
2022-02-24

Re: Securing Gemini Servers

tags: flightlog


perplexing.space has wise words about securing gemini servers:

> In what is bound to be a refreshing break from whining about software I thought I might make a short post on some avenues toward securing gemini servers. There were a few recent instances of path traversal bugs exposing peoples' servers — what are some options for mitigating that sort of risk?

gemini://perplexing.space/2022/securing-gemini-servers.gmi

local copy



This made me realize that my local instance, which is served as an .onion service, is in dire need of care.


logfiles and The Library


So for the first time (no kiddin') I looked at the logs. Is anyone at all requesting these pages? Yes, there is traffic. Turns out that is Stéphane's lupa crawler. Nice! lupa is able to crawl .onions. Cool!

gemini://gemini.bortzmeyer.org/software/lupa/


However, quite a number of NotFound errors are logged. Those originate from links inside the files I collected into The Library. Buried deep in a post there is this:


> Please note that any of the in-capsule links within that copy will not work here. But the text at least should be there.

/en/2021/20211211-flightlog-10.gmi


But of course, the crawler won't read this, let alone adhere to it. So I created a robots.txt file:

```
User-agent: *
Disallow: /library
Disallow: /file
```

While this should cure the above errors, it also means that the crawler will not see the contents of the library at all. So I would like to have something like a "crawl the files, but ignore the links in them" rule, like

AllowFiles: /library

Obviously, this would be an addition to the companion spec, and most probably it's going to be shot down by the guardians of simplicity. And honestly, I did not see this coming. Which just proves that I'm not a network protocol person.
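To see what the two rule sets above actually do to a crawler, here is an added example (my own illustration for this post, not code from lupa or from the companion spec). It parses the robots.txt from above, walks a small constructed capsule whose copied post carries a dead in-capsule link, and treats the proposed AllowFiles directive as a hypothetical extension: a path it matches may be fetched, but links found in it are not followed. The host name, the capsule contents and the AllowFiles semantics are all assumptions made for the demonstration.

```python
import posixpath
from urllib.parse import urlparse

HOST = "example.onion"  # constructed capsule host

# The robots.txt from the post, and a variant with the proposed AllowFiles
# directive (hypothetical: it is not part of the robots companion spec).
ROBOTS_TXT = "User-agent: *\nDisallow: /library\nDisallow: /file\n"
ROBOTS_TXT_ALLOWFILES = ROBOTS_TXT + "AllowFiles: /library\n"

# Constructed capsule: path -> gemtext body. The copy in /library keeps a
# link that only resolved in the capsule it was copied from.
CAPSULE = {
    "/": "# Home\n=> /en/2022/post.gmi a post\n=> /library/index.gmi The Library\n",
    "/en/2022/post.gmi": "# Post\n=> /file/notes.txt notes\n",
    "/library/index.gmi": "# The Library\n=> copy.gmi a copied post\n",
    "/library/copy.gmi": "# Copied post\n=> /in-capsule/missing.gmi dead link\n",
    "/file/notes.txt": "plain text, no links",
}


def parse_robots(text):
    """Return a list of (agents, rules) groups; rules hold prefix lists."""
    groups, current, in_agents = [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if not in_agents:  # a new group starts after any rule line
                current = ([], {"disallow": [], "allowfiles": []})
                groups.append(current)
                in_agents = True
            current[0].append(value.lower())
        elif current is not None:
            in_agents = False
            if key in current[1] and value:  # an empty Disallow allows all
                current[1][key].append(value)
    return groups


def rules_for(groups, agent):
    """Pick the most specific matching group, falling back to '*'."""
    agent = agent.lower()
    for agents, rules in groups:
        if any(a != "*" and a in agent for a in agents):
            return rules
    for agents, rules in groups:
        if "*" in agents:
            return rules
    return {"disallow": [], "allowfiles": []}


def _matches(prefixes, path):
    return any(path.startswith(p) for p in prefixes)


def may_fetch(rules, path):
    """Fetch unless disallowed; AllowFiles (hypothetical) overrides that."""
    return not _matches(rules["disallow"], path) or _matches(rules["allowfiles"], path)


def may_follow_links(rules, path):
    """Links are only followed from pages that are not disallowed at all."""
    return not _matches(rules["disallow"], path)


def extract_links(page_path, gemtext):
    """Resolve '=>' link lines to capsule-local absolute paths."""
    links = []
    for line in gemtext.splitlines():
        if not line.startswith("=>"):
            continue
        parts = line[2:].split(None, 1)
        if not parts:
            continue
        target = parts[0]
        if "://" in target:
            u = urlparse(target)
            if u.scheme != "gemini" or u.netloc != HOST:
                continue  # other capsules are out of scope here
            target = u.path or "/"
        if not target.startswith("/"):
            target = posixpath.join(posixpath.dirname(page_path), target)
        links.append(posixpath.normpath(target))
    return links


def crawl(capsule, robots_text, agent, start="/"):
    """Breadth-first crawl; report fetched, skipped and missing paths."""
    rules = rules_for(parse_robots(robots_text), agent)
    result = {"fetched": [], "skipped": [], "not_found": []}
    queue, seen = [start], {start}
    while queue:
        path = queue.pop(0)
        if not may_fetch(rules, path):
            result["skipped"].append(path)
            continue
        body = capsule.get(path)
        if body is None:
            result["not_found"].append(path)  # what shows up in the server log
            continue
        result["fetched"].append(path)
        if not may_follow_links(rules, path):
            continue
        for link in extract_links(path, body):
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return result


if __name__ == "__main__":
    for label, robots in (("no robots.txt", ""), ("post's robots.txt", ROBOTS_TXT),
                          ("with AllowFiles", ROBOTS_TXT_ALLOWFILES)):
        print(label, crawl(CAPSULE, robots, "lupa"))
```

Without a robots.txt the crawler reaches the dead link and the server logs a NotFound; with the Disallow rules it never enters /library at all; with the hypothetical AllowFiles it fetches /library/index.gmi but stops there, which is exactly the "crawl the files, but ignore the links in them" behaviour wished for above.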


server


Now back to the thing about the server. I use agate, just because it happened to work immediately. I could try to set up the inetd/vger combo, but that is for another day. Yes, my installation was in need of some love:

create a separate user! NOW!

move the files to be served below /srv/gemini

move the certs to be used near there, owned by root and readonly

change the systemd unit accordingly

And while I was at it, I added the whole plethora of directives to the unit file as suggested by perplexing.space. I did not create a chroot or another container.
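As an added illustration of the checklist above (my own example, not code from agate, from perplexing.space or from this capsule's setup), here is a small audit that checks the two things the list pins down on disk and in the unit: served content is not writable by anyone but its owner, the certificates are owned by root and read-only, and the service does not run as root. The systemd directives it looks for are real options, but the selection is mine and is not the list perplexing.space suggests; the ExecStart line and the directory layout are constructed, and because the example runs unprivileged it uses the current uid as a stand-in for root.

```python
import os
import stat
import tempfile

# Real systemd sandboxing directives; the selection is an assumption of this
# example, not the set perplexing.space recommends.
HARDENING = {
    "NoNewPrivileges": "yes",
    "ProtectSystem": "strict",
    "ProtectHome": "yes",
    "PrivateTmp": "yes",
    "PrivateDevices": "yes",
    "ProtectKernelTunables": "yes",
    "ProtectControlGroups": "yes",
}

# Constructed units; the ExecStart line is illustrative only.
UNIT_BEFORE = """\
[Unit]
Description=gemini server

[Service]
ExecStart=/usr/local/bin/agate --content /srv/gemini/content --certs /srv/gemini/certs
"""
UNIT_AFTER = UNIT_BEFORE + "User=gemini\nGroup=gemini\n" + "".join(
    f"{k}={v}\n" for k, v in HARDENING.items())


def parse_unit(text):
    """Minimal INI reader: {section: {key: value}}, last value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            current[k] = v
    return sections


def audit_unit(text):
    """Report a missing dedicated user and absent hardening directives."""
    findings = []
    service = parse_unit(text).get("Service", {})
    user = service.get("User")
    if not user or user == "root":
        findings.append("Service runs as root: set User= to a dedicated account")
    for key, want in HARDENING.items():
        if service.get(key, "").lower() != want:
            findings.append(f"missing {key}={want}")
    return findings


def audit_files(content_dir, cert_dir, cert_owner_uid=0):
    """Content: no group/other write bits. Certs: owned by cert_owner_uid
    (root by default) and carrying no write bits at all."""
    findings = []
    for dirpath, _, names in os.walk(content_dir):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{p}: writable by group or other")
    for dirpath, _, names in os.walk(cert_dir):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            if st.st_uid != cert_owner_uid:
                findings.append(f"{p}: owner uid {st.st_uid}, expected {cert_owner_uid}")
            if st.st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{p}: not read-only")
    return findings


def build_demo_tree(root):
    """Create a constructed /srv/gemini-like layout; return (content, certs)."""
    content, certs = os.path.join(root, "content"), os.path.join(root, "certs")
    os.makedirs(content)
    os.makedirs(certs)
    index = os.path.join(content, "index.gmi")
    with open(index, "w") as f:
        f.write("# Home\n")
    os.chmod(index, 0o644)
    key = os.path.join(certs, "key.pem")
    with open(key, "w") as f:
        f.write("placeholder, not real key material\n")
    os.chmod(key, 0o440)
    return content, certs


def demo_audit():
    """Audit the clean tree, then again after loosening two permissions."""
    with tempfile.TemporaryDirectory() as root:
        content, certs = build_demo_tree(root)
        me = os.getuid()  # stand-in for root, since this runs unprivileged
        clean = audit_files(content, certs, cert_owner_uid=me)
        os.chmod(os.path.join(content, "index.gmi"), 0o666)
        os.chmod(os.path.join(certs, "key.pem"), 0o640)
        broken = audit_files(content, certs, cert_owner_uid=me)
    return {"clean": clean, "broken": broken}


if __name__ == "__main__":
    print("before:", audit_unit(UNIT_BEFORE))
    print("after:", audit_unit(UNIT_AFTER))
    print(demo_audit())
```

Running it against the real unit and /srv/gemini (with the default cert_owner_uid of 0) is the quick "still sane after the next edit?" check; ProtectSystem=strict in particular makes the whole filesystem read-only for the service, which is fine for a server that only reads content and certificates.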


So, now I'm feeling better! And it still works!


Thanks to perplexing.space for motivating me to look at it and change it.


Cheers,

~ew

