From a0239f0024e07aca71de35828c3f47df77abf9ff Mon Sep 17 00:00:00 2001 From: alex Date: Sat, 14 Feb 2026 21:46:55 +0100 Subject: Import gemini-from-http --- README.md | 3 ++ gemini-from-http/README.md | 54 ++++++++++++++++++++++++ gemini-from-http/package-mod-md-certs | 3 ++ gemini-from-http/proxy.py | 78 +++++++++++++++++++++++++++++++++++ 4 files changed, 138 insertions(+) create mode 100644 gemini-from-http/README.md create mode 100755 gemini-from-http/package-mod-md-certs create mode 100755 gemini-from-http/proxy.py diff --git a/README.md b/README.md index 8a6c519..3aa79bd 100644 --- a/README.md +++ b/README.md @@ -4,3 +4,6 @@ Coppewebite is a project exploring interactions between the [Gemini protocol](ht * [`gemini-to-web`](gemini-to-web): Python library and command-line tools to convert Gemini to web formats. * [`apache-configuration`](apache-configuration.md): documentation for configuring Apache httpd to make serve Gemtext as an alternative negotiated content type. +* [`gemini-from-http`](gemini-from-http): a Gemini proxy server that proxies all content to an http or https server. + +`gemini-from-http` is particularly useful paired with an Apache httpd server configured to serve Gemtext as an alternative negotiated content type. diff --git a/gemini-from-http/README.md b/gemini-from-http/README.md new file mode 100644 index 0000000..ec8b5d2 --- /dev/null +++ b/gemini-from-http/README.md @@ -0,0 +1,54 @@ +# Gemini from http + +`proxy.py` is a Gemini server that proxies all content to an http or https server. + +`proxy.py` loads certificates following the structure of Apache mod_md. + +## Providing the certificates via systemd credentials + +With `/etc/systemd/system/gemini-from-http.service`: + +``` +[Service] +LoadCredential=certificates:/etc/apache2/md/domains/ +ExecStart=.../proxy.py --certificates-from-credential certificates +DynamicUser=true +CapabilityBoundingSet= +PrivateDevices=true +ProtectClock=true +ProtectKernelLogs=true +ProtectControlGroups=true +ProtectKernelModules=true +SystemCallArchitectures=native +MemoryDenyWriteExecute=true +RestrictNamespaces=true +ProtectHostname=true +LockPersonality=true +ProtectKernelTunables=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictRealtime=true +# If you don't put proxy.py in a home directory... ProtectHome=true +ProtectProc=invisible +ProcSubset=pid +PrivateUsers=self +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +UMask=7777 +``` + +Systemd injects the certificates to a private path than only `proxy.py` can read. +The injection is a one off, so you must restart the service to get updated certificates. + +## Providing the certificates manually + +To run `proxy.py` as a regular user, you can run the `package-mod-md-certs` script as root to copy the certificates to your user: + +``` +su -c ./package-mod-md-certs | tar x +``` + +Then you can run: + +``` +./proxy.py --certificates-from-path domains/ +``` diff --git a/gemini-from-http/package-mod-md-certs b/gemini-from-http/package-mod-md-certs new file mode 100755 index 0000000..304f64d --- /dev/null +++ b/gemini-from-http/package-mod-md-certs @@ -0,0 +1,3 @@ +#!/bin/sh + +exec tar c -C /etc/apache2/md/ --exclude '*.json' domains/ diff --git a/gemini-from-http/proxy.py b/gemini-from-http/proxy.py new file mode 100755 index 0000000..b3411ca --- /dev/null +++ b/gemini-from-http/proxy.py @@ -0,0 +1,78 @@ +#!/usr/bin/env python3 +import argparse +import logging +import os +import pathlib +import ssl +import socketserver +import urllib.parse +import urllib.request + + +context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) +proxied_hosts = [] + +class Handler(socketserver.BaseRequestHandler): + def handle(self): + with context.wrap_socket(self.request, server_side=True) as sock: + recv = sock.recv(1024) + recv = recv.decode("ASCII") + assert recv.endswith("\r\n"), f"Received request {repr(recv)} that does not end in \\r\\n" + absolute_uri = recv.removesuffix("\r\n") + assert absolute_uri.startswith("gemini://"), f"Request for uri {absolute_uri} does not start with gemini://" + logging.info(absolute_uri) + absolute_uri = urllib.parse.urlparse(absolute_uri) + host = absolute_uri.netloc + + global proxied_hosts + assert host in proxied_hosts, f"{host} not in {proxied_hosts}" + request = urllib.request.Request(absolute_uri._replace(scheme="https").geturl(), headers={"Host": host}) + request.add_header("Accept", "text/gemini") + with urllib.request.urlopen(request) as f: + content = f.read().decode("UTF8") + response = "20 text/gemini\r\n" + response += content + + sock.sendall(response.encode("UTF8")) + + +def main(): + logging.basicConfig(level=logging.DEBUG, format="%(asctime)s %(message)s") + parser = argparse.ArgumentParser() + parser.add_argument("--host", default="0.0.0.0") + parser.add_argument("--port", type=int, default=1965) + parser.add_argument("proxied_host", nargs="+") + + group = parser.add_mutually_exclusive_group() + group.add_argument("--certificates-from-path", type=pathlib.Path) + group.add_argument("--certificates-from-credential") + args = parser.parse_args() + + if args.certificates_from_path: + def domain_to_path(server_name): + domain_path = args.certificates_from_path / server_name + return (domain_path / "pubcert.pem" , domain_path / "privkey.pem") + + if args.certificates_from_credential: + def domain_to_path(server_name): + credentials_directory = pathlib.Path(os.environ["CREDENTIALS_DIRECTORY"]) + return (credentials_directory / f"{args.certificates_from_credential}_{server_name}_pubcert.pem", credentials_directory / f"{args.certificates_from_credential}_{server_name}_privkey.pem") + + def sni_callback(socket: ssl.SSLSocket, server_name, _context): + context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) + certfile, keyfile = domain_to_path(server_name) + context.load_cert_chain(certfile, keyfile) + socket.context = context + + context.sni_callback = sni_callback + + global proxied_hosts + proxied_hosts = args.proxied_host + + socketserver.TCPServer.allow_reuse_address = True + with socketserver.TCPServer((args.host, args.port), Handler) as server: + server.serve_forever() + + +if __name__ == "__main__": + main() -- cgit v1.2.3