mux: Tweak documentation

mux: Add more tests
mux: Remove support for handling schemes
2021-06-26 20:26:30 -04:00 · 2021-06-26 20:16:38 -04:00 · 2021-06-26 18:50:09 -04:00 · 2021-04-21 12:48:27 -04:00 · 2021-04-21 12:41:56 -04:00 · 2021-04-21 12:18:52 -04:00
27 changed files with 1052 additions and 1200 deletions
--- a/64
+++ b/64
@@ -1,51 +1,19 @@
-go-gemini is available under the terms of the MIT license:
+Copyright (c) 2020 Adnan Maolood

-	Copyright (c) 2020 Adnan Maolood
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:

-	Permission is hereby granted, free of charge, to any person obtaining a copy
-	of this software and associated documentation files (the "Software"), to deal
-	in the Software without restriction, including without limitation the rights
-	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-	copies of the Software, and to permit persons to whom the Software is
-	furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.

-	The above copyright notice and this permission notice shall be included in all
-	copies or substantial portions of the Software.
-
-	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-	SOFTWARE.
-
-Portions of this program were taken from Go:
-
-	Copyright (c) 2009 The Go Authors. All rights reserved.
-
-	Redistribution and use in source and binary forms, with or without
-	modification, are permitted provided that the following conditions are
-	met:
-
-	   * Redistributions of source code must retain the above copyright
-	notice, this list of conditions and the following disclaimer.
-	   * Redistributions in binary form must reproduce the above
-	copyright notice, this list of conditions and the following disclaimer
-	in the documentation and/or other materials provided with the
-	distribution.
-	   * Neither the name of Google Inc. nor the names of its
-	contributors may be used to endorse or promote products derived from
-	this software without specific prior written permission.
-
-	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-	LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-	A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-	OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-	LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-	THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-	(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-	OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/27
+++ b/27
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/README.md
+++ b/README.md
@@ -2,9 +2,9 @@

 [![godocs.io](https://godocs.io/git.sr.ht/~adnano/go-gemini?status.svg)](https://godocs.io/git.sr.ht/~adnano/go-gemini) [![builds.sr.ht status](https://builds.sr.ht/~adnano/go-gemini.svg)](https://builds.sr.ht/~adnano/go-gemini?)

-Package gemini implements the [Gemini protocol](https://gemini.circumlunar.space) in Go.
-
-It provides an API similar to that of net/http to make it easy to develop Gemini clients and servers.
+Package gemini implements the [Gemini protocol](https://gemini.circumlunar.space)
+in Go. It provides an API similar to that of net/http to facilitate the
+development of Gemini clients and servers.

 Compatible with version v0.14.3 of the Gemini specification.

@@ -12,6 +12,9 @@ Compatible with version v0.14.3 of the Gemini specification.

 	import "git.sr.ht/~adnano/go-gemini"

+Note that some filesystem-related functionality is only available on Go 1.16
+or later as it relies on the io/fs package.
+
 ## Examples

 There are a few examples provided in the examples directory.
@@ -24,3 +27,9 @@ To run an example:
 Send patches and questions to [~adnano/go-gemini-devel](https://lists.sr.ht/~adnano/go-gemini-devel).

 Subscribe to release announcements on [~adnano/go-gemini-announce](https://lists.sr.ht/~adnano/go-gemini-announce).
+
+## License
+
+go-gemini is licensed under the terms of the MIT license (see LICENSE).
+Portions of this library were adapted from Go and are governed by a BSD-style
+license (see LICENSE-GO). Those files are marked accordingly.
--- a/certificate/store.go
+++ b/certificate/store.go
@@ -6,53 +6,55 @@ import (
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
+	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
 )

-// A Store represents a certificate store.
-// It generates certificates as needed and automatically rotates expired certificates.
+// A Store represents a TLS certificate store.
 // The zero value for Store is an empty store ready to use.
 //
-// Certificate scopes must be registered with Register before calling Get or Load.
-// This prevents the Store from creating or loading unnecessary certificates.
+// Store can be used to store server certificates.
+// Servers should provide a hostname or wildcard pattern as a certificate scope.
+// Servers will most likely use the methods Register, Load and Get.
+//
+// Store can also be used to store client certificates.
+// Clients should provide a hostname as a certificate scope.
+// Clients will most likely use the methods Add, Load, and Lookup.
 //
 // Store is safe for concurrent use by multiple goroutines.
 type Store struct {
-	// CreateCertificate, if not nil, is called to create a new certificate
-	// to replace a missing or expired certificate. If CreateCertificate
-	// is nil, a certificate with a duration of 1 year will be created.
+	// CreateCertificate, if not nil, is called by Get to create a new
+	// certificate to replace a missing or expired certificate.
 	// The provided scope is suitable for use in a certificate's DNSNames.
 	CreateCertificate func(scope string) (tls.Certificate, error)

-	certs map[string]tls.Certificate
-	path  string
-	mu    sync.RWMutex
+	scopes map[string]struct{}
+	certs  map[string]tls.Certificate
+	path   string
+	mu     sync.RWMutex
 }

 // Register registers the provided scope with the certificate store.
 // The scope can either be a hostname or a wildcard pattern (e.g. "*.example.com").
 // To accept all hostnames, use the special pattern "*".
+//
+// Calls to Get will only succeed for registered scopes.
+// Other methods are not affected.
 func (s *Store) Register(scope string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	if s.certs == nil {
-		s.certs = make(map[string]tls.Certificate)
+	if s.scopes == nil {
+		s.scopes = make(map[string]struct{})
 	}
-	s.certs[scope] = tls.Certificate{}
+	s.scopes[scope] = struct{}{}
 }

-// Add adds a certificate with the given scope to the certificate store.
-// If a certificate for the given scope already exists, Add will overwrite it.
+// Add registers the certificate for the given scope.
+// If a certificate already exists for scope, Add will overwrite it.
 func (s *Store) Add(scope string, cert tls.Certificate) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.certs == nil {
-		s.certs = make(map[string]tls.Certificate)
-	}
-
 	// Parse certificate if not already parsed
 	if cert.Leaf == nil {
 		parsed, err := x509.ParseCertificate(cert.Certificate[0])
@@ -62,6 +64,22 @@ func (s *Store) Add(scope string, cert tls.Certificate) error {
 		cert.Leaf = parsed
 	}

+	if err := s.write(scope, cert); err != nil {
+		return err
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.certs == nil {
+		s.certs = make(map[string]tls.Certificate)
+	}
+	s.certs[scope] = cert
+	return nil
+}
+
+func (s *Store) write(scope string, cert tls.Certificate) error {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
 	if s.path != "" {
 		certPath := filepath.Join(s.path, scope+".crt")
 		keyPath := filepath.Join(s.path, scope+".key")
@@ -69,35 +87,37 @@ func (s *Store) Add(scope string, cert tls.Certificate) error {
 			return err
 		}
 	}
-
-	s.certs[scope] = cert
 	return nil
 }

 // Get retrieves a certificate for the given hostname.
 // If no matching scope has been registered, Get returns an error.
 // Get generates new certificates as needed and rotates expired certificates.
+// It calls CreateCertificate to create a new certificate if it is not nil,
+// otherwise it creates certificates with a duration of 100 years.
 //
 // Get is suitable for use in a gemini.Server's GetCertificate field.
 func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 	s.mu.RLock()
-	defer s.mu.RUnlock()
-	cert, ok := s.certs[hostname]
+	_, ok := s.scopes[hostname]
 	if !ok {
 		// Try wildcard
 		wildcard := strings.SplitN(hostname, ".", 2)
 		if len(wildcard) == 2 {
 			hostname = "*." + wildcard[1]
-			cert, ok = s.certs[hostname]
+			_, ok = s.scopes[hostname]
 		}
 	}
 	if !ok {
 		// Try "*"
-		cert, ok = s.certs["*"]
+		_, ok = s.scopes["*"]
 	}
 	if !ok {
+		s.mu.RUnlock()
 		return nil, errors.New("unrecognized scope")
 	}
+	cert := s.certs[hostname]
+	s.mu.RUnlock()

 	// If the certificate is empty or expired, generate a new one.
 	if cert.Leaf == nil || cert.Leaf.NotAfter.Before(time.Now()) {
@@ -114,6 +134,14 @@ func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 	return &cert, nil
 }

+// Lookup returns the certificate for the provided scope.
+func (s *Store) Lookup(scope string) (tls.Certificate, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	cert, ok := s.certs[scope]
+	return cert, ok
+}
+
 func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 	if s.CreateCertificate != nil {
 		return s.CreateCertificate(scope)
@@ -123,7 +151,7 @@ func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 		Subject: pkix.Name{
 			CommonName: scope,
 		},
-		Duration: 365 * 24 * time.Hour,
+		Duration: 100 * 365 * 24 * time.Hour,
 	})
 }

@@ -132,26 +160,31 @@ func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 // The path should lead to a directory containing certificates
 // and private keys named "scope.crt" and "scope.key" respectively,
 // where "scope" is the scope of the certificate.
-// Certificates with scopes that have not been registered will be ignored.
 func (s *Store) Load(path string) error {
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
+		return err
+	}
+
+	path = filepath.Clean(path)
 	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
 	if err != nil {
 		return err
 	}
 	for _, crtPath := range matches {
-		scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
-		if _, ok := s.certs[scope]; !ok {
-			continue
-		}
-
 		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
 		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
 		if err != nil {
 			continue
 		}
+
+		scope := strings.TrimPrefix(crtPath, path)
+		scope = strings.TrimPrefix(scope, "/")
+		scope = strings.TrimSuffix(scope, ".crt")
 		s.Add(scope, cert)
 	}
-	s.SetPath(path)
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.path = path
 	return nil
 }

@@ -170,5 +203,5 @@ func (s *Store) Entries() map[string]tls.Certificate {
 func (s *Store) SetPath(path string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	s.path = path
+	s.path = filepath.Clean(path)
 }
--- a/client.go
+++ b/client.go
@@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"net"
 	"net/url"
-	"time"
 	"unicode/utf8"

 	"golang.org/x/net/idna"
@@ -14,10 +13,10 @@ import (

 // A Client is a Gemini client. Its zero value is a usable client.
 type Client struct {
-	// TrustCertificate is called to determine whether the client
-	// should trust the certificate provided by the server.
-	// If TrustCertificate is nil, the client will accept any certificate.
-	// If the returned error is not nil, the certificate will not be trusted
+	// TrustCertificate is called to determine whether the client should
+	// trust the certificate provided by the server.
+	// If TrustCertificate is nil or returns nil, the client will accept
+	// any certificate. Otherwise, the certificate will not be trusted
 	// and the request will be aborted.
 	//
 	// See the tofu submodule for an implementation of trust on first use.
@@ -29,14 +28,14 @@ type Client struct {
 }

 // Get sends a Gemini request for the given URL.
-// If the provided context is canceled or times out, the request
-// will be aborted and the context's error will be returned.
+// The context controls the entire lifetime of a request and its response:
+// obtaining a connection, sending the request, and reading the response
+// header and body.
 //
 // An error is returned if there was a Gemini protocol error.
 // A non-2x status code doesn't cause an error.
 //
-// If the returned error is nil, the Response will contain a non-nil Body
-// which the user is expected to close.
+// If the returned error is nil, the user is expected to close the Response.
 //
 // For more control over requests, use NewRequest and Client.Do.
 func (c *Client) Get(ctx context.Context, url string) (*Response, error) {
@@ -48,16 +47,14 @@ func (c *Client) Get(ctx context.Context, url string) (*Response, error) {
 }

 // Do sends a Gemini request and returns a Gemini response.
-// If the provided context is canceled or times out, the request
-// will be aborted and the context's error will be returned.
+// The context controls the entire lifetime of a request and its response:
+// obtaining a connection, sending the request, and reading the response
+// header and body.
 //
 // An error is returned if there was a Gemini protocol error.
 // A non-2x status code doesn't cause an error.
 //
-// If the returned error is nil, the Response will contain a non-nil Body
-// which the user is expected to close.
-//
-// Generally Get will be used instead of Do.
+// If the returned error is nil, the user is expected to close the Response.
 func (c *Client) Do(ctx context.Context, req *Request) (*Response, error) {
 	if ctx == nil {
 		panic("nil context")
@@ -79,9 +76,10 @@ func (c *Client) Do(ctx context.Context, req *Request) (*Response, error) {

 		// Use the new URL in the request so that the server gets
 		// the punycoded hostname
-		req = &Request{
-			URL: u,
-		}
+		r := new(Request)
+		*r = *req
+		r.URL = u
+		req = r
 	}

 	// Use request host if provided
@@ -124,7 +122,7 @@ func (c *Client) Do(ctx context.Context, req *Request) (*Response, error) {

 	res := make(chan result, 1)
 	go func() {
-		resp, err := c.do(conn, req)
+		resp, err := c.do(ctx, conn, req)
 		res <- result{resp, err}
 	}()

@@ -133,27 +131,40 @@ func (c *Client) Do(ctx context.Context, req *Request) (*Response, error) {
 		conn.Close()
 		return nil, ctx.Err()
 	case r := <-res:
+		if r.err != nil {
+			conn.Close()
+		}
 		return r.resp, r.err
 	}
 }

-func (c *Client) do(conn net.Conn, req *Request) (*Response, error) {
+func (c *Client) do(ctx context.Context, conn net.Conn, req *Request) (*Response, error) {
+	ctx, cancel := context.WithCancel(ctx)
+	done := ctx.Done()
+	w := &contextWriter{
+		ctx:    ctx,
+		done:   done,
+		cancel: cancel,
+		wc:     conn,
+	}
+	rc := &contextReader{
+		ctx:    ctx,
+		done:   done,
+		cancel: cancel,
+		rc:     conn,
+	}
+
 	// Write the request
-	if err := req.Write(conn); err != nil {
+	if _, err := req.WriteTo(w); err != nil {
 		return nil, err
 	}

 	// Read the response
-	resp, err := ReadResponse(conn)
+	resp, err := ReadResponse(rc)
 	if err != nil {
 		return nil, err
 	}
-
-	// Store TLS connection state
-	if tlsConn, ok := conn.(*tls.Conn); ok {
-		state := tlsConn.ConnectionState()
-		resp.TLS = &state
-	}
+	resp.conn = conn

 	return resp, nil
 }
@@ -166,17 +177,9 @@ func (c *Client) dialContext(ctx context.Context, network, addr string) (net.Con
 }

 func (c *Client) verifyConnection(cs tls.ConnectionState, hostname string) error {
-	cert := cs.PeerCertificates[0]
-	// Verify hostname
-	if err := verifyHostname(cert, hostname); err != nil {
-		return err
-	}
-	// Check expiration date
-	if !time.Now().Before(cert.NotAfter) {
-		return ErrCertificateExpired
-	}
 	// See if the client trusts the certificate
 	if c.TrustCertificate != nil {
+		cert := cs.PeerCertificates[0]
 		return c.TrustCertificate(hostname, cert)
 	}
 	return nil
--- a/doc.go
+++ b/doc.go
@@ -4,7 +4,8 @@ Package gemini provides Gemini client and server implementations.
 Client is a Gemini client.

 	client := &gemini.Client{}
-	resp, err := client.Get("gemini://example.com")
+	ctx := context.Background()
+	resp, err := client.Get(ctx, "gemini://example.com")
 	if err != nil {
 		// handle error
 	}
@@ -21,16 +22,17 @@ Server is a Gemini server.
 Servers should be configured with certificates:

 	certificates := &certificate.Store{}
+	certificates.Register("localhost")
 	err := certificates.Load("/var/lib/gemini/certs")
 	if err != nil {
 		// handle error
 	}
-	server.GetCertificate = certificates.GetCertificate
+	server.GetCertificate = certificates.Get

-ServeMux is a Gemini request multiplexer.
-ServeMux can handle requests for multiple hosts and schemes.
+Mux is a Gemini request multiplexer.
+Mux can handle requests for multiple hosts and schemes.

-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.HandleFunc("example.com", func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
 		fmt.Fprint(w, "Welcome to example.com")
 	})
@@ -44,7 +46,8 @@ ServeMux can handle requests for multiple hosts and schemes.

 To start the server, call ListenAndServe:

-	err := server.ListenAndServe(context.Background())
+	ctx := context.Background()
+	err := server.ListenAndServe(ctx)
 	if err != nil {
 		// handle error
 	}
--- a/examples/auth.go
+++ b/examples/auth.go
@@ -30,7 +30,7 @@ func main() {
 		log.Fatal(err)
 	}

-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.HandleFunc("/", profile)
 	mux.HandleFunc("/username", changeUsername)

@@ -52,11 +52,12 @@ func fingerprint(cert *x509.Certificate) string {
 }

 func profile(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
-	if len(r.TLS.PeerCertificates) == 0 {
+	tls := r.TLS()
+	if len(tls.PeerCertificates) == 0 {
 		w.WriteHeader(gemini.StatusCertificateRequired, "Certificate required")
 		return
 	}
-	fingerprint := fingerprint(r.TLS.PeerCertificates[0])
+	fingerprint := fingerprint(tls.PeerCertificates[0])
 	user, ok := users[fingerprint]
 	if !ok {
 		user = &User{}
@@ -67,7 +68,8 @@ func profile(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
 }

 func changeUsername(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
-	if len(r.TLS.PeerCertificates) == 0 {
+	tls := r.TLS()
+	if len(tls.PeerCertificates) == 0 {
 		w.WriteHeader(gemini.StatusCertificateRequired, "Certificate required")
 		return
 	}
@@ -77,7 +79,7 @@ func changeUsername(ctx context.Context, w gemini.ResponseWriter, r *gemini.Requ
 		w.WriteHeader(gemini.StatusInput, "Username")
 		return
 	}
-	fingerprint := fingerprint(r.TLS.PeerCertificates[0])
+	fingerprint := fingerprint(tls.PeerCertificates[0])
 	user, ok := users[fingerprint]
 	if !ok {
 		user = &User{}
--- a/examples/client.go
+++ b/examples/client.go
@@ -6,7 +6,6 @@ package main

 import (
 	"bufio"
-	"bytes"
 	"context"
 	"crypto/x509"
 	"errors"
@@ -16,7 +15,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"time"

 	"git.sr.ht/~adnano/go-gemini"
 	"git.sr.ht/~adnano/go-gemini/tofu"
@@ -61,15 +59,14 @@ Otherwise, this should be safe to trust.
 => `

 func trustCertificate(hostname string, cert *x509.Certificate) error {
-	host := tofu.NewHost(hostname, cert.Raw, cert.NotAfter)
-
+	host := tofu.NewHost(hostname, cert.Raw)
 	knownHost, ok := hosts.Lookup(hostname)
-	if ok && time.Now().Before(knownHost.Expires) {
+	if ok {
 		// Check fingerprint
-		if bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
-			return nil
+		if knownHost.Fingerprint != host.Fingerprint {
+			return errors.New("error: fingerprint does not match!")
 		}
-		return errors.New("error: fingerprint does not match!")
+		return nil
 	}

 	fmt.Printf(trustPrompt, hostname, host.Fingerprint)
@@ -87,7 +84,7 @@ func trustCertificate(hostname string, cert *x509.Certificate) error {
 	}
 }

-func getInput(prompt string, sensitive bool) (input string, ok bool) {
+func getInput(prompt string) (input string, ok bool) {
 	fmt.Printf("%s ", prompt)
 	scanner.Scan()
 	return scanner.Text(), true
@@ -97,14 +94,15 @@ func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
 	client := gemini.Client{
 		TrustCertificate: trustCertificate,
 	}
-	resp, err := client.Do(context.Background(), req)
+	ctx := context.Background()
+	resp, err := client.Do(ctx, req)
 	if err != nil {
 		return resp, err
 	}

 	switch resp.Status.Class() {
 	case gemini.StatusInput:
-		input, ok := getInput(resp.Meta, resp.Status == gemini.StatusSensitiveInput)
+		input, ok := getInput(resp.Meta)
 		if !ok {
 			break
 		}
@@ -156,11 +154,10 @@ func main() {

 	// Handle response
 	if resp.Status.Class() == gemini.StatusSuccess {
-		body, err := io.ReadAll(resp.Body)
+		_, err := io.Copy(os.Stdout, resp.Body)
 		if err != nil {
 			log.Fatal(err)
 		}
-		fmt.Print(string(body))
 	} else {
 		fmt.Printf("%d %s\n", resp.Status, resp.Meta)
 		os.Exit(1)
--- a/examples/server.go
+++ b/examples/server.go
@@ -22,11 +22,11 @@ func main() {
 		log.Fatal(err)
 	}

-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.Handle("/", gemini.FileServer(os.DirFS("/var/www")))

 	server := &gemini.Server{
-		Handler:        mux,
+		Handler:        gemini.LoggingMiddleware(mux),
 		ReadTimeout:    30 * time.Second,
 		WriteTimeout:   1 * time.Minute,
 		GetCertificate: certificates.Get,
@@ -48,7 +48,8 @@ func main() {
 	case <-c:
 		// Shutdown the server
 		log.Println("Shutting down...")
-		ctx, _ := context.WithTimeout(context.Background(), 30*time.Second)
+		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
 		err := server.Shutdown(ctx)
 		if err != nil {
 			log.Fatal(err)
--- a/examples/stream.go
+++ b/examples/stream.go
@@ -21,7 +21,7 @@ func main() {
 		log.Fatal(err)
 	}

-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.HandleFunc("/", stream)

 	server := &gemini.Server{
@@ -39,33 +39,16 @@ func main() {

 // stream writes an infinite stream to w.
 func stream(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
-	ch := make(chan string)
-	ctx, cancel := context.WithCancel(ctx)
-
-	go func(ctx context.Context) {
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			default:
-				ch <- fmt.Sprint(time.Now().UTC())
-			}
-			time.Sleep(time.Second)
-		}
-		// Close channel when finished.
-		// In this example this will never be reached.
-		close(ch)
-	}(ctx)
-
 	for {
-		s, ok := <-ch
-		if !ok {
-			break
+		select {
+		case <-ctx.Done():
+			return
+		default:
 		}
-		fmt.Fprintln(w, s)
+		fmt.Fprintln(w, time.Now().UTC())
 		if err := w.Flush(); err != nil {
-			cancel()
 			return
 		}
+		time.Sleep(time.Second)
 	}
 }
--- a/fs.go
+++ b/fs.go
@@ -1,3 +1,5 @@
+// +build go1.16
+
 package gemini

 import (
@@ -13,12 +15,6 @@ import (
 	"strings"
 )

-func init() {
-	// Add Gemini mime types
-	mime.AddExtensionType(".gmi", "text/gemini")
-	mime.AddExtensionType(".gemini", "text/gemini")
-}
-
 // FileServer returns a handler that serves Gemini requests with the contents
 // of the provided file system.
 //
@@ -33,88 +29,22 @@ type fileServer struct {
 	fs.FS
 }

-func (fs fileServer) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
-	serveFile(w, r, fs, path.Clean(r.URL.Path), true)
-}
-
-// ServeContent replies to the request using the content in the
-// provided Reader. The main benefit of ServeContent over io.Copy
-// is that it sets the MIME type of the response.
-//
-// ServeContent tries to deduce the type from name's file extension.
-// The name is otherwise unused; it is never sent in the response.
-func ServeContent(w ResponseWriter, r *Request, name string, content io.Reader) {
-	serveContent(w, name, content)
-}
-
-func serveContent(w ResponseWriter, name string, content io.Reader) {
-	// Detect mimetype from file extension
-	ext := path.Ext(name)
-	mimetype := mime.TypeByExtension(ext)
-	w.SetMediaType(mimetype)
-	io.Copy(w, content)
-}
-
-// ServeFile responds to the request with the contents of the named file
-// or directory.
-//
-// If the provided file or directory name is a relative path, it is interpreted
-// relative to the current directory and may ascend to parent directories. If
-// the provided name is constructed from user input, it should be sanitized
-// before calling ServeFile.
-//
-// As a precaution, ServeFile will reject requests where r.URL.Path contains a
-// ".." path element; this protects against callers who might unsafely use
-// filepath.Join on r.URL.Path without sanitizing it and then use that
-// filepath.Join result as the name argument.
-//
-// As another special case, ServeFile redirects any request where r.URL.Path
-// ends in "/index.gmi" to the same path, without the final "index.gmi". To
-// avoid such redirects either modify the path or use ServeContent.
-//
-// Outside of those two special cases, ServeFile does not use r.URL.Path for
-// selecting the file or directory to serve; only the file or directory
-// provided in the name argument is used.
-func ServeFile(w ResponseWriter, r *Request, fsys fs.FS, name string) {
-	if containsDotDot(r.URL.Path) {
-		// Too many programs use r.URL.Path to construct the argument to
-		// serveFile. Reject the request under the assumption that happened
-		// here and ".." may not be wanted.
-		// Note that name might not contain "..", for example if code (still
-		// incorrectly) used filepath.Join(myDir, r.URL.Path).
-		w.WriteHeader(StatusBadRequest, "invalid URL path")
-		return
-	}
-	serveFile(w, r, fsys, name, false)
-}
-
-func containsDotDot(v string) bool {
-	if !strings.Contains(v, "..") {
-		return false
-	}
-	for _, ent := range strings.FieldsFunc(v, isSlashRune) {
-		if ent == ".." {
-			return true
-		}
-	}
-	return false
-}
-
-func isSlashRune(r rune) bool { return r == '/' || r == '\\' }
-
-func serveFile(w ResponseWriter, r *Request, fsys fs.FS, name string, redirect bool) {
+func (fsys fileServer) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
 	const indexPage = "/index.gmi"

+	url := path.Clean(r.URL.Path)
+
 	// Redirect .../index.gmi to .../
-	if strings.HasSuffix(r.URL.Path, indexPage) {
-		w.WriteHeader(StatusPermanentRedirect, "./")
+	if strings.HasSuffix(url, indexPage) {
+		w.WriteHeader(StatusPermanentRedirect, strings.TrimSuffix(url, "index.gmi"))
 		return
 	}

+	name := url
 	if name == "/" {
 		name = "."
 	} else {
-		name = strings.Trim(name, "/")
+		name = strings.TrimPrefix(name, "/")
 	}

 	f, err := fsys.Open(name)
@@ -131,50 +61,89 @@ func serveFile(w ResponseWriter, r *Request, fsys fs.FS, name string, redirect b
 	}

 	// Redirect to canonical path
-	if redirect {
-		url := r.URL.Path
+	if len(r.URL.Path) != 0 {
 		if stat.IsDir() {
-			// Add trailing slash
-			if url[len(url)-1] != '/' {
-				w.WriteHeader(StatusPermanentRedirect, path.Base(url)+"/")
+			target := url
+			if target != "/" {
+				target += "/"
+			}
+			if len(r.URL.Path) != len(target) || r.URL.Path != target {
+				w.WriteHeader(StatusPermanentRedirect, target)
 				return
 			}
-		} else {
+		} else if r.URL.Path[len(r.URL.Path)-1] == '/' {
 			// Remove trailing slash
-			if url[len(url)-1] == '/' {
-				w.WriteHeader(StatusPermanentRedirect, "../"+path.Base(url))
-				return
-			}
-		}
-	}
-
-	if stat.IsDir() {
-		// Redirect if the directory name doesn't end in a slash
-		url := r.URL.Path
-		if url[len(url)-1] != '/' {
-			w.WriteHeader(StatusRedirect, path.Base(url)+"/")
+			w.WriteHeader(StatusPermanentRedirect, url)
 			return
 		}
-
-		// Use contents of index.gmi if present
-		index, err := fsys.Open(path.Join(name, indexPage))
-		if err == nil {
-			defer index.Close()
-			istat, err := index.Stat()
-			if err == nil {
-				f = index
-				stat = istat
-			}
-		}
 	}

 	if stat.IsDir() {
-		// Failed to find index file
-		dirList(w, f)
+		// Use contents of index.gmi if present
+		name = path.Join(name, indexPage)
+		index, err := fsys.Open(name)
+		if err == nil {
+			defer index.Close()
+			f = index
+		} else {
+			// Failed to find index file
+			dirList(w, f)
+			return
+		}
+	}
+
+	// Detect mimetype from file extension
+	ext := path.Ext(name)
+	mimetype := mime.TypeByExtension(ext)
+	w.SetMediaType(mimetype)
+	io.Copy(w, f)
+}
+
+// ServeFile responds to the request with the contents of the named file
+// or directory. If the provided name is constructed from user input, it
+// should be sanitized before calling ServeFile.
+func ServeFile(w ResponseWriter, fsys fs.FS, name string) {
+	const indexPage = "/index.gmi"
+
+	// Ensure name is relative
+	if name == "/" {
+		name = "."
+	} else {
+		name = strings.TrimLeft(name, "/")
+	}
+
+	f, err := fsys.Open(name)
+	if err != nil {
+		w.WriteHeader(toGeminiError(err))
+		return
+	}
+	defer f.Close()
+
+	stat, err := f.Stat()
+	if err != nil {
+		w.WriteHeader(toGeminiError(err))
 		return
 	}

-	serveContent(w, name, f)
+	if stat.IsDir() {
+		// Use contents of index file if present
+		name = path.Join(name, indexPage)
+		index, err := fsys.Open(name)
+		if err == nil {
+			defer index.Close()
+			f = index
+		} else {
+			// Failed to find index file
+			dirList(w, f)
+			return
+		}
+	}
+
+	// Detect mimetype from file extension
+	ext := path.Ext(name)
+	mimetype := mime.TypeByExtension(ext)
+	w.SetMediaType(mimetype)
+	io.Copy(w, f)
 }

 func dirList(w ResponseWriter, f fs.File) {
--- a/gemini.go
+++ b/gemini.go
@@ -2,22 +2,33 @@ package gemini

 import (
 	"errors"
+	"mime"
 )

-var crlf = []byte("\r\n")
+func init() {
+	// Add Gemini mime types
+	mime.AddExtensionType(".gmi", "text/gemini")
+	mime.AddExtensionType(".gemini", "text/gemini")
+}

 // Errors.
 var (
 	ErrInvalidRequest  = errors.New("gemini: invalid request")
 	ErrInvalidResponse = errors.New("gemini: invalid response")

-	ErrCertificateExpired = errors.New("gemini: certificate expired")
-
 	// ErrBodyNotAllowed is returned by ResponseWriter.Write calls
 	// when the response status code does not permit a body.
 	ErrBodyNotAllowed = errors.New("gemini: response status code does not allow body")
-
-	// ErrHandlerTimeout is returned on ResponseWriter Write calls
-	// in handlers which have timed out.
-	ErrHandlerTimeout = errors.New("gemini: Handler timeout")
 )
+
+var crlf = []byte("\r\n")
+
+func trimCRLF(b []byte) ([]byte, bool) {
+	// Check for CR
+	if len(b) < 2 || b[len(b)-2] != '\r' {
+		return nil, false
+	}
+	// Trim CRLF
+	b = b[:len(b)-2]
+	return b, true
+}
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,5 @@
 module git.sr.ht/~adnano/go-gemini

-go 1.16
+go 1.15

 require golang.org/x/net v0.0.0-20210119194325-5f4716e94777
--- a/handler.go
+++ b/handler.go
@@ -1,9 +1,12 @@
 package gemini

 import (
+	"bytes"
 	"context"
+	"io"
 	"net/url"
 	"strings"
+	"time"
 )

 // A Handler responds to a Gemini request.
@@ -13,6 +16,9 @@ import (
 // valid to use the ResponseWriter after or concurrently with the completion
 // of the ServeGemini call.
 //
+// The provided context is canceled when the client's connection is closed
+// or the ServeGemini method returns.
+//
 // Handlers should not modify the provided Request.
 type Handler interface {
 	ServeGemini(context.Context, ResponseWriter, *Request)
@@ -31,16 +37,9 @@ func (f HandlerFunc) ServeGemini(ctx context.Context, w ResponseWriter, r *Reque
 // StatusHandler returns a request handler that responds to each request
 // with the provided status code and meta.
 func StatusHandler(status Status, meta string) Handler {
-	return &statusHandler{status, meta}
-}
-
-type statusHandler struct {
-	status Status
-	meta   string
-}
-
-func (h *statusHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
-	w.WriteHeader(h.status, h.meta)
+	return HandlerFunc(func(ctx context.Context, w ResponseWriter, r *Request) {
+		w.WriteHeader(status, meta)
+	})
 }

 // NotFoundHandler returns a simple request handler that replies to each
@@ -75,3 +74,85 @@ func StripPrefix(prefix string, h Handler) Handler {
 		}
 	})
 }
+
+// TimeoutHandler returns a Handler that runs h with the given time limit.
+//
+// The new Handler calls h.ServeGemini to handle each request, but
+// if a call runs for longer than its time limit, the handler responds with a
+// 40 Temporary Failure status code and the given message in its response meta.
+// After such a timeout, writes by h to its ResponseWriter will return
+// context.DeadlineExceeded.
+func TimeoutHandler(h Handler, dt time.Duration, message string) Handler {
+	return &timeoutHandler{
+		h:   h,
+		dt:  dt,
+		msg: message,
+	}
+}
+
+type timeoutHandler struct {
+	h   Handler
+	dt  time.Duration
+	msg string
+}
+
+func (t *timeoutHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
+	ctx, cancel := context.WithTimeout(ctx, t.dt)
+	defer cancel()
+
+	buf := &bytes.Buffer{}
+	tw := &timeoutWriter{
+		wr: &contextWriter{
+			ctx:    ctx,
+			cancel: cancel,
+			done:   ctx.Done(),
+			wc:     nopCloser{buf},
+		},
+	}
+
+	done := make(chan struct{})
+	go func() {
+		t.h.ServeGemini(ctx, tw, r)
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		w.WriteHeader(tw.status, tw.meta)
+		w.Write(buf.Bytes())
+	case <-ctx.Done():
+		w.WriteHeader(StatusTemporaryFailure, t.msg)
+	}
+}
+
+type timeoutWriter struct {
+	wr          io.Writer
+	status      Status
+	meta        string
+	mediatype   string
+	wroteHeader bool
+}
+
+func (w *timeoutWriter) SetMediaType(mediatype string) {
+	w.mediatype = mediatype
+}
+
+func (w *timeoutWriter) Write(b []byte) (int, error) {
+	if !w.wroteHeader {
+		w.WriteHeader(StatusSuccess, w.mediatype)
+	}
+	return w.wr.Write(b)
+}
+
+func (w *timeoutWriter) WriteHeader(status Status, meta string) {
+	if w.wroteHeader {
+		return
+	}
+	w.status = status
+	w.meta = meta
+	w.wroteHeader = true
+}
+
+func (w *timeoutWriter) Flush() error {
+	return nil
+}
--- a/io.go
+++ b/io.go
@@ -0,0 +1,76 @@
+package gemini
+
+import (
+	"context"
+	"io"
+)
+
+type contextReader struct {
+	ctx    context.Context
+	done   <-chan struct{}
+	cancel func()
+	rc     io.ReadCloser
+}
+
+func (r *contextReader) Read(p []byte) (int, error) {
+	select {
+	case <-r.done:
+		r.rc.Close()
+		return 0, r.ctx.Err()
+	default:
+	}
+	n, err := r.rc.Read(p)
+	if err != nil {
+		r.cancel()
+	}
+	return n, err
+}
+
+func (r *contextReader) Close() error {
+	r.cancel()
+	return r.rc.Close()
+}
+
+type contextWriter struct {
+	ctx    context.Context
+	done   <-chan struct{}
+	cancel func()
+	wc     io.WriteCloser
+}
+
+func (w *contextWriter) Write(b []byte) (int, error) {
+	select {
+	case <-w.done:
+		w.wc.Close()
+		return 0, w.ctx.Err()
+	default:
+	}
+	n, err := w.wc.Write(b)
+	if err != nil {
+		w.cancel()
+	}
+	return n, err
+}
+
+func (w *contextWriter) Close() error {
+	w.cancel()
+	return w.wc.Close()
+}
+
+type nopCloser struct {
+	io.Writer
+}
+
+func (nopCloser) Close() error {
+	return nil
+}
+
+type nopReadCloser struct{}
+
+func (nopReadCloser) Read(p []byte) (int, error) {
+	return 0, io.EOF
+}
+
+func (nopReadCloser) Close() error {
+	return nil
+}
--- a/middleware.go
+++ b/middleware.go
@@ -0,0 +1,58 @@
+package gemini
+
+import (
+	"context"
+	"log"
+)
+
+// LoggingMiddleware returns a handler that wraps h and logs Gemini requests
+// and their responses to the log package's standard logger.
+// Requests are logged with the format "gemini: {host} {URL} {status code} {bytes written}".
+func LoggingMiddleware(h Handler) Handler {
+	return HandlerFunc(func(ctx context.Context, w ResponseWriter, r *Request) {
+		lw := &logResponseWriter{rw: w}
+		h.ServeGemini(ctx, lw, r)
+		host := r.ServerName()
+		log.Printf("gemini: %s %q %d %d", host, r.URL, lw.Status, lw.Wrote)
+	})
+}
+
+type logResponseWriter struct {
+	Status      Status
+	Wrote       int
+	rw          ResponseWriter
+	mediatype   string
+	wroteHeader bool
+}
+
+func (w *logResponseWriter) SetMediaType(mediatype string) {
+	w.mediatype = mediatype
+}
+
+func (w *logResponseWriter) Write(b []byte) (int, error) {
+	if !w.wroteHeader {
+		meta := w.mediatype
+		if meta == "" {
+			// Use default media type
+			meta = defaultMediaType
+		}
+		w.WriteHeader(StatusSuccess, meta)
+	}
+	n, err := w.rw.Write(b)
+	w.Wrote += n
+	return n, err
+}
+
+func (w *logResponseWriter) WriteHeader(status Status, meta string) {
+	if w.wroteHeader {
+		return
+	}
+	w.wroteHeader = true
+	w.Status = status
+	w.Wrote += len(meta) + 5
+	w.rw.WriteHeader(status, meta)
+}
+
+func (w *logResponseWriter) Flush() error {
+	return nil
+}
--- a/mux.go
+++ b/mux.go
@@ -1,3 +1,7 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE-GO file.
+
 package gemini

 import (
@@ -10,7 +14,7 @@ import (
 	"sync"
 )

-// ServeMux is a Gemini request multiplexer.
+// Mux is a Gemini request multiplexer.
 // It matches the URL of each incoming request against a list of registered
 // patterns and calls the handler for the pattern that
 // most closely matches the URL.
@@ -28,58 +32,42 @@ import (
 // the pattern "/" matches all paths not matched by other registered
 // patterns, not just the URL with Path == "/".
 //
-// Patterns may also contain schemes and hostnames.
-// Wildcard patterns can be used to match multiple hostnames (e.g. "*.example.com").
+// Patterns may optionally begin with a host name, restricting matches to
+// URLs on that host only. Host-specific patterns take precedence over
+// general patterns, so that a handler might register for the two patterns
+// "/search" and "search.example.com/" without also taking over requests
+// for "gemini://example.com/".
 //
-// The following are examples of valid patterns, along with the scheme,
-// hostname, and path that they match.
-//
-//     Pattern                      │ Scheme │ Hostname │ Path
-//     ─────────────────────────────┼────────┼──────────┼─────────────
-//     /file                        │ gemini │ *        │ /file
-//     /directory/                  │ gemini │ *        │ /directory/*
-//     hostname/file                │ gemini │ hostname │ /file
-//     hostname/directory/          │ gemini │ hostname │ /directory/*
-//     scheme://hostname/file       │ scheme │ hostname │ /file
-//     scheme://hostname/directory/ │ scheme │ hostname │ /directory/*
-//     //hostname/file              │ *      │ hostname │ /file
-//     //hostname/directory/        │ *      │ hostname │ /directory/*
-//     scheme:///file               │ scheme │ *        │ /file
-//     scheme:///directory/         │ scheme │ *        │ /directory/*
-//     ///file                      │ *      │ *        │ /file
-//     ///directory/                │ *      │ *        │ /directory/*
-//
-// A pattern without a hostname will match any hostname.
-// If a pattern begins with "//", it will match any scheme.
-// Otherwise, a pattern with no scheme is treated as though it has a
-// scheme of "gemini".
+// Wildcard patterns can be used to match multiple hostnames. For example,
+// the pattern "*.example.com" will match requests for "blog.example.com"
+// and "gemini.example.com", but not "example.org".
 //
 // If a subtree has been registered and a request is received naming the
-// subtree root without its trailing slash, ServeMux redirects that
+// subtree root without its trailing slash, Mux redirects that
 // request to the subtree root (adding the trailing slash). This behavior can
 // be overridden with a separate registration for the path without
-// the trailing slash. For example, registering "/images/" causes ServeMux
+// the trailing slash. For example, registering "/images/" causes Mux
 // to redirect a request for "/images" to "/images/", unless "/images" has
 // been registered separately.
 //
-// ServeMux also takes care of sanitizing the URL request path and
+// Mux also takes care of sanitizing the URL request path and
 // redirecting any request containing . or .. elements or repeated slashes
 // to an equivalent, cleaner URL.
-type ServeMux struct {
+type Mux struct {
 	mu sync.RWMutex
-	m  map[muxKey]Handler
+	m  map[hostpath]Handler
 	es []muxEntry // slice of entries sorted from longest to shortest
 }

-type muxKey struct {
-	scheme string
-	host   string
-	path   string
+type hostpath struct {
+	host string
+	path string
 }

 type muxEntry struct {
 	handler Handler
-	key     muxKey
+	host    string
+	path    string
 }

 // cleanPath returns the canonical path for p, eliminating . and .. elements.
@@ -106,24 +94,17 @@ func cleanPath(p string) string {

 // Find a handler on a handler map given a path string.
 // Most-specific (longest) pattern wins.
-func (mux *ServeMux) match(key muxKey) Handler {
+func (mux *Mux) match(host, path string) Handler {
 	// Check for exact match first.
-	if r, ok := mux.m[key]; ok {
-		return r
-	} else if r, ok := mux.m[muxKey{"", key.host, key.path}]; ok {
-		return r
-	} else if r, ok := mux.m[muxKey{key.scheme, "", key.path}]; ok {
-		return r
-	} else if r, ok := mux.m[muxKey{"", "", key.path}]; ok {
-		return r
+	if h, ok := mux.m[hostpath{host, path}]; ok {
+		return h
 	}

 	// Check for longest valid match.  mux.es contains all patterns
 	// that end in / sorted from longest to shortest.
 	for _, e := range mux.es {
-		if (e.key.scheme == "" || key.scheme == e.key.scheme) &&
-			(e.key.host == "" || key.host == e.key.host) &&
-			strings.HasPrefix(key.path, e.key.path) {
+		if len(e.host) == len(host) && e.host == host &&
+			strings.HasPrefix(path, e.path) {
 			return e.handler
 		}
 	}
@@ -134,31 +115,32 @@ func (mux *ServeMux) match(key muxKey) Handler {
 // This occurs when a handler for path + "/" was already registered, but
 // not for path itself. If the path needs appending to, it creates a new
 // URL, setting the path to u.Path + "/" and returning true to indicate so.
-func (mux *ServeMux) redirectToPathSlash(key muxKey, u *url.URL) (*url.URL, bool) {
+func (mux *Mux) redirectToPathSlash(host, path string, u *url.URL) (*url.URL, bool) {
 	mux.mu.RLock()
-	shouldRedirect := mux.shouldRedirectRLocked(key)
+	shouldRedirect := mux.shouldRedirectRLocked(host, path)
 	mux.mu.RUnlock()
 	if !shouldRedirect {
 		return u, false
 	}
-	return u.ResolveReference(&url.URL{Path: key.path + "/"}), true
+	return u.ResolveReference(&url.URL{Path: path + "/"}), true
 }

 // shouldRedirectRLocked reports whether the given path and host should be redirected to
 // path+"/". This should happen if a handler is registered for path+"/" but
-// not path -- see comments at ServeMux.
-func (mux *ServeMux) shouldRedirectRLocked(key muxKey) bool {
-	if _, exist := mux.m[key]; exist {
+// not path -- see comments at Mux.
+func (mux *Mux) shouldRedirectRLocked(host, path string) bool {
+	if _, exist := mux.m[hostpath{host, path}]; exist {
 		return false
 	}

-	n := len(key.path)
+	n := len(path)
 	if n == 0 {
 		return false
 	}
-	if _, exist := mux.m[muxKey{key.scheme, key.host, key.path + "/"}]; exist {
-		return key.path[n-1] != '/'
+	if _, exist := mux.m[hostpath{host, path + "/"}]; exist {
+		return path[n-1] != '/'
 	}
+
 	return false
 }

@@ -177,14 +159,18 @@ func getWildcard(hostname string) (string, bool) {
 // the path is not in its canonical form, the handler will be an
 // internally-generated handler that redirects to the canonical path. If the
 // host contains a port, it is ignored when matching handlers.
-func (mux *ServeMux) Handler(r *Request) Handler {
-	scheme := r.URL.Scheme
+func (mux *Mux) Handler(r *Request) Handler {
+	// Disallow non-Gemini schemes
+	if r.URL.Scheme != "gemini" {
+		return NotFoundHandler()
+	}
+
 	host := r.URL.Hostname()
 	path := cleanPath(r.URL.Path)

 	// If the given path is /tree and its handler is not registered,
 	// redirect for /tree/.
-	if u, ok := mux.redirectToPathSlash(muxKey{scheme, host, path}, r.URL); ok {
+	if u, ok := mux.redirectToPathSlash(host, path, r.URL); ok {
 		return StatusHandler(StatusPermanentRedirect, u.String())
 	}

@@ -197,29 +183,43 @@ func (mux *ServeMux) Handler(r *Request) Handler {
 	mux.mu.RLock()
 	defer mux.mu.RUnlock()

-	h := mux.match(muxKey{scheme, host, path})
+	h := mux.match(host, path)
+
 	if h == nil {
 		// Try wildcard
 		if wildcard, ok := getWildcard(host); ok {
-			h = mux.match(muxKey{scheme, wildcard, path})
+			if u, ok := mux.redirectToPathSlash(wildcard, path, r.URL); ok {
+				return StatusHandler(StatusPermanentRedirect, u.String())
+			}
+			h = mux.match(wildcard, path)
 		}
 	}
+
+	if h == nil {
+		// Try empty host
+		if u, ok := mux.redirectToPathSlash("", path, r.URL); ok {
+			return StatusHandler(StatusPermanentRedirect, u.String())
+		}
+		h = mux.match("", path)
+	}
+
 	if h == nil {
 		h = NotFoundHandler()
 	}
+
 	return h
 }

 // ServeGemini dispatches the request to the handler whose
 // pattern most closely matches the request URL.
-func (mux *ServeMux) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
+func (mux *Mux) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
 	h := mux.Handler(r)
 	h.ServeGemini(ctx, w, r)
 }

 // Handle registers the handler for the given pattern.
 // If a handler already exists for pattern, Handle panics.
-func (mux *ServeMux) Handle(pattern string, handler Handler) {
+func (mux *Mux) Handle(pattern string, handler Handler) {
 	if pattern == "" {
 		panic("gemini: invalid pattern")
 	}
@@ -230,48 +230,32 @@ func (mux *ServeMux) Handle(pattern string, handler Handler) {
 	mux.mu.Lock()
 	defer mux.mu.Unlock()

-	var key muxKey
-	if strings.HasPrefix(pattern, "//") {
-		// match any scheme
-		key.scheme = ""
-		pattern = pattern[2:]
-	} else {
-		// extract scheme
-		cut := strings.Index(pattern, "://")
-		if cut == -1 {
-			// default scheme of gemini
-			key.scheme = "gemini"
-		} else {
-			key.scheme = pattern[:cut]
-			pattern = pattern[cut+3:]
-		}
-	}
-
+	var host, path string
 	// extract hostname and path
 	cut := strings.Index(pattern, "/")
 	if cut == -1 {
-		key.host = pattern
-		key.path = "/"
+		host = pattern
+		path = "/"
 	} else {
-		key.host = pattern[:cut]
-		key.path = pattern[cut:]
+		host = pattern[:cut]
+		path = pattern[cut:]
 	}

 	// strip port from hostname
-	if hostname, _, err := net.SplitHostPort(key.host); err == nil {
-		key.host = hostname
+	if hostname, _, err := net.SplitHostPort(host); err == nil {
+		host = hostname
 	}

-	if _, exist := mux.m[key]; exist {
+	if _, exist := mux.m[hostpath{host, path}]; exist {
 		panic("gemini: multiple registrations for " + pattern)
 	}

 	if mux.m == nil {
-		mux.m = make(map[muxKey]Handler)
+		mux.m = make(map[hostpath]Handler)
 	}
-	mux.m[key] = handler
-	e := muxEntry{handler, key}
-	if key.path[len(key.path)-1] == '/' {
+	mux.m[hostpath{host, path}] = handler
+	e := muxEntry{handler, host, path}
+	if path[len(path)-1] == '/' {
 		mux.es = appendSorted(mux.es, e)
 	}
 }
@@ -279,9 +263,7 @@ func (mux *ServeMux) Handle(pattern string, handler Handler) {
 func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
 	n := len(es)
 	i := sort.Search(n, func(i int) bool {
-		return len(es[i].key.scheme) < len(e.key.scheme) ||
-			len(es[i].key.host) < len(es[i].key.host) ||
-			len(es[i].key.path) < len(e.key.path)
+		return len(es[i].path) < len(e.path)
 	})
 	if i == n {
 		return append(es, e)
@@ -294,6 +276,6 @@ func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
 }

 // HandleFunc registers the handler function for the given pattern.
-func (mux *ServeMux) HandleFunc(pattern string, handler HandlerFunc) {
+func (mux *Mux) HandleFunc(pattern string, handler HandlerFunc) {
 	mux.Handle(pattern, handler)
 }
--- a/mux_test.go
+++ b/mux_test.go
@@ -2,6 +2,7 @@ package gemini

 import (
 	"context"
+	"io"
 	"net/url"
 	"testing"
 )
@@ -10,7 +11,222 @@ type nopHandler struct{}

 func (*nopHandler) ServeGemini(context.Context, ResponseWriter, *Request) {}

-func TestServeMuxMatch(t *testing.T) {
+type nopResponseWriter struct {
+	Status Status
+	Meta   string
+}
+
+func (w *nopResponseWriter) WriteHeader(status Status, meta string) {
+	w.Status = status
+	w.Meta = meta
+}
+
+func (nopResponseWriter) SetMediaType(mediatype string) {}
+func (nopResponseWriter) Write(b []byte) (int, error)   { return 0, io.EOF }
+func (nopResponseWriter) Flush() error                  { return nil }
+
+func TestMux(t *testing.T) {
+	type Test struct {
+		URL      string
+		Pattern  string
+		Redirect string
+		NotFound bool
+	}
+
+	tests := []struct {
+		Patterns []string
+		Tests    []Test
+	}{
+		{
+			Patterns: []string{"/a", "/b/", "/b/c/d", "/b/c/d/"},
+			Tests: []Test{
+				{
+					URL:      "gemini://example.com",
+					Redirect: "gemini://example.com/",
+				},
+				{
+					URL:      "gemini://example.com/",
+					NotFound: true,
+				},
+				{
+					URL:      "gemini://example.com/c",
+					NotFound: true,
+				},
+				{
+					URL:     "gemini://example.com/a",
+					Pattern: "/a",
+				},
+				{
+					URL:      "gemini://example.com/a/",
+					NotFound: true,
+				},
+				{
+					URL:      "gemini://example.com/b",
+					Redirect: "gemini://example.com/b/",
+				},
+				{
+					URL:     "gemini://example.com/b/",
+					Pattern: "/b/",
+				},
+				{
+					URL:     "gemini://example.com/b/c",
+					Pattern: "/b/",
+				},
+				{
+					URL:     "gemini://example.com/b/c/d",
+					Pattern: "/b/c/d",
+				},
+				{
+					URL:     "gemini://example.com/b/c/d/e/",
+					Pattern: "/b/c/d/",
+				},
+			},
+		},
+		{
+			Patterns: []string{
+				"/", "/a", "/b/",
+				"example.com", "example.com/a", "example.com/b/",
+				"*.example.com", "*.example.com/a", "*.example.com/b/",
+			},
+			Tests: []Test{
+				{
+					URL:     "gemini://example.net/",
+					Pattern: "/",
+				},
+				{
+					URL:     "gemini://example.net/a",
+					Pattern: "/a",
+				},
+				{
+					URL:      "gemini://example.net/b",
+					Redirect: "gemini://example.net/b/",
+				},
+				{
+					URL:     "gemini://example.net/b/",
+					Pattern: "/b/",
+				},
+				{
+					URL:     "gemini://example.com/",
+					Pattern: "example.com",
+				},
+				{
+					URL:      "gemini://example.com/b",
+					Redirect: "gemini://example.com/b/",
+				},
+				{
+					URL:     "gemini://example.com/b/",
+					Pattern: "example.com/b/",
+				},
+				{
+					URL:     "gemini://a.example.com/",
+					Pattern: "*.example.com",
+				},
+				{
+					URL:     "gemini://b.example.com/a",
+					Pattern: "*.example.com/a",
+				},
+				{
+					URL:      "gemini://c.example.com/b",
+					Redirect: "gemini://c.example.com/b/",
+				},
+				{
+					URL:     "gemini://d.example.com/b/",
+					Pattern: "*.example.com/b/",
+				},
+			},
+		},
+		{
+			Patterns: []string{"example.net", "*.example.org"},
+			Tests: []Test{
+				{
+					// The following redirect occurs as a result of cleaning
+					// the path provided to the Mux. This happens even if there
+					// are no matching handlers.
+					URL:      "gemini://example.com",
+					Redirect: "gemini://example.com/",
+				},
+				{
+					URL:      "gemini://example.com/",
+					NotFound: true,
+				},
+				{
+					URL:      "gemini://example.net",
+					Redirect: "gemini://example.net/",
+				},
+				{
+					URL:      "gemini://example.org/",
+					NotFound: true,
+				},
+				{
+					URL:      "gemini://gemini.example.org",
+					Redirect: "gemini://gemini.example.org/",
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		type handler struct {
+			nopHandler
+			Pattern string
+		}
+
+		mux := &Mux{}
+		for _, pattern := range test.Patterns {
+			mux.Handle(pattern, &handler{
+				Pattern: pattern,
+			})
+		}
+
+		for _, test := range test.Tests {
+			u, err := url.Parse(test.URL)
+			if err != nil {
+				panic(err)
+			}
+
+			req := &Request{URL: u}
+
+			h := mux.Handler(req)
+
+			if h, ok := h.(*handler); ok {
+				if h.Pattern != test.Pattern {
+					t.Errorf("wrong pattern for %q: expected %q, got %q", test.URL, test.Pattern, h.Pattern)
+				}
+				continue
+			}
+
+			// Check redirects and NotFounds
+			w := &nopResponseWriter{}
+			h.ServeGemini(context.Background(), w, req)
+
+			switch w.Status {
+			case StatusNotFound:
+				if !test.NotFound {
+					t.Errorf("expected pattern for %q, got NotFound", test.URL)
+				}
+
+			case StatusPermanentRedirect:
+				if test.Redirect == "" {
+					t.Errorf("expected pattern for %q, got redirect to %q", test.URL, w.Meta)
+					break
+				}
+
+				res, err := url.Parse(test.Redirect)
+				if err != nil {
+					panic(err)
+				}
+				if w.Meta != res.String() {
+					t.Errorf("bad redirect for %q: expected %q, got %q", test.URL, res.String(), w.Meta)
+				}
+
+			default:
+				t.Errorf("unexpected response for %q: %d %s", test.URL, w.Status, w.Meta)
+			}
+		}
+	}
+}
+
+func TestMuxMatch(t *testing.T) {
 	type Match struct {
 		URL string
 		Ok  bool
@@ -21,7 +237,7 @@ func TestServeMuxMatch(t *testing.T) {
 		Matches []Match
 	}{
 		{
-			// scheme: gemini, hostname: *, path: /*
+			// hostname: *, path: /*
 			Pattern: "/",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
@@ -34,7 +250,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: *, path: /path
+			// hostname: *, path: /path
 			Pattern: "/path",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
@@ -47,7 +263,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: *, path: /subtree/*
+			// hostname: *, path: /subtree/*
 			Pattern: "/subtree/",
 			Matches: []Match{
 				{"gemini://example.com/subtree/", true},
@@ -62,7 +278,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: example.com, path: /*
+			// hostname: example.com, path: /*
 			Pattern: "example.com",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
@@ -75,7 +291,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: example.com, path: /path
+			// hostname: example.com, path: /path
 			Pattern: "example.com/path",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
@@ -88,7 +304,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: example.com, path: /subtree/*
+			// hostname: example.com, path: /subtree/*
 			Pattern: "example.com/subtree/",
 			Matches: []Match{
 				{"gemini://example.com/subtree/", true},
@@ -102,170 +318,6 @@ func TestServeMuxMatch(t *testing.T) {
 				{"http://example.com/subtree/", false},
 			},
 		},
-		{
-			// scheme: http, hostname: example.com, path: /*
-			Pattern: "http://example.com",
-			Matches: []Match{
-				{"http://example.com/path", true},
-				{"http://example.com/", true},
-				{"http://example.com/path.gmi", true},
-				{"http://example.com/path/", true},
-				{"http://example.org/path", false},
-				{"gemini://example.com/path", false},
-				{"gemini://example.org/path", false},
-			},
-		},
-		{
-			// scheme: http, hostname: example.com, path: /path
-			Pattern: "http://example.com/path",
-			Matches: []Match{
-				{"http://example.com/path", true},
-				{"http://example.com/", false},
-				{"http://example.com/path.gmi", false},
-				{"http://example.com/path/", false},
-				{"http://example.org/path", false},
-				{"gemini://example.com/path", false},
-				{"gemini://example.org/path", false},
-			},
-		},
-		{
-			// scheme: http, hostname: example.com, path: /subtree/*
-			Pattern: "http://example.com/subtree/",
-			Matches: []Match{
-				{"http://example.com/subtree/", true},
-				{"http://example.com/subtree/nested/", true},
-				{"http://example.com/subtree/nested/file", true},
-				{"http://example.org/subtree/", false},
-				{"http://example.org/subtree/nested/", false},
-				{"http://example.org/subtree/nested/file", false},
-				{"http://example.com/subtree", false},
-				{"http://www.example.com/subtree/", false},
-				{"gemini://example.com/subtree/", false},
-			},
-		},
-		{
-			// scheme: *, hostname: example.com, path: /*
-			Pattern: "//example.com",
-			Matches: []Match{
-				{"gemini://example.com/path", true},
-				{"gemini://example.com/", true},
-				{"gemini://example.com/path.gmi", true},
-				{"gemini://example.com/path/", true},
-				{"gemini://example.org/path", false},
-				{"http://example.com/path", true},
-				{"http://example.org/path", false},
-			},
-		},
-		{
-			// scheme: *, hostname: example.com, path: /path
-			Pattern: "//example.com/path",
-			Matches: []Match{
-				{"gemini://example.com/path", true},
-				{"gemini://example.com/", false},
-				{"gemini://example.com/path.gmi", false},
-				{"gemini://example.com/path/", false},
-				{"gemini://example.org/path", false},
-				{"http://example.com/path", true},
-				{"http://example.org/path", false},
-			},
-		},
-		{
-			// scheme: *, hostname: example.com, path: /subtree/*
-			Pattern: "//example.com/subtree/",
-			Matches: []Match{
-				{"gemini://example.com/subtree/", true},
-				{"gemini://example.com/subtree/nested/", true},
-				{"gemini://example.com/subtree/nested/file", true},
-				{"gemini://example.org/subtree/", false},
-				{"gemini://example.org/subtree/nested/", false},
-				{"gemini://example.org/subtree/nested/file", false},
-				{"gemini://example.com/subtree", false},
-				{"gemini://www.example.com/subtree/", false},
-				{"http://example.com/subtree/", true},
-			},
-		},
-		{
-			// scheme: http, hostname: *, path: /*
-			Pattern: "http://",
-			Matches: []Match{
-				{"http://example.com/path", true},
-				{"http://example.com/", true},
-				{"http://example.com/path.gmi", true},
-				{"http://example.com/path/", true},
-				{"http://example.org/path", true},
-				{"gemini://example.com/path", false},
-				{"gemini://example.org/path", false},
-			},
-		},
-		{
-			// scheme: http, hostname: *, path: /path
-			Pattern: "http:///path",
-			Matches: []Match{
-				{"http://example.com/path", true},
-				{"http://example.com/", false},
-				{"http://example.com/path.gmi", false},
-				{"http://example.com/path/", false},
-				{"http://example.org/path", true},
-				{"gemini://example.com/path", false},
-				{"gemini://example.org/path", false},
-			},
-		},
-		{
-			// scheme: http, hostname: *, path: /subtree/*
-			Pattern: "http:///subtree/",
-			Matches: []Match{
-				{"http://example.com/subtree/", true},
-				{"http://example.com/subtree/nested/", true},
-				{"http://example.com/subtree/nested/file", true},
-				{"http://example.org/subtree/", true},
-				{"http://example.org/subtree/nested/", true},
-				{"http://example.org/subtree/nested/file", true},
-				{"http://example.com/subtree", false},
-				{"http://www.example.com/subtree/", true},
-				{"gemini://example.com/subtree/", false},
-			},
-		},
-		{
-			// scheme: *, hostname: *, path: /*
-			Pattern: "//",
-			Matches: []Match{
-				{"gemini://example.com/path", true},
-				{"gemini://example.com/", true},
-				{"gemini://example.com/path.gmi", true},
-				{"gemini://example.com/path/", true},
-				{"gemini://example.org/path", true},
-				{"http://example.com/path", true},
-				{"http://example.org/path", true},
-			},
-		},
-		{
-			// scheme: *, hostname: *, path: /path
-			Pattern: "///path",
-			Matches: []Match{
-				{"gemini://example.com/path", true},
-				{"gemini://example.com/", false},
-				{"gemini://example.com/path.gmi", false},
-				{"gemini://example.com/path/", false},
-				{"gemini://example.org/path", true},
-				{"http://example.com/path", true},
-				{"http://example.org/path", true},
-			},
-		},
-		{
-			// scheme: *, hostname: *, path: /subtree/*
-			Pattern: "///subtree/",
-			Matches: []Match{
-				{"gemini://example.com/subtree/", true},
-				{"gemini://example.com/subtree/nested/", true},
-				{"gemini://example.com/subtree/nested/file", true},
-				{"gemini://example.org/subtree/", true},
-				{"gemini://example.org/subtree/nested/", true},
-				{"gemini://example.org/subtree/nested/file", true},
-				{"gemini://example.com/subtree", false},
-				{"gemini://www.example.com/subtree/", true},
-				{"http://example.com/subtree/", true},
-			},
-		},
 		{
 			// scheme: gemini, hostname: *.example.com, path: /*
 			Pattern: "*.example.com",
@@ -277,25 +329,14 @@ func TestServeMuxMatch(t *testing.T) {
 				{"http://www.example.com/", false},
 			},
 		},
-		{
-			// scheme: http, hostname: *.example.com, path: /*
-			Pattern: "http://*.example.com",
-			Matches: []Match{
-				{"http://mail.example.com/", true},
-				{"http://www.example.com/index.gmi", true},
-				{"http://example.com/", false},
-				{"http://a.b.example.com/", false},
-				{"gemini://www.example.com/", false},
-			},
-		},
 	}

-	for i, test := range tests {
+	for _, test := range tests {
 		h := &nopHandler{}
-		var mux ServeMux
+		var mux Mux
 		mux.Handle(test.Pattern, h)

-		for _, match := range tests[i].Matches {
+		for _, match := range test.Matches {
 			u, err := url.Parse(match.URL)
 			if err != nil {
 				panic(err)
--- a/query.go
+++ b/query.go
@@ -12,7 +12,8 @@ func QueryEscape(query string) string {
 	return strings.ReplaceAll(url.PathEscape(query), "+", "%2B")
 }

-// QueryUnescape is identical to url.PathUnescape.
+// QueryUnescape unescapes a Gemini URL query.
+// It is identical to url.PathUnescape.
 func QueryUnescape(query string) (string, error) {
 	return url.PathUnescape(query)
 }
--- a/request.go
+++ b/request.go
@@ -10,11 +10,8 @@ import (

 // A Request represents a Gemini request received by a server or to be sent
 // by a client.
-//
-// The field semantics differ slightly between client and server usage.
 type Request struct {
-	// URL specifies the URL being requested (for server
-	// requests) or the URL to access (for client requests).
+	// URL specifies the URL being requested.
 	URL *url.URL

 	// For client requests, Host optionally specifies the server to
@@ -23,9 +20,7 @@ type Request struct {
 	// For international domain names, Host may be in Punycode or
 	// Unicode form. Use golang.org/x/net/idna to convert it to
 	// either format if needed.
-	//
-	// For server requests, Host specifies the host on which the URL
-	// is sought.
+	// This field is ignored by the Gemini server.
 	Host string

 	// For client requests, Certificate optionally specifies the
@@ -33,24 +28,11 @@ type Request struct {
 	// This field is ignored by the Gemini server.
 	Certificate *tls.Certificate

-	// RemoteAddr allows Gemini servers and other software to record
-	// the network address that sent the request, usually for
-	// logging. This field is not filled in by ReadRequest.
-	// This field is ignored by the Gemini client.
-	RemoteAddr net.Addr
-
-	// TLS allows Gemini servers and other software to record
-	// information about the TLS connection on which the request
-	// was received. This field is not filled in by ReadRequest.
-	// The Gemini server in this package sets the field for
-	// TLS-enabled connections before invoking a handler;
-	// otherwise it leaves the field nil.
-	// This field is ignored by the Gemini client.
-	TLS *tls.ConnectionState
+	conn net.Conn
+	tls  *tls.ConnectionState
 }

 // NewRequest returns a new request.
-//
 // The returned Request is suitable for use with Client.Do.
 //
 // Callers should be careful that the URL query is properly escaped.
@@ -69,45 +51,78 @@ func NewRequest(rawurl string) (*Request, error) {
 // for specialized applications; most code should use the Server
 // to read requests and handle them via the Handler interface.
 func ReadRequest(r io.Reader) (*Request, error) {
-	// Read URL
+	// Limit request size
 	r = io.LimitReader(r, 1026)
 	br := bufio.NewReaderSize(r, 1026)
-	rawurl, err := br.ReadString('\r')
+	b, err := br.ReadBytes('\n')
 	if err != nil {
+		if err == io.EOF {
+			return nil, ErrInvalidRequest
+		}
 		return nil, err
 	}
-	// Read terminating line feed
-	if b, err := br.ReadByte(); err != nil {
-		return nil, err
-	} else if b != '\n' {
+	// Read URL
+	rawurl, ok := trimCRLF(b)
+	if !ok {
 		return nil, ErrInvalidRequest
 	}
-	// Trim carriage return
-	rawurl = rawurl[:len(rawurl)-1]
-	// Validate URL
-	if len(rawurl) > 1024 {
+	if len(rawurl) == 0 {
 		return nil, ErrInvalidRequest
 	}
-	u, err := url.Parse(rawurl)
+	u, err := url.Parse(string(rawurl))
 	if err != nil {
 		return nil, err
 	}
 	return &Request{URL: u}, nil
 }

-// Write writes a Gemini request in wire format.
+// WriteTo writes r to w in the Gemini request format.
 // This method consults the request URL only.
-func (r *Request) Write(w io.Writer) error {
+func (r *Request) WriteTo(w io.Writer) (int64, error) {
 	bw := bufio.NewWriterSize(w, 1026)
 	url := r.URL.String()
 	if len(url) > 1024 {
-		return ErrInvalidRequest
+		return 0, ErrInvalidRequest
 	}
-	if _, err := bw.WriteString(url); err != nil {
-		return err
+	var wrote int64
+	n, err := bw.WriteString(url)
+	wrote += int64(n)
+	if err != nil {
+		return wrote, err
 	}
-	if _, err := bw.Write(crlf); err != nil {
-		return err
+	n, err = bw.Write(crlf)
+	wrote += int64(n)
+	if err != nil {
+		return wrote, err
 	}
-	return bw.Flush()
+	return wrote, bw.Flush()
+}
+
+// Conn returns the network connection on which the request was received.
+// Conn returns nil for client requests.
+func (r *Request) Conn() net.Conn {
+	return r.conn
+}
+
+// TLS returns information about the TLS connection on which the
+// request was received.
+// TLS returns nil for client requests.
+func (r *Request) TLS() *tls.ConnectionState {
+	if r.tls == nil {
+		if tlsConn, ok := r.conn.(*tls.Conn); ok {
+			state := tlsConn.ConnectionState()
+			r.tls = &state
+		}
+	}
+	return r.tls
+}
+
+// ServerName returns the value of the TLS Server Name Indication extension
+// sent by the client.
+// ServerName returns an empty string for client requests.
+func (r *Request) ServerName() string {
+	if tls := r.TLS(); tls != nil {
+		return tls.ServerName
+	}
+	return ""
 }
--- a/request_test.go
+++ b/request_test.go
@@ -2,7 +2,6 @@ package gemini

 import (
 	"bufio"
-	"io"
 	"net/url"
 	"strings"
 	"testing"
@@ -36,25 +35,25 @@ func TestReadRequest(t *testing.T) {
 		},
 		{
 			Raw: "\r\n",
-			URL: &url.URL{},
+			Err: ErrInvalidRequest,
 		},
 		{
 			Raw: "gemini://example.com\n",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			Raw: "gemini://example.com",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			// 1030 bytes
 			Raw: maxURL + "xxxxxx",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			// 1027 bytes
 			Raw: maxURL + "x" + "\r\n",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			// 1024 bytes
@@ -119,7 +118,7 @@ func TestWriteRequest(t *testing.T) {
 		t.Logf("%s", test.Req.URL)
 		var b strings.Builder
 		bw := bufio.NewWriter(&b)
-		err := test.Req.Write(bw)
+		_, err := test.Req.WriteTo(bw)
 		if err != test.Err {
 			t.Errorf("expected err = %v, got %v", test.Err, err)
 		}
--- a/response.go
+++ b/response.go
@@ -5,11 +5,12 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io"
+	"net"
 	"strconv"
 )

 // The default media type for responses.
-const defaultMediaType = "text/gemini; charset=utf-8"
+const defaultMediaType = "text/gemini"

 // Response represents the response from a Gemini request.
 //
@@ -17,13 +18,12 @@ const defaultMediaType = "text/gemini; charset=utf-8"
 // header has been received. The response body is streamed on demand
 // as the Body field is read.
 type Response struct {
-	// Status contains the response status code.
+	// Status is the response status code.
 	Status Status

-	// Meta contains more information related to the response status.
-	// For successful responses, Meta should contain the media type of the response.
-	// For failure responses, Meta should contain a short description of the failure.
-	// Meta should not be longer than 1024 bytes.
+	// Meta returns the response meta.
+	// For successful responses, the meta should contain the media type of the response.
+	// For failure responses, the meta should contain a short description of the failure.
 	Meta string

 	// Body represents the response body.
@@ -38,120 +38,105 @@ type Response struct {
 	// close Body.
 	Body io.ReadCloser

-	// TLS contains information about the TLS connection on which the
-	// response was received. It is nil for unencrypted responses.
-	TLS *tls.ConnectionState
+	conn net.Conn
 }

 // ReadResponse reads a Gemini response from the provided io.ReadCloser.
-func ReadResponse(rc io.ReadCloser) (*Response, error) {
+func ReadResponse(r io.ReadCloser) (*Response, error) {
 	resp := &Response{}
-	br := bufio.NewReader(rc)

-	// Read the status
-	statusB := make([]byte, 2)
-	if _, err := br.Read(statusB); err != nil {
+	// Limit response header size
+	lr := io.LimitReader(r, 1029)
+	// Wrap the reader to remove the limit later on
+	wr := &struct{ io.Reader }{lr}
+	br := bufio.NewReader(wr)
+
+	// Read response header
+	b, err := br.ReadBytes('\n')
+	if err != nil {
+		if err == io.EOF {
+			return nil, ErrInvalidResponse
+		}
 		return nil, err
 	}
-	status, err := strconv.Atoi(string(statusB))
+	if len(b) < 3 {
+		return nil, ErrInvalidResponse
+	}
+
+	// Read the status
+	status, err := strconv.Atoi(string(b[:2]))
 	if err != nil {
 		return nil, ErrInvalidResponse
 	}
 	resp.Status = Status(status)

 	// Read one space
-	if b, err := br.ReadByte(); err != nil {
-		return nil, err
-	} else if b != ' ' {
+	if b[2] != ' ' {
 		return nil, ErrInvalidResponse
 	}

 	// Read the meta
-	meta, err := br.ReadString('\r')
-	if err != nil {
-		return nil, err
-	}
-	// Trim carriage return
-	meta = meta[:len(meta)-1]
-	// Ensure meta is less than or equal to 1024 bytes
-	if len(meta) > 1024 {
+	meta, ok := trimCRLF(b[3:])
+	if !ok {
 		return nil, ErrInvalidResponse
 	}
-	if resp.Status.Class() == StatusSuccess && meta == "" {
-		// Use default media type
-		meta = defaultMediaType
-	}
-	resp.Meta = meta
-
-	// Read terminating newline
-	if b, err := br.ReadByte(); err != nil {
-		return nil, err
-	} else if b != '\n' {
+	if len(meta) == 0 {
 		return nil, ErrInvalidResponse
 	}
+	resp.Meta = string(meta)

 	if resp.Status.Class() == StatusSuccess {
-		resp.Body = newReadCloserBody(br, rc)
+		// Use unlimited reader
+		wr.Reader = r
+
+		type readCloser struct {
+			io.Reader
+			io.Closer
+		}
+		resp.Body = readCloser{br, r}
 	} else {
 		resp.Body = nopReadCloser{}
-		rc.Close()
+		r.Close()
 	}
 	return resp, nil
 }

-type nopReadCloser struct{}
-
-func (nopReadCloser) Read(p []byte) (int, error) {
-	return 0, io.EOF
+// Conn returns the network connection on which the response was received.
+func (r *Response) Conn() net.Conn {
+	return r.conn
 }

-func (nopReadCloser) Close() error {
+// TLS returns information about the TLS connection on which the
+// response was received.
+func (r *Response) TLS() *tls.ConnectionState {
+	if tlsConn, ok := r.conn.(*tls.Conn); ok {
+		state := tlsConn.ConnectionState()
+		return &state
+	}
 	return nil
 }

-type readCloserBody struct {
-	br *bufio.Reader // used until empty
-	io.ReadCloser
-}
-
-func newReadCloserBody(br *bufio.Reader, rc io.ReadCloser) io.ReadCloser {
-	body := &readCloserBody{ReadCloser: rc}
-	if br.Buffered() != 0 {
-		body.br = br
-	}
-	return body
-}
-
-func (b *readCloserBody) Read(p []byte) (n int, err error) {
-	if b.br != nil {
-		if n := b.br.Buffered(); len(p) > n {
-			p = p[:n]
-		}
-		n, err = b.br.Read(p)
-		if b.br.Buffered() == 0 {
-			b.br = nil
-		}
-		return n, err
-	}
-	return b.ReadCloser.Read(p)
-}
-
-// Write writes r to w in the Gemini response format, including the
+// WriteTo writes r to w in the Gemini response format, including the
 // header and body.
 //
 // This method consults the Status, Meta, and Body fields of the response.
 // The Response Body is closed after it is sent.
-func (r *Response) Write(w io.Writer) error {
-	if _, err := fmt.Fprintf(w, "%02d %s\r\n", r.Status, r.Meta); err != nil {
-		return err
+func (r *Response) WriteTo(w io.Writer) (int64, error) {
+	var wrote int64
+	n, err := fmt.Fprintf(w, "%02d %s\r\n", r.Status, r.Meta)
+	wrote += int64(n)
+	if err != nil {
+		return wrote, err
 	}
 	if r.Body != nil {
 		defer r.Body.Close()
-		if _, err := io.Copy(w, r.Body); err != nil {
-			return err
+		n, err := io.Copy(w, r.Body)
+		wrote += n
+		if err != nil {
+			return wrote, err
 		}
 	}
-	return nil
+	return wrote, nil
 }

 // A ResponseWriter interface is used by a Gemini handler to construct
@@ -161,19 +146,19 @@ func (r *Response) Write(w io.Writer) error {
 // has returned.
 type ResponseWriter interface {
 	// SetMediaType sets the media type that will be sent by Write for a
-	// successful response. If no media type is set, a default of
-	// "text/gemini; charset=utf-8" will be used.
+	// successful response. If no media type is set, a default media type of
+	// "text/gemini" will be used.
 	//
 	// Setting the media type after a call to Write or WriteHeader has
 	// no effect.
-	SetMediaType(string)
+	SetMediaType(mediatype string)

 	// Write writes the data to the connection as part of a Gemini response.
 	//
 	// If WriteHeader has not yet been called, Write calls WriteHeader with
 	// StatusSuccess and the media type set in SetMediaType before writing the data.
 	// If no media type was set, Write uses a default media type of
-	// "text/gemini; charset=utf-8".
+	// "text/gemini".
 	Write([]byte) (int, error)

 	// WriteHeader sends a Gemini response header with the provided
@@ -193,20 +178,15 @@ type ResponseWriter interface {
 }

 type responseWriter struct {
-	b           *bufio.Writer
+	bw          *bufio.Writer
 	mediatype   string
 	wroteHeader bool
 	bodyAllowed bool
 }

-// NewResponseWriter returns a ResponseWriter that uses the provided io.Writer.
-func NewResponseWriter(w io.Writer) ResponseWriter {
-	return newResponseWriter(w)
-}
-
 func newResponseWriter(w io.Writer) *responseWriter {
 	return &responseWriter{
-		b: bufio.NewWriter(w),
+		bw: bufio.NewWriter(w),
 	}
 }

@@ -226,7 +206,7 @@ func (w *responseWriter) Write(b []byte) (int, error) {
 	if !w.bodyAllowed {
 		return 0, ErrBodyNotAllowed
 	}
-	return w.b.Write(b)
+	return w.bw.Write(b)
 }

 func (w *responseWriter) WriteHeader(status Status, meta string) {
@@ -238,10 +218,10 @@ func (w *responseWriter) WriteHeader(status Status, meta string) {
 		w.bodyAllowed = true
 	}

-	w.b.WriteString(strconv.Itoa(int(status)))
-	w.b.WriteByte(' ')
-	w.b.WriteString(meta)
-	w.b.Write(crlf)
+	w.bw.WriteString(strconv.Itoa(int(status)))
+	w.bw.WriteByte(' ')
+	w.bw.WriteString(meta)
+	w.bw.Write(crlf)
 	w.wroteHeader = true
 }

@@ -249,6 +229,6 @@ func (w *responseWriter) Flush() error {
 	if !w.wroteHeader {
 		w.WriteHeader(StatusTemporaryFailure, "Temporary failure")
 	}
-	// Write errors from writeHeader will be returned here.
-	return w.b.Flush()
+	// Write errors from WriteHeader will be returned here.
+	return w.bw.Flush()
 }
--- a/response_test.go
+++ b/response_test.go
@@ -2,6 +2,7 @@ package gemini

 import (
 	"io"
+	"io/ioutil"
 	"strings"
 	"testing"
 )
@@ -37,6 +38,15 @@ func TestReadWriteResponse(t *testing.T) {
 			Meta:      "/redirect",
 			SkipWrite: true, // skip write test since result won't match Raw
 		},
+		{
+			Raw:    "32 " + maxURL + "\r\n",
+			Status: 32,
+			Meta:   maxURL,
+		},
+		{
+			Raw: "33 " + maxURL + "xxxx" + "\r\n",
+			Err: ErrInvalidResponse,
+		},
 		{
 			Raw:    "99 Unknown status code\r\n",
 			Status: 99,
@@ -56,15 +66,15 @@ func TestReadWriteResponse(t *testing.T) {
 		},
 		{
 			Raw: "",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "10 Search query",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "20 text/gemini\nHello, world!",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "20 text/gemini\rHello, world!",
@@ -72,7 +82,7 @@ func TestReadWriteResponse(t *testing.T) {
 		},
 		{
 			Raw: "20 text/gemini\r",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "abcdefghijklmnopqrstuvwxyz",
@@ -82,11 +92,11 @@ func TestReadWriteResponse(t *testing.T) {

 	for _, test := range tests {
 		t.Logf("%#v", test.Raw)
-		resp, err := ReadResponse(io.NopCloser(strings.NewReader(test.Raw)))
+		resp, err := ReadResponse(ioutil.NopCloser(strings.NewReader(test.Raw)))
 		if err != test.Err {
 			t.Errorf("expected err = %v, got %v", test.Err, err)
 		}
-		if test.Err != nil {
+		if err != nil {
 			// No response
 			continue
 		}
@@ -96,7 +106,7 @@ func TestReadWriteResponse(t *testing.T) {
 		if resp.Meta != test.Meta {
 			t.Errorf("expected meta = %s, got %s", test.Meta, resp.Meta)
 		}
-		b, _ := io.ReadAll(resp.Body)
+		b, _ := ioutil.ReadAll(resp.Body)
 		body := string(b)
 		if body != test.Body {
 			t.Errorf("expected body = %#v, got %#v", test.Body, body)
@@ -107,14 +117,12 @@ func TestReadWriteResponse(t *testing.T) {
 		if test.Err != nil || test.SkipWrite {
 			continue
 		}
-		resp := &Response{
-			Status: test.Status,
-			Meta:   test.Meta,
-			Body:   io.NopCloser(strings.NewReader(test.Body)),
-		}

 		var b strings.Builder
-		if err := resp.Write(&b); err != nil {
+		w := newResponseWriter(nopCloser{&b})
+		w.WriteHeader(test.Status, test.Meta)
+		io.Copy(w, strings.NewReader(test.Body))
+		if err := w.Flush(); err != nil {
 			t.Error(err)
 			continue
 		}
--- a/server.go
+++ b/server.go
@@ -52,7 +52,7 @@ type Server struct {

 	listeners map[*net.Listener]context.CancelFunc
 	conns     map[*net.Conn]context.CancelFunc
-	closed    bool // true if Closed or Shutdown called
+	closed    bool // true if Close or Shutdown called
 	shutdown  bool // true if Shutdown called
 	doneChan  chan struct{}
 	mu        sync.Mutex
@@ -229,8 +229,8 @@ func (srv *Server) deleteListener(l *net.Listener) {
 }

 // Serve accepts incoming connections on the Listener l, creating a new
-// service goroutine for each. The service goroutines reads the request and
-// then calls the appropriate Handler to reply to them. If the provided
+// service goroutine for each. The service goroutines read the requests and
+// then call the appropriate Handler to reply to them. If the provided
 // context expires, Serve closes l and returns the context's error.
 //
 // Serve always closes l and returns a non-nil error.
@@ -282,14 +282,17 @@ func (srv *Server) serve(ctx context.Context, l net.Listener) error {
 			return err
 		}
 		tempDelay = 0
-		go srv.ServeConn(ctx, rw)
+		go srv.serveConn(ctx, rw, false)
 	}
 }

-func (srv *Server) trackConn(conn *net.Conn, cancel context.CancelFunc) bool {
+func (srv *Server) trackConn(conn *net.Conn, cancel context.CancelFunc, external bool) bool {
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
-	if srv.closed && !srv.shutdown {
+	// Reject the connection under the following conditions:
+	// - Shutdown or Close has been called and conn is external (from ServeConn)
+	// - Close (not Shutdown) has been called and conn is internal (from Serve)
+	if srv.closed && (external || !srv.shutdown) {
 		return false
 	}
 	if srv.conns == nil {
@@ -309,15 +312,17 @@ func (srv *Server) deleteConn(conn *net.Conn) {
 // It closes the connection when the response has been completed.
 // If the provided context expires before the response has completed,
 // ServeConn closes the connection and returns the context's error.
-//
-// Note that ServeConn can be used during a Shutdown.
 func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {
+	return srv.serveConn(ctx, conn, true)
+}
+
+func (srv *Server) serveConn(ctx context.Context, conn net.Conn, external bool) error {
 	defer conn.Close()

 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()

-	if !srv.trackConn(&conn, cancel) {
+	if !srv.trackConn(&conn, cancel, external) {
 		return context.Canceled
 	}
 	defer srv.tryCloseDone()
@@ -332,7 +337,7 @@ func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {

 	errch := make(chan error, 1)
 	go func() {
-		errch <- srv.serveConn(ctx, conn)
+		errch <- srv.goServeConn(ctx, conn)
 	}()

 	select {
@@ -343,24 +348,30 @@ func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {
 	}
 }

-func (srv *Server) serveConn(ctx context.Context, conn net.Conn) error {
-	w := newResponseWriter(conn)
+func (srv *Server) goServeConn(ctx context.Context, conn net.Conn) error {
+	ctx, cancel := context.WithCancel(ctx)
+	done := ctx.Done()
+	cw := &contextWriter{
+		ctx:    ctx,
+		done:   done,
+		cancel: cancel,
+		wc:     conn,
+	}
+	r := &contextReader{
+		ctx:    ctx,
+		done:   done,
+		cancel: cancel,
+		rc:     conn,
+	}

-	req, err := ReadRequest(conn)
+	w := newResponseWriter(cw)
+
+	req, err := ReadRequest(r)
 	if err != nil {
 		w.WriteHeader(StatusBadRequest, "Bad request")
 		return w.Flush()
 	}
-
-	// Store the TLS connection state
-	if tlsConn, ok := conn.(*tls.Conn); ok {
-		state := tlsConn.ConnectionState()
-		req.TLS = &state
-		req.Host = state.ServerName
-	}
-
-	// Store remote address
-	req.RemoteAddr = conn.RemoteAddr()
+	req.conn = conn

 	h := srv.Handler
 	if h == nil {
--- a/timeout.go
+++ b/timeout.go
@@ -1,112 +0,0 @@
-package gemini
-
-import (
-	"bytes"
-	"context"
-	"sync"
-	"time"
-)
-
-// TimeoutHandler returns a Handler that runs h with the given time limit.
-//
-// The new Handler calls h.ServeGemini to handle each request, but
-// if a call runs for longer than its time limit, the handler responds with a
-// 40 Temporary Failure error. After such a timeout, writes by h to its
-// ResponseWriter will return ErrHandlerTimeout.
-func TimeoutHandler(h Handler, dt time.Duration) Handler {
-	return &timeoutHandler{
-		h:  h,
-		dt: dt,
-	}
-}
-
-type timeoutHandler struct {
-	h  Handler
-	dt time.Duration
-}
-
-func (t *timeoutHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
-	ctx, cancel := context.WithTimeout(ctx, t.dt)
-	defer cancel()
-
-	done := make(chan struct{})
-	tw := &timeoutWriter{}
-	panicChan := make(chan interface{}, 1)
-	go func() {
-		defer func() {
-			if p := recover(); p != nil {
-				panicChan <- p
-			}
-		}()
-		t.h.ServeGemini(ctx, tw, r)
-		close(done)
-	}()
-
-	select {
-	case p := <-panicChan:
-		panic(p)
-	case <-done:
-		tw.mu.Lock()
-		defer tw.mu.Unlock()
-		if !tw.wroteHeader {
-			tw.status = StatusSuccess
-		}
-		w.WriteHeader(tw.status, tw.meta)
-		w.Write(tw.b.Bytes())
-	case <-ctx.Done():
-		tw.mu.Lock()
-		defer tw.mu.Unlock()
-		w.WriteHeader(StatusTemporaryFailure, "Timeout")
-		tw.timedOut = true
-	}
-}
-
-type timeoutWriter struct {
-	mu          sync.Mutex
-	b           bytes.Buffer
-	status      Status
-	meta        string
-	mediatype   string
-	wroteHeader bool
-	timedOut    bool
-}
-
-func (w *timeoutWriter) SetMediaType(mediatype string) {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	w.mediatype = mediatype
-}
-
-func (w *timeoutWriter) Write(b []byte) (int, error) {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	if w.timedOut {
-		return 0, ErrHandlerTimeout
-	}
-	if !w.wroteHeader {
-		w.writeHeaderLocked(StatusSuccess, w.mediatype)
-	}
-	return w.b.Write(b)
-}
-
-func (w *timeoutWriter) WriteHeader(status Status, meta string) {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	if w.timedOut {
-		return
-	}
-	w.writeHeaderLocked(status, meta)
-}
-
-func (w *timeoutWriter) writeHeaderLocked(status Status, meta string) {
-	if w.wroteHeader {
-		return
-	}
-	w.status = status
-	w.meta = meta
-	w.wroteHeader = true
-}
-
-func (w *timeoutWriter) Flush() error {
-	return nil
-}
--- a/tofu/tofu.go
+++ b/tofu/tofu.go
@@ -4,17 +4,16 @@ package tofu
 import (
 	"bufio"
 	"bytes"
-	"crypto/sha512"
+	"crypto/sha256"
 	"crypto/x509"
-	"errors"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"sort"
-	"strconv"
 	"strings"
 	"sync"
-	"time"
 )

 // KnownHosts represents a list of known hosts.
@@ -84,7 +83,11 @@ func (k *KnownHosts) WriteTo(w io.Writer) (int64, error) {

 // Load loads the known hosts entries from the provided path.
 func (k *KnownHosts) Load(path string) error {
-	f, err := os.Open(path)
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
+		return err
+	}
+
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDONLY, 0644)
 	if err != nil {
 		return err
 	}
@@ -133,6 +136,9 @@ func (k *KnownHosts) Parse(r io.Reader) error {
 		if err != nil {
 			continue
 		}
+		if h.Algorithm != "sha256" {
+			continue
+		}

 		k.hosts[h.Hostname] = h
 	}
@@ -143,22 +149,17 @@ func (k *KnownHosts) Parse(r io.Reader) error {
 // TOFU implements basic trust on first use.
 //
 // If the host is not on file, it is added to the list.
-// If the host on file is expired, a new entry is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (k *KnownHosts) TOFU(hostname string, cert *x509.Certificate) error {
-	host := NewHost(hostname, cert.Raw, cert.NotAfter)
-
+	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := k.Lookup(hostname)
-	if !ok || time.Now().After(knownHost.Expires) {
+	if !ok {
 		k.Add(host)
 		return nil
 	}
-
-	// Check fingerprint
-	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+	if host.Fingerprint != knownHost.Fingerprint {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
-
 	return nil
 }

@@ -266,21 +267,16 @@ func (p *PersistentHosts) Entries() []Host {
 // TOFU implements trust on first use with a persistent set of known hosts.
 //
 // If the host is not on file, it is added to the list.
-// If the host on file is expired, a new entry is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (p *PersistentHosts) TOFU(hostname string, cert *x509.Certificate) error {
-	host := NewHost(hostname, cert.Raw, cert.NotAfter)
-
+	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := p.Lookup(hostname)
-	if !ok || time.Now().After(knownHost.Expires) {
+	if !ok {
 		return p.Add(host)
 	}
-
-	// Check fingerprint
-	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+	if host.Fingerprint != knownHost.Fingerprint {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
-
 	return nil
 }

@@ -291,22 +287,20 @@ func (p *PersistentHosts) Close() error {

 // Host represents a host entry with a fingerprint using a certain algorithm.
 type Host struct {
-	Hostname    string      // hostname
-	Algorithm   string      // fingerprint algorithm e.g. SHA-512
-	Fingerprint Fingerprint // fingerprint
-	Expires     time.Time   // unix time of the fingerprint expiration date
+	Hostname    string // hostname
+	Algorithm   string // fingerprint algorithm e.g. sha256
+	Fingerprint string // fingerprint
 }

-// NewHost returns a new host with a SHA-512 fingerprint of
+// NewHost returns a new host with a SHA256 fingerprint of
 // the provided raw data.
-func NewHost(hostname string, raw []byte, expires time.Time) Host {
-	sum := sha512.Sum512(raw)
+func NewHost(hostname string, raw []byte) Host {
+	sum := sha256.Sum256(raw)

 	return Host{
 		Hostname:    hostname,
-		Algorithm:   "SHA-512",
-		Fingerprint: sum[:],
-		Expires:     expires,
+		Algorithm:   "sha256",
+		Fingerprint: base64.StdEncoding.EncodeToString(sum[:]),
 	}
 }

@@ -324,95 +318,19 @@ func (h Host) String() string {
 	b.WriteByte(' ')
 	b.WriteString(h.Algorithm)
 	b.WriteByte(' ')
-	b.WriteString(h.Fingerprint.String())
-	b.WriteByte(' ')
-	b.WriteString(strconv.FormatInt(h.Expires.Unix(), 10))
+	b.WriteString(h.Fingerprint)
 	return b.String()
 }

 // UnmarshalText unmarshals the host from the provided text.
 func (h *Host) UnmarshalText(text []byte) error {
-	const format = "hostname algorithm hex-fingerprint expiry-unix-ts"
-
 	parts := bytes.Split(text, []byte(" "))
-	if len(parts) != 4 {
-		return fmt.Errorf("expected the format %q", format)
-	}
-
-	if len(parts[0]) == 0 {
-		return errors.New("empty hostname")
+	if len(parts) != 3 {
+		return fmt.Errorf("expected the format 'hostname algorithm fingerprint'")
 	}

 	h.Hostname = string(parts[0])
-
-	algorithm := string(parts[1])
-	if algorithm != "SHA-512" {
-		return fmt.Errorf("unsupported algorithm %q", algorithm)
-	}
-
-	h.Algorithm = algorithm
-
-	fingerprint := make([]byte, 0, sha512.Size)
-	scanner := bufio.NewScanner(bytes.NewReader(parts[2]))
-	scanner.Split(scanFingerprint)
-
-	for scanner.Scan() {
-		b, err := strconv.ParseUint(scanner.Text(), 16, 8)
-		if err != nil {
-			return fmt.Errorf("failed to parse fingerprint hash: %w", err)
-		}
-		fingerprint = append(fingerprint, byte(b))
-	}
-
-	if len(fingerprint) != sha512.Size {
-		return fmt.Errorf("invalid fingerprint size %d, expected %d",
-			len(fingerprint), sha512.Size)
-	}
-
-	h.Fingerprint = fingerprint
-
-	unix, err := strconv.ParseInt(string(parts[3]), 10, 0)
-	if err != nil {
-		return fmt.Errorf("invalid unix timestamp: %w", err)
-	}
-
-	h.Expires = time.Unix(unix, 0)
-
+	h.Algorithm = string(parts[1])
+	h.Fingerprint = string(parts[2])
 	return nil
 }
-
-func scanFingerprint(data []byte, atEOF bool) (advance int, token []byte, err error) {
-	if atEOF && len(data) == 0 {
-		return 0, nil, nil
-	}
-	if i := bytes.IndexByte(data, ':'); i >= 0 {
-		// We have a full newline-terminated line.
-		return i + 1, data[0:i], nil
-	}
-
-	// If we're at EOF, we have a final, non-terminated hex byte
-	if atEOF {
-		return len(data), data, nil
-	}
-
-	// Request more data.
-	return 0, nil, nil
-}
-
-// Fingerprint represents a fingerprint.
-type Fingerprint []byte
-
-// String returns a string representation of the fingerprint.
-func (f Fingerprint) String() string {
-	var sb strings.Builder
-
-	for i, b := range f {
-		if i > 0 {
-			sb.WriteByte(':')
-		}
-
-		fmt.Fprintf(&sb, "%02X", b)
-	}
-
-	return sb.String()
-}
--- a/vendor.go
+++ b/vendor.go
@@ -1,212 +0,0 @@
-// Hostname verification code from the crypto/x509 package.
-// Modified to allow Common Names in the short term, until new certificates
-// can be issued with SANs.
-
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package gemini
-
-import (
-	"crypto/x509"
-	"net"
-	"strings"
-	"unicode/utf8"
-)
-
-var oidExtensionSubjectAltName = []int{2, 5, 29, 17}
-
-func hasSANExtension(c *x509.Certificate) bool {
-	for _, e := range c.Extensions {
-		if e.Id.Equal(oidExtensionSubjectAltName) {
-			return true
-		}
-	}
-	return false
-}
-
-func validHostnamePattern(host string) bool { return validHostname(host, true) }
-func validHostnameInput(host string) bool   { return validHostname(host, false) }
-
-// validHostname reports whether host is a valid hostname that can be matched or
-// matched against according to RFC 6125 2.2, with some leniency to accommodate
-// legacy values.
-func validHostname(host string, isPattern bool) bool {
-	if !isPattern {
-		host = strings.TrimSuffix(host, ".")
-	}
-	if len(host) == 0 {
-		return false
-	}
-
-	for i, part := range strings.Split(host, ".") {
-		if part == "" {
-			// Empty label.
-			return false
-		}
-		if isPattern && i == 0 && part == "*" {
-			// Only allow full left-most wildcards, as those are the only ones
-			// we match, and matching literal '*' characters is probably never
-			// the expected behavior.
-			continue
-		}
-		for j, c := range part {
-			if 'a' <= c && c <= 'z' {
-				continue
-			}
-			if '0' <= c && c <= '9' {
-				continue
-			}
-			if 'A' <= c && c <= 'Z' {
-				continue
-			}
-			if c == '-' && j != 0 {
-				continue
-			}
-			if c == '_' {
-				// Not a valid character in hostnames, but commonly
-				// found in deployments outside the WebPKI.
-				continue
-			}
-			return false
-		}
-	}
-
-	return true
-}
-
-// commonNameAsHostname reports whether the Common Name field should be
-// considered the hostname that the certificate is valid for. This is a legacy
-// behavior, disabled by default or if the Subject Alt Name extension is present.
-//
-// It applies the strict validHostname check to the Common Name field, so that
-// certificates without SANs can still be validated against CAs with name
-// constraints if there is no risk the CN would be matched as a hostname.
-// See NameConstraintsWithoutSANs and issue 24151.
-func commonNameAsHostname(c *x509.Certificate) bool {
-	return !hasSANExtension(c) && validHostnamePattern(c.Subject.CommonName)
-}
-
-func matchExactly(hostA, hostB string) bool {
-	if hostA == "" || hostA == "." || hostB == "" || hostB == "." {
-		return false
-	}
-	return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB)
-}
-
-func matchHostnames(pattern, host string) bool {
-	pattern = toLowerCaseASCII(pattern)
-	host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
-
-	if len(pattern) == 0 || len(host) == 0 {
-		return false
-	}
-
-	patternParts := strings.Split(pattern, ".")
-	hostParts := strings.Split(host, ".")
-
-	if len(patternParts) != len(hostParts) {
-		return false
-	}
-
-	for i, patternPart := range patternParts {
-		if i == 0 && patternPart == "*" {
-			continue
-		}
-		if patternPart != hostParts[i] {
-			return false
-		}
-	}
-
-	return true
-}
-
-// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
-// an explicitly ASCII function to avoid any sharp corners resulting from
-// performing Unicode operations on DNS labels.
-func toLowerCaseASCII(in string) string {
-	// If the string is already lower-case then there's nothing to do.
-	isAlreadyLowerCase := true
-	for _, c := range in {
-		if c == utf8.RuneError {
-			// If we get a UTF-8 error then there might be
-			// upper-case ASCII bytes in the invalid sequence.
-			isAlreadyLowerCase = false
-			break
-		}
-		if 'A' <= c && c <= 'Z' {
-			isAlreadyLowerCase = false
-			break
-		}
-	}
-
-	if isAlreadyLowerCase {
-		return in
-	}
-
-	out := []byte(in)
-	for i, c := range out {
-		if 'A' <= c && c <= 'Z' {
-			out[i] += 'a' - 'A'
-		}
-	}
-	return string(out)
-}
-
-// verifyHostname returns nil if c is a valid certificate for the named host.
-// Otherwise it returns an error describing the mismatch.
-//
-// IP addresses can be optionally enclosed in square brackets and are checked
-// against the IPAddresses field. Other names are checked case insensitively
-// against the DNSNames field. If the names are valid hostnames, the certificate
-// fields can have a wildcard as the left-most label.
-//
-// The legacy Common Name field is ignored unless it's a valid hostname, the
-// certificate doesn't have any Subject Alternative Names, and the GODEBUG
-// environment variable is set to "x509ignoreCN=0". Support for Common Name is
-// deprecated will be entirely removed in the future.
-func verifyHostname(c *x509.Certificate, h string) error {
-	// IP addresses may be written in [ ].
-	candidateIP := h
-	if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' {
-		candidateIP = h[1 : len(h)-1]
-	}
-	if ip := net.ParseIP(candidateIP); ip != nil {
-		// We only match IP addresses against IP SANs.
-		// See RFC 6125, Appendix B.2.
-		for _, candidate := range c.IPAddresses {
-			if ip.Equal(candidate) {
-				return nil
-			}
-		}
-		return x509.HostnameError{c, candidateIP}
-	}
-
-	names := c.DNSNames
-	if commonNameAsHostname(c) {
-		names = []string{c.Subject.CommonName}
-	}
-
-	candidateName := toLowerCaseASCII(h) // Save allocations inside the loop.
-	validCandidateName := validHostnameInput(candidateName)
-
-	for _, match := range names {
-		// Ideally, we'd only match valid hostnames according to RFC 6125 like
-		// browsers (more or less) do, but in practice Go is used in a wider
-		// array of contexts and can't even assume DNS resolution. Instead,
-		// always allow perfect matches, and only apply wildcard and trailing
-		// dot processing to valid hostnames.
-		if validCandidateName && validHostnamePattern(match) {
-			if matchHostnames(match, candidateName) {
-				return nil
-			}
-		} else {
-			if matchExactly(match, candidateName) {
-				return nil
-			}
-		}
-	}
-
-	return x509.HostnameError{c, h}
-}
Author	SHA1	Message	Date
Adnan Maolood	3d2110d90f	mux: Tweak documentation	2021-06-26 20:26:30 -04:00
Adnan Maolood	b5c47a5ef0	mux: Add more tests	2021-06-26 20:16:38 -04:00
Adnan Maolood	fb0d4d24bd	mux: Remove support for handling schemes Also fix redirection to subtree roots for wildcard patterns and patterns without a host name.	2021-06-26 18:50:09 -04:00
Adnan Maolood	1170e007d4	fs: Avoid equality check if lengths don't match	2021-04-21 12:48:27 -04:00
Adnan Maolood	c85759d777	fs: Improve redirect behavior	2021-04-21 12:41:56 -04:00
Adnan Maolood	507773618b	fs: Refactor	2021-04-21 12:18:52 -04:00
Adnan Maolood	3bc243dd66	fs: Remove ServeContent function	2021-04-21 11:41:40 -04:00
Adnan Maolood	de93d44786	LoggingMiddleware: Prevent writing empty meta	2021-04-21 11:38:34 -04:00
Adnan Maolood	eb32c32063	fs: Fix panic on indexing URL of zero length	2021-04-21 11:36:43 -04:00
Adnan Maolood	e5cf345273	Update README.md	2021-03-24 13:30:46 -04:00
Adnan Maolood	c68ce57488	mux: Add copyright notice	2021-03-24 13:09:53 -04:00
Adnan Maolood	2b161650fe	Split LICENSE into two files	2021-03-24 13:08:32 -04:00
Adnan Maolood	dbbef1fb6d	Revert "Require Go 1.16" This reverts commit `0e87d64ffc`.	2021-03-23 22:05:12 -04:00
Adnan Maolood	90518a01a8	Revert "Replace uses of ioutil with io" This reverts commit `19f1d6693e`.	2021-03-23 22:02:32 -04:00
Adnan Maolood	056e55abbb	response: Remove unnecessary length check	2021-03-20 18:29:40 -04:00
Adnan Maolood	72d437c82e	response: Limit response header size	2021-03-20 14:01:45 -04:00
Adnan Maolood	3dca29eb41	response: Don't use bufReadCloser	2021-03-20 13:41:53 -04:00
Adnan Maolood	a40b5dcd0b	fs: Fix empty media type for directory index pages	2021-03-20 13:33:15 -04:00
Adnan Maolood	fffe86680e	client: Only get cert if TrustCertificate is set	2021-03-20 12:54:41 -04:00
Adnan Maolood	d5af32e121	client: Close connection on error	2021-03-20 12:49:27 -04:00
Adnan Maolood	5141eaafaa	Tweak request and response parsing	2021-03-20 12:27:20 -04:00
Adnan Maolood	e5c0afa013	response: Treat empty meta as invalid	2021-03-20 12:07:24 -04:00
Adnan Maolood	4c7c200f92	Remove unused field	2021-03-20 12:05:21 -04:00
Adnan Maolood	0a709da439	Remove charset=utf-8 from default media type	2021-03-20 12:04:42 -04:00
Adnan Maolood	1fdef9b608	Rename ServeMux to Mux	2021-03-15 15:44:35 -04:00
Adnan Maolood	2144e2c2f2	status: Reintroduce StatusSensitiveInput	2021-03-15 15:19:43 -04:00
Adnan Maolood	93a606b591	certificate.Store: Call os.MkdirAll on Load	2021-03-09 08:59:28 -05:00
Adnan Maolood	b00794f236	tofu: Use stricter file permissions	2021-03-09 08:58:36 -05:00
Noah Kleiner	3da7fe7cee	tofu: Create path if not exists This commit is a follow-up to `56774408` which does not take into account the case that the parent directory of the known_hosts file does not already exist.	2021-03-09 08:50:42 -05:00
Adnan Maolood	dea7600f29	Remove StatusSensitiveInput	2021-03-08 14:08:45 -05:00
Adnan Maolood	7d958a4798	examples/client: Fix certificate trust check	2021-03-08 14:07:18 -05:00
Adnan Maolood	a5493b708a	tofu: Fix known host unmarshaling	2021-03-06 15:49:11 -05:00
Adnan Maolood	6e5c2473e7	tofu: Use base64-encoded sha256 fingerprints	2021-03-06 15:24:15 -05:00
Adnan Maolood	c639233ea1	tofu: Fix format in error message	2021-03-06 15:13:06 -05:00
Adnan Maolood	5677440876	tofu: Automatically create file in KnownHosts.Load	2021-03-06 15:11:30 -05:00
Adnan Maolood	be3d09d7f4	certificate.Store: Don't call os.MkdirAll	2021-03-06 13:11:11 -05:00
Adnan Maolood	504da9afd8	certificate.Store: Don't check parent scopes in Lookup Limit the scopes of client certificates to hostnames only instead of hostnames and paths.	2021-03-06 12:59:33 -05:00
Adnan Maolood	d1cb8967b6	certificate.Store: Make 100 years the default duration	2021-03-05 23:29:56 -05:00
Adnan Maolood	107b3a1785	Move LoggingMiddleware out of examples/server.go	2021-03-05 11:35:01 -05:00
Adnan Maolood	e7a06a12bf	certificate.Store: Clean scope path in Load Clean the scope path so that trimming the path from the scope works for relative paths.	2021-03-05 10:51:55 -05:00
Adnan Maolood	649b20659b	Revert "certificate: Remove Subject from CreateOptions" This reverts commit `ce649ecc66`.	2021-03-04 20:04:46 -05:00
Adnan Maolood	c9e2af98f3	Revert "certificate.Store: Allow using '*' in DNSNames" This reverts commit `de0b93a4f6`.	2021-03-04 19:26:13 -05:00
Adnan Maolood	d6d02e398e	certificate.Store: Bump default duration to 250 years	2021-03-04 16:55:09 -05:00
Adnan Maolood	de0b93a4f6	certificate.Store: Allow using '*' in DNSNames This isn't exactly a valid DNSName, but it reduces the number of certificates that need to be created. Clients should either accept it or skip checking DNSNames.	2021-03-04 16:40:25 -05:00
Adnan Maolood	ce649ecc66	certificate: Remove Subject from CreateOptions	2021-03-04 16:27:16 -05:00
Adnan Maolood	688e7e2823	certificate: Fix deadlock in Store.Get	2021-03-04 16:20:57 -05:00
Adnan Maolood	b38311da00	certificate.Store: Fix hostname registration check	2021-03-04 16:12:36 -05:00
Adnan Maolood	8e2ac24830	tofu: Remove expiration timestamp from known hosts	2021-03-04 15:37:02 -05:00
Adnan Maolood	bfa3356d3a	client: Remove hostname verification check	2021-03-04 14:36:31 -05:00
Adnan Maolood	9f3564936e	client: Ignore certificate expiration time	2021-03-04 14:35:51 -05:00
Adnan Maolood	d8fb072826	Rename vendor.go to verify_hostname.go	2021-02-28 23:21:10 -05:00
Adnan Maolood	69f0913b3d	Make Response implement io.WriterTo	2021-02-28 22:21:54 -05:00
Adnan Maolood	f7012b38da	Request.WriteTo: return int64	2021-02-28 22:20:59 -05:00
Adnan Maolood	768ec6c17b	Make Request implement io.WriterTo	2021-02-28 22:16:38 -05:00
Adnan Maolood	ae7d58549d	Add message argument to TimeoutHandler	2021-02-28 22:07:24 -05:00
Adnan Maolood	ad5d78f08f	Mention that Request methods don't work for clients	2021-02-28 21:59:19 -05:00
Adnan Maolood	4b92c71839	Remove Request.RemoteAddr helper method	2021-02-28 21:52:41 -05:00
Adnan Maolood	19f1d6693e	Replace uses of ioutil with io	2021-02-28 21:38:36 -05:00
Adnan Maolood	0e87d64ffc	Require Go 1.16	2021-02-28 21:38:17 -05:00
Adnan Maolood	845f8e9bd1	Reintroduce Response.Write method	2021-02-28 20:50:18 -05:00
Adnan Maolood	cf9ab18c1f	certificate.Store: Check parent scopes in Lookup	2021-02-28 20:23:32 -05:00
Adnan Maolood	ada42ff427	certificate.Store: Support client certificates	2021-02-28 19:29:25 -05:00
Adnan Maolood	fcc71b76d9	examples/server: Clean up LoggingMiddleware	2021-02-27 14:53:37 -05:00
Adnan Maolood	6a1ccdc644	response: Add tests for maximum-length META	2021-02-27 14:08:31 -05:00
Adnan Maolood	f156be19b4	request: Add RemoteAddr helper function	2021-02-27 14:03:33 -05:00
Adnan Maolood	82bdffc1eb	request: Add ServerName helper method	2021-02-27 14:02:30 -05:00
Adnan Maolood	a396ec77e4	request: Cache calls to TLS	2021-02-27 13:59:45 -05:00
Adnan Maolood	21ad3a2ded	server: Disallow ServeConn usage after Shutdown	2021-02-24 19:25:52 -05:00
Adnan Maolood	2d7f28e152	Update examples/client.go	2021-02-24 19:21:31 -05:00
Adnan Maolood	1764e02d1e	Remove ResponseWriter.Close method	2021-02-24 19:00:09 -05:00
Adnan Maolood	1bc5c68c3f	response: Revert to using fields instead of methods	2021-02-24 18:50:40 -05:00
Adnan Maolood	867074d81b	examples/client: Fix display of response status	2021-02-24 16:16:42 -05:00
Adnan Maolood	1da23ba07b	Revert "Replace uses of ioutil with io" This reverts commit `48c67bcead`.	2021-02-24 14:45:57 -05:00
Adnan Maolood	cbfbeb6c22	Don't require Go 1.16	2021-02-24 14:29:29 -05:00
Adnan Maolood	c3418fdfed	Add missing import	2021-02-24 14:28:47 -05:00
Adnan Maolood	6181751e8d	Move mimetype registration to gemini.go	2021-02-24 14:27:49 -05:00
Adnan Maolood	48c67bcead	Replace uses of ioutil with io	2021-02-24 11:11:10 -05:00
Adnan Maolood	25f441f573	fs: Remove build constraint	2021-02-24 11:01:02 -05:00
Adnan Maolood	cb7879c966	Add NewResponse function	2021-02-24 10:48:17 -05:00
Adnan Maolood	19bfca1cc3	examples/server: Cancel context	2021-02-24 10:27:28 -05:00
Adnan Maolood	991b18d526	examples/server: Add logging middleware	2021-02-24 10:25:08 -05:00
Adnan Maolood	b66b287f94	ResponseWriter: Remove unexported method	2021-02-24 10:01:46 -05:00
Adnan Maolood	bd29d76f66	client: Fix copying of request	2021-02-24 09:48:23 -05:00
Adnan Maolood	1d20a6c3c8	examples/client: Use Response methods	2021-02-24 09:22:25 -05:00
Adnan Maolood	6f46b2fa47	examples/auth: Use Request.TLS method	2021-02-24 09:22:01 -05:00
Adnan Maolood	15385e3095	fs: Fix Go build constraint comment	2021-02-24 09:00:28 -05:00
Adnan Maolood	3101856afa	response: Move to methods	2021-02-24 08:43:57 -05:00
Adnan Maolood	094c16297b	server: Fix comment	2021-02-24 08:38:08 -05:00
Adnan Maolood	08f5ddd41a	TimeoutHandler: Mention returned error	2021-02-24 08:37:52 -05:00
Adnan Maolood	41c95add81	Add unexported method to timeout writer	2021-02-24 08:34:26 -05:00
Adnan Maolood	de339490f4	Move ResponseWriter Conn and TLS methods to Request	2021-02-24 08:24:49 -05:00
Adnan Maolood	b488146cc6	Remove ResponseWriter.Hijack method	2021-02-24 08:22:12 -05:00
Adnan Maolood	069b473c28	Implement TimeoutHandler by wrapping ResponseWriter	2021-02-24 08:18:23 -05:00
Kaleb Elwert	2c2d74bcb2	Only use fs.go when fs.FS is available	2021-02-24 07:41:53 -05:00
Adnan Maolood	3660698a4b	Make ResponseWriter an interface Make ResponseWriter an interface with an unexported method. Implementors must embed a ResponseWriter from elsewhere. This gives us the flexibility of an interface while allowing us to add new methods in the future.	2021-02-24 00:13:46 -05:00
Adnan Maolood	526d232ab0	Remove ErrHandlerTimeout	2021-02-23 22:15:19 -05:00
Adnan Maolood	f08efa330f	Move TimeoutHandler to handler.go	2021-02-23 22:12:04 -05:00
Adnan Maolood	310bd16344	Unexport NewResponseWriter	2021-02-23 22:02:47 -05:00
Adnan Maolood	9eae88f00c	Reimplement TimeoutHandler	2021-02-23 21:59:16 -05:00
Adnan Maolood	b386a9ba41	response: Change field names	2021-02-23 21:51:42 -05:00
Adnan Maolood	f28a63ff0c	Add ResponseWriter.Hijack method	2021-02-23 21:36:29 -05:00
Adnan Maolood	d35dd3d867	ResponseWriter: Add TLS and Conn methods	2021-02-23 20:59:04 -05:00
Adnan Maolood	75abb99518	request: Remove TLS and Conn methods	2021-02-23 20:57:53 -05:00
Adnan Maolood	e8d98ef4ec	Move I/O utilities to io.go	2021-02-23 20:49:55 -05:00
Adnan Maolood	a65c3c3d4f	Make ResponseWriter a struct Make ResponseWriter a struct again so that it can be extended in a backwards-compatible way.	2021-02-23 20:41:16 -05:00
Adnan Maolood	64f9381bbc	handler: Mention when the context is canceled	2021-02-23 19:01:12 -05:00
Adnan Maolood	a34cf6dd1b	handler: Mention ResponseWriter.Close method	2021-02-23 18:59:20 -05:00
Adnan Maolood	b3e8d9ccf3	client: Clarify usage of contexts	2021-02-23 18:56:18 -05:00
Adnan Maolood	a7c449a3cf	Use HandlerFunc to implement StatusHandler	2021-02-23 18:52:00 -05:00
Adnan Maolood	02bbedc330	Update documentation	2021-02-23 18:45:58 -05:00
Adnan Maolood	5cf936d304	Update documentation	2021-02-23 17:52:47 -05:00
Adnan Maolood	f1f933925c	Update examples/client.go	2021-02-23 17:52:34 -05:00
Adnan Maolood	e1c04ee605	Make Response an io.ReadCloser	2021-02-23 17:50:47 -05:00
Adnan Maolood	ae3fc2fc73	response: Add Close method	2021-02-23 17:32:23 -05:00
Adnan Maolood	311233a012	request: Fix documentation for TLS	2021-02-23 17:30:46 -05:00
Adnan Maolood	c688defefd	request: Add Conn and TLS methods	2021-02-23 17:29:50 -05:00
Adnan Maolood	83c904913f	response: Add Conn and TLS methods	2021-02-23 16:36:17 -05:00
Adnan Maolood	833edaf63d	server: Cancel context on IO errors	2021-02-23 16:06:57 -05:00
Adnan Maolood	d07e9d99d1	client: Move context handling to do	2021-02-23 16:01:29 -05:00
Adnan Maolood	31e16d5a4c	examples/client: Stream response body	2021-02-23 15:56:44 -05:00
Adnan Maolood	9974071657	client: Cancel context on IO errors Also close the connection when the context expires.	2021-02-23 15:52:47 -05:00
Adnan Maolood	09e3393e4c	examples/stream: Simplify	2021-02-23 15:31:41 -05:00
Adnan Maolood	1aa85d0683	timeout: Don't recover from panics	2021-02-23 15:30:44 -05:00
Adnan Maolood	62e22b4cf2	response: Remove TLS field	2021-02-23 15:29:27 -05:00
Adnan Maolood	eee7156b3a	Update documentation	2021-02-23 14:29:37 -05:00
Adnan Maolood	d8b5fa716a	client: Use present tense in documentation	2021-02-23 12:21:05 -05:00