Setting up vger(8) on OpenBSD


vger[1] is a Gemini server written by Solene. It is deliberately simple: it only parses a request on stdin and writes the response to stdout, leaving networking and TLS termination to other components. It is still well-featured (CGI, virtual hosts, optional chroot) and has a small attack surface. On OpenBSD it uses unveil(2) to restrict its filesystem access to the served directory.


[1] vger repository at tildegit.org


To handle the networking and TLS, on OpenBSD we can use inetd(8) and relayd(8). relayd accepts the TLS connection on port 1965 and forwards the decrypted stream to a local port; inetd listens there, spawns vger for each connection with the request on stdin, and sends whatever vger prints to stdout back down the connection.


vger can be installed from ports:


pkg_add vger

Generating a self-signed keypair


Now, we need a keypair for relayd to handle the TLS with:


openssl req \
	-new \
	-subj "/CN=gemini.bvnf.space" \
	-x509 \
	-newkey rsa:2048 \
	-days 1825 \
	-nodes \
	-out /etc/ssl/gemini.bvnf.space.crt \
	-keyout /etc/ssl/private/gemini.bvnf.space.key

EDIT: 2022-01-09

Using a DNS name in the Common Name (CN) field is deprecated; instead, DNS names should go in the Subject Alternative Name (SAN) extension. Just add this option to the above command:


-addext "subjectAltName = DNS:bvnf.space, DNS:gemini.bvnf.space"


This keypair is valid for 5 years. I tried using an ECDH key (replace "-newkey rsa:2048" with "-newkey ec -pkeyopt ec_paramgen_curve:prime256v1") but it seems that relayd can only use RSA keys at the moment.


Configure relayd


/etc/relayd.conf:


log connection
tcp protocol "gemini" {
	tls keypair "gemini.bvnf.space"
}
relay "gemini" {
	listen on "gemini.bvnf.space" port 1965 tls
	protocol "gemini"
	forward to 127.0.0.1 port 11965
}

The argument to "tls keypair" must match the file names of the certificate and key (without the .crt or .key extension) produced by openssl(1) above; relayd looks them up in /etc/ssl and /etc/ssl/private.


Checking relayd config


relayd -n

Configure inetd


Add this line to /etc/inetd.conf. The _vger user should already exist: it is created when vger is installed from ports.


127.0.0.1:11965 stream	tcp	nowait	_vger	/usr/local/bin/vger	vger -m text/plain -i

Options to be passed to vger (see the vger(8) manpage) are specified here. You might want to enable chrooting (-u user), but on OpenBSD this adds little on top of the filesystem restriction already provided by unveil(2).


Last thing: remember to open TCP 1965 in /etc/pf.conf.


Start it up


Finally, write something in /var/gemini, and start inetd and relayd.


echo "# ben's space" > /var/gemini/index.gmi
rcctl start relayd
rcctl start inetd
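To check the finished setup from a client machine, here is a small Gemini client added as an example (it is not part of the original post or of vger): it builds the request, parses the status/meta header, and pins the self-signed certificate by SHA-256 fingerprint instead of chain verification. The host name and port are assumed to be the ones configured in relayd above.

```python
import hashlib
import socket
import ssl

# Assumed to match the relayd listener configured above.
HOST, PORT = "gemini.bvnf.space", 1965


def build_request(url):
    """A Gemini request is one absolute URL terminated by CRLF, at most 1024 bytes."""
    raw = url.encode("utf-8")
    if not url.startswith("gemini://") or len(raw) > 1024:
        raise ValueError("request must be a gemini:// URL of at most 1024 bytes")
    return raw + b"\r\n"


def parse_response_header(line):
    """Split '<STATUS> <META>\\r\\n' into (status, meta); reject malformed headers."""
    if not line.endswith(b"\r\n"):
        raise ValueError("response header must end with CRLF")
    status, _, meta = line[:-2].partition(b" ")
    if len(status) != 2 or not status.isdigit():
        raise ValueError("status must be exactly two digits")
    if len(meta) > 1024:
        raise ValueError("meta longer than 1024 bytes")
    return int(status), meta.decode("utf-8")


def cert_fingerprint(der):
    """SHA-256 of the DER certificate: the value a TOFU client pins after first contact."""
    return hashlib.sha256(der).hexdigest()


def fetch(url, host=HOST, port=PORT, pinned=""):
    """Fetch a Gemini URL; return (status, meta, body, fingerprint).

    The self-signed certificate has no CA chain, so chain verification is replaced
    by pinning: pass the fingerprint seen on first contact as `pinned`.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # no chain to verify; fingerprint check below instead
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            fp = cert_fingerprint(tls.getpeercert(binary_form=True))
            if pinned and fp != pinned:
                raise ssl.SSLError(f"certificate changed: expected {pinned}, got {fp}")
            tls.sendall(build_request(url))
            stream = tls.makefile("rb")
            status, meta = parse_response_header(stream.readline(1029))  # 2+1+1024+CRLF
            body = stream.read() if 20 <= status <= 29 else b""
            return status, meta, body, fp
```

On first contact, record the returned fingerprint and pass it as `pinned` on later runs so a changed certificate is reported rather than silently accepted.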

--

written 2021-10-27
