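# Server-wide settings live in [default]; the vhost tables further down can
# override the options marked as usable with vhost.
[default]
# Can be more than one bind, however beware:
# '::' and/or '0.0.0.0' is a 'bind' to all ('::' seems to work for IPv4 as well) - vhost with their own bind
# and the same ports will result in an error: 'Address already in use' or something similar.
# To bind to more than one address, make the value an array ie: ['192.168.0.24', '10.0.1.1']
# bind can also be set to 'no' which means if vhosts are to be accessed via internet, the vhost will need
# their own bind option.
# Exposure note: with '::' the listener is reachable on every address of the host; list specific
# addresses instead if only some interfaces should serve Gemini.
bind = '::'

# To bind to more than one port, make the value an array ie: [1965, 1966, 1967]
ports = 1965

# Can specify one or both of these.
tls = ['v1.2', 'v1.3']

# UNIX socket, will make all vhost accessible via this socket unless they have their own 'unix' parameter.
# Ports parameter will not matter in regards to unix socket.
# unix can be set to 'no' where it will not make an unix socket, although vhost can have their own unix parameter.
# The path of the unix socket needs to be readable/writable.
# If the socket file exists when attempting to use it then this program will delete that file and make a new one.
# Because an existing file at this path is deleted, point it only at a dedicated location that holds
# nothing else and that other local users cannot write to.
# By default, if unix does not exist, there will be no unix socket.
unix = 'no'

## The following options are specific to default and will not work with vhost

# Working dir is used as a relative location if a 'pathy' option (like log_file) is not absolute.
# If working_dir does not have a path, then the *current working directory* is used.
# avoid putting final '/'
working_dir = "/etc/jakes-gemini-server"

# Unless path is absolute, it is relative to working_dir
log_file = "jakes-gemini-server.log"

# if log_to_stdout is true then log_file is ignored and the 'log' is printed (almost unbuffered) to stdout.
log_to_stdout = true

# Unless path is absolute, it is relative to working_dir.
# If this is not specified then it will place it in certs dir (and create the directory if needed,
# maybe not with the best permissions).
# This directory holds private keys: create it yourself beforehand, owned by the account the server
# runs as and readable by that account only, rather than relying on the automatic creation.
# avoid putting final '/'
cert_key_dir = "certs"

# If the cert_key_dir directory is not writable, then a warning will emit
# because generating cert/key pairs will fail and cause the program to die.
# Setting the following to 'false' will not emit an error.
cert_key_dir_write_warning = true

# For each accepted connection a fork() is called. This toggles if that should happen or not.
# For debugging or memory reasons, it may help to set this to false, though it may result in clients timing out.
# Will cause 'timed-out' and 'sysread failed' to appear at the same time in log files.
fork = true

# When the server accept()s the client needs to send, per the Gemini spec: '<URL><CR><LF>'
# This timeout option determines how long the server will wait before timing them out.
# 0 is equivalent to 'do not timeout'. Naughty bots/people sit there doing nothing but clogging the ports.
# Keep this non-zero on anything reachable from the internet: with 0 an idle client is never dropped.
timeout = 5

## These are not specific to default and can be used with vhost
## Vhost options will override default options

# Default document root, when a vhost has none of its own.
root = "default_root"

# append 'index.gmi' when the path ends with '/' or is nothing
assume_index = true

# list the contents of a directory if no index.gmi is found and request is a directory
# A listing reveals every file name in that directory, so leave this false unless that is intended.
dir_listing = false

# otherwise the fallback is 'application/octet-stream' (gemini is primarily text based so 'octet-stream'
# is probably not wanted)
default_mime = 'text/plain'

# redirection allows this program to check for vhost redirect values.
# 'no' meaning, no redirection.
# 'simple', which is simply "if 'x' key exist, return the value for it"
# 'regex' which is a bit more complex and uses Perl's built in regular expression. See the vhost for an example of one.
redirection = 'simple'

# gone, a default context doesn't really do anything besides let all vhost check for a .gone file
# if the original path doesn't exist.
# vhost setting for this is somewhat more involved
gone = true

### Not implemented yet
# similar to .htaccess, .gmiaccess
#gmi_access = true
# automatically reject access to .gmiaccess
#gmi_access_request_reject = true
# No need for a single config file
#include_configs = ["./sites_enabled"]

# A Vhost is *required* since it both serves as vhost and server name identification (sni)
# Vhost example - probably you want to see that it actually works right away
# `$ ncat --ssl localhost 1965'. Quick! You have 5 seconds! type: 'gemini://localhost ' (don't forget the whitespace)
# (ncat (probably) packaged with nmap)
['localhost']
# Generate certificate and key automatically? Uses cert_key_dir
auto_cert = true
# Overrides default setting
assume_index = true

# A more realistic example
#['example.com']
# Listen to more than just 'example.com' with server_alias. No need for two vhost configurations.
# server_alias can just be a single string, e.g. "server_alias='www.example.com'". An array allows
# for more than one alias. If auto_cert is true, then *ON CREATION OF THE CERT* the server_alias's will be added to it.
#server_alias=['www.example.com', 'example.org']
# bind can be set to a string or a list or 'no' which will not be accessible via IP address.
#bind = ['172.16.0.53', '10.43.14.32']
#ports = [10000,10001,10002]
# example.com can only be accessed through this socket, other vhost can use it too.
# unix can be set to some path or to 'no' which will not include it in default's unix path if it is set.
#unix = '/some/other/path/to/unix.sock'
#auto_cert = false
# Location to the cert/key pair is relative to cert_key_dir unless the path is absolute
# The existence of cert and key option will cause auto_cert to be ignored.
# a file
#cert = "cert.pem"
# a file
#key = "key.pem"
#
# this Vhost's document root
#root = "/srv/gemini/example.com"
#
# Overrides default setting
#assume_index = true
#dir_listing = true
#default_mime = 'text/plain'
#
## Regex settings:
## they are checked in the following order:
## certificate, redirection, gone
#
#redirection = 'regex'
#redirect = {
#    # note the beginning '/'.
#    # The regex is compiled like so: qr{^...$} (^ = beginning of line, $ = end of line)
#    # In other words, the entire key value MUST match.
#    # this one would be a simple redirection
#    '/redirect' = 'gemini://my-other-example.com',
#
#    # these are Perl's regular expression.
#    '/share/some_(.*)' = "/share/",
#    # capture group: $1
#    '/blog/2022/dec/(.+)' = '/blog/2022/jul/$1',
#    # capture groups: $1 $2 $3
#    '/blog/(20..)/(.+)/(.+)' = '/newsgroup/$1-$2/$3',
#}
#
#cert_req = {
#    # will accept ANY certificate
#    # ('any' only requires that the client presents a certificate; it does not limit who gets in.
#    #  Use the fingerprint forms below when access must be restricted.)
#    '/cert_required(.*)' = 'any',
#    # Same as above but you can set the text that will accompany the header.
#    '/blog/secret(.*)' = [
#        'any', 'This is my secret place.'
#    ],
#    # Lock an area off with specific fingerprints (sha256)!
#    '/payment_club(.*)' = [
#        'pubkey', 'Accepted members only',
#        # fingerprints (sha256) can have colons and be upper or lower case: program will normalize them.
#        '0b435dd2efc7c7569d97559c22d4a35abbd19cfd6d15d23989773a69df5556c2',
#        '...',
#    ],
#    # Suppose you have a LOT of pubkeys? This example will solve it.
#    '/secret_blog(.*)' = [
#        # file option allows you to specify files that should have a listing of accepted pubkeys
#        # the second option '0' just tells the server to serve default meta text
#        # NOTE(review): what these relative paths resolve against is not stated in this file - confirm,
#        # and keep the list files outside any document root and writable only by the administrator.
#        'file', 0,
#        '../pubkeys1.txt',
#        '../pubkeys2.txt',
#    ],
#}
# if you don't want a vhost to be able to set gone, leave this hash empty or delete it entirely.
#gone = {
#    # this checks if a path location doesn't exist, but does if '.gone' is appended, which will return a gone gemini status
#    append = true,
#    path = [
#        # regex matching
#        '/some/path/that/is/percise/text.gmi',
#        # This will match quite a lot of things
#        '/blog/2021*',
#        # like '/blog/20215/april/' or even '/blog/2021-converense/'
#        # in other words: be careful and be as specific as you can be!
#        # NOTE(review): whether these entries are anchored the way the redirect keys are is not
#        # stated here - test a pattern against real paths before relying on it.
#    ]
#}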