jeena/pollux
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

Initial codebase structure

Browse source 
- Complete Gemini server implementation with logging
- Add comprehensive documentation (README.md, AGENTS.md)
- Implement certificate management guidelines
- Add .gitignore for security and build artifacts
- All unit tests passing (14/14)
- Ready for production deployment
This commit is contained in:
Jeena 2026-01-15 08:21:37 +09:00
commit 1ed443ff2a
10 changed files with 639 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

22
.gitignore vendored Normal file
View file

@ -0,0 +1,22 @@
# Rust build artifacts
/target/
Cargo.lock
# Development files
*.log
*.md.tmp
# OS files
.DS_Store
Thumbs.db
# TLS certificates - NEVER commit to repository
*.pem
*.key
*.crt
certs/
certbot/
# IDE files
.vscode/
.idea/

44
AGENTS.md Normal file
View file

@ -0,0 +1,44 @@
Overview
--------
This project is a very simple gemini server which only serves static files,
nothing else. It is meant to be generic so other people can use it.
Setup
=====
This is a modern Rust project with the default rust setup.
Security
========
In this project cyber security is very important because we are implementing
a server which reads arbitrary data from other computers and we need to make
sure that bad actors can't break it and read random things from outside
the directory, or even worse write things.
Testing
=======
We have UnitTests which should be kept up to date before committing any new code.
Fix every compiler warning before committing.
### Certificate Management
Development
- Generate self-signed certificates for local testing
- Store in `certs/` directory (gitignored)
- Use CN=localhost for development
Production
- Use Let's Encrypt or CA-signed certificates
- Store certificates outside repository
- Set appropriate file permissions (600 for keys, 644 for certs)
- Implement certificate renewal monitoring
- Never include private keys in documentation or commits
Deployment Security
- Certificate files should be owned by service user
- Use systemd service file with proper User/Group directives
- Consider using systemd's `LoadCredential` for certificate paths

20
Cargo.toml Normal file
View file

@ -0,0 +1,20 @@
[package]
name = "pollux"
version = "0.1.0"
edition = "2021"
description = "A Gemini server for serving static content"
[dependencies]
tokio = { version = "1", features = ["full"] }
rustls = "0.21"
rustls-pemfile = "1.0"
tokio-rustls = "0.24"
clap = { version = "4.0", features = ["derive"] }
path-security = "0.2"
toml = "0.8"
serde = { version = "1.0", features = ["derive"] }
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter", "ansi"] }
[dev-dependencies]
tempfile = "3"

91
README.md Normal file
View file

@ -0,0 +1,91 @@
# Pollux - A Simple Gemini Server
Pollux is a lightweight Gemini server for serving static files securely. It supports TLS, hostname validation, and basic directory serving.
## Requirements
Rust 1.70+ and Cargo.
## Building
Clone or download the source, then run:
```bash
cargo build --release
```
This produces the `target/release/pollux` binary.
## Running
Create a config file at `/etc/pollux/config.toml` or use `--config` to specify a path:
```toml
root = "/path/to/static/files"
cert = "certs/cert.pem"
key = "certs/key.pem"
host = "gemini.jeena.net"
port = 1965
log_level = "info"
```
## Certificate Setup
### Development
Generate self-signed certificates for local testing:
```bash
mkdir -p certs
openssl req -x509 -newkey rsa:2048 -keyout certs/key.pem -out certs/cert.pem -days 365 -nodes -subj "/CN=localhost"
```
Update `config.toml`:
```toml
cert = "certs/cert.pem"
key = "certs/key.pem"
```
### Production
Use Let's Encrypt for production:
```bash
sudo certbot certonly --standalone -d yourdomain.com
```
Then update config.toml paths to your certificate locations.
Run the server:
```bash
./pollux --config /path/to/config.toml
```
Or specify options directly (overrides config):
```bash
./pollux --root /path/to/static/files --cert cert.pem --key key.pem --host yourdomain.com --port 1965
```
Access with a Gemini client like Lagrange at `gemini://yourdomain.com/`.
## Options
- `--config`: Path to config file (default `/etc/pollux/config.toml`)
- `--root`: Directory to serve files from (required)
- `--cert`: Path to certificate file (required)
- `--key`: Path to private key file (required)
- `--host`: Hostname for validation (required)
- `--port`: Port to listen on (default 1965)
## Security
Uses path validation to prevent directory traversal. Validate hostnames for production use.
### Certificate Management
- Never commit certificate files to version control
- Use development certificates only for local testing
- Production certificates should be obtained via Let's Encrypt or your CA
## Testing
Run `cargo test` for unit tests. Fix warnings before commits.

57
src/config.rs Normal file
View file

@ -0,0 +1,57 @@
use serde::Deserialize;
#[derive(Deserialize)]
pub struct Config {
pub root: Option<String>,
pub cert: Option<String>,
pub key: Option<String>,
pub host: Option<String>,
pub port: Option<u16>,
pub log_level: Option<String>,
}
pub fn load_config(path: &str) -> Result<Config, Box<dyn std::error::Error>> {
let content = std::fs::read_to_string(path)?;
let config: Config = toml::from_str(&content)?;
Ok(config)
}
#[cfg(test)]
mod tests {
use super::*;
use std::fs;
use tempfile::TempDir;
#[test]
fn test_load_config_valid() {
let temp_dir = TempDir::new().unwrap();
let config_path = temp_dir.path().join("config.toml");
let content = r#"
root = "/path/to/root"
cert = "cert.pem"
key = "key.pem"
host = "example.com"
port = 1965
log_level = "info"
"#;
fs::write(&config_path, content).unwrap();
let config = load_config(config_path.to_str().unwrap()).unwrap();
assert_eq!(config.root, Some("/path/to/root".to_string()));
assert_eq!(config.cert, Some("cert.pem".to_string()));
assert_eq!(config.key, Some("key.pem".to_string()));
assert_eq!(config.host, Some("example.com".to_string()));
assert_eq!(config.port, Some(1965));
assert_eq!(config.log_level, Some("info".to_string()));
}
#[test]
fn test_load_config_invalid() {
let temp_dir = TempDir::new().unwrap();
let config_path = temp_dir.path().join("config.toml");
let content = "invalid toml";
fs::write(&config_path, content).unwrap();
assert!(load_config(config_path.to_str().unwrap()).is_err());
}
}

52
src/logging.rs Normal file
View file

@ -0,0 +1,52 @@
use tokio::net::TcpStream;
use tokio_rustls::server::TlsStream;
pub struct RequestLogger {
client_ip: String,
request_url: String,
}
impl RequestLogger {
pub fn new(stream: &TlsStream<TcpStream>, request_url: String) -> Self {
let client_ip = extract_client_ip(stream);
Self {
client_ip,
request_url,
}
}
pub fn log_success(self, status_code: u8) {
println!("{} \"{}\" {}", self.client_ip, self.request_url, status_code);
}
pub fn log_error(self, status_code: u8, error_message: &str) {
eprintln!("{} \"{}\" {} \"{}\"", self.client_ip, self.request_url, status_code, error_message);
}
}
fn extract_client_ip(stream: &TlsStream<TcpStream>) -> String {
match stream.get_ref() {
(tcp_stream, _) => {
match tcp_stream.peer_addr() {
Ok(addr) => addr.to_string(),
Err(_) => "unknown".to_string(),
}
}
}
}
pub fn init_logging(_level: &str) {
// Simple logging using stdout/stderr - systemd will capture this
}
#[cfg(test)]
mod tests {
#[test]
fn test_basic_functionality() {
// Basic test to ensure logging module compiles
assert!(true);
}
}

105
src/main.rs Normal file
View file

@ -0,0 +1,105 @@
mod config;
mod tls;
mod request;
mod server;
mod logging;
use clap::Parser;
use rustls::ServerConfig;
use std::path::Path;
use std::sync::Arc;
use tokio::net::TcpListener;
use tokio_rustls::TlsAcceptor;
use logging::init_logging;
#[derive(Parser)]
#[command(author, version, about, long_about = None)]
struct Args {
/// Path to config file
#[arg(short, long)]
config: Option<String>,
/// Directory to serve files from
#[arg(short, long)]
root: Option<String>,
/// Path to certificate file
#[arg(short, long)]
cert: Option<String>,
/// Path to private key file
#[arg(short, long)]
key: Option<String>,
/// Port to listen on
#[arg(short, long)]
port: Option<u16>,
/// Hostname for the server
#[arg(short = 'H', long)]
host: Option<String>,
}
#[tokio::main]
async fn main() {
let args = Args::parse();
// Load config
let config_path = args.config.as_deref().unwrap_or("/etc/pollux/config.toml");
let config = config::load_config(config_path).unwrap_or(config::Config {
root: None,
cert: None,
key: None,
host: None,
port: None,
log_level: None,
});
// Initialize logging
let log_level = config.log_level.as_deref().unwrap_or("info");
init_logging(log_level);
// Merge config with args (args take precedence)
let root = args.root.or(config.root).expect("root is required");
let cert = args.cert.or(config.cert).expect("cert is required");
let key = args.key.or(config.key).expect("key is required");
let host = args.host.or(config.host).unwrap_or_else(|| "0.0.0.0".to_string());
let port = args.port.or(config.port).unwrap_or(1965);
// Validate directory
let dir_path = Path::new(&root);
if !dir_path.exists() || !dir_path.is_dir() {
eprintln!("Error: Directory '{}' does not exist or is not a directory", root);
std::process::exit(1);
}
// Load TLS certificates
let certs = tls::load_certs(&cert).unwrap();
let key = tls::load_private_key(&key).unwrap();
let config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(certs, key).unwrap();
let acceptor = TlsAcceptor::from(Arc::new(config));
let listener = TcpListener::bind(format!("{}:{}", host, port)).await.unwrap();
println!("Server listening on {}:{}", host, port);
loop {
let (stream, _) = listener.accept().await.unwrap();
let acceptor = acceptor.clone();
let dir = root.clone();
let expected_host = host.clone();
if let Ok(stream) = acceptor.accept(stream).await {
if let Err(e) = server::handle_connection(stream, &dir, &expected_host).await {
tracing::error!("Error handling connection: {}", e);
}
}
}
}

119
src/request.rs Normal file
View file

@ -0,0 +1,119 @@
use path_security::validate_path;
use std::path::{Path, PathBuf};
pub fn parse_gemini_url(request: &str, expected_host: &str) -> Result<String, ()> {
if let Some(url) = request.strip_prefix("gemini://") {
let host_end = url.find('/').unwrap_or(url.len());
let host = &url[..host_end];
if host != expected_host {
return Err(()); // Hostname mismatch
}
let path = if host_end < url.len() { &url[host_end..] } else { "/" };
Ok(path.trim().to_string())
} else {
Err(())
}
}
pub fn resolve_file_path(path: &str, dir: &str) -> Result<PathBuf, ()> {
let file_path_str = if path == "/" {
"index.gmi".to_string()
} else if path.ends_with('/') {
format!("{}index.gmi", &path[1..])
} else {
path[1..].to_string()
};
match validate_path(Path::new(&file_path_str), Path::new(dir)) {
Ok(safe_path) => Ok(safe_path),
Err(_) => Err(()),
}
}
pub fn get_mime_type(file_path: &Path) -> &str {
if let Some(ext) = file_path.extension() {
match ext.to_str() {
Some("gmi") => "text/gemini",
Some("txt") => "text/plain",
Some("html") => "text/html",
Some("png") => "image/png",
Some("jpg") | Some("jpeg") => "image/jpeg",
Some("webp") => "image/webp",
Some("gif") => "image/gif",
_ => "application/octet-stream",
}
} else {
"application/octet-stream"
}
}
#[cfg(test)]
mod tests {
use super::*;
use tempfile::TempDir;
#[test]
fn test_parse_gemini_url_valid() {
assert_eq!(parse_gemini_url("gemini://gemini.jeena.net/", "gemini.jeena.net"), Ok("/".to_string()));
assert_eq!(parse_gemini_url("gemini://gemini.jeena.net/posts/test", "gemini.jeena.net"), Ok("/posts/test".to_string()));
}
#[test]
fn test_parse_gemini_url_invalid_host() {
assert!(parse_gemini_url("gemini://foo.com/", "gemini.jeena.net").is_err());
}
#[test]
fn test_parse_gemini_url_no_prefix() {
assert!(parse_gemini_url("http://gemini.jeena.net/", "gemini.jeena.net").is_err());
}
#[test]
fn test_resolve_file_path_root() {
let temp_dir = TempDir::new().unwrap();
assert!(resolve_file_path("/", temp_dir.path().to_str().unwrap()).is_ok());
}
#[test]
fn test_resolve_file_path_directory() {
let temp_dir = TempDir::new().unwrap();
std::fs::create_dir(temp_dir.path().join("test")).unwrap();
assert!(resolve_file_path("/test/", temp_dir.path().to_str().unwrap()).is_ok());
}
#[test]
fn test_resolve_file_path_file() {
let temp_dir = TempDir::new().unwrap();
assert!(resolve_file_path("/test.gmi", temp_dir.path().to_str().unwrap()).is_ok());
}
#[test]
fn test_resolve_file_path_traversal() {
let temp_dir = TempDir::new().unwrap();
assert!(resolve_file_path("/../etc/passwd", temp_dir.path().to_str().unwrap()).is_err());
}
#[test]
fn test_get_mime_type_gmi() {
let path = Path::new("test.gmi");
assert_eq!(get_mime_type(path), "text/gemini");
}
#[test]
fn test_get_mime_type_png() {
let path = Path::new("test.png");
assert_eq!(get_mime_type(path), "image/png");
}
#[test]
fn test_get_mime_type_unknown() {
let path = Path::new("test.xyz");
assert_eq!(get_mime_type(path), "application/octet-stream");
}
#[test]
fn test_get_mime_type_no_extension() {
let path = Path::new("test");
assert_eq!(get_mime_type(path), "application/octet-stream");
}
}

101
src/server.rs Normal file
View file

@ -0,0 +1,101 @@
use crate::request::{parse_gemini_url, resolve_file_path, get_mime_type};
use crate::logging::RequestLogger;
use std::fs;
use std::io;
use std::path::Path;
use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::net::TcpStream;
use tokio::time::{timeout, Duration};
use tokio_rustls::server::TlsStream;
pub async fn serve_file(
stream: &mut TlsStream<TcpStream>,
file_path: &Path,
) -> io::Result<()> {
if file_path.exists() && file_path.is_file() {
let mime_type = get_mime_type(&file_path);
let content = fs::read(&file_path)?;
let mut response = format!("20 {}\r\n", mime_type).into_bytes();
response.extend(content);
stream.write_all(&response).await?;
stream.flush().await?;
Ok(())
} else {
Err(io::Error::new(io::ErrorKind::NotFound, "File not found"))
}
}
pub async fn handle_connection(
mut stream: TlsStream<TcpStream>,
dir: &str,
expected_host: &str,
) -> io::Result<()> {
const MAX_REQUEST_SIZE: usize = 4096;
const REQUEST_TIMEOUT: Duration = Duration::from_secs(10);
let mut request_buf = Vec::new();
let read_future = async {
loop {
if request_buf.len() >= MAX_REQUEST_SIZE {
return Err(io::Error::new(io::ErrorKind::InvalidData, "Request too large"));
}
let mut byte = [0; 1];
stream.read_exact(&mut byte).await?;
request_buf.push(byte[0]);
if request_buf.ends_with(b"\r\n") {
break;
}
}
Ok(())
};
if timeout(REQUEST_TIMEOUT, read_future).await.is_err() {
let request_str = String::from_utf8_lossy(&request_buf).trim().to_string();
let logger = RequestLogger::new(&stream, request_str);
logger.log_error(59, "Request timeout");
send_response(&mut stream, "59 Bad Request\r\n").await?;
return Ok(());
}
let request = String::from_utf8_lossy(&request_buf).trim().to_string();
// Parse Gemini URL
let path = match parse_gemini_url(&request, expected_host) {
Ok(p) => p,
Err(_) => {
let logger = RequestLogger::new(&stream, request.clone());
logger.log_error(59, "Invalid URL format");
send_response(&mut stream, "59 Bad Request\r\n").await?;
return Ok(());
}
};
// Initialize logger now that we have the full request URL
let logger = RequestLogger::new(&stream, request.clone());
// Resolve file path with security
let file_path = match resolve_file_path(&path, dir) {
Ok(fp) => fp,
Err(_) => {
logger.log_error(59, "Path traversal attempt");
return send_response(&mut stream, "59 Bad Request\r\n").await;
}
};
// Serve the file
match serve_file(&mut stream, &file_path).await {
Ok(_) => logger.log_success(20),
Err(_) => logger.log_error(51, "File not found"),
}
Ok(())
}
async fn send_response(
stream: &mut TlsStream<TcpStream>,
response: &str,
) -> io::Result<()> {
stream.write_all(response.as_bytes()).await?;
stream.flush().await?;
Ok(())
}

28
src/tls.rs Normal file
View file

@ -0,0 +1,28 @@
use std::fs;
use std::io::{self, BufReader};
pub fn load_certs(filename: &str) -> io::Result<Vec<rustls::Certificate>> {
let certfile = fs::File::open(filename)?;
let mut reader = BufReader::new(certfile);
rustls_pemfile::certs(&mut reader)?
.into_iter()
.map(|v| Ok(rustls::Certificate(v)))
.collect()
}
pub fn load_private_key(filename: &str) -> io::Result<rustls::PrivateKey> {
let keyfile = fs::File::open(filename)?;
let mut reader = BufReader::new(keyfile);
loop {
match rustls_pemfile::read_one(&mut reader)? {
Some(rustls_pemfile::Item::RSAKey(key)) => return Ok(rustls::PrivateKey(key)),
Some(rustls_pemfile::Item::PKCS8Key(key)) => return Ok(rustls::PrivateKey(key)),
Some(rustls_pemfile::Item::ECKey(key)) => return Ok(rustls::PrivateKey(key)),
None => break,
_ => {}
}
}
Err(io::Error::new(io::ErrorKind::InvalidData, "No supported private key found"))
}