💾 Archived View for bvnf.space › blog › 001_setting_up_vger.gmi captured on 2022-07-16 at 13:38:31. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-03-01)
-=-=-=-=-=-=-
vger[1] is a Gemini server written by Solene. It is simple and only parses requests on stdin and prints to stdout, leaving networking and TLS management to other components. However, it is still well-featured (support for CGI, virtual hosts, using a chroot) and it is very secure. Running on OpenBSD, it can make use of unveil(2) to restrict filesystem access.
[1] vger repository at tildegit.org
To handle the networking and TLS, on OpenBSD we can use inetd(8) and relayd(8). relayd handles the request, and inetd sends it on stdin to vger and returns stdout.
vger can be installed from ports:
pkg_add vger
Now, we need a keypair for relayd to handle the TLS with:
openssl req \ -new \ -subj "/CN=gemini.bvnf.space" \ -x509 \ -newkey rsa:2048 \ -days 1825 \ -nodes \ -out /etc/ssl/gemini.bvnf.space.crt \ -keyout /etc/ssl/private/gemini.bvnf.space.key
Using a DNS name in the Common Name (CN) field is deprecated; instead DNS names should go in Subject Alt name fields. Just add this option to the above command:
-addext "subjectAltName = DNS:bvnf.space, DNS:gemini.bvnf.space"
This keypair is valid for 5 years. I tried using an ECDH key (replace "-newkey rsa:2048" with "-newkey ec -pkeyopt ec_paramgen_curve:prime256v1") but it seems that relayd can only use RSA keys at the moment.
/etc/relayd.conf:
log connection tcp protocol "gemini" { tls keypair "gemini.bvnf.space" } relay "gemini" { listen on "gemini.bvnf.space" port 1965 tls protocol "gemini" forward to 127.0.0.1 port 11965 }
The argument to "tls keypair" must be the same as the certificate and key names (without .crt or .key) produced by openssl(1) above.
relayd -n
Add this line to /etc/inetd.conf: (the _vger user should have been created by installing vger through ports)
127.0.0.1:11965 stream tcp nowait _vger /usr/local/bin/vger vger -m text/plain -i
Options to be passed to vger (see the vger(8) manpage) are specified here. You might want to enable chrooting (-u user) but on OpenBSD this doesn't provide many benefits on top of the use of unveil(2).
Last thing: remember to open TCP 1965 in /etc/pf.conf.
Finally, write something in /var/gemini, and start inetd and relayd.
echo "# ben's space" > /var/gemini/index.gmi rcctl start relayd rcctl start inetd
--
written 2021-10-27