mike/vger
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Fix virtualhost support changing the way request is parsed

Browse source
This commit is contained in:
prx 2021-03-22 21:44:23 +01:00
parent 365e99400a
commit 4972df5999
6 changed files with 199 additions and 162 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

302
main.c
View file

@ -20,24 +20,47 @@
#include "opts.h"
#include "utils.h"
/* lenght of "gemini://" */
#define GEMINI_PART 9
/* 2014 + 1
* see https://gemini.circumlunar.space/docs/specification.html.
/*
* number of bytes to read with fgets() : 2014 + 1
* fgets() reads at most size-1 (1024 here)
* see https://gemini.circumlunar.space/docs/specification.html.
*/
#define GEMINI_REQUEST_MAX 1025
int virtualhost;
void autoindex(const char *);
void cgi(const char *cgicmd);
void display_file(const char *);
void drop_privileges(const char *, const char *);
void echdir(const char *);
void status(const int, const char *);
void status_redirect(const int, const char *);
void status_error(const int, const char*);
void drop_privileges(const char *, const char *);
int uridecode(char *);
void
echdir(const char *path)
{
if (chdir(path) == -1) {
switch (errno) {
case ENOTDIR: /* FALLTHROUGH */
case ENOENT:
status_error(51, "file not found");
break;
case EACCES:
status_error(50, "Forbidden path");
break;
default:
status_error(50, "Internal server error");
break;
}
errlog("failed to chdir(%s)", path);
}
}
int
uridecode(char *uri)
{
@ -78,7 +101,6 @@ void
drop_privileges(const char *user, const char *path)
{
struct passwd *pw;
int chrooted = 0;
/*
* use chroot() if an user is specified requires root user to be
@ -99,9 +121,7 @@ drop_privileges(const char *user, const char *path)
errlog("the chroot_dir %s can't be used for chroot", path);
}
chrooted = 1;
if (chdir("/") == -1) {
errlog("failed to chdir(\"/\")");
}
echdir("/");
/* drop privileges */
if (setgroups(1, &pw->pw_gid) ||
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
@ -110,8 +130,6 @@ drop_privileges(const char *user, const char *path)
user, pw->pw_uid);
}
/* base directory is now / */
estrlcpy(chroot_dir, "/", sizeof(chroot_dir));
}
#ifdef __OpenBSD__
/*
@ -122,25 +140,17 @@ drop_privileges(const char *user, const char *path)
} else {
eunveil(path, "r");
}
/* permission to execute what's inside cgipath */
if (strlen(cgibin) > 0) {
/* first, build the full path of cgi (not in chroot) */
char cgifullpath[PATH_MAX] = {'\0'};
estrlcpy(cgifullpath, path, sizeof(cgifullpath));
estrlcat(cgifullpath, cgibin, sizeof(cgifullpath));
eunveil(cgifullpath, "rx");
/* permission to execute what's inside cgidir */
if (strlen(cgidir) > 0) {
eunveil(cgidir, "rx");
}
eunveil(NULL,NULL); /* no more call to unveil() */
/*
* prevent system calls other parsing queryfor fread file and
* write to stdio
*/
if (strlen(cgibin) > 0) {
/* cgi need execlp() (exec) */
/* promise permissions */
if (strlen(cgidir) > 0) {
epledge("stdio rpath exec", NULL);
} else {
epledge("stdio rpath", NULL);
epledge("stdio rpath unveil", NULL);
}
#endif
}
@ -148,8 +158,11 @@ drop_privileges(const char *user, const char *path)
void
status(const int code, const char *file_mime)
{
printf("%i %s; %s\r\n",
code, file_mime, lang);
if (strcmp(file_mime, "text/gemini") == 0) {
printf("%i %s; %s\r\n", code, file_mime, lang);
} else {
printf("%i %s\r\n", code, file_mime);
}
}
void
@ -167,7 +180,7 @@ status_error(const int code, const char *reason)
}
void
display_file(const char *uri)
display_file(const char *fname)
{
FILE *fd = NULL;
struct stat sb = {0};
@ -175,19 +188,28 @@ display_file(const char *uri)
const char *file_mime;
char *buffer[BUFSIZ];
char target[FILENAME_MAX] = {'\0'};
char fp[PATH_MAX] = {'\0'};
char tmp[PATH_MAX] = {'\0'}; /* used to build temporary path */
/* build file path inside chroot */
estrlcpy(fp, chroot_dir, sizeof(fp));
estrlcat(fp, uri, sizeof(fp));
/* special case : fname empty. The user requested just the directory name */
if (strlen(fname) == 0) {
if (stat("index.gmi", &sb) == 0) {
/* there is index.gmi in the current directory */
display_file("index.gmi");
return;
} else if (doautoidx) {
/* no index.gmi, so display autoindex if enabled */
autoindex(".");
return;
} else {
goto err;
}
}
/* this is to check if path exists and obtain metadata later */
if (stat(fp, &sb) == -1) {
/* check if fp is a symbolic link
if (stat(fname, &sb) == -1) {
/* check if fname is a symbolic link
* if so, redirect using its target */
if (lstat(fp, &sb) != -1 && S_ISLNK(sb.st_mode) == 1)
if (lstat(fname, &sb) != -1 && S_ISLNK(sb.st_mode) == 1)
goto redirect;
else
goto err;
@ -195,61 +217,42 @@ display_file(const char *uri)
/* check if directory */
if (S_ISDIR(sb.st_mode) != 0) {
if (fp[strlen(fp) -1 ] != '/') {
/* no ending "/", redirect to "path/" */
if (virtualhost)
estrlcat(tmp, "gemini://", sizeof(tmp));
estrlcat(tmp, uri, sizeof(tmp));
estrlcat(tmp, "/", sizeof(tmp));
status_redirect(31, tmp);
return;
} else {
/* there is a leading "/", display index.gmi */
estrlcpy(tmp, fp, sizeof(tmp));
estrlcat(tmp, "index.gmi", sizeof(tmp));
/* check if index.gmi exists or show autoindex */
if (stat(tmp, &sb) == 0) {
estrlcpy(fp, tmp, sizeof(fp));
} else if (doautoidx != 0) {
autoindex(fp);
return;
} else {
goto err;
}
}
/* no ending "/", redirect to "fname/" */
estrlcpy(tmp, fname, sizeof(tmp));
estrlcat(tmp, "/", sizeof(tmp));
status_redirect(31, tmp);
return;
}
/* open the file requested */
if ((fd = fopen(fp, "r")) == NULL) { goto err; }
if ((fd = fopen(fname, "r")) == NULL) { goto err; }
file_mime = get_file_mime(fp, default_mime);
file_mime = get_file_mime(fname, default_mime);
status(20, file_mime);
/* read the file byte after byte in buffer and write it to stdout */
while ((nread = fread(buffer, 1, sizeof(buffer), fd)) != 0)
fwrite(buffer, 1, nread, stdout);
goto closefd;
syslog(LOG_DAEMON, "path served %s", fp);
goto closefd; /* close file descriptor */
syslog(LOG_DAEMON, "path served %s", fname);
return;
err:
/* return an error code and no content */
status_error(51, "file not found");
syslog(LOG_DAEMON, "path invalid %s", fp);
syslog(LOG_DAEMON, "path invalid %s", fname);
goto closefd;
redirect:
/* read symbolic link target to redirect */
if (readlink(fp, target, FILENAME_MAX) == -1) {
if (readlink(fname, target, FILENAME_MAX) == -1) {
goto err;
}
status_redirect(30, target);
syslog(LOG_DAEMON, "redirection from %s to %s", fp, target);
syslog(LOG_DAEMON, "redirection from %s to %s", fname, target);
closefd:
if (S_ISREG(sb.st_mode) != 0) {
@ -260,33 +263,20 @@ closefd:
void
autoindex(const char *path)
{
/* display liks to files in path + a link to parent (..) */
int n = 0;
char *pos = NULL;
struct dirent **namelist; /* this must be freed at last */
syslog(LOG_DAEMON, "autoindex: %s", path);
/* display link to parent */
char parent[PATH_MAX] = {'\0'};
/* parent is "path" without chroot_dir */
estrlcpy(parent, path+strlen(chroot_dir), sizeof(parent));
/* remove ending '/' */
while (parent[strlen(parent)-1] == '/') {
parent[strlen(parent)-1] = '\0';
}
/* remove last part after '/' */
pos = strrchr(parent, '/');
if (pos != NULL) {
pos[1] = '\0'; /* at worse, parent is now "/" */
}
/* use alphasort to always have the same order on every system */
if ((n = scandir(path, &namelist, NULL, alphasort)) < 0) {
status_error(50, "Internal server error");
errlog("Can't scan %s", path);
} else {
status(20, "text/gemini");
printf("=> %s ../\n", parent);
printf("=> .. ../\n"); /* display link to parent */
for(int j = 0; j < n; j++) {
/* skip self and parent */
if ((strcmp(namelist[j]->d_name, ".") == 0) ||
@ -308,6 +298,7 @@ autoindex(const char *path)
void
cgi(const char *cgicmd)
{
/* run cgicmd replacing current process */
execlp(cgicmd, cgicmd, NULL);
/* if execlp is ok, this will never be reached */
status(42, "Couldn't execute CGI script");
@ -318,13 +309,27 @@ cgi(const char *cgicmd)
int
main(int argc, char **argv)
{
char request [GEMINI_REQUEST_MAX] = {'\0'};
char hostname [GEMINI_REQUEST_MAX] = {'\0'};
char uri [PATH_MAX] = {'\0'};
char user [_SC_LOGIN_NAME_MAX] = "";
char query[PATH_MAX] = {'\0'};
int option = 0;
char *pos = NULL;
char request [GEMINI_REQUEST_MAX] = {'\0'};
char user [_SC_LOGIN_NAME_MAX] = "";
char hostname [GEMINI_REQUEST_MAX] = {'\0'};
char query [PATH_MAX] = {'\0'};
char chroot_dir[PATH_MAX] = DEFAULT_CHROOT;
char file [FILENAME_MAX] = DEFAULT_INDEX;
char dir [PATH_MAX] = {'\0'};
char *pos = NULL;
int option = 0;
int virtualhost = 0;
int docgi = 0;
/*
* request : contain the whole request from client : gemini://...\r\n
* user : username, used in drop_privileges()
* hostname : extracted from hostname. used with virtualhosts and cgi SERVER_NAME
* query : file requested in cgi : gemini://...?query
* file : file basename to display. Emtpy is a directory has been requested
* dir : directory requested. vger will chdir() in to find file
* pos : used to parse request and split into interesting parts
*/
while ((option = getopt(argc, argv, ":d:l:m:u:c:vi")) != -1) {
switch (option) {
@ -342,7 +347,8 @@ main(int argc, char **argv)
estrlcpy(user, optarg, sizeof(user));
break;
case 'c':
estrlcpy(cgibin, optarg, sizeof(cgibin));
estrlcpy(cgidir, optarg, sizeof(cgidir));
docgi = 1;
break;
case 'v':
virtualhost = 1;
@ -354,13 +360,14 @@ main(int argc, char **argv)
}
/*
* do chroot if an user is supplied run pledge/unveil if OpenBSD
* do chroot if an user is supplied
*/
drop_privileges(user, chroot_dir);
/*
* read 1024 chars from stdin
* to get the request
* (actually 1024 + \0)
*/
if (fgets(request, GEMINI_REQUEST_MAX, stdin) == NULL) {
/* EOF reached before reading anything */
@ -405,67 +412,90 @@ main(int argc, char **argv)
memmove(request, pos+3, strlen(pos) +1 - 3); /* "/.." = 3 */
}
/*
* look for the first / after the hostname
* in order to split hostname and uri
*/
pos = strchr(request, '/');
echdir(chroot_dir); /* move to chroot */
/* look for hostname in request : first thing before first / if any */
pos = strchr(request, '/');
if (pos != NULL) {
/* if there is a / found */
/* separate hostname and uri */
estrlcpy(uri, pos, strlen(pos)+1);
/* just keep hostname in request */
/* copy what's after hostname in dir */
estrlcpy(dir, pos, strlen(pos)+1);
/* just keep hostname in request : stop the string with \0 */
pos[0] = '\0';
}
/* check if client added :port at end of request */
/* check if client added :port at end of hostname and remove it */
pos = strchr(request, ':');
if (pos != NULL) {
/* end string at :*/
pos[0] = '\0';
/* end string at :*/
pos[0] = '\0';
}
/* copy hostname from request */
estrlcpy(hostname, request, sizeof(hostname));
/* look for "?" if any to set query for cgi, or remove it*/
pos = strchr(uri, '?');
if (pos != NULL) {
estrlcpy(query, pos+1, sizeof(query));
esetenv("QUERY_STRING", query, 1);
pos[0] = '\0';
/* remove leading '/' in dir */
while (dir[0] == '/') {
memmove(dir, dir+1, strlen(dir+1)+1);
}
/*
* if virtualhost feature is actived looking under the chroot_path +
* hostname directory gemini://foobar/hello will look for
* chroot_path/foobar/hello
*/
if (virtualhost) {
if (strlen(uri) == 0) {
estrlcpy(uri, "/index.gmi", sizeof(uri));
}
/* add hostname at the beginning of the dir path */
char tmp[PATH_MAX] = {'\0'};
estrlcpy(tmp, hostname, sizeof(tmp));
estrlcat(tmp, uri, sizeof(tmp));
estrlcpy(uri, tmp, sizeof(uri));
estrlcat(tmp, "/", sizeof(tmp));
estrlcat(tmp, dir, sizeof(tmp));
estrlcpy(dir, tmp, sizeof(dir));
}
/* check if uri is cgibin */
if ((strlen(cgibin) > 0) &&
(strncmp(uri, cgibin, strlen(cgibin)) == 0)) {
/* percent decode */
uridecode(dir);
/* cgipath with chroot_dir at the beginning */
char cgipath[PATH_MAX] = {'\0'};
estrlcpy(cgipath, chroot_dir, sizeof(cgipath));
estrlcat(cgipath, uri, sizeof(cgipath));
/*
* split dir and filename.
* file is last part after last '/'.
* if none found, then requested file is actually a directory
*/
if (strlen(dir) > 0) {
pos = strrchr(dir, '/');
if (pos != NULL) {
estrlcpy(file, pos+1, sizeof(file)); /* +1 : no leading '/' */
pos[0] = '\0';
if (strlen(dir) > 0) {
echdir(dir); /* change directory to requested directory */
}
} else {
estrlcpy(file, dir, sizeof(file));
}
}
if (docgi) {
/* check if directory is cgidir */
char cgifp[PATH_MAX] = {'\0'};
estrlcpy(cgifp, chroot_dir, sizeof(chroot_dir));
if (cgifp[strlen(cgifp)-1] != '/') {
estrlcat(cgifp, "/", sizeof(chroot_dir));
}
estrlcat(cgifp, dir, sizeof(chroot_dir));
if (strcmp(cgifp, cgidir) != 0) {
/* not cgipath, display file content */
goto file_to_stdout;
}
/* set env variables for CGI */
/* see https://lists.orbitalfox.eu/archives/gemini/2020/000315.html */
esetenv("GATEWAY_INTERFACE", "CGI/1.1", 1);
esetenv("SERVER_PROTOCOL", "GEMINI", 1);
esetenv("SERVER_SOFTWARE", "vger/1", 1);
/* look for "?" if any to set query for cgi, remove it*/
pos = strchr(file, '?');
if (pos != NULL) {
estrlcpy(query, pos+1, sizeof(query));
esetenv("QUERY_STRING", query, 1);
pos[0] = '\0';
}
/* look for an extension to find PATH_INFO */
pos = strrchr(cgipath, '.');
pos = strrchr(file, '.');
if (pos != NULL) {
/* found a dot */
pos = strchr(pos, '/');
@ -474,16 +504,16 @@ main(int argc, char **argv)
pos[0] = '\0'; /* keep only script name */
}
}
esetenv("SCRIPT_NAME", cgipath, 1);
esetenv("SCRIPT_NAME", file, 1);
esetenv("SERVER_NAME", hostname, 1);
cgi(cgipath);
} else {
uridecode(uri);
/* open file and send it to stdout */
display_file(uri);
cgi(file);
return 0;
}
file_to_stdout:
/* regular file to stdout */
display_file(file);
return (0);
}

2
mimes.c
View file

@ -5,6 +5,7 @@
#include "mimes.h"
#include "opts.h"
/* extension to mimetype table */
static const struct {
const char *extension;
const char *type;
@ -124,6 +125,7 @@ get_file_mime(const char *path, const char *default_mime)
size_t i;
char *extension;
/* search for extension after last '.' in path */
if ((extension = strrchr(path, '.')) == NULL)
goto out;

11
opts.h
View file

@ -1,13 +1,18 @@
#include <limits.h> /* PATH_MAX */
/* Defaults values */
#define DEFAULT_MIME "application/octet-stream"
#define DEFAULT_LANG ""
#define DEFAULT_CHROOT "/var/gemini"
#define DEFAULT_INDEX "index.gmi"
#define DEFAULT_AUTOIDX 0
/* longest is 56 so 64 should be enough */
/*
* Options used later
*/
/* longest hardcoded mimetype is 56 long so 64 should be enough */
static char default_mime[64] = DEFAULT_MIME;
static char chroot_dir[PATH_MAX] = DEFAULT_CHROOT;
static char lang[16] = DEFAULT_LANG;
static unsigned int doautoidx = DEFAULT_AUTOIDX;
static char cgibin[PATH_MAX] = {'\0'};
static char cgidir[PATH_MAX] = {'\0'};
static int chrooted = 0;

28
tests/test.sh
View file

@ -29,23 +29,23 @@ if ! [ $OUT = "fcc5a293f316e01f7b3103f97eca26b1" ] ; then echo "error" ; exit 1
# redirect to uri with trailing / if directory
OUT=$(printf "gemini://host.name/subdir\r\n" | ../vger -d var/gemini/ | tee /dev/stderr | MD5)
if ! [ $OUT = "84e5e7bb3eee0dfcc8db14865dc83e77" ] ; then echo "error" ; exit 1 ; fi
if ! [ $OUT = "b0e7e20db5ca7b80918025e7c15a8b02" ] ; then echo "error" ; exit 1 ; fi
# redirect to uri with trailing / if directory and vhost enabled
OUT=$(printf "gemini://perso.pw/cgi-bin\r\n" | ../vger -vd var/gemini | tee /dev/stderr | MD5)
if ! [ $OUT = "c782da4173898f57033a0804b8e96fc3" ] ; then echo "error" ; exit 1 ; fi
if ! [ $OUT = "827eef65a3cd71e2ce805bc1e05eac44" ] ; then echo "error" ; exit 1 ; fi
# file from local directory with lang=fr and markdown MIME type
OUT=$(printf "gemini://perso.pw/file.md\r\n" | ../vger -d var/gemini/ -l fr | tee /dev/stderr | MD5)
if ! [ $OUT = "e663f17730d5ddc24010c14a238e1e78" ] ; then echo "error" ; exit 1 ; fi
if ! [ $OUT = "09c82ffe243ce3b3cfb04c2bc4a91acb" ] ; then echo "error" ; exit 1 ; fi
# file from local directory with lang=fr and unknown MIME type (default to application/octet-stream)
OUT=$(printf "gemini://perso.pw/foobar.unknown\r\n" | ../vger -d var/gemini/ -l fr | tee /dev/stderr | MD5)
if ! [ $OUT = "a23b0053d759863a45da4afbffd847d2" ] ; then echo "error" ; exit 1 ; fi
if ! [ $OUT = "2c73bfb33dd2d12be322ebb85e03c015" ] ; then echo "error" ; exit 1 ; fi
# file from local directory and unknown MIME type, default forced to text/plain
OUT=$(printf "gemini://perso.pw/foobar.unknown\r\n" | ../vger -d var/gemini/ -m text/plain | tee /dev/stderr | MD5)
if ! [ $OUT = "383a5a5ddb7bb30e3553ecb666378ebc" ] ; then echo "error" ; exit 1 ; fi
if ! [ $OUT = "8169f43fbb2032f4054b153c38fe61d6" ] ; then echo "error" ; exit 1 ; fi
# redirect file
OUT=$(printf "gemini://perso.pw/old_location\r\n" | ../vger -d var/gemini/ | tee /dev/stderr | MD5)
@ -73,30 +73,26 @@ if ! [ $OUT = "e354a1a29ea8273faaf0cdc29c1d8583" ] ; then echo "error" ; exit 1
# auto index in directory without index.gmi must redirect
OUT=$(printf "gemini://host.name/autoidx\r\n" | ../vger -d var/gemini/ -i | tee /dev/stderr | MD5)
if ! [ $OUT = "874f5e1af67eff6b93bedf8ac8033066" ] ; then echo "error" ; exit 1 ; fi
if ! [ $OUT = "5742b21d465e377074408045a71656dc" ] ; then echo "error" ; exit 1 ; fi
# auto index in directory
OUT=$(printf "gemini://host.name/autoidx/\r\n" | ../vger -d var/gemini/ -i | tee /dev/stderr | MD5)
if ! [ $OUT = "515bcb4ba5f8869360f53afe2841e044" ] ; then echo "error" ; exit 1 ; fi
if ! [ $OUT = "2d4a82fea3f10ab3e123e9f9d5dd1fbc" ] ; then echo "error" ; exit 1 ; fi
# cgi simple script
OUT=$(printf "gemini://host.name/cgi-bin/test.cgi\r\n" | ../vger -d var/gemini/ -c /cgi-bin | tee /dev/stderr | MD5)
OUT=$(printf "gemini://host.name/cgi-bin/test.cgi\r\n" | ../vger -d var/gemini/ -c var/gemini/cgi-bin | tee /dev/stderr | MD5)
if ! [ $OUT = "666e48200f90018b5e96c2cf974882dc" ] ; then echo "error" ; exit 1 ; fi
# cgi with use of variables
OUT=$(printf "gemini://host.name/cgi-bin/who.cgi?user=jean-mi\r\n" | ../vger -d var/gemini/ -c /cgi-bin | tee /dev/stderr | MD5)
OUT=$(printf "gemini://host.name/cgi-bin/who.cgi?user=jean-mi\r\n" | ../vger -d var/gemini/ -c var/gemini/cgi-bin | tee /dev/stderr | MD5)
if ! [ $OUT = "fa065a67d1f7c973501d4a9e3ca2ea57" ] ; then echo "error" ; exit 1 ; fi
# cgi with error
OUT=$(printf "gemini://host.name/cgi-bin/nope\r\n" | ../vger -d var/gemini/ -c /cgi-bin | tee /dev/stderr | MD5)
if ! [ $OUT = "4156170c2aa8a6a8a0892ff5a61bf5f5" ] ; then echo "error" ; exit 1 ; fi
# remove ?.* if any
OUT=$(printf "gemini://host.name/main.gmi?anything-here\r\n" | ../vger -d var/gemini/ | tee /dev/stderr | MD5)
if ! [ $OUT = "c7e352d6aae4ee7e7604548f7874fb9d" ] ; then echo "error" ; exit 1 ; fi
OUT=$(printf "gemini://host.name/cgi-bin/nope\r\n" | ../vger -d var/gemini/ -c var/gemini/cgi-bin | tee /dev/stderr | MD5)
if ! [ $OUT = "74ba4b36dcebec9ce9dae33033f3378a" ] ; then echo "error" ; exit 1 ; fi
# virtualhost + cgi
OUT=$(printf "gemini://perso.pw/cgi-bin/test.cgi\r\n" | ../vger -v -d var/gemini/ -c perso.pw/cgi-bin | tee /dev/stderr | MD5)
OUT=$(printf "gemini://perso.pw/cgi-bin/test.cgi\r\n" | ../vger -v -d var/gemini/ -c var/gemini/perso.pw/cgi-bin | tee /dev/stderr | MD5)
if ! [ $OUT = "666e48200f90018b5e96c2cf974882dc" ] ; then echo "error" ; exit 1 ; fi
# percent-decoding

7
utils.c
View file

@ -14,6 +14,12 @@
#include <bsd/string.h>
#endif
/* e*foo() functions are the equivalent of foo() but handle errors.
* In case an error happens:
* The error is printed to stdout
* return 1
*/
#ifdef __OpenBSD__
void
eunveil(const char *path, const char *permissions)
@ -70,6 +76,7 @@ esetenv(const char *name, const char *value, int overwrite)
return ret;
}
/* send error in syslog, to stdout and die */
void
errlog(const char *format, ...)
{

11
vger.8
View file

@ -44,17 +44,14 @@ will read the file /var/gemini/hostname.example/file.gmi
.It Op Fl c
Enable CGI support.
.Ar cgi_path
will be executed as a cgi script instead of returning its content.
This path is relative to the directory set with
.Fl d
flag. If using virtualhost, you must insert the virtualhost directory in the cgi path.
files will be executed as a cgi script instead of returning their content.
.Ar cgi_path must not end with '/'.
If using virtualhost, you must insert the virtualhost directory in the cgi path.
As example, for a request gemini://hostname.example/cgi-bin/hello.cgi, one must set:
.Bd -literal -offset indent
vger -c /cgi-bin/hello.cgi
vger -c /var/gemini/hostname.example/cgi-bin/hello.cgi
.Ed
.Pp
Note you can define a directory instead of a single file.
.Pp
In this case,
.Xr pledge 2
promises and unveil permission are set to enable cgi execution.