pollux/README.md

# Pollux - A Simple Gemini Server

Pollux is a lightweight Gemini server for serving static files securely. It supports **virtual hosting**, allowing multiple Gemini capsules on a single server instance. Features include TLS encryption, hostname validation, directory serving, and comprehensive security protections.

## Requirements

Rust 1.70+ and Cargo.

## Building

Clone or download the source, then run:

```bash
cargo build --release
```

This produces the `target/release/pollux` binary.

## Virtual Hosting

Pollux supports **virtual hosting**, allowing you to serve multiple Gemini capsules from a single server. Each hostname can have its own root directory, certificates, and configuration.

### Configuration

Create a config file at `/etc/pollux/config.toml` or use `--config` to specify a path:

```toml
# Global settings (optional)
bind_host = "0.0.0.0"
port = 1965
log_level = "info"
max_concurrent_requests = 1000

# Virtual host configurations
["example.com"]
root = "/var/gemini/example.com"
cert = "/etc/ssl/example.com.crt"
key = "/etc/ssl/example.com.key"

["blog.example.com"]
root = "/var/gemini/blog"
cert = "/etc/ssl/blog.crt"
key = "/etc/ssl/blog.key"

["another-site.net"]
root = "/var/gemini/another"
cert = "/etc/ssl/another.crt"
key = "/etc/ssl/another.key"
port = 1966  # Optional per-host port override
```

### Features

- **Multiple hostnames** on a single server instance
- **Per-host TLS certificates** for proper security isolation
- **Automatic content isolation** - each host serves only its own files
- **Path security** - directory traversal attacks are blocked
- **Index file serving** - `index.gmi` files are served automatically
- **Hostname validation** - DNS-compliant hostname checking

### Request Routing

- `gemini://example.com/` → serves `/var/gemini/example.com/index.gmi`
- `gemini://blog.example.com/article.gmi` → serves `/var/gemini/blog/article.gmi`
- `gemini://unknown.com/` → returns status 53 "Proxy request refused"

### Single Host Mode (Legacy)

For backward compatibility, you can still use the old single-host format:

```toml
root = "/path/to/static/files"
cert = "/path/to/cert.pem"
key = "/path/to/key.pem"
hostname = "gemini.example.com"
bind_host = "0.0.0.0"
port = 1965
log_level = "info"
max_concurrent_requests = 1000
```

## Development Setup

### Quick Start with Self-Signed Certs
```bash
mkdir -p tmp
openssl req -x509 -newkey rsa:2048 \
  -keyout tmp/key.pem \
  -out tmp/cert.pem \
  -days 365 \
  -nodes \
  -subj "/CN=localhost"
```

Update `config.toml`:
```toml
cert = "tmp/cert.pem"
key = "tmp/key.pem"
```

Run the server:

```bash
./pollux --config /path/to/config.toml
```

Access with a Gemini client like Lagrange at `gemini://yourdomain.com/`.

### Development Notes

- These certificates are for local testing only
- Browsers will show security warnings with self-signed certs
- Certificates in the `dev/` directory are gitignored for security

## Options

- `--config` (`-C`): Path to config file (default `/etc/pollux/config.toml`)
- `--no-tls`: Disable TLS for testing (uses raw TCP connections)
- `--test-processing-delay` (debug builds only): Add delay before processing requests (seconds) - for testing rate limiting

## Security

Pollux is designed with security as a priority:

- **Path traversal protection** - requests like `../../../etc/passwd` are blocked
- **TLS encryption** - all connections are encrypted with valid certificates
- **Content isolation** - virtual hosts cannot access each other's files
- **Request validation** - malformed requests are rejected
- **Rate limiting** - configurable concurrent request limits prevent abuse

### Best Practices

#### Virtual Hosting Setup
- Use separate TLS certificates for each hostname when possible
- Keep host root directories separate and properly permissioned
- Use DNS-compliant hostnames (no underscores, proper formatting)
- Monitor logs for unknown hostname attempts

#### Certificate Management
- Never commit certificate files to version control
- Use development certificates only for local testing
- Production certificates should be obtained via Let's Encrypt or your CA
- Rotate certificates regularly and restart the server

#### File Organization
- Create `index.gmi` files in directories for automatic serving
- Use `.gmi` extension for Gemini text files
- Store certificates outside web-accessible directories
- Use proper file permissions (readable by server user only)

### Limitations

- **No dynamic content** - Pollux serves only static files
- **Single certificate per server** - All hosts currently share the same TLS certificate (can be enhanced)
- **No CGI support** - No server-side processing or scripting
- **Memory usage** - All host configurations are loaded into memory
- **No HTTP support** - Gemini protocol only

## Examples

The `examples/` directory contains sample configuration files:

- `virtual-hosting.toml` - Multi-host setup with different certificates
- `single-host.toml` - Legacy single-host configuration
- `development.toml` - Local development with self-signed certificates

## Testing

Run `cargo test` for the full test suite, which includes comprehensive integration tests covering:

- Virtual hosting with multiple hostnames
- TLS certificate validation
- Path security and isolation
- Concurrent request handling
- Performance validation

**Note**: Some integration tests use Python 3 for Gemini protocol validation. If Python 3 is not available, certain tests will be skipped automatically.