This is my personal working copy of vger, patched where necessary to run on NetBSD. https://tildegit.org/solene/vger
Florian Obser 5a238e8666 Use BUFSIZ for the amount of data to copy through stdio.
According to the book of armaments(posix):
BUFSIZ
    Size of <stdio.h> buffers. This shall expand to a positive value.

There is also no need for the buflen variable since the size never
changes during runtime and the compiler can infer the size via
sizeof().
2020-12-06 13:18:58 +01:00
| File | Last commit | Date |
| --- | --- | --- |
| tests | Add a check for OpenBSD unveil() | 2020-12-05 17:51:15 +01:00 |
| LICENSE | Move the license from the code to dedicated LICENSE file | 2020-12-03 21:22:22 +01:00 |
| main.c | Use BUFSIZ for the amount of data to copy through stdio. | 2020-12-06 13:18:58 +01:00 |
| Makefile | Do not include c sources | 2020-12-05 09:39:12 +01:00 |
| mimes.c | Return a constant string from the mimes database. | 2020-12-05 18:05:17 +01:00 |
| mimes.h | Return a constant string from the mimes database. | 2020-12-05 18:05:17 +01:00 |
| README.md | Enhance README with install instructions and tell about chroot for everyone | 2020-12-05 20:12:13 +01:00 |
| vger.8 | Document exit status in man page | 2020-12-04 18:57:15 +01:00 |

A simplistic and secure Gemini server

Vger is a Gemini server supporting chroot, virtualhosts, a default language choice and MIME type detection.

Vger's design relies on inetd and on a separate daemon to take care of TLS. The idea is to delegate TLS and networking to daemons that have proven they do it correctly, so vger reads its request from stdin and writes the response to stdout.

The average setup should look like:

         client
           ↓           TCP request on port 1965
       relayd or haproxy
       or stunnel on inetd
           ↓           TCP request to a port of choice on localhost
       vger on inetd

Run on OpenBSD, vger is tightly confined: unveil() restricts filesystem access to a single directory (default /var/gemini/) and pledge() allows only the system calls needed to read files and to read from stdin and write to stdout.

On every supported OS, vger can be run in a chroot and drop privileges to a dedicated user.

Install

git clone https://tildegit.org/solene/vger.git
cd vger
make
sudo make install

Running tests

Vger comes with a test suite you can use with make test.

Some files under /var/gemini/ are required to test the code path without a -d parameter.

Command line parameters

Vger has a few parameters you can use in the inetd configuration.

  • -d PATH: use PATH as the data directory to serve files from. Default is /var/gemini
  • -l LANG: change the language in the status return code. Default is en
  • -v: enable virtualhost support, the hostname in the query will be considered as a directory name.
  • -u username: enable chroot to the data directory and drop privileges to username.
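The following is an added example, not vger's own main.c, showing the request-handling model the README describes: one Gemini request line arrives on stdin, the response (a "STATUS META" header line followed by the body) goes to stdout, the request path is mapped under a data directory, the hostname becomes a subdirectory when virtualhost mode is on, the language is put in the text/gemini status meta, and the body is copied through stdio in BUFSIZ chunks as in the commit above. Function names, the tiny MIME table, the exact status codes used for errors and the ".." rejection are this example's own choices; percent-encoded paths are not decoded here.

```c
/* Added example: minimal Gemini request handler modelled on vger's README
 * (request on stdin, response on stdout). Illustration only; not vger's code.
 * Names, MIME table and error-status choices are assumptions of this example. */
#include <stdio.h>
#include <string.h>

#define MAXREQ 1024          /* Gemini limits a request line to 1024 bytes */

/* Parse "gemini://host[:port]/path\r\n" into host and path.
 * Returns 0 on success, -1 if the request is malformed. */
int parse_request(const char *req, char *host, size_t hostlen,
                  char *path, size_t pathlen)
{
    const char *p, *slash, *colon;
    size_t n;

    if (strncmp(req, "gemini://", 9) != 0)
        return -1;
    p = req + 9;
    slash = strchr(p, '/');
    n = slash ? (size_t)(slash - p) : strcspn(p, "\r\n");
    colon = memchr(p, ':', n);           /* drop an optional :port */
    if (colon)
        n = (size_t)(colon - p);
    if (n == 0 || n >= hostlen)
        return -1;
    memcpy(host, p, n);
    host[n] = '\0';

    if (slash == NULL) {                 /* no path given: serve "/" */
        if (pathlen < 2)
            return -1;
        strcpy(path, "/");
    } else {                             /* path ends at CRLF or a query */
        n = strcspn(slash, "\r\n?");
        if (n >= pathlen)
            return -1;
        memcpy(path, slash, n);
        path[n] = '\0';
    }
    return 0;
}

/* True if any "/"-separated component of path is "..". */
static int has_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += n;
        if (*p == '/')
            p++;
    }
    return 0;
}

/* Build the filesystem path to serve. With vhost set, the hostname becomes
 * the first directory under datadir (the README's -v behaviour). Requests
 * containing a ".." component are rejected so they cannot leave datadir.
 * Returns 0 on success, -1 on rejection. */
int build_path(const char *datadir, const char *host, const char *path,
               int vhost, char *out, size_t outlen)
{
    int n;

    if (has_dotdot(path) || (vhost && has_dotdot(host)))
        return -1;
    n = vhost ? snprintf(out, outlen, "%s/%s%s", datadir, host, path)
              : snprintf(out, outlen, "%s%s", datadir, path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Extension-based MIME lookup: this example's own two-entry table. */
const char *mime_for(const char *path)
{
    const char *ext = strrchr(path, '.');
    if (ext && strcmp(ext, ".gmi") == 0) return "text/gemini";
    if (ext && strcmp(ext, ".txt") == 0) return "text/plain";
    return "application/octet-stream";
}

/* Copy in to out in BUFSIZ-sized chunks. Returns bytes copied or -1. */
long copy_file(FILE *in, FILE *out)
{
    char buf[BUFSIZ];
    size_t n;
    long total = 0;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n)
            return -1;
        total += (long)n;
    }
    return ferror(in) ? -1 : total;
}

/* Serve one request line: write "STATUS META\r\n" then the body to out.
 * Returns the Gemini status code that was sent. */
int serve(const char *req, const char *datadir, const char *lang,
          int vhost, FILE *out)
{
    char host[256], path[MAXREQ], fspath[MAXREQ + 256];
    const char *mime;
    FILE *f;

    if (parse_request(req, host, sizeof host, path, sizeof path) != 0 ||
        build_path(datadir, host, path, vhost, fspath, sizeof fspath) != 0) {
        fprintf(out, "59 Bad request\r\n");
        return 59;
    }
    if ((f = fopen(fspath, "rb")) == NULL) {
        fprintf(out, "51 Not found\r\n");
        return 51;
    }
    mime = mime_for(fspath);
    if (strcmp(mime, "text/gemini") == 0)
        fprintf(out, "20 %s; lang=%s\r\n", mime, lang);   /* -l LANG */
    else
        fprintf(out, "20 %s\r\n", mime);
    copy_file(f, out);
    fclose(f);
    return 20;
}

/* Stand-alone use: read one request from stdin, answer on stdout.
 * argv[1] plays the role of -d PATH, defaulting to /var/gemini. */
int main(int argc, char **argv)
{
    char req[MAXREQ + 2];
    const char *datadir = argc > 1 ? argv[1] : "/var/gemini";
    if (fgets(req, sizeof req, stdin) == NULL)
        return 1;
    serve(req, datadir, "en", 0, stdout);
    return 0;
}
```

Because the handler never touches a socket, it can be exercised the same way inetd would drive it: `printf 'gemini://example.org/index.gmi\r\n' | ./handler /var/gemini`. The ".." check is what keeps a request inside the data directory even when the program is not running under chroot or unveil().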

How to configure Vger using relayd and inetd

Create the directory /var/gemini/ (I'd allow this to be configured later); files will be served from there.

Add this line to inetd.conf:

11965 stream tcp nowait gemini_user /usr/local/bin/vger vger

Add this to relayd.conf:

log connection
relay "gemini" {
    listen on hostname.example port 1965 tls
    forward to 127.0.0.1 port 11965
}

Make links to the certificate and key files according to the relayd.conf documentation:

# ln -s /etc/ssl/acme/cert.pem /etc/ssl/hostname.example\:1965.crt
# ln -s /etc/ssl/acme/private/privkey.pem /etc/ssl/private/hostname.example\:1965.key

On OpenBSD, enable inetd and relayd and start them:

# rcctl enable relayd inetd
# rcctl start relayd inetd