# A simplistic and secure Gemini server
**Vger** is a Gemini server supporting chroot, virtualhosts, CGI, default language choice, redirections and MIME type detection.
**Vger**'s design relies on inetd and a daemon to take care of TLS. The idea is to delegate TLS and networking to daemons which have proved to do it correctly, so vger takes its request from stdin and outputs the result to stdout.
The average setup should look like:

```
client
   ↓ TCP request on port 1965
relayd or haproxy
or stunnel on inetd
   ↓ TCP request to a port of choice on localhost
vger on inetd
```
**Vger** is perfectly secure if run on **OpenBSD**: using `unveil()`, filesystem access is restricted to one directory (default `/var/gemini/`), and with `pledge()` only the system calls related to reading files and reading input/output are allowed. More explanations about Vger security can be found [on this link](https://dataswamp.org/~solene/2021-01-14-vger-security.html).
For all supported OSes, it's possible to run **Vger** in a chroot and drop privileges to a dedicated user.
# Install
```
git clone https://tildegit.org/solene/vger.git
cd vger
make
doas make install
```
On GNU/Linux, make sure `libbsd` is installed.
# Running tests
**Vger** comes with a test suite you can use with `make test`.
Some files under `/var/gemini/` are required to test the code path without a `-d` parameter.
# Command line parameters
**Vger** has a few parameters you can use in inetd configuration.
- `-d PATH`: use `PATH` as the data directory to serve files from. Default is `/var/gemini`.
- `-l LANG`: set the language in the status return code. Default is no language specified.
- `-v`: enable virtualhost support; the hostname in the query is used as a directory name.
- `-u username`: enable chroot to the data directory and drop privileges to `username`.
- `-m MIME`: use `MIME` as the default type instead of `application/octet-stream`.
- `-i`: enable auto index if no `index.gmi` file is found in a directory.
- `-c CGI_PATH`: files in `CGI_PATH` are executed and their output is returned to the client.
# How to configure Vger using relayd and inetd
Create the directory `/var/gemini/` (I'd allow this to be configured later); files will be served from there.
Create a user `gemini_user`.
Add this line to inetd.conf:
```
127.0.0.1:11965 stream tcp nowait gemini_user /usr/local/bin/vger vger
```
Add this to relayd.conf:
```
log connection

tcp protocol "gemini" {
	tls keypair hostname.example
}

relay "gemini" {
	listen on hostname.example port 1965 tls
	protocol "gemini"
	forward to 127.0.0.1 port 11965
}
```
Make sure the certificate files match the hostname: `/etc/ssl/private/hostname.example.key` and `/etc/ssl/hostname.example.crt`.
On OpenBSD, enable inetd and relayd and start them:
```
# rcctl enable relayd inetd
# rcctl start relayd inetd
```
Don't forget to open the TCP port 1965 in your firewall.
Vger will serve files named `index.gmi` if no explicit filename is given.
If this file doesn't exist and auto index is enabled, an index file with a link to every file in the directory will be served.
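As an added illustration (not Vger's own code), the following toy Python model shows the request flow from the design section together with the `-l`, `-v`, `-m` and `-i` options and the `index.gmi`/auto index behaviour: one request line in on stdin, a status line and body out on stdout, with anything resolving outside the data directory refused. The `build_response` and `make_sample_site` names and the sample site built in a temporary directory are assumptions, and it only maps `.gmi` to `text/gemini` where Vger does real MIME type detection.

```python
# Added toy model of Vger's request handling (an illustration, not Vger's code):
# one Gemini request line in on stdin, a status line plus body out on stdout.
import os, sys, tempfile
from urllib.parse import urlparse

GMI = "text/gemini"

def status(mime, lang):
    # Gemini status line "20 <meta>\r\n"; -l adds a language parameter to it
    return f"20 {mime}; lang={lang}\r\n" if lang else f"20 {mime}\r\n"

def build_response(request, datadir, lang=None, vhost=False,
                   default_mime="application/octet-stream", autoindex=False):
    """Map one raw request line to (status_line, body_bytes); flags mirror -l -v -m -i."""
    url = urlparse(request.strip())
    if url.scheme != "gemini" or not url.hostname:
        return "59 Bad request\r\n", b""
    base = os.path.realpath(datadir)
    # -v: the hostname names a directory under the data directory
    root = os.path.join(base, url.hostname) if vhost else base
    target = os.path.realpath(os.path.join(root, url.path.lstrip("/")))
    # refuse anything resolving outside the data dir; unveil()/chroot back this up
    if target != base and not target.startswith(base + os.sep):
        return "51 Not found\r\n", b""
    if os.path.isdir(target):
        index = os.path.join(target, "index.gmi")
        if os.path.isfile(index):
            target = index
        elif autoindex:  # -i: one link line per directory entry
            body = "".join(f"=> {n}\n" for n in sorted(os.listdir(target)))
            return status(GMI, lang), body.encode()
    if not os.path.isfile(target):  # missing file, or a directory without index
        return "51 Not found\r\n", b""
    mime = GMI if target.endswith(".gmi") else default_mime  # -m: fallback type
    with open(target, "rb") as fh:
        return status(mime, lang), fh.read()

def make_sample_site():
    """Constructed sample data directory: one vhost with an index.gmi and a blob."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "hostname.example", "files"))
    for rel, data in (("index.gmi", b"# Hello\n"), ("files/a.bin", b"\x00\x01")):
        with open(os.path.join(d, "hostname.example", rel), "wb") as fh:
            fh.write(data)
    return d

if __name__ == "__main__":  # e.g. printf 'gemini://host/\r\n' | python3 toy.py DIR
    st, body = build_response(sys.stdin.readline(), sys.argv[1], vhost=True)
    sys.stdout.write(st); sys.stdout.flush(); sys.stdout.buffer.write(body)
```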