commit - e58a447a28a416ee719a9e457bfc8160a9b0e771
commit + e308526cf63d7cbbabaa4bf93bae45a27fb58d4b
blob - 726b0cb77e829effb300234bca94a0b4e6b157bd
blob + 510e599ba1aa79e88dad9e8f4320fdf677f7d9af
--- gmid.1
+++ gmid.1
$ chmod +x docs/cgi/hello
$ gmid -x '/cgi/*' docs
.Ed
+.Pp
+An X.509 certificate must be provided to run
+.Nm
+using a configuration file.
+First, the RSA certificate is created using a wildcard common name:
+.Bd -literal -offset indent
+# openssl genrsa \-out /etc/ssl/private/example.com.key 4096
+# openssl req \-new \-x509 \-key /etc/ssl/private/example.com.key \e
+ \-out /etc/ssl/example.com.crt \-days 36500 \-nodes \-subj "/CN=*.com"
+# chmod 600 /etc/ssl/example.com.crt
+# chmod 600 /etc/ssl/private/example.com.key
+.Ed
+.Pp
+In the example above, a certificate is valid for one hundred years from
+the date it was created, which is normal for TOFU.
.Pp
The following is an example of a possible configuration for a site
that enables only TLSv1.3, adds a mime type for the file extension
-"rtf" and defines two virtual host:
+.Qq rtf
+and defines two virtual host:
.Bd -literal -offset indent
ipv6 on # enable ipv6
map "application/rtf" to-ext "rtf"
server "example.com" {
- cert "/path/to/cert.pem"
- key "/path/to/key.pem"
+ cert "/etc/ssl/example.com.crt"
+ key "/etc/ssl/private/example.com.key"
root "/var/gemini/example.com"
}
server "it.example.com" {
- cert "/path/to/cert.pem"
- key "/path/to/key.pem"
+ cert "/etc/ssl/example.com.crt"
+ key "/etc/ssl/private/example.com.key"
root "/var/gemini/it.example.com"
# enable cgi scripts inside "cgi-bin"