💾 Archived View for thrig.me › tech › gemini › localhost.gmi captured on 2023-06-14 at 15:20:09. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-04-19)
-=-=-=-=-=-=-
A laptop might run a gemini server on the loopback interface for testing. Gemini requires Server Name Indication (SNI), so the certificate will need to be associated with some name, probably one from the /etc/hosts file.
$ grep 1 /etc/hosts
127.0.0.1 localhost gear.thrig.me
::1 localhost gear.thrig.me
$ getent hosts localhost
127.0.0.1 localhost
::1 localhost
$ host localhost 8.8.8.8
...
Host localhost not found: 3(NXDOMAIN)
$ ifconfig lo | fgrep inet
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
Portability varies; the above is from OpenBSD. /etc/hosts may not be checked if a DNS-only library does the lookup, as opposed to the system resolver which looks in /etc/hosts, DNS, and maybe elsewhere. The web eats everything, so there is a DNS-over-HTTP which may use neither /etc/hosts nor the usual DNS servers. However, most software will likely use getaddrinfo(3), or similar, which should read from /etc/hosts, or similar. You could also setup a local authoritative DNS infrastructure. This is more work, though may make sense if you have multiple hosts to manage or want to learn DNS.
A self-signed certificate might be created something like as follows
#!/bin/sh
openssl req -x509 -newkey rsa:4096 -sha256 -days 99999 -nodes \
-keyout host.key -out host.cert -subj "/CN=localhost" -addext \
"subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1"
This will need adjustment if some other name (localhost.localdomain, or whatever) should be used instead, or if you want different filenames or IP addresses.
Section 4.4.2.2 of RFC 8446 is of relevance; "the certificate type MUST be X.509v3 [RFC5280], unless explicitly negotiated otherwise" and you probably do want to be using TLS1.3 or any newer version of the SSL protocol as it comes along, as the older protocol versions tend to be deprecated due to security problems.
$ openssl x509 -noout -text < host.cert | fgrep Version
Version: 3 (0x2)
LibreSSL on OpenBSD 7.2 generates version 3 certificates by default; other software may not.
Another option is to create a local certificate authority and sign certificates against that. This is not necessary for gemini, though could be of use in various situations.
The host.cert and host.key have been stashed to the OpenBSD standard /etc/ssl directory, and this configuration is for gmid.
chroot "/home/jmates/var/gemini"
ipv6 on
user "jmates"
server "localhost" {
cert "/etc/ssl/localhost.pem"
key "/etc/ssl/private/localhost.key"
lang "en"
auto index on
root "/thrig.me"
# what does a loop cause in various gemini clients?
location "/_gemini/3" {
block return 30 "gemini://localhost/_gemini/3"
}
location "/_gemini/4" {
block
}
location "/_gemini/5" {
block return 50 "get off my lawn"
}
}
There are a large number of addresses available in 127.0.0.0/8 that could be aliased on the loopback interface, perhaps if you want to bind different servers to the same port and therefore need to have them listening on a unique IP address.
There may be a security concern if you run something an attacker knows about and they can redirect your gemini client to gemini://localhost/... that then does something bad. If this is a problem, then a less well known hostname or port (or both) could be used that an attacker would be unlikely to guess.
gemini://zaibatsu.circumlunar.space/~solderpunk/gemlog/a-vision-for-gemini-applications.gmi
A loopback server could be good for testing things like encoding.