Date | Commit message (Collapse) |
|
The current CA model and code quality of OpenSSL have long put me off
from supporting TLS; however but efforts such as "Let's Encrypt"
and the fallout from Heartbleed give me hope for the future.
This implements, as much as possible, a "hands-off" approach to TLS
support via OpenSSL. This implementation allows us to shift
responsibility away from us to users and upstreams (the Ruby 'openssl'
extension maintainers, software packagers, and OpenSSL project itself).
This is also perhaps the easiest way for now for us, while being most
powerful for users. It requires users to configure their own OpenSSL
context object which we'll use as-is.
This context object is used as the :ssl_ctx parameter to the "listen"
directive in the yahns configuration file:
require 'openssl' # we will not do this for the user, even
ctx = OpenSSL::SSL::SSLContext.new
# user must configure ctx here...
listen 443, ssl_ctx: ctx
This way, in case we support GnuTLS or other TLS libraries, there'll
be less confusion as to what a user is actually using.
Note: this feature requires Ruby 2.1 and later for non-kgio
{read,write}_nonblock(.. exception: false) support.
|
|
No need to waste space on this (and trigger "Bad partial
reference!" warnings on lynx)
|
|
This test is less reliable when there are multiple workers as the
second worker may not be ready to detect a dead parent.
This is still a possible race if the master dies very quicklly
before a worker is fully setup.
|
|
Followup-to commit ade89b5142bedbcf07f38aa062bfdbfcb8bc48d3
("wbuf: hack to avoid response corruption on FreeBSD")
It seems that we cannot test wbuf internals reliably outside of
Linux, however as long as the end result (via HTTP) is unchanged
on other OSes, we seem to be doing OK.
|
|
GC will close redundantly and lead to EBADF when finalizing. This was
probably harmless as the original IO objects remained marked; but do
not count on it. Seeing EBADF in a MT process is a very bad sign
(inadvertant information disclosure is only one race condition away).
Fortunately, this bug was limited to our test suite :)
|
|
There's a feature request for better coverage support in ruby-trunk
https://bugs.ruby-lang.org/issues/9508
At minimum, we need to preserve compatibility; but we should set
aside time to take advantage of the extra coverage support.
|
|
|
|
TCP socket timing is too varied over different OSes, Unix sockets
seem to test more reliably than TCP ones on my Debian GNU/kFreeBSD
system.
|
|
Not all TCP stacks behave the same with timing-sensitive tests.
Fortunately these timing differences aren't very critical over real
networks.
|
|
We may unnecessarily drop persistent connections from this bug,
and we had an incorrect assertion in our unit test, even.
|
|
We must not cork response headers when the response body is empty,
otherwise those headers will be delayed by 200ms.
|
|
If Content-Length is known, try to save some bandwidth by
corking the headers until the body is sendable. This allows
us to avoid sending an extra packet for small HTTP responses.
This allows high-performance websites like YHBT.net to be served
faster!
|
|
ab(1) is less common than our other dependencies, so allow tests
to run without it.
|
|
Leave that up to Rack::Chunked/Rack::ContentLength.
Chunking ourselves interacts badly with Rack::Deflater, since
Deflater will blindly deflate already-chunked portions.
|
|
Some attackers may try /path/to/file/foo where /path/to/file
is actually a valid path to a regular file. Of course, requests
like this work on dynamic websites, but not static file mappings
because Unix directories and files cannot be the same thing.
|
|
ref: https://github.com/rubinius/rubinius/issues/2772
|
|
This was failing under Rubinius and not necessary after all
ref: https://github.com/rubysl/rubysl-io-wait/issues/2
|
|
Following our own advice in
commit a79a6d8775171ad5cceda9bb3a77946ba60e26ce
(doc: recommend worker_processes if the app uses SIGCHLD)
|
|
We can use the wbuf_close return value instead to ensure we close
tmpio properly and follow the same code path as a normal
(:wait_writable-triggering) buffered response would.
Add a few tests to ensure we properly close the response body
for exec_cgi, where I noticed zombies and started me down this
rabbit hole looking for places where the response body was not
closed properly.
|
|
Unlike Rack::Directory, this this also avoids tables and CSS for
preformatted HTML. This is meant to resemble nginx autoindex
and index functionality (combined).
|
|
We allow applications to drop persistent connections, this does not
seem forbidden by Rack and gives the app author some control over
the lifetime of a connection.
|
|
These applications are what I'll be using to run on yahns on
my personal server.
Including them here will be helpful for me to find bugs. I've
already found some, the following commits were directly the result
of playing with these extras:
* stream_file: only close FDs we opened ourselves
* worker-less server should not waitpid indiscriminately
* http: do not drop Content-Range from response headers
|
|
This was triggering OOM on my 32-bit machine.
|
|
We parse and use Content-Range, but do not drop it when sending
a response since that would confuse clients.
|
|
When running a static file server, we must account for filesystem
activity outside of our control where files may grow/shrink as
they're being served.
For truncated files, we must abort any persistent connections
downloading a truncated file to avoid confusing clients because
the Content-Length header was already set to the big value.
We also must ensure (we already did so before this commit,
this just adds a test for it) we do not send additional data
when a file grows on us after we've started sending the response.
|
|
We didn't cover this before.
|
|
Increase scans of log files and use shorter sleep intervals
to get faster notification of successful timeout.
|
|
This allows users to specify alternative temporary directories
in case buffers get too large for one filesystem to handle or
to give priority to some clients on certain ports.
|
|
Sometimes buffering can catch up and we no longer need to
use the on-disk buffer, so keep trying to flush the data
out to the user to avoid VFS activity.
|
|
This should speed up our tests a little while removing the
dependency on md5sum(1) from coreutils.
|
|
Some users may care to have sub-second or fractional timeouts for
various reasons. Do not reject those values to be consistent with
Ruby sleep/select.
|
|
This should allow users to more-easily enable/disable apps
and their dependent atfork_* hooks.
|
|
It's usually given as a block, so Ruby won't care about arity there.
Users will get the worker ID number as the first arg, making it
possible to isolate some things to certain processes (e.g. for A/B
testing).
|
|
This allows modifying the command-line (as an array) passed to
Kernel#exec, as well as running anything necessary.
|
|
Otherwise, the server may stay running forever if a client chooses
to stay forever (and there is no FD pressure).
|
|
We need to account for the directory change since yahns may lazily
require some files. GTL is also not needed inside a child process.
|
|
Different instances/ports of apps may want to point error
output elsewhere.
|
|
Hopefully saves us from running out of FDs when doing parallel
tests.
|
|
This is often forgotten, and we need to make a tweak to the
coverage generator to dump correctly.
|
|
These are implemented trivially and based on working code, but test
them anyways.
|
|
This should prevent us from introducing bugs into some otherwise
rarely-tested code.
|
|
This is probably not needed and just adds contention, but it makes
experimenting easier.
While we're at it, validate minimum values of for sndbuf/rcvbuf
along with this new threads value, too.
|
|
This allows us to avoid some FD leakage and waste of
memory allocations.
|
|
We need to be able to resume hijacking if gigantic HTTP headers are
buffered on the response.
|
|
While we're at it, add some additional tests for input handling.
|
|
We may also return HTTP 408 errors in this case.
|
|
This was documented (incorrectly) and not implemented for either
the master/worker or single process cases. Implement and test
all (with mocks, so not fully-tested).
|
|
We do not want users to use the default queue unless an app
context requires it. We also do not want to spin up the default
queue unless we are sure we have app contexts using it (and
not private/anonymous queues).
|
|
We may end up buffering on headers and hitting EMFILE/ENFILE this
way, too. We need to figure out a way to recover from this.
|
|
We'll hit SIGCHLD if our reexec process fails on us, so the
non-MP server must handle it, too. We discovered this bug
while porting the PID file renaming changes from unicorn.
|