394 .Ar path
395 argument will be matched against the request path with shell globbing
396 rules.
397 In case of multiple location statements in the same context, the first
398 matching location will be put into effect and the later ones ignored.
399 Therefore is advisable to match for more specific paths first and for
400 generic ones later on.
401 A
402 .Ic location
403 section may include most of the server configuration rules
404 except
405 .Ic alias , Ic cert , Ic cgi , Ic entrypoint , Ic env , Ic key ,
406 .Ic location , Ic param No and Ic proxy .
407 .It Ic log Ar bool
408 Enable or disable the logging for the current server or location block.
409 .It Ic param Ar name Cm = Ar value
410 Set the param
411 .Ar name
412 to
413 .Ar value
414 for FastCGI.
415 .It Ic ocsp Ar file
416 Specify an OCSP response to be stapled during TLS handshakes
417 with this server.
418 The
419 .Ar file
420 should contain a DER-format OCSP response retrieved from an
421 OCSP server for the
422 .Ic cert
423 in use.
424 If the OCSP response in
425 .Ar file
426 is empty, OCSP stapling will not be used.
427 The default is to not use OCSP stapling.
428 .It Ic proxy Oo Cm proto Ar name Oc Oo Cm for-host Ar host : Ns Oo Ar port Oc Oc Brq ...
429 Set up a reverse proxy.
430 The optional matching rules
431 .Cm proto
432 and
433 .Cm for-host
434 can be used to enable proxying only for protocols matching
435 .Ar name
436 .Po Dq gemini
437 by default
438 .Pc
439 and/or whose request IRI matches
440 .Ar host
441 and
442 .Ar port
443 .Pq 1965 by default .
444 Matching happens using shell globbing rules.
445 .Pp
446 In case of multiple matching proxy blocks in the same context, the
447 first matching proxy will be put into effect and the later ones
448 ignored.
449 .Pp
450 Valid options are:
451 .Bl -tag -width Ds
452 .It Ic cert Ar file
453 Specify the client certificate to use when making requests.
454 .It Ic key Ar file
455 Specify the client certificate key to use when making requests.
456 .It Ic protocols Ar string
457 Specify the TLS protocols allowed when making remote requests.
458 Refer to the
459 .Xr tls_config_parse_protocols 3
460 function for the valid protocol string values.
461 By default, both TLSv1.2 and TLSv1.3 are enabled.
462 .It Ic relay-to Ar host : Ns Op Ar port
463 Relay the request to the given
464 .Ar host
465 at the given
466 .Ar port ,
467 1965 by default.
468 This is the only mandatory option in a
469 .Ic proxy
470 block.
471 .It Ic require Ic client Ic ca Ar file
472 Allow the proxying only from clients that provide a certificate
473 signed by the CA certificate in
474 .Ar file .
475 .It Ic use-tls Ar bool
476 Specify whether to use TLS when connecting to the proxied host.
477 Enabled by default.
478 .It Ic verifyname Ar bool
479 Enable or disable the TLS server name verification.
480 Enabled by default.
481 .El
482 .It Ic root Ar directory
483 Specify the root directory for this server
484 .Pq alas the current Dq document root .
485 It's relative to the chroot if enabled.
486 .It Ic require Ic client Ic ca Ar path
487 Allow requests only from clients that provide a certificate signed by
488 the CA certificate in
489 .Ar path .
490 It needs to be a PEM-encoded certificate and it's not relative to the
491 chroot.
492 .It Ic strip Ar number
493 Strip
494 .Ar number
495 components from the beginning of the path before doing a lookup in the
496 root directory.
497 It's also considered for the
498 .Ar meta
499 parameter in the scope of a
500 .Ic block return .
501 .El
502 .Sh CGI
503 When a request for an executable file matches the
504 .Ic cgi
505 rule, that file will be executed and its output fed to the client.
506 .Pp
507 The CGI scripts are executed in the directory they reside and inherit
508 the environment from
509 .Nm
510 with these additional variables set:
511 .Bl -tag -width 24m
512 .It Ev GATEWAY_INTERFACE
513 .Dq CGI/1.1
514 .It Ev GEMINI_DOCUMENT_ROOT
515 The root directory of the virtual host.
516 .It Ev GEMINI_SCRIPT_FILENAME
517 Full path to the CGI script being executed.
518 .It Ev GEMINI_URL
519 The full IRI of the request.
520 .It Ev GEMINI_URL_PATH
521 The path of the request.
522 .It Ev PATH_INFO
523 The portion of the requested path that is derived from the the IRI
524 path hierarchy following the part that identifies the script itself.
525 Can be unset.
526 .It Ev PATH_TRANSLATED
527 Present if and only if
528 .Ev PATH_INFO
529 is set.
530 It represent the translation of the
531 .Ev PATH_INFO .
532 .Nm
533 builds this by appending the
534 .Ev PATH_INFO
535 to the virtual host directory root.
536 .It Ev QUERY_STRING
537 The decoded query string.
538 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
539 Textual representation of the client IP.
540 .It Ev REQUEST_METHOD
541 This is present only for RFC3875 (CGI) compliance.
542 It's always set to the empty string.
543 .It Ev SCRIPT_NAME
544 The part of the
545 .Ev GEMINI_URL_PATH
546 that identifies the current CGI script.
547 .It Ev SERVER_NAME
548 The name of the server
549 .It Ev SERVER_PORT
550 The port the server is listening on.
551 .It Ev SERVER_PROTOCOL
552 .Dq GEMINI
553 .It Ev SERVER_SOFTWARE
554 The name and version of the server, i.e.
555 .Dq gmid/1.7.3
556 .It Ev AUTH_TYPE
557 The string "Certificate" if the client used a certificate, otherwise
558 unset.
559 .It Ev REMOTE_USER
560 The subject of the client certificate if provided, otherwise unset.
561 .It Ev TLS_CLIENT_ISSUER
562 The is the issuer of the client certificate if provided, otherwise
563 unset.
564 .It Ev TLS_CLIENT_HASH
565 The hash of the client certificate if provided, otherwise unset.
566 The format is
567 .Dq ALGO:HASH .
568 .It Ev TLS_VERSION
569 The TLS version negotiated with the peer.
570 .It Ev TLS_CIPHER
571 The cipher suite negotiated with the peer.
572 .It Ev TLS_CIPHER_STRENGTH
573 The strength in bits for the symmetric cipher that is being used with
574 the peer.
575 .It Ev TLS_CLIENT_NOT_AFTER
576 The time corresponding to the end of the validity period of the peer
577 certificate in the ISO 8601 format
578 .Pq e.g. Dq 2021-02-07T20:17:41Z .
579 .It Ev TLS_CLIENT_NOT_BEFORE
580 The time corresponding to the start of the validity period of the peer
581 certificate in the ISO 8601 format.
582 .El
583 .Sh FastCGI
584 .Nm
585 optionally supports FastCGI.
586 A
587 .Ic fastcgi
588 rule must be present in a server or location block.
589 Then, all requests matching that server or location will be handled
590 via the specified FastCGI backend.
591 .Pp
592 By default the following variables
593 .Pq parameters
594 are sent, and carry the same semantics as with CGI.
595 More parameters can be added with the
596 .Ic param
597 option.
598 .Pp
599 .Bl -bullet -compact
600 .It
601 GATEWAY_INTERFACE
602 .It
603 GEMINI_URL_PATH
604 .It
605 QUERY_STRING
606 .It
607 REMOTE_ADDR
608 .It
609 REMOTE_HOST
610 .It
611 REQUEST_METHOD
612 .It
613 SERVER_NAME
614 .It
615 SERVER_PROTOCOL
616 .It
617 SERVER_SOFTWARE
618 .It
619 AUTH_TYPE
620 .It
621 REMOTE_USER
622 .It
623 TLS_CLIENT_ISSUER
624 .It
625 TLS_CLIENT_HASH
626 .It
627 TLS_VERSION
628 .It
629 TLS_CIPHER
630 .It
631 TLS_CIPHER_STRENGTH
632 .It
633 TLS_CLIENT_NOT_BEFORE
634 .It
635 TLS_CLIENT_NOT_AFTER
636 .El
637 .Sh MIME
638 To auto-detect the MIME type of the response
639 .Nm
640 looks at the file extension and consults its internal table.
641 By default the following mappings are loaded, but they can be
642 overridden or extended using the
643 .Ic map
644 configuration option.
645 If no MIME is found, the value of
646 .Ic default type
647 matching the file
648 .Ic location
649 will be used, which is
650 .Dq application/octet-stream
651 by default.
652 .Pp
653 .Bl -tag -offset indent -width 14m -compact
654 .It diff
655 text/x-patch
656 .It gemini, gmi
657 text/gemini
658 .It gif
659 image/gif
660 .It jpeg
661 image/jpeg
662 .It jpg
663 image/jpeg
664 .It markdown, md
665 text/markdown
666 .It patch
667 text/x-patch
668 .It pdf
669 application/pdf
670 .It png
671 image/png
672 .It svg
673 image/svg+xml
674 .It txt
675 text/plain
676 .It xml
677 text/xml
678 .El
679 .Sh LOGGING
680 Messages and requests are logged by
681 .Xr syslog 3
682 using the
683 .Dv DAEMON
684 facility or printed on
685 .Em stderr .
686 .Pp
687 Requests are logged with the
688 .Dv NOTICE
689 severity.
690 Each request log entry has the following fields, separated by
691 whitespace:
692 .Pp
693 .Bl -bullet -compact
694 .It
695 Client IP address and the source port number, separated by a colon
696 .It
697 .Sy GET
698 keyword
699 .It
700 Request URL
701 .It
702 Response status
703 .It
704 Response meta
705 .El
706 .Sh EXAMPLES
707 Serve the current directory
708 .Bd -literal -offset indent
709 $ gmid .
710 .Ed
711 .Pp
712 To serve the directory
713 .Pa docs
714 and enable CGI scripts inside
715 .Pa docs/cgi
716 .Bd -literal -offset indent
717 $ mkdir docs/cgi
718 $ cat <<EOF > docs/cgi/hello
719 #!/bin/sh
720 printf "20 text/plain\er\en"
721 echo "hello world"
722 EOF
723 $ chmod +x docs/cgi/hello
724 $ gmid -x '/cgi/*' docs
725 .Ed
726 .Pp
727 An X.509 certificate must be provided to run
728 .Nm
729 using a configuration file.
730 First, the RSA certificate is created using a wildcard common name:
731 .Bd -literal -offset indent
732 # openssl genrsa \-out /etc/ssl/private/example.com.key 4096
733 # openssl req \-new \-x509 \e
734 	\-key /etc/ssl/private/example.com.key \e
735 	\-out /etc/ssl/example.com.crt \e
736 	\-days 36500 \-nodes \e
737 	\-subj "/CN=example.com"
738 # chmod 600 /etc/ssl/example.com.crt
739 # chmod 600 /etc/ssl/private/example.com.key
740 .Ed
741 .Pp
742 In the example above, a certificate is valid for one hundred years from
743 the date it was created, which is normal for TOFU.
744 .Pp
745 The following is an example of a possible configuration for a site
746 that enables only TLSv1.3, adds a mime type for the file extension
747 .Qq rtf
748 and defines two virtual host:
749 .Bd -literal -offset indent
750 ipv6 on		# enable ipv6
751 
752 protocols "tlsv1.3"
753 
754 map "application/rtf" to-ext "rtf"
755 
756 server "example.com" {
757 	cert "/etc/ssl/example.com.crt"
758 	key  "/etc/ssl/private/example.com.key"
759 	root "/var/gemini/example.com"
760 }
761 
762 server "it.example.com" {
763 	cert "/etc/ssl/example.com.crt"
764 	key  "/etc/ssl/private/example.com.key"
765 	root "/var/gemini/it.example.com"
766 
767 	# enable cgi scripts inside "cgi-bin"
768 	cgi  "/cgi-bin/*"
769 
770 	# set the language for text/gemini files
771 	lang "it"
772 }
773 .Ed
774 .Pp
775 Yet another example, showing how to enable a
776 .Ic chroot
777 and use
778 .Ic location
779 rule
780 .Bd -literal -offset indent
781 chroot "/var/gemini"
782 user "_gmid"
783 
784 server "example.com" {
785 	cert "/path/to/cert.pem" # absolute path
786 	key  "/path/to/key.pem"  # also absolute
787 	root "/example.com"      # relative to the chroot
788 
789 	location "/static/*" {
790 		# load the following rules only for
791 		# requests that matches "/static/*"
792 
793 		auto index on
794 		index "index.gemini"
795 	}
796 }
797 .Ed
798 .Sh ACKNOWLEDGEMENTS
799 .Nm
800 uses the
801 .Dq Flexible and Economical
802 UTF-8 decoder written by
803 .An Bjoern Hoehrmann .
804 .Sh AUTHORS
805 .An -nosplit
806 The
807 .Nm
808 program was written by
809 .An Omar Polo Aq Mt op@omarpolo.com .
810 .Sh CAVEATS
811 .Bl -bullet
812 .It
813 All the root directories are opened during the daemon startup; if a
814 root directory is deleted and then re-created,
815 .Nm
816 won't be able to serve files inside that directory until a restart.
817 This restriction only applies to the root directories and not their
818 content.
819 .It
820 a %2F sequence is indistinguishable from a literal slash: this is not
821 RFC3986-compliant.
822 .It
823 a %00 sequence is treated as invalid character and thus rejected.
824 .El