FreeBSD Manual Pages
GMID.CONF(5) File Formats Manual GMID.CONF(5) NAME gmid.conf -- gmid Gemini server configuration file DESCRIPTION gmid.conf is the configuration file format for the gmid(8) Gemini server. The configuration file is divided into the following sections: Macros User-defined variables may be defined and used later, simplify- ing the configuration file. Global Options Global settings for gmid(8). Types Media types and extensions. Servers Virtual hosts definition. Within the sections, empty lines are ignored and comments can be put anywhere in the file using a hash mark (`#') and extend to the end of the current line. A boolean is either the symbol `on' or `off'. A string is a sequence of characters wrapped in double quotes, "like this". Multiple strings one next to the other are joined into a single string: # equivalent to "temporary-failure" block return 40 "temporary" "-" "failure" Furthermore, quoting is necessary only when a string needs to contain special characters (like spaces or punctuation), something that looks like a number or a reserved keyword. The last example could have been written also as: block return 40 temporary "-" failure Strict ordering of the sections is not enforced, so that is possible to mix macros, options and server blocks. However, defining all the server blocks after the macros and the global options is recommended. Newlines are often optional, except around top-level instructions, and semicolons ";" can also be optionally used to separate options. Additional configuration files can be included with the include key- word, for example: include "/etc/gmid.conf.local" Macros Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit or underscore and may contain any of those characters. Macros names may not be reserved words. Macros are not expanded inside quotes. Two kinds of macros are supported: variable-like and proper macros. When a macro is invoked with a "$" before its name its expanded as a string, whereas when it's invoked with a "@" its expanded in-place. For example: ext_ip = "10.0.0.1" dir = "/var/gemini" certdir = "/etc/keys" common = "lang it; auto index on" server "foo" { listen on $ext_ip root $dir "/foo" # "/var/gemini/foo" cert $certdir "/foo.pem" # "/etc/keys/foo.pem" key $certdir "/foo.key" # "/etc/keys/foo.key" @common } Global Options chroot path chroot(2) the process to the given path. The daemon has to be run with root privileges and thus the option user needs to be provided too, so privileges can be dropped afterwards. All the paths in the configuration file are relative to the chroot directory, except for the cert, key and ocsp paths. Defaults to the user home directory, if provided. log options Specify logging options. Multiple options may be pro- vided within curly braces. The available options are as follows: access file Log the requests to file. The path is relative to the chroot. style style Set the logging style, defaults to legacy. The style can be one of: common Attempt to be compatible with the default Apache httpd log format. Each line is formatted as follows: the matching host name, the remote IP address, one dash `-', Common Name of the client certifi- cate (if provided, '-' otherwise), the timestamp of the request, the request URI wrapped in double quotes, the response code and the size of the response. combined Attempt to be compatible with the default nginx log format. Each line is formatted as follows: the remote IP address, one dash `-', Common Name of the client cer- tificate (if provided, '-' otherwise), the timestamp wrapped in square brackets, the request URI wrapped in double quotes, the response code, the size of the re- sponse, a dash wrapped in double quotes and "". The strangness of these two last fields is because Gemini doesn't have the notion of the "Referer" header nor the "User-agent". legacy Each line is formatted as follows: the remote IP address and port, the `GET' keyword, the request URI, the response code and meta. syslog [off] Log to syslog. It is enabled by default, use the off argument to disable. syslog facility facility Log to syslog(3) using specified facility. Available facilities are as follows: daemon, ftp, local0 through local7 and user. These are case insensitive and can be prefixed with `LOG_'. Not all level may be available on all operating sys- tems. The default facility is LOG_DAEMON. prefork number Run the specified number of server processes. This in- creases the performance and prevents delays when connect- ing to a server. gmid(8) runs 3 server processes by de- fault. The maximum number allowed is 16. protocols string Specify the TLS protocols to enable. Refer to tls_config_parse_protocols(3) for the valid protocol string values. By default, both TLSv1.3 and TLSv1.2 are enabled. Use "tlsv1.3" to enable only TLSv1.3. user string Run the daemon as the given user. Mandatory if the chroot option is used. Servers Every virtual host is defined by a server block: server hostname {...} Match the server name using shell globbing rules. It can be an explicit name, www.example.com, or a name including wildcards, *.example.com. Followed by a block of options that is enclosed in curly brackets: alias name Specify an additional alias name for this server. auto index bool If no index file is found, automatically generate a directory listing. Disabled by default. block [return code [meta]] Send a reply and close the connection; by default code is 40 and meta is "temporary failure". If code is in the 3x range, then meta is mandatory. Inside meta, the following special se- quences are supported: %% is replaced with a single `%'. %p is replaced with the request path. %q is replaced with the query string of the request. %P is replaced with the server port. %N is replaced with the server name. cert file Path to the certificate to use for this server. file should contain a PEM encoded certificate. This option is mandatory. default type string Set the default media type that is used if the media type for a specified extension is not found. If not specified, the default type is set to "application/octet-stream". fastcgi option Enable FastCGI instead of serving files. Multiple options may be specified within curly braces. Valid options are: param name = value Set the param name to value. socket [tcp] socket [port port] The socket can either be a UNIX-domain socket or a TCP socket. If the FastCGI application is listening on a UNIX domain socket, socket is a local path name within the chroot(2) root directory of gmid(8). Otherwise, the tcp keyword must be provided and socket is inter- preted as a hostname or an IP address. port can be ei- ther a port number or the name of a service enclosed in double quotes. If not specified defaults to 9000. strip number Strip number leading path components from the request URL before splitting it in SCRIPT_NAME and PATH_INFO. The FastCGI handler will be given the following variables by default: GEMINI_URL_PATH Full path of the request. GEMINI_SEARCH_STRING The decoded QUERY_STRING if defined in the request and if it doesn't con- tain any unencoded `=' characters, otherwise unset. GATEWAY_INTERFACE "CGI/1.1" AUTH_TYPE The string "Certificate" if the client used a certificate, otherwise unset. PATH_INFO The portion of the requested path that is derived from the the IRI path hierarchy following SCRIPT_NAME. Can be unset. PATH_TRANSLATED Present if and only if PATH_INFO is set. It represent the translation of the PATH_INFO. gmid builds this by appending the PATH_INFO to the vir- tual host directory root. QUERY_STRING The URL-encoded search or parameter string. REMOTE_ADDR, REMOTE_HOST Textual representation of the client IP. REQUEST_METHOD This is present only for RFC3875 (CGI) compliance. It's always set to "GET". SCRIPT_NAME The virtual URI path to the script. Since it's impossible to determine in all cases the correct SCRIPT_NAME programmatically gmid assumes it's the empty string. It is recommended to manually specify this parameter when serving a sub-tree of a virtual host via FastCGI. SERVER_NAME The name of the server SERVER_PORT The port the server is listening on. SERVER_PROTOCOL "GEMINI" SERVER_SOFTWARE The name and version of the server, i.e. "gmid/2.1.1" REMOTE_USER The subject of the client certificate if provided, otherwise unset. TLS_CLIENT_ISSUER The is the issuer of the client cer- tificate if provided, otherwise un- set. TLS_CLIENT_HASH The hash of the client certificate if provided, otherwise unset. The for- mat is "ALGO:HASH". TLS_VERSION The TLS version negotiated with the peer. TLS_CIPHER The cipher suite negotiated with the peer. TLS_CIPHER_STRENGTH The strength in bits for the symmet- ric cipher that is being used with the peer. TLS_CLIENT_NOT_AFTER The time corresponding to the end of the validity period of the peer cer- tificate in the ISO 8601 format (e.g. "2021-02-07T20:17:41Z"). TLS_CLIENT_NOT_BEFORE The time corresponding to the start of the validity period of the peer certificate in the ISO 8601 format. fastcgi off Disable FastCGI handling in the current location. index string Set the directory index file. If not specified, it defaults to index.gmi. key file Specify the private key to use for this server. file should contain a PEM encoded private key. This option is mandatory. lang string Specify the language tag for the text/gemini content served. If not specified, no "lang" parameter will be added in the re- sponse. listen on address [port number] [proxy-v1] Set the listen address and port which defaults to `1965'. This statement can be specified multiple times. If address is `*' then gmid(8) will listen on all IPv4 and IPv6 addresses. 0.0.0.0 can be used to listen on all IPv4 addresses and :: on all IPv6 addresses. If proxy-v1 is specified, then connections speaking the proxy protocol v1 are expected on this listener. If multiple listen directive share the same address and port, then all of them must have or lack proxy-v1. location path {...} Specify server configuration rules for a specific location. path argument will be matched against the request path with shell globbing rules. In case of multiple location statements in the same context, the first matching location will be put into effect and the later ones ignored. Therefore is advisable to match for more specific paths first and for generic ones later on. A location section may include most of the server configuration rules except alias, cert, key, listen, location and proxy. log bool Enable or disable the logging for the current server or loca- tion block. ocsp file Specify an OCSP response to be stapled during TLS handshakes with this server. The file should contain a DER-format OCSP response retrieved from an OCSP server for the cert in use. If the OCSP response in file is empty, OCSP stapling will not be used. The default is to not use OCSP stapling. proxy [proto name] [for-host host [port port]] {...} Set up a reverse proxy. The optional matching rules proto and for-host can be used to enable proxying only for protocols matching name ("gemini" by default) and/or whose request IRI matches host and port (1965 by default). Matching happens us- ing shell globbing rules. In case of multiple matching proxy blocks in the same context, the first matching proxy will be put into effect and the later ones ignored. Valid options are: cert file Specify the client certificate to use when making re- quests. key file Specify the client certificate key to use when making requests. protocols string Specify the TLS protocols allowed when making remote requests. Refer to the tls_config_parse_protocols(3) function for the valid protocol string values. By de- fault, both TLSv1.2 and TLSv1.3 are enabled. proxy-v1 Use the proxy protocol v1. If supported by the remote server, this is useful to propagate the information about the originating IP address and port. relay-to host [port port] Relay the request to the given host at the given port, 1965 by default. This is the only mandatory option in a proxy block. require client ca file Allow the proxying only from clients that provide a certificate signed by the CA certificate in file. sni hostname Use the given hostname instead of the one extracted from the relay-to rule for the TLS handshake with the proxied gemini server. use-tls bool Specify whether to use TLS when connecting to the prox- ied host. Enabled by default. verifyname bool Enable or disable the TLS server name verification. Enabled by default. root directory Specify the root directory for this server (alas the current "document root"). It's relative to the chroot if enabled. require client ca path Allow requests only from clients that provide a certificate signed by the CA certificate in path. It needs to be a PEM-en- coded certificate and it's not relative to the chroot. strip number Strip number components from the beginning of the path before doing a lookup in the root directory. It's also considered for the meta parameter in the scope of a block return. Types The types section must include one or more lines of the following syn- tax, enclosed in curly brances: type/subtype name [name ...] Set the media type and subtype to the specified extension name. One or more names can be specified per line. Earch line may end with an optional semicolon. include file Include types definition from an external file, for example /usr/share/misc/mime.types. By default gmid uses the following mapping if no types block is de- fined: application/pdf pdf image/gif gif image/jpeg jpg jpeg image/png png image/svg+xml svg text/gemini gemini gmi text/markdown markdown md text/x-patch diff patch text/xml xml As an exception, gmid uses the MIME type text/gemini for file exten- sions gemini or gmi if no mapping was found. EXAMPLES The following is an example of a possible configuration for a site that enables only TLSv1.3, adds the MIME types mapping from /usr/share/misc/mime.types and defines two virtual hosts: protocols "tlsv1.3" types { include "/usr/share/misc/mime.types" } server "example.com" { listen on * port 1965 cert "/etc/ssl/example.com.pem" key "/etc/ssl/private/example.com.key" root "/var/gemini/example.com" } server "example.it" { listen on * port 1965 cert "/etc/ssl/example.it.pem" key "/etc/ssl/private/example.it.key" root "/var/gemini/example.it" # set the language for text/gemini files lang "it" } This example shows how to enable the chroot and use a location rule chroot "/var/gemini" user "_gmid" server "example.com" { listen on * port 1965 # absolute paths: cert "/etc/ssl/example.com.pem" key "/etc/ssl/private/example.com.key" # relative to the chroot: root "/example.com" location "/static/*" { # load the following rules only for # requests that matches "/static/*" auto index on index "index.gemini" } } This example shows how to log requests to /var/gemini/logs/access.log when running in the /var/gemini chroot. The file will be created if not exists. chroot "/var/gemini" user "_gmid" log { access "/logs/access.log" # relative to the chroot } This example shows how to set up a reverse proxy: all request for `example.com' will be forwarded to 10.0.0.6 transparently. Proxying establish a new TLS connection, so any client-certificates used to con- nect to gmid(8) cannot be provided to the proxied server. server "example.com" { listen on * port 1965 cert "/etc/ssl/example.com.pem" key "/etc/ssl/private/example.com.key" proxy { relay-to 10.0.0.6 port 1965 } } SEE ALSO gmid(8), slowcgi(8) AUTHORS The gmid program was written by Omar Polo <op@omarpolo.com>. FreeBSD Ports 14.quarterly August 25, 2024 GMID.CONF(5)
NAME | DESCRIPTION | EXAMPLES | SEE ALSO | AUTHORS
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=gmid.conf&sektion=5&manpath=FreeBSD+Ports+14.3.quarterly>