Allow Puma to compile when built without SSL, load SSL files on demand #2305
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
name: No SSL | ||
|
||
on: [push, pull_request] | ||
|
||
jobs: | ||
build: | ||
name: >- | ||
${{ matrix.os }} ${{ matrix.ruby }} | ||
env: | ||
CI: true | ||
TESTOPTS: -v | ||
DISABLE_SSL: no_ssl | ||
|
||
runs-on: ${{ matrix.os }} | ||
if: | | ||
!( contains(github.event.pull_request.title, '[ci skip]') | ||
|| contains(github.event.pull_request.title, '[skip ci]') | ||
|| contains(github.event.head_commit.message, '[ci skip]') | ||
|| contains(github.event.head_commit.message, '[skip ci]')) | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
include: | ||
- { os: ubuntu-20.04, ruby: 2.7 } | ||
- { os: ubuntu-20.04, ruby: jruby } | ||
- { os: windows-2019, ruby: 2.7 } | ||
|
||
steps: | ||
- name: repo checkout | ||
uses: actions/checkout@v2 | ||
|
||
- name: load ruby, ragel | ||
uses: MSP-Greg/setup-ruby-pkgs@v1 | ||
with: | ||
ruby-version: ${{ matrix.ruby }} | ||
apt-get: ragel | ||
brew: ragel | ||
mingw: _upgrade_ openssl ragel | ||
|
||
# won't run on Ruby 2.2, see puma.yml | ||
- name: bundle install | ||
shell: pwsh | ||
run: bundle install --jobs 4 --retry 3 | ||
|
||
- name: compile | ||
run: bundle exec rake compile | ||
|
||
- name: test | ||
id: test | ||
timeout-minutes: 10 | ||
run: bundle exec rake test:all |
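Review bot: Both `uses:` steps pin their action by mutable tag (`actions/checkout@v2`, `MSP-Greg/setup-ruby-pkgs@v1`), so the code that runs in CI can change without any change to this file; pin each to a full commit SHA and keep the tag in a trailing comment. Separately, every matrix entry relies on `DISABLE_SSL: no_ssl`, and the Windows entry still installs `openssl` through `mingw:`, so this job covers only the "OpenSSL present but disabled" path; no visible step exercises a build on a system where the development files are absent. The `# won't run on Ruby 2.2` comment and the `brew: ragel` input have no matching matrix entry here and could be dropped.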
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -29,6 +29,18 @@ $ puma | |
Without arguments, puma will look for a rackup (.ru) file in | ||
working directory called `config.ru`. | ||
|
||
## SSL Connection Support | ||
|
||
Puma will install/compile with support for ssl sockets, assuming OpenSSL | ||
development files are installed on the system. | ||
|
||
If the system does not have OpenSSL development files installed, Puma will | ||
install/compile, but it will not allow ssl connections. | ||
|
||
If the system has OpenSSL development files installed, but you don't want Puma | ||
I feel like this is a little unclear. If you don't bind Puma to SSL, why should you need to use As written, this makes it sound like anyone using Puma w/o SSL must set
You don't have to, but 'If the system has OpenSSL development files', it will compile the SSL functions into
Didn't mean to imply that. Maybe a rephrasing is in order. I meant to make it clear that it's optional. But, I didn't say anything about benefits... BTW, thanks for reviewing.
Yeah I just ended up removing it. I think it's too confusing. Good feature to have but not one that needs explaining right in README.md. Thanks so much for your work on the test suite over the last 2 weeks Greg, it's so much better now. |
||
to use ssl connections, set ENV['DISABLE_SSL'] to any value before installing | ||
Puma. | ||
|
||
## Frameworks | ||
|
||
### Rails | ||
|
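Review bot: The last paragraph of the new section writes the switch as `ENV['DISABLE_SSL']`, which is Ruby syntax, while the variable has to be present in the installing shell's environment before the extension is compiled; say "set the `DISABLE_SSL` environment variable" and show the install command with it. The section should also state the consequence: per the binder change, a build without SSL raises "Puma compiled without SSL support" on an `ssl` bind rather than falling back to plain TCP, which is what an operator needs to know before choosing this option.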
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
package puma; | ||
|
||
import java.io.IOException; | ||
|
||
import org.jruby.Ruby; | ||
import org.jruby.runtime.load.BasicLibraryService; | ||
|
||
import org.jruby.puma.Http11; | ||
|
||
public class PumaHttp11Service implements BasicLibraryService { | ||
public boolean basicLoad(final Ruby runtime) throws IOException { | ||
Http11.createHttp11(runtime); | ||
return true; | ||
} | ||
} |
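Review bot: `basicLoad` registers only `Http11.createHttp11(runtime)` and the file carries no comment saying why, so a later reader cannot tell whether the absence of any SSL registration is deliberate. Add a class-level comment stating that this is the service variant for builds without SSL (if that is its role) and under which build condition it is selected.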
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,10 +5,16 @@ | |
|
||
require 'puma/const' | ||
require 'puma/util' | ||
require 'puma/minissl/context_builder' | ||
require 'puma/configuration' | ||
|
||
module Puma | ||
|
||
if HAS_SSL | ||
What's the purpose of moving these from the top of the file?
We could move it above and use This was an issue I was about to post a message about. Currently, if Puma successfully compiles with OpenSSL, it loads all the files. Should we make it so that it only loads the files if one binds to an ssl socket? That is trickier... |
||
require 'puma/minissl' | ||
require 'puma/minissl/context_builder' | ||
require 'puma/accept_nonblock' | ||
end | ||
|
||
class Binder | ||
include Puma::Const | ||
|
||
|
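Review bot: `if HAS_SSL` is evaluated at load time directly inside `module Puma`, but the hunk does not show where `HAS_SSL` is defined; if none of the requires above it (`puma/const`, `puma/util`, `puma/configuration`) sets the constant, loading this file raises NameError on every platform. Add a short comment naming the file that defines it. `require 'puma/minissl/context_builder'` also appears both in the top-level list and inside the guarded block; make sure only the guarded one remains, otherwise the builder is still loaded in a build without SSL.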
@@ -155,6 +161,9 @@ def parse(binds, logger, log_msg = 'Listening') | |
|
||
@listeners << [str, io] | ||
when "ssl" | ||
|
||
raise "Puma compiled without SSL support" unless HAS_SSL | ||
|
||
params = Util.parse_query uri.query | ||
ctx = MiniSSL::ContextBuilder.new(params, @events).context | ||
|
||
|
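Review bot: The guard in the `when "ssl"` branch fails closed, which is right, but it raises a bare string (a RuntimeError) that does not identify the bind that triggered it. Include the offending bind URI in the message, or raise a dedicated error class, so an operator with several binds can see which one needs changing and callers can rescue it specifically.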
@@ -245,9 +254,8 @@ def inherit_tcp_listener(host, port, fd) | |
|
||
def add_ssl_listener(host, port, ctx, | ||
optimize_for_latency=true, backlog=1024) | ||
require 'puma/minissl' | ||
|
||
MiniSSL.check | ||
raise "Puma compiled without SSL support" unless HAS_SSL | ||
|
||
if host == "localhost" | ||
loopback_addresses.each do |addr| | ||
|
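Review bot: In `add_ssl_listener`, if `MiniSSL.check` stays in the method it runs before `raise "Puma compiled without SSL support" unless HAS_SSL`; in a build where `puma/minissl` was never required, the `MiniSSL` constant would be undefined unless something else loads it, and the caller gets a NameError instead of the intended message. Make the `HAS_SSL` guard the first statement of the method.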
@@ -264,7 +272,6 @@ def add_ssl_listener(host, port, ctx, | |
s.setsockopt(Socket::SOL_SOCKET,Socket::SO_REUSEADDR, true) | ||
s.listen backlog | ||
|
||
|
||
ssl = MiniSSL::Server.new s, ctx | ||
env = @proto_env.dup | ||
env[HTTPS_KEY] = HTTPS | ||
|
@@ -275,8 +282,7 @@ def add_ssl_listener(host, port, ctx, | |
end | ||
|
||
def inherit_ssl_listener(fd, ctx) | ||
require 'puma/minissl' | ||
|
||
MiniSSL.check | ||
raise "Puma compiled without SSL support" unless HAS_SSL | ||
|
||
if fd.kind_of? TCPServer | ||
s = fd | ||
|
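Review bot: `inherit_ssl_listener` repeats the guard and message literal already used in `add_ssl_listener` and in `parse`; three hand-copied raises will drift apart. Move the check into one private helper on `Binder` and call it at the top of each SSL entry point, ahead of any reference to `MiniSSL`.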
It looks like for JRuby, for this to work, you need to have DISABLE_SSL set, but for MRI, you don't. Is that true?
Re MRI, I know how to uninstall 'openssl dev', and it works locally.
I don't know how to uninstall Java's equivalent of 'openssl dev'. For MRI systems, it's a separate install, I don't think that's the case with Java?
EDIT:
Sorry I wasn't clear.
Correct.
If you don't have 'openssl dev' installed, there is no need for ENV['DISABLE_SSL']. If it is installed, you need to set the ENV variable in shell to disable compiling with OpenSSL.