omar-polo / gmid

a Gemini server
https://gmid.omarpolo.com
ISC License

server "IPv6"? #25

Closed d47081 closed 1 month ago

d47081 commented 3 months ago

I'm using Yggdrasil, and want to host capsule without regular domain name.

By defining an IPv6 address in the config, e.g. server "[xxx:xxxx:xxxx:xxxx:xx]", I get an incomplete header error.

With /etc/hosts it works using a domain alias, but with an IP it does not.

d47081 commented 3 months ago

Found this in logs:

replying to server #3
handshake: missing SNI
201:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:39532 GET  59 Wrong/malformed host or missing SNI

I've tried to add this option, but it doesn't help, and SNI is related to the proxy, not a local folder.

Here is my config also:

server "xxx:xxxx:xxxx:xxxx::xx" {
    listen on xxx:xxxx:xxxx:xxxx::xx port 1965
    cert "/home/gmid/host/xxx:xxxx:xxxx:xxxx::xx/cert.pem"
    key "/home/gmid/host/xxx:xxxx:xxxx:xxxx::xx/key.rsa"
    root "/home/gmid/host/xxx:xxxx:xxxx:xxxx::xx/public"
    index "index.gmi"
}

omar-polo commented 3 months ago

Without knowing how Yggdrasil works, I think the issue is that the client connecting to gmid is not providing any SNI (server name indication).

gmid relies on the client to use SNI to understand which virtual host the client wants to talk to, and from my understanding bare IPv4 or IPv6 addresses can't be used as host names in TLS.

I'm not sure whether gmid should gracefully handle the omission of the SNI, as it's mandatory per the gemini specification. On the other hand, I see how this could be useful for some niche use-cases.

I guess that for your use-case with Yggdrasil you can't use a hostname?

d47081 commented 3 months ago

Yggdrasil works like any IPv6 interface, but in the 'death' 0200::/7 range (sometimes validators skip this fake address).

Just curious, does gmid support IPv6 addresses in the names? If yes, it will support Yggdrasil also. If no, it would be nice to have this option, because I don't want to launch another server :)

omar-polo commented 3 months ago

Well, the gemini specification says that

Client and server implementations MUST support TLS SNI (Server Name Indication) and clients MUST include hostname information when making requests for URLs where the authority section is a hostname.

and I probably missed the "where the authority section is a hostname", which seems to imply that it's also OK to make requests without SNI if you want to talk to a bare IPv4 or IPv6 address.

At the moment gmid always requires an SNI from the client; I'll see what can be done to relax this requirement.

Thanks!

omar-polo commented 1 month ago

I believe this is now fixed. I've relaxed the requirements for SNI in 1ef0cd0cdb6512fad96ecf0830e581af677d5947 and then added support for IPv6 addresses in the IRI parsing code in b00f71ba97cf4448446fc5ccf715ca0dfda3a93b, and added some tests.

I've tested this configuration

server "::1" {
        listen on ::1 port 10965
        cert "..."
        key  "..."
        root "..."
}

and it works for me. Don't wrap IPv6 addresses in braces [...] in the server and listen directive.
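The rule worked out in this thread (SNI is mandatory only when the URL authority is a hostname, and a bracketed IPv6 literal in the request URL must match a bare address in the server directive) can be written down as a small virtual-host selection routine. The following is an added example in Python, not gmid's code; the vhost table, the sample addresses (documentation ranges and ::1) and the choice of 59 for a missing or mismatched SNI and 53 for an unknown host are assumptions made for the example.

```python
"""Added example (not gmid's own code): SNI policy and IPv6 authority handling
for a Gemini virtual-host lookup, following the spec wording quoted above.

A Gemini request is one line "gemini://authority/path\r\n". The server also
knows the TLS SNI value (if any) from the handshake. SNI is mandatory only
when the authority is a hostname, so a missing SNI is accepted here when the
authority is a bare IP literal. Status codes 59 and 53 are assumptions.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORT = 1965  # Gemini default port


def normalize_name(name: str) -> str:
    """Canonical key for a server name: compressed form for IP literals
    (so "0:0:0:0:0:0:0:1" and "::1" match), lowercase for hostnames."""
    try:
        return ipaddress.ip_address(name).compressed
    except ValueError:
        return name.lower()


def parse_authority(request_line: str) -> tuple[str, int, bool]:
    """Return (host, port, is_ip_literal) from a Gemini request line.

    IPv6 literals are bracketed in the URL ("[::1]") but the server name used
    for matching is the bare address ("::1"), as in the config shown above.
    urlsplit strips the brackets and lowercases the host for us; it raises
    ValueError on a malformed IPv6 authority or a non-numeric port.
    """
    url = urlsplit(request_line.rstrip("\r\n"))
    if url.scheme != "gemini" or not url.hostname:
        raise ValueError("malformed request line")
    host = url.hostname
    port = url.port or DEFAULT_PORT
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return host, port, is_ip


def select_vhost(vhosts: dict[str, str], sni: str | None,
                 request_line: str) -> tuple[int, str, str | None]:
    """Pick the virtual host for a request.

    vhosts maps a configured server name (hostname or bare IP literal) to
    its document root. Returns (status, meta, root); root is None on error.
    """
    try:
        host, _port, is_ip = parse_authority(request_line)
    except ValueError:
        return 59, "Bad request", None
    if sni is None and not is_ip:
        # hostname authority without SNI: the spec makes SNI mandatory here
        return 59, "Wrong/malformed host or missing SNI", None
    if sni is not None and normalize_name(sni) != normalize_name(host):
        # SNI and URL authority disagree: refuse rather than guess a vhost
        return 59, "Wrong/malformed host or missing SNI", None
    table = {normalize_name(k): v for k, v in vhosts.items()}
    root = table.get(normalize_name(host))
    if root is None:
        return 53, "Proxy request refused", None
    return 20, "text/gemini", root


# Constructed vhost table for demonstration (documentation addresses only).
SAMPLE_VHOSTS = {
    "example.org": "/srv/example",
    "::1": "/srv/v6",
    "192.0.2.10": "/srv/v4",
}

if __name__ == "__main__":
    for sni, req in [
        ("example.org", "gemini://example.org/\r\n"),
        (None, "gemini://example.org/\r\n"),
        (None, "gemini://[::1]:10965/index.gmi\r\n"),
        (None, "gemini://[0:0:0:0:0:0:0:1]/\r\n"),
        (None, "gemini://[2001:db8::2]/\r\n"),
    ]:
        print(sni, req.strip(), "->", select_vhost(SAMPLE_VHOSTS, sni, req))
```

The bracket handling is the part that bites in practice: the request URL carries "[::1]" while the server directive carries "::1", so the lookup key must be the bare, normalized address on both sides, which is why the example compares compressed forms rather than raw strings.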

omar-polo commented 1 month ago

I've tagged 2.0.3 which also includes this fix, so I'm closing this for now.

Thanks for the report!