vger/README.md

107 lines
3.1 KiB
Markdown
Raw Permalink Normal View History

2020-12-02 09:55:37 +11:00
# A simplistic and secure Gemini server
2021-02-06 07:28:41 +11:00
**Vger** is a gemini server supporting chroot, virtualhosts, CGI,
default language choice, redirections and MIME types detection.
2020-12-02 09:55:37 +11:00
**Vger** design is relying on inetd and a daemon to take care of
TLS. The idea is to delegate TLS and network to daemons which
proved doing it correctly, so vger takes its request from stdin and
output the result to stdout.
The average setup should look like:
```
client
↓ TCP request on port 1965
relayd or haproxy
or stunnel on inetd
↓ TCP request to a port of choice on localhost
vger on inetd
```
**Vger** is perfectly secure if run on **OpenBSD**, using `unveil()`
the filesystem access is restricted to one directory (default to
`/var/gemini/`) and with `pledge()` only systems calls related to
2021-02-06 07:28:41 +11:00
reading files and reading input/output are allowed. More explanations
about Vger security can be found
[on this link](https://dataswamp.org/~solene/2021-01-14-vger-security.html).
2020-12-02 09:55:37 +11:00
For all supported OS, it's possible to run **Vger** in a chroot
and drop privileges to a dedicated user.
2020-12-02 09:55:37 +11:00
# Install
2020-12-02 09:55:37 +11:00
```
2020-12-02 10:01:32 +11:00
git clone https://tildegit.org/solene/vger.git
cd vger
make
doas make install
2020-12-02 09:55:37 +11:00
```
2021-02-04 07:01:07 +11:00
On GNU/Linux, make sure you installed `libbsd`.
2020-12-02 09:55:37 +11:00
# Running tests
**Vger** comes with a test suite you can use with `make test`.
Some files under `/var/gemini/` are required to test the code path
without a `-d` parameter.
# Command line parameters
**Vger** has a few parameters you can use in inetd configuration.
2020-12-04 08:59:39 +11:00
- `-d PATH`: use `PATH` as the data directory to serve files from. Default is `/var/gemini`
- `-l LANG`: change the language in the status return code. Default is no language specified.
- `-v`: enable virtualhost support, the hostname in the query will be considered as a directory name.
2020-12-04 08:59:39 +11:00
- `-u username`: enable chroot to the data directory and drop privileges to `username`.
- `-m MIME` : use MIME as default instead of "application/octet-stream".
- `-i` : Enable auto index if no "index.gmi" file is found in a directory.
2021-02-06 07:28:41 +11:00
- `-c CGI_PATH` : files in CGI_PATH are executed and their output is returned to the client.
2020-12-02 09:55:37 +11:00
# How to configure Vger using relayd and inetd
Create directory `/var/gemini/` (I'd allow this to be configured
later), files will be served from there.
Create an user `gemini_user`.
2020-12-02 09:55:37 +11:00
Add this line to inetd.conf:
```
127.0.0.1:11965 stream tcp nowait gemini_user /usr/local/bin/vger vger
2020-12-02 09:55:37 +11:00
```
Add this to relayd.conf
```
log connection
tcp protocol "gemini" {
tls keypair hostname.example
}
2020-12-02 09:55:37 +11:00
relay "gemini" {
2020-12-04 08:18:26 +11:00
listen on hostname.example port 1965 tls
protocol "gemini"
2020-12-02 09:55:37 +11:00
forward to 127.0.0.1 port 11965
}
```
Make sure certificates files match hostname:
`/etc/ssl/private/hostname.example.key` and
`/etc/ssl/hostname.example.crt`.
2020-12-02 09:55:37 +11:00
On OpenBSD, enable inetd and relayd and start them:
2020-12-02 09:55:37 +11:00
```
# rcctl enable relayd inetd
# rcctl start relayd inetd
```
2021-01-02 07:00:40 +11:00
Don't forget to open the TCP port 1965 in your firewall.
Vger will serve files named `index.gmi` if no explicit filename is given.
2021-01-10 23:11:46 +11:00
If this file doesn't exist and auto index is enabled, an index file
with a link to every file in the directory will be served.