Server software recommendations

solderpunk solderpunk at SDF.ORG
Thu May 14 16:08:11 BST 2020


On Thu, May 14, 2020 at 12:35:45PM +0000, tiwesdaeg at tilde.pink wrote:
 
> I'm using molly-brown currently, because I like how it handles user
> public_gemini directories. Full cgi support would be nice.

I've been meaning to write a gemlog about this for ages, but never seem
to have the time...

CGI support in Molly Brown scares the pants off me.  Go doesn't reliably
support setuid() and this totally breaks all the standard paradigms of
unix server design.  In particular, I can find no way for MB to spawn a
CGI process which doesn't run as the same user as MB itself, and
therefore necessarily has the ability to read the TLS private key files
and write to the log file, which is obviously a massive security hole.
Because the MB process never runs as root, it's not possible to chroot
the CGI processes somewhere they couldn't see those files, either.

I'm frankly baffled that a language with Ken Thompson and Rob Pike as
designers, created specifically to help Google engineers write server
software, could turn out to be so terrible for...writing servers on
unix.  I can only imagine this has happened because nobody at Google
would ever do something so terribly mundane and non-scalable as fork
off an entire whole new process on the same machine to generate some
content.  Probably there'd be ten layers of containers and proxying and
reverse-proxying and other Cloudian faff keeping the content-generating
processes separated from the server processes so that uids were a quaint
and irrelevant consideration.

(if any Go wizards have recently joined the list and can correct me on
any of the above I'd be thrilled)

If you're just running your own server and you have control over the CGI
code, then go for it and be careful.  In a pubnix type environment where
you are letting third parties upload stuff, you basically need to be
extremely careful, use the configuration to restrict CGI to directories
writable only by people you really trust or will actively verify the
code of.

This was the reason that I pondered a few months back on this list some
kind of FastCGI-esque system for a Gemini server to communicate with a
process it didn't spawn itself over a domain socket or similar.  But
maybe I should just give up on Go for servers (this exact same issue
affects Shizaru, too).

Cheers,
Solderpunk

> Thanks for all the hard work all you software developers are doing!
> 
> On Thu, May 14, 2020 at 04:50:41AM -0400, Sean Conner wrote:
> > It was thus said that the Great Ecmel Berk Canlıer once stated:
> > > Hello all!
> > > 
> > > I've been checking out the mailing list and reading about Gemini every
> > > now and then, and decided to try and host a Gemini server for my blog.
> > > 
> > > One question I had is: Which server software is the most mature one?
> > 
> >   What do you mean by "most mature"?  By age, it's GLV-1.12556 (disclaimer:
> > I wrote it).  By feature set, it's a toss-up between GLV-1.12556:
> > 
> > 		* support for any type of documents (from multiple directories)
> > 		* CGI (both Gemini and HTTP specific, RFC-3875 compliant)
> > 		* user directories
> > 		* client certificate support
> > 		* easy to extend with custom modules (if you know Lua)
> > 
> > and Gemserv:
> > 
> > 		* support for any type of document
> > 		* CGI (Gemini only, not quite RFC-3875 compliant)
> > 		* user directories
> > 		* reverse proxy
> > 		* virtual hosts
> > 
> > Both have recent updates. By popularity, last time I checked, it was
> > JetForce (which also has had recent updates).  Of the three mentioned,
> > JetForce is in Python, Gemserv in Rust, and GLV-1.12556 in Lua.  The lack of
> > virtual hosting in GLV-1.12556 is because I lack experience in dealing with
> > server certificates with multiple hosts, and because of that, I can't exactly
> > test that feature.
> > 
> > > On the software list [1], there is no description about the state and
> > > feature set of any of the listed server software.
> > > 
> > > [1]: gemini://gemini.circumlunar.space/software/ 
> > > 
> > > I only need to serve static files, as everything else happens on a
> > > static site generator before being uploaded.
> > 
> >   If that's the case, then most of the servers would probably work, it then
> > comes down to which language do you have available for compiling/running the
> > server.
> > 
> >   -spc

