| Age | Commit message (Collapse) | Author |
|---|
|
|
|
The FreeBSD and Linux' sandbox can't deal with `fastcgi' and `proxy'
configuration rules: new sockets needs to be opened and it's either
impossible (the former) or a huge pain in the arse (the latter).
The sandbox is still always used in case only static files are served.
|
|
I really want to get rid of the `executor' process hack for CGI scripts
and its escalation to allow fastcgi and proxying to work on non-OpenBSD.
This drops the CGI support and the `executor' process entirely and is
the first step towards gmid 2.0. It also allows to have more secure
defaults.
On non-OpenBSD systems this means that the sandbox will be deactivated
as soon as fastcgi or proxying are used: you can't open sockets under
FreeBSD' capsicum(4) and I don't want to go thru the pain of making it
work under linux' seccomp/landlock. Patches are always welcome however.
For folks using CGI scripts (hey, I'm one of you!) not all hope is lost:
fcgiwrap or OpenBSD' slowcgi(8) are ways to run CGI scripts as they were
FastCGI applications.
fixes for the documentation and to the non-OpenBSD sandboxes will
follow.
|
|
|
|
add_mime nows allocate dinamically copies of the passed strings, so
that we can actually free what we parse from the config file.
This matters a lot especially with lengthy `types' block: strings that
reach the internal mapping are never free'd, so every manual addition
is leaked.
|
|
|
|
matches found with
% grep -R '=[ ]*{' . | fgrep -v const
|
|
The `map' rule is powerful but quite annoying to use if you have/need
lots of entries (and clutters the configuration file too.)
The `type' block is blatantly stolen from httpd(8) and allows for a way
more nice usage:
type {
include "/usr/share/misc/mime.types"
}
or even
type {
text/markdown md markdown
text/x-perl pl pm
# ...
}
|
|
|
|
> implicit declaration of function 'asprintf'; did you mean 'vsprintf'?
|
|
add a `sni' option for the `proxy' block: the given name is used instead
of the one extracted by the `relay-to' rule.
|
|
refactor the code that calls validate_against_ca into an helper
function to reuse it in both apply_require_ca and (optionally) in
apply_reverse_proxy.
|
|
as a side effect the order of the content of a server block is relaxed:
options, location or proxy blocks can be put in any order.
|
|
|
|
|
|
|
|
I forgot to free some strings when they're no more used.
|
|
|
|
|
|
it doesn't make any sense to keep the proxying info per-location:
proxying only one per-vhost. It can't work differently, it doesn't make
sense anyway.
|
|
|
|
|
|
Add to gmid the ability to forwad a request to another gemini server and
thus acting like a reverse proxy. The current syntax for the config
file is
server "example.com" {
...
proxy relay-to host:port
}
Further options (like the use of custom certificates) are planned.
cf. github issue #7
|
|
Currently dogfooding this patch at gemini.sgregoratto.me. To test,
run the following command and look for the "OCSP response" header:
openssl s_client -connect "gemini.sgregoratto.me:1965" -status
|
|
This adds a barebone dumping of the parsed configuration. It is not
complete, but I'm interested in dumping the full path to `cert' and
`key' in order to write some scripts that can inspect the
configuration, extract the certificates and renew them when expired
automatically.
It's not easy to parse gmid configuration otherwise because the syntax
is flexible and users can use macros. Instead, the idea is to run
gmid and let it dump the configuration once it's been parsed in a
static and predictable format.
Now is possible to parse gmid configuration with, say, awk or perl.
|
|
the global var file could still be NULL and yyerror would crash.
|
|
|
|
|
|
|
|
Error and warning messages are prefixed with "error: " and "warning: "
correspondingly to ease integration with automated tooling.
`yywarn' function added. Off-by-one line numbers in warnings are fixed.
Two error messages are reworded to avoid repeating like
"error: error in server directive" or "error: syntax error".
|
|
it's used only to parse the -p flag. While there add check_port_num
to check the range for the port.
|
|
|
|
it causes a cascade of warnings on some architectures. Also, for what
we're doing here, the signed/unsigned property isn't important.
|
|
* expand $-macros as string, only the new @-macros get expanded as-is
* rollback changes to characters allowed in bare strings
* optional semicolons in optnl, useful for readable @-macros
|
|
This allows to solve the problem with the \n in the grammar (before
two following macro declaration were treated as invalid. This also
brings in a nice `include' keyword.
|
|
Given that env/param are new features of this release, no support for
the "old" syntax is needed.
|
|
In the same spite of the last commit, add the missing separators
between strings to avoid the auto-concat pitfalls. `=>' is used to
separate between `env' and `param' arguments, while for `fastcgi' the
keyword `port' is required between the hostname/ip address and the
port (if provided).
Since `env', `param' and `fastcgi' are all new stuff, there's no need
to keep compatibility.
|
|
|
|
With the newish automatic string concatenation, options like `mime'
that accepts two strings as parameter start to become ambiguous: which
strings gets concatenated? Instead of trying to document in the
manpage which argument(s) is subject to string concatenation, do the
concat always and introduce a separator. In the case of mime,
`to-ext' now acts as a separator to distinguish. While there, also
use a new keyword because it sounds better.
It's dead-easy to upgrade to the new configuration, possibly with some
sed magic, but for the moment the old `mime' form is preserved: (with
a warning!) Will be dropped in the next release.
|
|
not that it's a bottleneck, but it's fancier this way.
|
|
Now that we have this auto concat string thingy, macros can simply
expand to standalone strings in place, as single words.
Forgot to point it out in previous commits, but now we can
cert = "/etc/keys"
server "foo" {
cert $cert "/foo.crt"
...
}
|
|
|
|
|
|
|
|
Macros can be defined at the top of the configuration file:
dir = "/var/gemini"
cert = "/etc/keys"
and re-used later, for example
server "foo" {
root "$dir/foo" # -> /var/gemini/foo
cert "$cert/foo.pem" # -> /etc/keys/foo.pem
}
|
|
|
|
|
|
|
|
The actual implementation is based off doas' parse.y. This gave us
various benefits, like cleaner code, \ to break long lines, better
handling of quotes etc...
|
|
|
