* [ANN] yahns 1.12.0 -_- sleepy app server for Ruby
@ 2016-02-14 22:37 6% Eric Wong
0 siblings, 0 replies; 2+ results
From: Eric Wong @ 2016-02-14 22:37 UTC (permalink / raw)
To: ruby-talk, yahns-public
A Free Software, multi-threaded, non-blocking network
application server designed for low _idle_ power consumption.
It is primarily optimized for applications with occasional users
which see little or no traffic. yahns currently hosts Rack/HTTP
applications, but may eventually support other application
types. Unlike some existing servers, yahns is extremely
sensitive to fatal bugs in the applications it hosts.
Changes:
yahns 1.12.0 - TLS fixes and more!
Most notably, serving static files over HTTPS did not work
before this release with the "sendfile" gem installed. The
yahns_config(5) manpage is also updated with an example for
using OpenSSL::SSL::SSLContext objects. Users of
Rack::Request#scheme and env['rack.url_scheme'] should see
"https" properly set for HTTPS connections.
There's also a bunch of internal tweaks like taking advantage of
the file-level frozen_string_literal: directive in 2.3 and
explicitly clearing short-lived string buffers
TLS support is still in its early stages, but I'm experimenting
with Let's Encrypt (via getssl[1]) and hosting https://YHBT.net/
on it.
For now, I suggest using a separate yahns instance (with a
different master process) to avoid any potential data leaks
between HTTPS and HTTP instances. In the future, it may be
possible to isolate HTTPS from HTTP at the worker process level.
Supporting GnuTLS (alongside OpenSSL) may be in our future, too.
To paraphrase the warning in http://www.postfix.org/TLS_README.html
(which was written before Heartbleed):
WARNING
By turning on TLS support in yahns, you not only get the
ability to encrypt traffic and to authenticate remote
clients. You also turn on thousands and thousands of
lines of OpenSSL library code. Assuming that OpenSSL is
written as carefully as Eric's own code, every 1000 lines
introduce one additional bug into yahns.
I'm not nearly as careful with yahns as Wietse is with postfix,
either.
20 changes since v1.11.0:
README: updates for kqueue
add .gitattributes for Ruby method detection
nodoc internals
enable frozen_string_literal for Ruby 2.3+
copyright updates for 2016
extras/exec_cgi: fix frozen string error on slow responses
avoid StringIO#binmode for the next few years
use String#clear for short-lived buffers we create
gemspec: make rack a development dependency
build: install-gem forced to "--local" domain
acceptor: all subclasses of TCPServer use TCP_INFO
properly emulate sendfile for OpenSSL sockets
avoid race conditions in OpenSSL::SSL::SSLContext#setup
set HTTPS and rack.url_scheme in Rack env as appropriate
proxy_pass: pass X-Forwarded-Proto through
doc: switch to perlpod (from pandoc-flavored Markdown)
doc: trim down documentation slightly
doc: document ssl_ctx for "listen" directive
doc: various doc and linkification improvements
http_context: reduce constant lookup + bytecode
[1] git clone https://github.com/srvrco/getssl.git
Please note the disclaimer:
yahns is extremely sensitive to fatal bugs in the apps it hosts. There
is no (and never will be) any built-in "watchdog"-type feature to kill
stuck processes/threads. Each yahns process may be handling thousands
of clients; unexpectedly killing the process will abort _all_ of those
connections. Lives may be lost!
yahns hackers are not responsible for your application/library bugs.
Use an application server which is tolerant of buggy applications
if you cannot be bothered to fix all your fatal bugs.
* git clone git://yhbt.net/yahns
* http://yahns.yhbt.net/README
* http://yahns.yhbt.net/NEWS.atom.xml
* we only accept plain-text email yahns-public@yhbt.net
* and archive all the mail we receive: http://yhbt.net/yahns-public/
* nntp://news.public-inbox.org/inbox.comp.lang.ruby.yahns
^ permalink raw reply [relevance 6%]
* [PATCH 4/3] set HTTPS and rack.url_scheme in Rack env as appropriate
@ 2016-02-12 4:05 14% ` Eric Wong
0 siblings, 0 replies; 2+ results
From: Eric Wong @ 2016-02-12 4:05 UTC (permalink / raw)
To: yahns-public
Eric Wong <e@80x24.org> wrote:
> Things like rack.url_scheme, SERVER_NAME, SERVER_PORT, etc...
> will all need to be set properly.
SERVER_NAME and SERVER_PORT will be set inside the unicorn HTTP
parser based on the value of the Host: header
-----------8<-----------
Subject: [PATCH] set HTTPS and rack.url_scheme in Rack env as appropriate
env['HTTPS'] is not documented in rack SPEC, but appears to be
used by Rack::Request since 2010[*]. Also, set rack.url_scheme
as documented by rack SPEC.
[*] - commit 4defbe5d7c07b3ba721ff34a8ff59fde480a4a9f
("Improves performance by lazy loading the session.")
---
lib/yahns/http_context.rb | 2 +-
lib/yahns/server.rb | 3 +++
test/test_ssl.rb | 43 +++++++++++++++++++++++++++++++++++--------
3 files changed, 39 insertions(+), 9 deletions(-)
diff --git a/lib/yahns/http_context.rb b/lib/yahns/http_context.rb
index 10be062..c02eefd 100644
--- a/lib/yahns/http_context.rb
+++ b/lib/yahns/http_context.rb
@@ -17,7 +17,7 @@ module Yahns::HttpContext # :nodoc:
attr_accessor :qegg
attr_accessor :queue # set right before spawning acceptors
attr_reader :app
- attr_reader :app_defaults
+ attr_accessor :app_defaults
attr_writer :input_buffer_tmpdir
attr_accessor :output_buffer_tmpdir
diff --git a/lib/yahns/server.rb b/lib/yahns/server.rb
index 09ddbef..d6a03f3 100644
--- a/lib/yahns/server.rb
+++ b/lib/yahns/server.rb
@@ -382,6 +382,9 @@ def fdmap_init
ctx.__send__(:include, l.expire_mod)
if ssl_ctx = opts[:ssl_ctx]
ctx.__send__(:include, Yahns::OpenSSLClient)
+ env = ctx.app_defaults = ctx.app_defaults.dup
+ env['HTTPS'] = 'on' # undocumented, but Rack::Request uses this
+ env['rack.url_scheme'] = 'https'
# call OpenSSL::SSL::SSLContext#setup explicitly here to detect
# errors and avoid race conditions. We avoid calling this in the
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index 172d8e4..fe7e09e 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -63,12 +63,21 @@ def srv_ctx
def test_ssl_basic
err, cfg, host, port = @err, Yahns::Config.new, @srv.addr[3], @srv.addr[1]
+ insecure = TCPServer.new(ENV["TEST_HOST"] || "127.0.0.1", 0)
ctx = srv_ctx
raw = File.read(__FILE__)
pid = mkserver(cfg) do
+ ENV["YAHNS_FD"] += ",#{insecure.fileno.to_s}"
cfg.instance_eval do
ru = lambda do |env|
- case env['PATH_INFO']
+ case path_info = env['PATH_INFO']
+ when '/rack.url_scheme', '/HTTPS'
+ s = env[path_info[1..-1]] # remove leading slash
+ s = s.inspect if s.nil?
+ [ 200, {
+ 'Content-Length' => s.bytesize.to_s,
+ 'Content-Type'=>'text/plain',
+ }, [ s ] ]
when '/static'
f = File.open(__FILE__)
[ 200, {
@@ -80,19 +89,36 @@ def test_ssl_basic
[ 200, {'Content-Length'=>'2'}, ['HI'] ]
end
end
- app(:rack, ru) { listen "#{host}:#{port}", ssl_ctx: ctx }
+ app(:rack, ru) {
+ listen "#{host}:#{port}", ssl_ctx: ctx
+ listen "#{insecure.addr[3]}:#{insecure.addr[1]}"
+ }
logger(Logger.new(err.path))
end
end
client = ssl_client(host, port)
- client.write("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
buf = ''.dup
- Timeout.timeout(60) do
- buf << client.readpartial(111) until buf =~ /HI\z/
+ { '/' => 'HI',
+ '/rack.url_scheme' => 'https',
+ '/HTTPS' => 'on'
+ }.each do |path, exp|
+ client.write("GET #{path} HTTP/1.1\r\nHost: example.com\r\n\r\n")
+ buf.clear
+ re = /#{Regexp.escape(exp)}\z/
+ Timeout.timeout(60) do
+ buf << client.readpartial(111) until buf =~ re
+ end
+ head, body = buf.split("\r\n\r\n", 2)
+ assert_equal exp, body
+ assert_match %r{\AHTTP/1\.\d 200 OK\r\n}, head
+ end
+
+ Net::HTTP.start(insecure.addr[3], insecure.addr[1]) do |h|
+ res = h.get('/rack.url_scheme')
+ assert_equal 'http', res.body
+ res = h.get('/HTTPS')
+ assert_equal 'nil', res.body
end
- head, body = buf.split("\r\n\r\n", 2)
- assert_equal "HI", body
- assert_match %r{\AHTTP/1\.\d 200 OK\r\n}, head
# read static file
client.write("GET /static HTTP/1.1\r\nHost: example.com\r\n\r\n")
@@ -109,6 +135,7 @@ def test_ssl_basic
assert_equal "HI", body
assert_match %r{\AHTTP/1\.\d 200 OK\r\n}, head
ensure
+ insecure.close if insecure
client.close if client
quit_wait(pid)
end
--
EW
^ permalink raw reply related [relevance 14%]
Results 1-2 of 2 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2016-02-12 1:47 [PATCH 0/3] TLS fixes Eric Wong
2016-02-12 4:05 14% ` [PATCH 4/3] set HTTPS and rack.url_scheme in Rack env as appropriate Eric Wong
2016-02-14 22:37 6% [ANN] yahns 1.12.0 -_- sleepy app server for Ruby Eric Wong
Code repositories for project(s) associated with this public inbox
https://yhbt.net/yahns.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).