RubyGems - durable_streams-rails - Versions diffs - 0.5.2 → 0.6.0 - Mend

durable_streams-rails 0.5.2 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/README.md +82 -0
data/lib/durable_streams/rails/server_config.rb +54 -4
data/lib/durable_streams/rails/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79f28df832bb82db8fe2c8bf0204cf5c6ffededd6755c153d2a00aba4ec7f611
-  data.tar.gz: 698ea2440a5422124be37cb82ee2f988ad2e34dd008c702943f30d60797b0510
+  metadata.gz: 7536abdf74ca0e1333cc080be34b9007965a698c79c8f6275d5062a20e1cba9a
+  data.tar.gz: 4b6a41ec2819f411f2f8b4fe7da3682fa93aaf31553d056d688c8456ce7005ed
 SHA512:
-  metadata.gz: 407c2bcb96115a2b19207a3a10d99992b09daa273a39c935ce87adde911df3bc38c7be8b5e5ad409d6313c366ad74607ad9abe3a32eee62a6acfb4b95ce5afd3
-  data.tar.gz: 4c91ddfb552668d981f16c355876daa08c616ed42988f4eea157f1848af5b386eb9a93ace96def84a25c7abc9582e3e7d04b24e053b5146e2d15498ec5b95d5a
+  metadata.gz: 5f63473d9d5239b786233367f1d47e404646f57c89baf78854ae1bf84cafef0ea7e0e678e7bfa423b1259d8642dd7523096eee893245c2a286489a9484cffed9
+  data.tar.gz: 5740d145eba781c339e451fa6d15767064d5140e852ee61be435d618c9f6ff5dc71dbc6876f3f15ee44288243962893158659627baacbbf3f1173491fe40748a

data/README.md CHANGED Viewed

@@ -83,6 +83,88 @@ production:
     data_dir: /var/data/durable-streams
 ```
+### Multi-server with internal listener
+In production, you typically want browsers to reach the stream server through a CDN
+(`client_url`), but Rails broadcasts should go directly over the private network
+(`server_url`). The `internal` option adds a plain HTTP listener for server-to-server
+traffic:
+```yaml
+production:
+  domain: streams.example.com
+  tls:
+    cert: /etc/caddy/certs/cert.pem
+    key: /etc/caddy/certs/key.pem
+  internal:
+    port: 4437
+    bind: 10.0.0.5              # Only listen on the private interface.
+    allowed_ips:                 # Caddy remote_ip matcher — 403 for everyone else.
+      - 10.0.0.4
+  auth:
+    url: https://10.0.0.4       # Connect to Rails over private VNET.
+    host: app.example.com       # Host header + TLS SNI for the Kamal proxy.
+    path: /durable_streams/auth/verify
+    copy_headers:
+      - Cookie
+      - Authorization
+  storage:
+    data_dir: /data/streams
+```
+When `auth.host` is set and the URL is HTTPS, the generated Caddyfile adds
+`header_up Host`, `tls_server_name`, and `tls_insecure_skip_verify` to the auth
+reverse proxy — same pattern as the internal listener's loopback connection. Use this
+when the auth URL is an internal IP and the Kamal proxy routes by Host header.
+#### Request flow
+A server-to-server write (e.g., Rails broadcasting a message) follows this path:
+```
+Rails (10.0.0.4)
+  │
+  │  PUT http://10.0.0.5:4437/v1/streams/{name}
+  │  (plain HTTP over private VNET — no TLS, no CDN)
+  │
+  ▼
+:4437 listener (Caddy on 10.0.0.5)
+  │
+  │  1. remote_ip check: is it 10.0.0.4? → proceed (otherwise 403)
+  │
+  │  2. reverse_proxy to https://127.0.0.1:443
+  │     Caddy connects to itself over loopback TLS:
+  │
+  │     header_up Host streams.example.com
+  │       → Host header so :443 matches the right server block
+  │
+  │     tls_server_name streams.example.com
+  │       → SNI in the TLS ClientHello so Caddy selects the right cert
+  │
+  │     tls_insecure_skip_verify
+  │       → Skip cert verification (origin certs aren't in the system
+  │         trust store; safe on loopback — nothing to MITM)
+  │
+  ▼
+streams.example.com :443 listener (same Caddy process)
+  │
+  │  reverse_proxy → app.example.com (validates Bearer token) - this is "forward_auth" expanded
+  │  durable_streams → writes to bbolt store
+  │
+  ▼
+Response flows back up the chain to Rails
+```
+Client reads (browsers) go directly to `streams.example.com:443` through the CDN,
+bypassing the internal listener entirely.
+#### Why reverse_proxy instead of a second `durable_streams`?
+The stream storage engine (bbolt) is single-writer — two handler instances can't open
+the same database file. The second one deadlocks waiting for the write lock. The
+internal listener avoids this by proxying to the main listener over loopback, so only
+one `durable_streams` handler exists process-wide.
 Power users can bypass the YAML entirely:
 ```bash

data/lib/durable_streams/rails/server_config.rb CHANGED Viewed

@@ -36,7 +36,15 @@ module DurableStreams
         <%- end -%>
         	@allowed remote_ip <%= internal_allowed_ips.join(" ") %>
         	handle @allowed {
-        <%= route_block(indent: 2) %>
+        		reverse_proxy <%= upstream_address %> {
+        <%- if upstream_tls? -%>
+        			header_up Host <%= domain %>
+        			transport http {
+        				tls_server_name <%= domain %>
+        				tls_insecure_skip_verify
+        			}
+        <%- end -%>
+        		}
         	}
         	respond 403
         }
@@ -110,9 +118,27 @@ module DurableStreams
           t = "\t" * indent
           lines = []
           lines << "#{t}route #{route_path} {"
-          lines << "#{t}\tforward_auth #{auth["url"]} {"
-          lines << "#{t}\t\turi #{auth["path"]}"
-          copy_headers.each { |h| lines << "#{t}\t\tcopy_headers #{h}" }
+          lines << "#{t}\t# Forward auth — verify request with Rails before reaching durable_streams"
+          lines << "#{t}\treverse_proxy #{auth["url"]} {"
+          lines << "#{t}\t\tmethod GET"
+          lines << "#{t}\t\trewrite #{auth["path"]}"
+          lines << "#{t}\t\theader_up Host #{auth_host}" if auth_host
+          lines << "#{t}\t\theader_up X-Forwarded-Method {method}"
+          lines << "#{t}\t\theader_up X-Forwarded-Uri {uri}"
+          if auth_tls_transport?
+            lines << "#{t}\t\ttransport http {"
+            lines << "#{t}\t\t\ttls_server_name #{auth_host}"
+            lines << "#{t}\t\t\ttls_insecure_skip_verify"
+            lines << "#{t}\t\t}"
+          end
+          lines << ""
+          lines << "#{t}\t\t@ok status 200"
+          lines << "#{t}\t\thandle_response @ok {"
+          copy_headers.each { |h| lines << "#{t}\t\t\trequest_header #{h} {rp.header.#{h}}" }
+          lines << "#{t}\t\t}"
+          lines << "#{t}\t\thandle_response {"
+          lines << "#{t}\t\t\trespond 401"
+          lines << "#{t}\t\t}"
           lines << "#{t}\t}"
           directives = storage_directives
@@ -140,6 +166,14 @@ module DurableStreams
           auth.fetch("copy_headers", [ "Cookie" ])
         end
+        def auth_host
+          auth["host"]
+        end
+        def auth_tls_transport?
+          auth_host && auth["url"].start_with?("https://")
+        end
         def storage_directives
           storage = @config.fetch("storage", {})
           STORAGE_DIRECTIVES.filter_map { |key| "#{key} #{storage[key]}" if storage[key] }
@@ -152,6 +186,22 @@ module DurableStreams
         def internal_allowed_ips
           internal&.dig("allowed_ips")
         end
+        def upstream_address
+          if upstream_tls?
+            "https://127.0.0.1:443"
+          else
+            "http://127.0.0.1:#{@config.fetch("port", 4437)}"
+          end
+        end
+        def upstream_tls?
+          tls_config || auto_https?
+        end
+        def domain
+          @config["domain"]
+        end
     end
   end
 end

data/lib/durable_streams/rails/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module DurableStreams
   module Rails
-    VERSION = "0.5.2"
+    VERSION = "0.6.0"
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: durable_streams-rails
 version: !ruby/object:Gem::Version
-  version: 0.5.2
+  version: 0.6.0
 platform: ruby
 authors:
 - tokimonki