1 .\" Copyright (c) 2021, 2022 Omar Polo <op@omarpolo.com>
2 .\"
3 .\" Permission to use, copy, modify, and distribute this software for any
4 .\" purpose with or without fee is hereby granted, provided that the above
5 .\" copyright notice and this permission notice appear in all copies.
6 .\"
7 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 .Dd $Mdocdate: January 30 2022$
15 .Dt GMID 1
16 .Os
17 .Sh NAME
18 .Nm gmid
19 .Nd simple and secure Gemini server
20 .Sh SYNOPSIS
21 .Nm
22 .Bk -words
23 .Op Fl fnv
24 .Op Fl c Ar config
25 .Op Fl D Ar macro Ns = Ns Ar value
26 .Op Fl P Ar pidfile
27 .Ek
28 .Nm
29 .Bk -words
30 .Op Fl 6hVv
31 .Op Fl d Ar certs-dir
32 .Op Fl H Ar hostname
33 .Op Fl p Ar port
34 .Op Fl x Ar cgi
35 .Op Ar dir
36 .Ek
37 .Sh DESCRIPTION
38 .Nm
39 is a simple and minimal gemini server that can serve static files,
40 execute CGI scripts and talk to FastCGI applications.
41 It can run without a configuration file with a limited set of features
42 available.
43 .Pp
44 .Nm
45 rereads the configuration file when it receives
46 .Dv SIGHUP .
47 .Pp
48 The options are as follows:
49 .Bl -tag -width 14m
50 .It Fl c Ar config
51 Specify the configuration file.
52 .It Fl D Ar macro Ns = Ns Ar value
53 Define
54 .Ar macro
55 to be set to
56 .Ar value
57 on the command line.
58 Overrides the definition of
59 .Ar macro
60 in the config file if present.
61 .It Fl f
62 Stays and logs on the foreground.
63 .It Fl n
64 Check that the configuration is valid, but don't start the server.
65 If specified two or more time, dump the configuration in addition to
66 verify it.
67 .It Fl P Ar pidfile
68 Write daemon's pid to the given location.
69 .Ar pidfile
70 will also act as lock: if another process is holding a lock on that
71 file,
72 .Nm
73 will refuse to start.
74 .El
75 .Pp
76 If no configuration file is given,
77 .Nm
78 runs in
79 .Dq config-less mode
80 .Pq i.e. runs in the foreground to serve a directory from the shell
81 and looks for the following options
82 .Bl -tag -width 14m
83 .It Fl 6
84 Enable IPv6.
85 .It Fl d Ar certs-path
86 Directory where certificates for the config-less mode are stored.
87 By default it is
88 .Pa $XDG_DATA_HOME/gmid ,
89 i.e.
90 .Pa ~/.local/share/gmid .
91 .It Fl H Ar hostname
92 The hostname
93 .Po
94 .Ar localhost
95 by default
96 .Pc .
97 Certificates for the given
98 .Ar hostname
99 are searched inside the
100 .Ar certs-dir
101 directory given with the
102 .Fl d
103 option.
104 They have the form
105 .Pa hostname.cert.pem
106 and
107 .Pa hostname.key.pem .
108 If a certificate or a key doesn't exist for a given hostname, they
109 will be generated automatically.
110 .It Fl h , Fl -help
111 Print the usage and exit.
112 .It Fl p Ar port
113 The port to listen on, by default 1965.
114 .It Fl V , Fl -version
115 Print the version and exit.
116 .It Fl v
117 Verbose mode.
118 Multiple
119 .Fl v
120 options increase the verbosity.
121 .It Fl x Ar path
122 Enable execution of
123 .Sx CGI
124 scripts.
125 See the description of the
126 .Ic cgi
127 option in the
128 .Sq Servers
129 section below to learn how
130 .Ar path
131 is processed.
132 Cannot be provided more than once.
133 .It Ar dir
134 The root directory to serve.
135 By default the current working directory is assumed.
136 .El
137 .Sh CONFIGURATION FILE
138 The configuration file is divided into three sections:
139 .Bl -tag -width xxxx
140 .It Sy Macros
141 User-defined variables may be defined and used later, simplifying the
142 configuration file.
143 .It Sy Global Options
144 Global settings for
145 .Nm .
146 .It Sy Servers
147 Virtual hosts definition.
148 .It Sy Types
149 Media types and extensions.
150 .El
151 .Pp
152 Within the sections, empty lines are ignored and comments can be put
153 anywhere in the file using a hash mark
154 .Pq Sq # ,
155 and extend to the end of the current line.
156 A boolean is either the symbol
157 .Sq on
158 or
159 .Sq off .
160 A string is a sequence of characters wrapped in double quotes,
161 .Dq like this .
162 Multiple strings one next to the other are joined into a single
163 string:
164 .Bd -literal -offset indent
165 # equivalent to "temporary-failure"
166 block return 40 "temporary" "-" "failure"
167 .Ed
168 .Pp
169 Furthermore, quoting is necessary only when a string needs to contain
170 special characters
171 .Pq like spaces or punctuation ,
172 something that looks like a number or a reserved keyword.
173 The last example could have been written also as:
174 .Bd -literal -offset indent
175 block return 40 temporary "-" failure
176 .Ed
177 .Pp
178 Strict ordering of the sections is not enforced, so that is possible
179 to mix macros, options and
180 .Ic server
181 blocks.
182 However, defining all the
183 .Ic server
184 blocks after the macros and the global options is recommended.
185 .Pp
186 Newlines are often optional, except around top-level instructions, and
187 semicolons
188 .Dq \&;
189 can also be optionally used to separate options.
190 .Pp
191 Additional configuration files can be included with the
192 .Ic include
193 keyword, for example:
194 .Bd -literal -offset indent
195 include "/etc/gmid.conf.local"
196 .Ed
197 .Ss Macros
198 Macros can be defined that will later be expanded in context.
199 Macro names must start with a letter, digit or underscore and may
200 contain any of those characters.
201 Macros names may not be reserved words.
202 Macros are not expanded inside quotes.
203 .Pp
204 Two kinds of macros are supported: variable-like and proper macros.
205 When a macro is invoked with a
206 .Dq $
207 before its name its expanded as a string, whereas when it's invoked
208 with a
209 .Dq @
210 its expanded in-place.
211 .Pp
212 For example:
213 .Bd -literal -offset indent
214 dir = "/var/gemini"
215 certdir = "/etc/keys"
216 common = "lang it; auto index on"
217 
218 server "foo" {
219 	root $dir "/foo"         # -> /var/gemini/foo
220 	cert $certdir "/foo.crt" # -> /etc/keys/foo.crt
221 	key  $certdir "/foo.pem" # -> /etc/keys/foo.pem
222 	@common
223 }
224 .Ed
225 .Ss Global Options
226 .Bl -tag -width 12m
227 .It Ic chroot Ar path
228 .Xr chroot 2
229 the process to the given
230 .Ar path .
231 The daemon has to be run with root privileges and thus the option
232 .Ic user
233 needs to be provided, so privileges can be dropped.
234 Note that
235 .Nm
236 will enter the chroot after loading the TLS keys, but before opening
237 the virtual host root directories.
238 It's recommended to keep the TLS keys outside the chroot.
239 Future version of
240 .Nm
241 may enforce this.
242 .It Ic ipv6 Ar bool
243 Enable or disable IPv6 support, off by default.
244 .It Ic map Ar mime-type Cm to-ext Ar file-extension
245 Map
246 .Ar mime-type
247 to the given
248 .Ar file-extension .
249 Both argument are strings.
250 .It Ic port Ar portno
251 The port to listen on.
252 1965 by default.
253 .It Ic prefork Ar number
254 Run the specified number of server processes.
255 This increases the performance and prevents delays when connecting to
256 a server.
257 When not in config-less mode,
258 .Nm
259 runs 3 server processes by default.
260 The maximum number allowed is 16.
261 .It Ic protocols Ar string
262 Specify the TLS protocols to enable.
263 Refer to
264 .Xr tls_config_parse_protocols 3
265 for the valid protocol string values.
266 By default, both TLSv1.3 and TLSv1.2 are enabled.
267 Use
268 .Dq tlsv1.3
269 to enable only TLSv1.3.
270 .It Ic user Ar string
271 Run the daemon as the given user.
272 .El
273 .Ss Servers
274 Every virtual host is defined by a
275 .Ic server
276 block:
277 .Bl -tag -width Ds
278 .It Ic server Ar hostname Brq ...
279 Match the server name using shell globbing rules.
280 It can be an explicit name,
281 .Ar www.example.com ,
282 or a name including a wildcards,
283 .Ar *.example.com .
284 .El
285 .Pp
286 Followed by a block of options that is enclosed in curly brackets:
287 .Bl -tag -width Ds
288 .It Ic alias Ar name
289 Specify an additional alias
290 .Ar name
291 for this server.
292 .It Ic auto Ic index Ar bool
293 If no index file is found, automatically generate a directory listing.
294 Disabled by default.
295 .It Ic block Op Ic return Ar code Op Ar meta
296 Send a reply and close the connection;
297 by default
298 .Ar code
299 is 40
300 and
301 .Ar meta
302 is
303 .Dq temporary failure .
304 If
305 .Ar code
306 is in the 3x range, then
307 .Ar meta
308 is mandatory.
309 Inside
310 .Ar meta ,
311 the following special sequences are supported:
312 .Bl -tag -width Ds -compact
313 .It \&%\&%
314 is replaced with a single
315 .Sq \&% .
316 .It \&%p
317 is replaced with the request path.
318 .It \&%q
319 is replaced with the query string of the request.
320 .It \&%P
321 is replaced with the server port.
322 .It \&%N
323 is replaced with the server name.
324 .El
325 .It Ic cert Ar file
326 Path to the certificate to use for this server.
327 .Ar file
328 should contain a PEM encoded certificate.
329 This option is mandatory.
330 .It Ic cgi Ar path
331 Execute
332 .Sx CGI
333 scripts that matches
334 .Ar path
335 using shell globbing rules.
336 .It Ic default type Ar string
337 Set the default media type that is used if the media type for a
338 specified extension is not found.
339 If not specified, the
340 .Ic default type
341 is set to
342 .Dq application/octet-stream .
343 .It Ic entrypoint Ar path
344 Handle all the requests for the current virtual host using the
345 .Sx CGI
346 script at
347 .Ar path ,
348 relative to the current document root.
349 .It Ic env Ar name Cm = Ar value
350 Set the environment variable
351 .Ar name
352 to
353 .Ar value
354 when executing CGI scripts.
355 Can be provided more than once.
356 .\" don't document the "spawn <prog>" form because it probably won't
357 .\" be kept.
358 .It Ic fastcgi Oo Ic tcp Oc Ar socket Oo Cm port Ar port Oc
359 Enable
360 .Sx FastCGI
361 instead of serving files.
362 The
363 .Ar socket
364 can either be a UNIX-domain socket or a TCP socket.
365 If the FastCGI application is listening on a UNIX domain socket,
366 .Ar socket
367 is a local path name within the
368 .Xr chroot 2
369 root directory of
370 .Nm .
371 Otherwise, the
372 .Ic tcp
373 keyword must be provided and
374 .Ar socket
375 is interpreted as a hostname or an IP address.
376 .Ar port
377 can be either a port number or the name of a service enclosed in
378 double quotes.
379 If not specified defaults to 9000.
380 .It Ic index Ar string
381 Set the directory index file.
382 If not specified, it defaults to
383 .Pa index.gmi .
384 .It Ic key Ar file
385 Specify the private key to use for this server.
386 .Ar file
387 should contain a PEM encoded private key.
388 This option is mandatory.
389 .It Ic lang Ar string
390 Specify the language tag for the text/gemini content served.
391 If not specified, no
392 .Dq lang
393 parameter will be added in the response.
394 .It Ic location Ar path Brq ...
395 Specify server configuration rules for a specific location.
396 .Ar path
397 argument will be matched against the request path with shell globbing
398 rules.
399 In case of multiple location statements in the same context, the first
400 matching location will be put into effect and the later ones ignored.
401 Therefore is advisable to match for more specific paths first and for
402 generic ones later on.
403 A
404 .Ic location
405 section may include most of the server configuration rules
406 except
407 .Ic alias , Ic cert , Ic cgi , Ic entrypoint , Ic env , Ic key ,
408 .Ic location , Ic param No and Ic proxy .
409 .It Ic log Ar bool
410 Enable or disable the logging for the current server or location block.
411 .It Ic param Ar name Cm = Ar value
412 Set the param
413 .Ar name
414 to
415 .Ar value
416 for FastCGI.
417 .It Ic ocsp Ar file
418 Specify an OCSP response to be stapled during TLS handshakes
419 with this server.
420 The
421 .Ar file
422 should contain a DER-format OCSP response retrieved from an
423 OCSP server for the
424 .Ic cert
425 in use.
426 If the OCSP response in
427 .Ar file
428 is empty, OCSP stapling will not be used.
429 The default is to not use OCSP stapling.
430 .It Ic proxy Oo Cm proto Ar name Oc Oo Cm for-host Ar host : Ns Oo Ar port Oc Oc Brq ...
431 Set up a reverse proxy.
432 The optional matching rules
433 .Cm proto
434 and
435 .Cm for-host
436 can be used to enable proxying only for protocols matching
437 .Ar name
438 .Po Dq gemini
439 by default
440 .Pc
441 and/or whose request IRI matches
442 .Ar host
443 and
444 .Ar port
445 .Pq 1965 by default .
446 Matching happens using shell globbing rules.
447 .Pp
448 In case of multiple matching proxy blocks in the same context, the
449 first matching proxy will be put into effect and the later ones
450 ignored.
451 .Pp
452 Valid options are:
453 .Bl -tag -width Ds
454 .It Ic cert Ar file
455 Specify the client certificate to use when making requests.
456 .It Ic key Ar file
457 Specify the client certificate key to use when making requests.
458 .It Ic protocols Ar string
459 Specify the TLS protocols allowed when making remote requests.
460 Refer to the
461 .Xr tls_config_parse_protocols 3
462 function for the valid protocol string values.
463 By default, both TLSv1.2 and TLSv1.3 are enabled.
464 .It Ic relay-to Ar host : Ns Op Ar port
465 Relay the request to the given
466 .Ar host
467 at the given
468 .Ar port ,
469 1965 by default.
470 This is the only mandatory option in a
471 .Ic proxy
472 block.
473 .It Ic require Ic client Ic ca Ar file
474 Allow the proxying only from clients that provide a certificate
475 signed by the CA certificate in
476 .Ar file .
477 .It Ic sni Ar hostname
478 Use the given
479 .Ar hostname
480 instead of the one extracted from the
481 .Ic relay-to
482 rule for the TLS handshake with the proxied gemini server.
483 .It Ic use-tls Ar bool
484 Specify whether to use TLS when connecting to the proxied host.
485 Enabled by default.
486 .It Ic verifyname Ar bool
487 Enable or disable the TLS server name verification.
488 Enabled by default.
489 .El
490 .It Ic root Ar directory
491 Specify the root directory for this server
492 .Pq alas the current Dq document root .
493 It's relative to the chroot if enabled.
494 .It Ic require Ic client Ic ca Ar path
495 Allow requests only from clients that provide a certificate signed by
496 the CA certificate in
497 .Ar path .
498 It needs to be a PEM-encoded certificate and it's not relative to the
499 chroot.
500 .It Ic strip Ar number
501 Strip
502 .Ar number
503 components from the beginning of the path before doing a lookup in the
504 root directory.
505 It's also considered for the
506 .Ar meta
507 parameter in the scope of a
508 .Ic block return .
509 .El
510 .Ss Types
511 The
512 .Ic types
513 section must include one or more lines of the following syntax, enclosed
514 in curly brances:
515 .Bl -tag -width Ds
516 .It Ar type/subtype Ar name Op Ar name ...
517 Set the media
518 .Ar type
519 and
520 .Ar subtype
521 to the specified extension
522 .Ar name .
523 One or more names can be specified per line.
524 Earch line may end with an optional semicolon.
525 .It Ic include Ar file
526 Include types definition from an external file, for example
527 .Pa /usr/share/misc/mime.types .
528 .El
529 .Sh CGI
530 When a request for an executable file matches the
531 .Ic cgi
532 rule, that file will be executed and its output fed to the client.
533 .Pp
534 The CGI scripts are executed in the directory they reside and inherit
535 the environment from
536 .Nm
537 with these additional variables set:
538 .Bl -tag -width 24m
539 .It Ev GATEWAY_INTERFACE
540 .Dq CGI/1.1
541 .It Ev GEMINI_DOCUMENT_ROOT
542 The root directory of the virtual host.
543 .It Ev GEMINI_SCRIPT_FILENAME
544 Full path to the CGI script being executed.
545 .It Ev GEMINI_URL
546 The full IRI of the request.
547 .It Ev GEMINI_URL_PATH
548 The path of the request.
549 .It Ev PATH_INFO
550 The portion of the requested path that is derived from the the IRI
551 path hierarchy following the part that identifies the script itself.
552 Can be unset.
553 .It Ev PATH_TRANSLATED
554 Present if and only if
555 .Ev PATH_INFO
556 is set.
557 It represent the translation of the
558 .Ev PATH_INFO .
559 .Nm
560 builds this by appending the
561 .Ev PATH_INFO
562 to the virtual host directory root.
563 .It Ev QUERY_STRING
564 The decoded query string.
565 .It Ev REMOTE_ADDR , Ev REMOTE_HOST
566 Textual representation of the client IP.
567 .It Ev REQUEST_METHOD
568 This is present only for RFC3875 (CGI) compliance.
569 It's always set to the empty string.
570 .It Ev SCRIPT_NAME
571 The part of the
572 .Ev GEMINI_URL_PATH
573 that identifies the current CGI script.
574 .It Ev SERVER_NAME
575 The name of the server
576 .It Ev SERVER_PORT
577 The port the server is listening on.
578 .It Ev SERVER_PROTOCOL
579 .Dq GEMINI
580 .It Ev SERVER_SOFTWARE
581 The name and version of the server, i.e.
582 .Dq gmid/1.8
583 .It Ev AUTH_TYPE
584 The string "Certificate" if the client used a certificate, otherwise
585 unset.
586 .It Ev REMOTE_USER
587 The subject of the client certificate if provided, otherwise unset.
588 .It Ev TLS_CLIENT_ISSUER
589 The is the issuer of the client certificate if provided, otherwise
590 unset.
591 .It Ev TLS_CLIENT_HASH
592 The hash of the client certificate if provided, otherwise unset.
593 The format is
594 .Dq ALGO:HASH .
595 .It Ev TLS_VERSION
596 The TLS version negotiated with the peer.
597 .It Ev TLS_CIPHER
598 The cipher suite negotiated with the peer.
599 .It Ev TLS_CIPHER_STRENGTH
600 The strength in bits for the symmetric cipher that is being used with
601 the peer.
602 .It Ev TLS_CLIENT_NOT_AFTER
603 The time corresponding to the end of the validity period of the peer
604 certificate in the ISO 8601 format
605 .Pq e.g. Dq 2021-02-07T20:17:41Z .
606 .It Ev TLS_CLIENT_NOT_BEFORE
607 The time corresponding to the start of the validity period of the peer
608 certificate in the ISO 8601 format.
609 .El
610 .Sh FastCGI
611 .Nm
612 optionally supports FastCGI.
613 A
614 .Ic fastcgi
615 rule must be present in a server or location block.
616 Then, all requests matching that server or location will be handled
617 via the specified FastCGI backend.
618 .Pp
619 By default the following variables
620 .Pq parameters
621 are sent, and carry the same semantics as with CGI.
622 More parameters can be added with the
623 .Ic param
624 option.
625 .Pp
626 .Bl -bullet -compact
627 .It
628 GATEWAY_INTERFACE
629 .It
630 GEMINI_URL_PATH
631 .It
632 QUERY_STRING
633 .It
634 REMOTE_ADDR
635 .It
636 REMOTE_HOST
637 .It
638 REQUEST_METHOD
639 .It
640 SERVER_NAME
641 .It
642 SERVER_PROTOCOL
643 .It
644 SERVER_SOFTWARE
645 .It
646 AUTH_TYPE
647 .It
648 REMOTE_USER
649 .It
650 TLS_CLIENT_ISSUER
651 .It
652 TLS_CLIENT_HASH
653 .It
654 TLS_VERSION
655 .It
656 TLS_CIPHER
657 .It
658 TLS_CIPHER_STRENGTH
659 .It
660 TLS_CLIENT_NOT_BEFORE
661 .It
662 TLS_CLIENT_NOT_AFTER
663 .El
664 .Sh MEDIA TYPES
665 To auto-detect the MIME type of the response
666 .Nm
667 looks at the file extension and consults an internal table.
668 If no MIME is found, the value of
669 .Ic default type
670 matching the file
671 .Ic location
672 will be used, or
673 .Dq application/octet-stream .
674 .Pp
675 By default the following mappings are loaded, but they can be
676 overridden or extended using the
677 .Ic map
678 option or the
679 .Ic type Brq ...
680 block.
681 .Pp
682 .Bl -tag -offset indent -width 14m -compact
683 .It diff
684 text/x-patch
685 .It gemini, gmi
686 text/gemini
687 .It gif
688 image/gif
689 .It jpeg
690 image/jpeg
691 .It jpg
692 image/jpeg
693 .It markdown, md
694 text/markdown
695 .It patch
696 text/x-patch
697 .It pdf
698 application/pdf
699 .It png
700 image/png
701 .It svg
702 image/svg+xml
703 .It txt
704 text/plain
705 .It xml
706 text/xml
707 .El
708 .Sh LOGGING
709 Messages and requests are logged by
710 .Xr syslog 3
711 using the
712 .Dv DAEMON
713 facility or printed on
714 .Em stderr .
715 .Pp
716 Requests are logged with the
717 .Dv NOTICE
718 severity.
719 Each request log entry has the following fields, separated by
720 whitespace:
721 .Pp
722 .Bl -bullet -compact
723 .It
724 Client IP address and the source port number, separated by a colon
725 .It
726 .Sy GET
727 keyword
728 .It
729 Request URL
730 .It
731 Response status
732 .It
733 Response meta
734 .El
735 .Sh EXAMPLES
736 Serve the current directory
737 .Bd -literal -offset indent
738 $ gmid .
739 .Ed
740 .Pp
741 To serve the directory
742 .Pa docs
743 and enable CGI scripts inside
744 .Pa docs/cgi
745 .Bd -literal -offset indent
746 $ mkdir docs/cgi
747 $ cat <<EOF > docs/cgi/hello
748 #!/bin/sh
749 printf "20 text/plain\er\en"
750 echo "hello world"
751 EOF
752 $ chmod +x docs/cgi/hello
753 $ gmid -x '/cgi/*' docs
754 .Ed
755 .Pp
756 An X.509 certificate must be provided to run
757 .Nm
758 using a configuration file.
759 First, the RSA certificate is created using a wildcard common name:
760 .Bd -literal -offset indent
761 # openssl genrsa \-out /etc/ssl/private/example.com.key 4096
762 # openssl req \-new \-x509 \e
763 	\-key /etc/ssl/private/example.com.key \e
764 	\-out /etc/ssl/example.com.crt \e
765 	\-days 36500 \-nodes \e
766 	\-subj "/CN=example.com"
767 # chmod 600 /etc/ssl/example.com.crt
768 # chmod 600 /etc/ssl/private/example.com.key
769 .Ed
770 .Pp
771 In the example above, a certificate is valid for one hundred years from
772 the date it was created, which is normal for TOFU.
773 .Pp
774 The following is an example of a possible configuration for a site
775 that enables only TLSv1.3, adds a mime type for the file extension
776 .Qq rtf
777 and defines two virtual host:
778 .Bd -literal -offset indent
779 ipv6 on		# enable ipv6
780 
781 protocols "tlsv1.3"
782 
783 map "application/rtf" to-ext "rtf"
784 
785 server "example.com" {
786 	cert "/etc/ssl/example.com.crt"
787 	key  "/etc/ssl/private/example.com.key"
788 	root "/var/gemini/example.com"
789 }
790 
791 server "it.example.com" {
792 	cert "/etc/ssl/example.com.crt"
793 	key  "/etc/ssl/private/example.com.key"
794 	root "/var/gemini/it.example.com"
795 
796 	# enable cgi scripts inside "cgi-bin"
797 	cgi  "/cgi-bin/*"
798 
799 	# set the language for text/gemini files
800 	lang "it"
801 }
802 .Ed
803 .Pp
804 Yet another example, showing how to enable a
805 .Ic chroot
806 and use
807 .Ic location
808 rule
809 .Bd -literal -offset indent
810 chroot "/var/gemini"
811 user "_gmid"
812 
813 server "example.com" {
814 	cert "/path/to/cert.pem" # absolute path
815 	key  "/path/to/key.pem"  # also absolute
816 	root "/example.com"      # relative to the chroot
817 
818 	location "/static/*" {
819 		# load the following rules only for
820 		# requests that matches "/static/*"
821 
822 		auto index on
823 		index "index.gemini"
824 	}
825 }
826 .Ed
827 .Sh ACKNOWLEDGEMENTS
828 .Nm
829 uses the
830 .Dq Flexible and Economical
831 UTF-8 decoder written by
832 .An Bjoern Hoehrmann .
833 .Sh AUTHORS
834 .An -nosplit
835 The
836 .Nm
837 program was written by
838 .An Omar Polo Aq Mt op@omarpolo.com .
839 .Sh CAVEATS
840 .Bl -bullet
841 .It
842 All the root directories are opened during the daemon startup; if a
843 root directory is deleted and then re-created,
844 .Nm
845 won't be able to serve files inside that directory until a restart.
846 This restriction only applies to the root directories and not their
847 content.
848 .It
849 a %2F sequence is indistinguishable from a literal slash: this is not
850 RFC3986-compliant.
851 .It
852 a %00 sequence is treated as invalid character and thus rejected.
853 .El