Commit Briefs
get rid of the CGI support
I really want to get rid of the `executor' process hack for CGI scripts and its escalation to allow fastcgi and proxying to work on non-OpenBSD. This drops the CGI support and the `executor' process entirely and is the first step towards gmid 2.0. It also allows to have more secure defaults. On non-OpenBSD systems this means that the sandbox will be deactivated as soon as fastcgi or proxying are used: you can't open sockets under FreeBSD' capsicum(4) and I don't want to go thru the pain of making it work under linux' seccomp/landlock. Patches are always welcome however. For folks using CGI scripts (hey, I'm one of you!) not all hope is lost: fcgiwrap or OpenBSD' slowcgi(8) are ways to run CGI scripts as they were FastCGI applications. fixes for the documentation and to the non-OpenBSD sandboxes will follow.
allow add_mime to fail
add_mime nows allocate dinamically copies of the passed strings, so that we can actually free what we parse from the config file. This matters a lot especially with lengthy `types' block: strings that reach the internal mapping are never free'd, so every manual addition is leaked.
const-ify some tables
matches found with % grep -R '=[ ]*{' . | fgrep -v const
allow using a custom hostname for SNI during proxying
add a `sni' option for the `proxy' block: the given name is used instead of the one extracted by the `relay-to' rule.
proxy: allow multiple proxy blocks, matching options and validations
as a side effect the order of the content of a server block is relaxed: options, location or proxy blocks can be put in any order.
simplify the proxying code
it doesn't make any sense to keep the proxying info per-location: proxying only one per-vhost. It can't work differently, it doesn't make sense anyway.
add ability to proxy requests
Add to gmid the ability to forwad a request to another gemini server and thus acting like a reverse proxy. The current syntax for the config file is server "example.com" { ... proxy relay-to host:port } Further options (like the use of custom certificates) are planned. cf. github issue #7
free OCSP path when clearing the config
was forgotten in ff05125eb81e5bbf2cf05b8434d03bce584936e0
Implement OCSP stapling support
Currently dogfooding this patch at gemini.sgregoratto.me. To test, run the following command and look for the "OCSP response" header: openssl s_client -connect "gemini.sgregoratto.me:1965" -status