Import gemini-from-http

4 files changed, 138 insertions, 0 deletions

diff --git a/README.md b/README.md
index 8a6c519..3aa79bd 100644
--- a/README.md
+++ b/README.md
@@ -4,3 +4,6 @@ Coppewebite is a project exploring interactions between the [Gemini protocol](ht
 
 * [`gemini-to-web`](gemini-to-web): Python library and command-line tools to convert Gemini to web formats.
 * [`apache-configuration`](apache-configuration.md): documentation for configuring Apache httpd to make serve Gemtext as an alternative negotiated content type.
+* [`gemini-from-http`](gemini-from-http): a Gemini proxy server that proxies all content to an http or https server.
+
+`gemini-from-http` is particularly useful paired with an Apache httpd server configured to serve Gemtext as an alternative negotiated content type.
diff --git a/gemini-from-http/README.md b/gemini-from-http/README.md
new file mode 100644
index 0000000..ec8b5d2
--- /dev/null
+++ b/gemini-from-http/README.md
@@ -0,0 +1,54 @@
+# Gemini from http
+
+`proxy.py` is a Gemini server that proxies all content to an http or https server.
+
+`proxy.py` loads certificates following the structure of Apache mod_md.
+
+## Providing the certificates via systemd credentials
+
+With `/etc/systemd/system/gemini-from-http.service`:
+
+```
+[Service]
+LoadCredential=certificates:/etc/apache2/md/domains/
+ExecStart=.../proxy.py --certificates-from-credential certificates
+DynamicUser=true
+CapabilityBoundingSet=
+PrivateDevices=true
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+RestrictNamespaces=true
+ProtectHostname=true
+LockPersonality=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+# If you don't put proxy.py in a home directory... ProtectHome=true
+ProtectProc=invisible
+ProcSubset=pid
+PrivateUsers=self
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+UMask=7777
+```
+
+Systemd injects the certificates to a private path than only `proxy.py` can read.
+The injection is a one off, so you must restart the service to get updated certificates.
+
+## Providing the certificates manually
+
+To run `proxy.py` as a regular user, you can run the `package-mod-md-certs` script as root to copy the certificates to your user:
+
+```
+su -c ./package-mod-md-certs | tar x
+```
+
+Then you can run:
+
+```
+./proxy.py --certificates-from-path domains/
+```
diff --git a/gemini-from-http/package-mod-md-certs b/gemini-from-http/package-mod-md-certs
new file mode 100755
index 0000000..304f64d
--- /dev/null
+++ b/gemini-from-http/package-mod-md-certs
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec tar c -C /etc/apache2/md/ --exclude '*.json' domains/
diff --git a/gemini-from-http/proxy.py b/gemini-from-http/proxy.py
new file mode 100755
index 0000000..b3411ca
--- /dev/null
+++ b/gemini-from-http/proxy.py
@@ -0,0 +1,78 @@
+#!/usr/bin/env python3
+import argparse
+import logging
+import os
+import pathlib
+import ssl
+import socketserver
+import urllib.parse
+import urllib.request
+
+
+context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+proxied_hosts = []
+
+class Handler(socketserver.BaseRequestHandler):
+    def handle(self):
+        with context.wrap_socket(self.request, server_side=True) as sock:
+            recv = sock.recv(1024)
+            recv = recv.decode("ASCII")
+            assert recv.endswith("\r\n"), f"Received request {repr(recv)} that does not end in \\r\\n"
+            absolute_uri = recv.removesuffix("\r\n")
+            assert absolute_uri.startswith("gemini://"), f"Request for uri {absolute_uri} does not start with gemini://"
+            logging.info(absolute_uri)
+            absolute_uri = urllib.parse.urlparse(absolute_uri)
+            host = absolute_uri.netloc
+
+            global proxied_hosts
+            assert host in proxied_hosts, f"{host} not in {proxied_hosts}"
+            request = urllib.request.Request(absolute_uri._replace(scheme="https").geturl(), headers={"Host": host})
+            request.add_header("Accept", "text/gemini")
+            with urllib.request.urlopen(request) as f:
+                content = f.read().decode("UTF8")
+            response = "20 text/gemini\r\n"
+            response += content
+
+            sock.sendall(response.encode("UTF8"))
+
+
+def main():
+    logging.basicConfig(level=logging.DEBUG, format="%(asctime)s %(message)s")
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--host", default="0.0.0.0")
+    parser.add_argument("--port", type=int, default=1965)
+    parser.add_argument("proxied_host", nargs="+")
+
+    group = parser.add_mutually_exclusive_group()
+    group.add_argument("--certificates-from-path", type=pathlib.Path)
+    group.add_argument("--certificates-from-credential")
+    args = parser.parse_args()
+
+    if args.certificates_from_path:
+        def domain_to_path(server_name):
+            domain_path = args.certificates_from_path / server_name
+            return  (domain_path / "pubcert.pem" , domain_path / "privkey.pem")
+
+    if args.certificates_from_credential:
+        def domain_to_path(server_name):
+            credentials_directory = pathlib.Path(os.environ["CREDENTIALS_DIRECTORY"])
+            return (credentials_directory / f"{args.certificates_from_credential}_{server_name}_pubcert.pem", credentials_directory / f"{args.certificates_from_credential}_{server_name}_privkey.pem")
+
+    def sni_callback(socket: ssl.SSLSocket, server_name, _context):
+        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        certfile, keyfile = domain_to_path(server_name)
+        context.load_cert_chain(certfile, keyfile)
+        socket.context = context
+
+    context.sni_callback = sni_callback
+
+    global proxied_hosts
+    proxied_hosts = args.proxied_host
+
+    socketserver.TCPServer.allow_reuse_address = True
+    with socketserver.TCPServer((args.host, args.port), Handler) as server:
+        server.serve_forever()
+
+
+if __name__ == "__main__":
+    main()