itsi-server 0.1.1 → 0.1.11

data/ext/itsi_server/src/server/tls.rs

@@ -1,20 +1,115 @@
 use base64::{engine::general_purpose, Engine as _};
 use itsi_error::Result;
-use itsi_tracing::{info, warn};
-use rcgen::{CertificateParams, DnType, KeyPair, SanType};
+use itsi_tracing::info;
+use locked_dir_cache::LockedDirCache;
+use rcgen::{
+    generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
+};
+use rustls::{
+    pki_types::{CertificateDer, PrivateKeyDer},
+    ClientConfig, RootCertStore,
+};
 use rustls_pemfile::{certs, pkcs8_private_keys};
-use std::{collections::HashMap, fs, io::BufReader};
-use tokio_rustls::rustls::{Certificate, PrivateKey, ServerConfig};
-
-const ITS_CA_CERT: &str = include_str!("./itsi_ca/itsi_ca.crt");
-const ITS_CA_KEY: &str = include_str!("./itsi_ca/itsi_ca.key");
-
-// Generates a TLS configuration based on either :
-// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
-// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
-// If a non-local host or optional domain parameter is provided,
-// an automated certificate will attempt to be fetched using let's encrypt.
-pub fn configure_tls(host: &str, query_params: &HashMap<String, String>) -> Result<ServerConfig> {
+use std::{
+    collections::HashMap,
+    fs,
+    io::{BufReader, Error},
+    sync::Arc,
+};
+use tokio::sync::Mutex;
+use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
+use tokio_rustls_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
+
+use crate::env::{
+    ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
+    ITSI_LOCAL_CA_DIR,
+};
+mod locked_dir_cache;
+
+#[derive(Clone)]
+pub enum ItsiTlsAcceptor {
+    Manual(TlsAcceptor),
+    Automatic(
+        AcmeAcceptor,
+        Arc<Mutex<AcmeState<Error>>>,
+        Arc<ServerConfig>,
+    ),
+}
+
+/// Generates a TLS configuration based on either :
+/// * Input "cert" and "key" options (either paths or Base64-encoded strings) or
+/// * Performs automatic certificate generation/retrieval. Generated certs use an internal self-signed Isti CA.
+///
+/// If a non-local host or optional domain parameter is provided,
+/// an automated certificate will attempt to be fetched using let's encrypt.
+pub fn configure_tls(
+    host: &str,
+    query_params: &HashMap<String, String>,
+) -> Result<ItsiTlsAcceptor> {
+    let domains = query_params
+        .get("domains")
+        .map(|v| v.split(',').map(String::from).collect::<Vec<_>>())
+        .or_else(|| query_params.get("domain").map(|v| vec![v.to_string()]));
+
+    if query_params.get("cert").is_some_and(|c| c == "acme") {
+        if let Some(domains) = domains {
+            let directory_url = &*ITSI_ACME_DIRECTORY_URL;
+            info!(
+                domains = format!("{:?}", domains),
+                directory_url, "Requesting acme cert"
+            );
+            let acme_contact_email = query_params
+                .get("acme_email")
+                .map(|s| s.to_string())
+                .or_else(|| (*ITSI_ACME_CONTACT_EMAIL).as_ref().ok().map(|s| s.to_string()))
+                .ok_or_else(|| itsi_error::ItsiError::ArgumentError(
+                    "acme_email query param or ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate let's encrypt certificates".to_string(),
+                ))?;
+
+            let acme_config = AcmeConfig::new(domains)
+                .contact([format!("mailto:{}", acme_contact_email)])
+                .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
+                .directory(directory_url);
+
+            let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
+                let mut root_cert_store = RootCertStore::empty();
+
+                let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
+                let mut ca_reader = BufReader::new(&ca_pem[..]);
+                let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
+                    .collect::<std::result::Result<Vec<CertificateDer>, _>>()
+                    .map_err(|e| {
+                        itsi_error::ItsiError::ArgumentError(format!(
+                            "Invalid ACME CA Pem path {:?}",
+                            e
+                        ))
+                    })?;
+                root_cert_store.add_parsable_certificates(der_certs);
+
+                let client_config = ClientConfig::builder()
+                    .with_root_certificates(root_cert_store)
+                    .with_no_client_auth();
+                acme_config
+                    .client_tls_config(Arc::new(client_config))
+                    .state()
+            } else {
+                acme_config.state()
+            };
+
+            let mut rustls_config = ServerConfig::builder()
+                .with_no_client_auth()
+                .with_cert_resolver(acme_state.resolver());
+
+            rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+
+            let acceptor = acme_state.acceptor();
+            return Ok(ItsiTlsAcceptor::Automatic(
+                acceptor,
+                Arc::new(Mutex::new(acme_state)),
+                Arc::new(rustls_config),
+            ));
+        }
+    }
     let (certs, key) = if let (Some(cert_path), Some(key_path)) =
         (query_params.get("cert"), query_params.get("key"))
     {
@@ -22,41 +117,20 @@ pub fn configure_tls(host: &str, query_params: &HashMap<String, String>) -> Resu
         let certs = load_certs(cert_path);
         let key = load_private_key(key_path);
         (certs, key)
-    } else if query_params
-        .get("cert")
-        .map(|v| v == "auto")
-        .unwrap_or(false)
-    {
-        let domain_param = query_params.get("domain");
-        let host_string = host.to_string();
-        let domain = domain_param.or_else(|| {
-            if host_string != "localhost" {
-                Some(&host_string)
-            } else {
-                None
-            }
-        });
-
-        if let Some(domain) = domain {
-            retrieve_acme_cert(domain)?
-        } else {
-            generate_ca_signed_cert(host)?
-        }
     } else {
-        generate_ca_signed_cert(host)?
+        generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
     };
 
     let mut config = ServerConfig::builder()
-        .with_safe_defaults()
         .with_no_client_auth()
         .with_single_cert(certs, key)
         .expect("Failed to build TLS config");
 
     config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
-    Ok(config)
+    Ok(ItsiTlsAcceptor::Manual(TlsAcceptor::from(Arc::new(config))))
 }
 
-pub fn load_certs(path: &str) -> Vec<Certificate> {
+pub fn load_certs(path: &str) -> Vec<CertificateDer<'static>> {
     let data = if let Some(stripped) = path.strip_prefix("base64:") {
         general_purpose::STANDARD
             .decode(stripped)
@@ -74,14 +148,20 @@ pub fn load_certs(path: &str) -> Vec<Certificate> {
             })
             .collect::<Result<_>>()
             .expect("Failed to parse certificate file");
-        certs_der.into_iter().map(Certificate).collect()
+        certs_der
+            .into_iter()
+            .map(|vec| {
+                // Convert the owned Vec<u8> into a CertificateDer and force 'static.
+                unsafe { std::mem::transmute(CertificateDer::from(vec)) }
+            })
+            .collect()
     } else {
-        vec![Certificate(data)]
+        vec![CertificateDer::from(data)]
     }
 }
 
 /// Loads a private key from a file or Base64.
-pub fn load_private_key(path: &str) -> PrivateKey {
+pub fn load_private_key(path: &str) -> PrivateKeyDer<'static> {
     let key_data = if let Some(stripped) = path.strip_prefix("base64:") {
         general_purpose::STANDARD
             .decode(stripped)
@@ -100,39 +180,86 @@ pub fn load_private_key(path: &str) -> PrivateKey {
             .collect::<Result<_>>()
             .expect("Failed to parse private key");
         if !keys.is_empty() {
-            return PrivateKey(keys[0].clone());
+            return PrivateKeyDer::try_from(keys[0].clone()).unwrap();
         }
     }
-    PrivateKey(key_data)
+    PrivateKeyDer::try_from(key_data).unwrap()
 }
 
-pub fn generate_ca_signed_cert(domain: &str) -> Result<(Vec<Certificate>, PrivateKey)> {
-    info!("Generating New Itsi CA - Self signed Certificate. Use `itsi ca export` to export the CA certificate for import into your local trust store.");
+pub fn generate_ca_signed_cert(
+    domains: Vec<String>,
+) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> {
+    info!(
+        domains = format!("{}", domains.join(", ")),
+        "Self signed cert",
+    );
+    info!(
+        "Add {} to your system's trusted cert store to resolve certificate errors.",
+        format!("{}/itsi_dev_ca.crt", ITSI_LOCAL_CA_DIR.to_str().unwrap())
+    );
+    info!("Dev CA path can be overridden by setting env var: `ITSI_LOCAL_CA_DIR`.");
+    let (ca_key_pem, ca_cert_pem) = get_or_create_local_dev_ca()?;
 
-    let ca_kp = KeyPair::from_pem(ITS_CA_KEY).unwrap();
-    let params = CertificateParams::from_ca_cert_pem(ITS_CA_CERT).unwrap();
+    let ca_kp = KeyPair::from_pem(&ca_key_pem).expect("Failed to load CA key");
+    let ca_cert = CertificateParams::from_ca_cert_pem(&ca_cert_pem)
+        .expect("Failed to parse embedded CA certificate")
+        .self_signed(&ca_kp)
+        .expect("Failed to self-sign embedded CA cert");
 
-    let ca_cert = params.self_signed(&ca_kp).unwrap();
-    let ee_key = KeyPair::generate().unwrap();
+    let ee_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
     let mut ee_params = CertificateParams::default();
 
-    // Set the domain in the subject alternative names (SAN)
-    ee_params.subject_alt_names = vec![SanType::DnsName(domain.try_into()?)];
-    // Optionally, set the Common Name (CN) in the distinguished name:
+    use std::net::IpAddr;
+
+    ee_params.subject_alt_names = domains
+        .iter()
+        .map(|domain| {
+            if let Ok(ip) = domain.parse::<IpAddr>() {
+                SanType::IpAddress(ip)
+            } else {
+                SanType::DnsName(domain.clone().try_into().unwrap())
+            }
+        })
+        .collect();
+
     ee_params
         .distinguished_name
-        .push(DnType::CommonName, domain);
+        .push(DnType::CommonName, domains[0].clone());
 
     ee_params.use_authority_key_identifier_extension = true;
 
-    let ee_cert = ee_params.signed_by(&ee_key, &ca_cert, &ee_key).unwrap();
+    let ee_cert = ee_params.signed_by(&ee_key, &ca_cert, &ca_kp).unwrap();
     let ee_cert_der = ee_cert.der().to_vec();
-    let ee_cert = Certificate(ee_cert_der);
-    Ok((vec![ee_cert], PrivateKey(ee_key.serialize_der())))
+    let ee_cert = CertificateDer::from(ee_cert_der);
+    let ca_cert = CertificateDer::from(ca_cert.der().to_vec());
+    Ok((
+        vec![ee_cert, ca_cert],
+        PrivateKeyDer::try_from(ee_key.serialize_der()).unwrap(),
+    ))
 }
 
-/// Retrieves an ACME certificate for a given domain.
-pub fn retrieve_acme_cert(domain: &str) -> Result<(Vec<Certificate>, PrivateKey)> {
-    warn!("Retrieving ACME cert for {}", domain);
-    generate_ca_signed_cert(domain)
+fn get_or_create_local_dev_ca() -> Result<(String, String)> {
+    let ca_dir = &*ITSI_LOCAL_CA_DIR;
+    fs::create_dir_all(ca_dir)?;
+
+    let key_path = ca_dir.join("itsi_dev_ca.key");
+    let cert_path = ca_dir.join("itsi_dev_ca.crt");
+
+    if key_path.exists() && cert_path.exists() {
+        // Already have a local CA
+        let key_pem = fs::read_to_string(&key_path)?;
+        let cert_pem = fs::read_to_string(&cert_path)?;
+
+        Ok((key_pem, cert_pem))
+    } else {
+        let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
+
+        let CertifiedKey { cert, key_pair } =
+            generate_simple_self_signed(subject_alt_names).unwrap();
+
+        fs::write(&key_path, key_pair.serialize_pem())?;
+        fs::write(&cert_path, cert.pem())?;
+
+        Ok((key_pair.serialize_pem(), cert.pem()))
+    }
 }

data/ext/itsi_tracing/Cargo.toml

@@ -9,4 +9,8 @@ tracing-subscriber = { version = "0.3.19", features = [
   "env-filter",
   "std",
   "fmt",
+  "json",
+  "ansi",
 ] }
+tracing-attributes = "0.1"
+atty = "0.2.14"

data/ext/itsi_tracing/src/lib.rs

@@ -1,11 +1,58 @@
+use std::env;
+
+use atty::{Stream, is};
+use tracing::level_filters::LevelFilter;
 pub use tracing::{debug, error, info, trace, warn};
-use tracing_subscriber::{EnvFilter, fmt};
+pub use tracing_attributes::instrument; // Explicitly export from tracing-attributes
+use tracing_subscriber::{
+    EnvFilter, Layer,
+    fmt::{self, format},
+    layer::SubscriberExt,
+};
 
+#[instrument]
 pub fn init() {
-    let env_filter = EnvFilter::try_from_default_env().unwrap_or_else(|_| EnvFilter::new("info"));
-    let format = fmt::format().with_level(true).with_target(false).compact();
-    tracing_subscriber::fmt()
-        .with_env_filter(env_filter)
+    let env_filter = EnvFilter::builder()
+        .with_env_var("ITSI_LOG")
+        .try_from_env()
+        .unwrap_or_else(|_| EnvFilter::new("info"));
+
+    let format = fmt::format()
+        .compact()
+        .with_file(false)
+        .with_level(true)
+        .with_line_number(false)
+        .with_source_location(false)
+        .with_target(false)
+        .with_thread_ids(false);
+
+    let is_tty = is(Stream::Stdout);
+
+    let subscriber = tracing_subscriber::fmt()
         .event_format(format)
-        .init();
+        .with_env_filter(env_filter);
+
+    if (is_tty && env::var("ITSI_LOG_PLAIN").is_err()) || env::var("ITSI_LOG_ANSI").is_ok() {
+        subscriber.with_ansi(true).init();
+    } else {
+        subscriber
+            .fmt_fields(format::JsonFields::default())
+            .event_format(fmt::format().json())
+            .init();
+    }
+}
+
+pub fn run_silently<F, R>(f: F) -> R
+where
+    F: FnOnce() -> R,
+{
+    // Build a minimal subscriber that filters *everything* out
+    let no_op_subscriber =
+        tracing_subscriber::registry().with(fmt::layer().with_filter(LevelFilter::OFF));
+
+    // Turn that subscriber into a `Dispatch`
+    let no_op_dispatch = tracing::dispatcher::Dispatch::new(no_op_subscriber);
+
+    // Temporarily set `no_op_dispatch` as the *default* within this closure
+    tracing::dispatcher::with_default(&no_op_dispatch, f)
 }

data/lib/itsi/index.html

@@ -0,0 +1,91 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <title>Itsi - Default</title>
+  <style>
+    * {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+    body {
+      font-family: "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+      background-color: #f4f4f4;
+      color: #333;
+      line-height: 1.6;
+    }
+    .container {
+      max-width: 700px;
+      margin: 3rem auto;
+      background: #fff;
+      border-radius: 8px;
+      box-shadow: 0 2px 6px rgba(0, 0, 0, 0.1);
+      padding: 2rem;
+    }
+    h1 {
+      font-size: 1.8rem;
+      margin-bottom: 1rem;
+      text-align: center;
+      color: #444;
+    }
+    p {
+      margin-bottom: 1rem;
+      text-align: center;
+      color: #666;
+    }
+    ul.fields {
+      list-style: none;
+      margin-top: 1.5rem;
+      padding: 0;
+    }
+    ul.fields li {
+      background: #fafafa;
+      border: 1px solid #eee;
+      border-radius: 5px;
+      padding: 0.75rem;
+      margin-bottom: 0.75rem;
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+    }
+    .label {
+      font-weight: bold;
+      margin-right: 1rem;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>You're running on Itsi!</h1>
+    <p>RACK environment:</p>
+
+    <ul class="fields">
+      <li>
+        <span class="label">REQUEST_METHOD:</span>
+        <span>%{REQUEST_METHOD}</span>
+      </li>
+      <li>
+        <span class="label">PATH_INFO:</span>
+        <span>%{PATH_INFO}</span>
+      </li>
+      <li>
+        <span class="label">SERVER_NAME:</span>
+        <span>%{SERVER_NAME}</span>
+      </li>
+      <li>
+        <span class="label">SERVER_PORT:</span>
+        <span>%{SERVER_PORT}</span>
+      </li>
+      <li>
+        <span class="label">REMOTE_ADDR:</span>
+        <span>%{REMOTE_ADDR}</span>
+      </li>
+      <li>
+        <span class="label">HTTP_USER_AGENT:</span>
+        <span>%{HTTP_USER_AGENT}</span>
+      </li>
+    </ul>
+  </div>
+</body>
+</html>

data/lib/itsi/request.rb

@@ -1,10 +1,16 @@
 # frozen_string_literal: true
 
 require "stringio"
+require "socket"
 
 module Itsi
   class Request
-    def to_env
+    attr_accessor :hijacked
+
+    def to_rack_env
+      path = self.path
+      host = self.host
+      version = self.version
       {
         "SERVER_SOFTWARE" => "Itsi",
         "SCRIPT_NAME" => script_name,
@@ -13,27 +19,45 @@ module Itsi
         "REQUEST_PATH" => path,
         "QUERY_STRING" => query_string,
         "REMOTE_ADDR" => remote_addr,
-        "SERVER_NAME" => host,
         "SERVER_PORT" => port.to_s,
+        "SERVER_NAME" => host,
+        "HTTP_HOST" => host,
         "SERVER_PROTOCOL" => version,
         "HTTP_VERSION" => version,
-        "HTTP_HOST" => host,
-        "rack.input" => StringIO.new(body),
+        "itsi.request" => self,
+        "itsi.response" => response,
+        "rack.version" => [version],
+        "rack.url_scheme" => scheme,
+        "rack.input" => build_input_io,
         "rack.errors" => $stderr,
-        "rack.version" => version,
         "rack.multithread" => true,
         "rack.multiprocess" => true,
         "rack.run_once" => false,
-        "rack.multipart.buffer_size" => 16_384
-      }.merge(
-        headers.transform_keys do |k|
-          case k
-          when "content-length" then "CONTENT_LENGTH"
-          when "content-type" then "CONTENT_TYPE"
-          else "HTTP_#{k.upcase.tr("-", "_")}"
-          end
+        "rack.hijack?" => true,
+        "rack.multipart.buffer_size" => 16_384,
+        "rack.hijack" => build_hijack_proc
+      }.tap { |r| headers.each { |(k, v)| r[k] = v } }
+    end
+
+    def build_hijack_proc
+      lambda do
+        self.hijacked = true
+        UNIXSocket.pair.yield_self do |(server_sock, app_sock)|
+          response.hijack(server_sock.fileno)
+          server_sock.sync = true
+          app_sock.sync = true
+          app_sock.instance_variable_set("@server_sock", server_sock)
+          app_sock
         end
-      )
+      end
+    end
+
+    def build_input_io
+      case body
+      when Array then File.open(body.first, "rb")
+      when String then StringIO.new(body)
+      else body
+      end
     end
   end
 end

data/lib/itsi/server/Itsi.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+env = ENV.fetch('APP_ENV') { ENV.fetch('RACK_ENV', 'development') }
+
+# This is the default Itsi configuration file, installed when you run `itsi init`
+# It contains a sane starting point for configuring your Itsi server.
+# You can use this file in both development and production environments.
+# Most of the options in this file can be overridden by command line options.
+# Check out itsi -h to learn more about the command line options available to you.
+
+# Number of worker processes to spawn
+# If more than 1, Itsi will be booted in Cluster mode
+workers ENV.fetch('ITSI_WORKERS') {
+  require 'etc'
+  env == 'development' ? 1 : Etc.nprocessors
+}
+
+# Number of threads to spawn per worker process
+# For pure CPU bound applicationss, you'll get the best results keeping this number low
+# Setting a value of 1 is great for superficial benchmarks, but in reality
+# it's better to set this a bit higher to allow expensive requests to get overtaken and minimize head-of-line blocking
+threads ENV.fetch('ITSI_THREADS', 3)
+
+# If your application is IO bound (e.g. performing a lot of proxied HTTP requests, or heavy queries etc)
+# you can see *substantial* benefits from enabling this option.
+# To set this option, pass a string, not a class (as we will not have loaded the class yet)
+# E.g.
+# `fiber_scheduler "Itsi::Scheduler"` - The default fast and light-weight scheduler that comes with Itsi
+# `fiber_scheduler "Async::Scheduler"` - Bring your own scheduler!
+fiber_scheduler nil
+
+# By default Itsi will run the Rack app from config.ru.
+# You can provide an alternative Rack app file name here
+# Or you can inline the app directly inside Itsi.rb.
+# Only one of `run` and `rackup_file` can be used.
+# E.g.
+# require 'rack'
+# run(Rack::Builder.app do
+#   use Rack::CommonLogger
+#   run ->(env) { [200, { 'content-type' => 'text/plain' }, ['OK']] }
+# end)
+rackup_file 'config.ru'
+
+# If you bind to https, without specifying a certificate, Itsi will use a self-signed certificate.
+# The self-signed certificate will use a CA generated for your host and stored inside `ITSI_LOCAL_CA_DIR` (Defaults to ~/.itsi)
+# bind "https://localhost:3000"
+# bind "https://localhost:3000?domains=dev.itsi.fyi"
+#
+# If you want to use let's encrypt to generate you a real certificate you and pass cert=acme and an acme_email address to generate one.
+# bind "https://itsi.fyi?cert=acme&acme_email=admin@itsi.fyi"
+# You can generate certificates for multiple domains at once, by passing a comma-separated list of domains
+# bind "https://0.0.0.0?domains=foo.itsi.fyi,bar.itsi.fyi&cert=acme&acme_email=admin@itsi.fyi"
+#
+# If you already have a certificate you can specify it using the cert and key parameters
+# bind "https://itsi.fyi?cert=/path/to/cert.pem&key=/path/to/key.pem"
+#
+# You can also bind to a unix socket or a tls unix socket. E.g.
+# bind "unix:///tmp/itsi.sock"
+# bind "tls:///tmp/itsi.secure.sock"
+
+if env == 'development'
+  bind 'http://localhost:3000'
+else
+  bind "https://0.0.0.0?domains=#{ENV['PRODUCTION_DOMAINS']}&cert=acme&acme_email=admin@itsi.fyi"
+end
+
+# If you want to preload the application, set preload to true
+# to load the entire rack-app defined in rack_file_name before forking.
+# Alternatively, you can preload just a specific set of gems in a group in your gemfile,
+# by providing the group name here.
+# E.g.
+#
+# preload :preload # Load gems inside the preload group
+# preload false # Don't preload.
+#
+# If you want to be able to perform zero-downtime deploys using a single itsi process,
+# you should disable preloads, so that the application is loaded fresh each time a new worker boots
+preload true
+
+# Set the maximum memory limit for each worker process in bytes
+# When this limit is reached, the worker will be gracefully restarted.
+# Only one worker is restarted at a time to ensure we don't take down
+# all of them at once, if they reach the threshold simultaneously.
+worker_memory_limit 48 * 1024 * 1024
+
+# You can provide an optional block of code to run, when a worker hits its memory threshold (Use this to send yourself an alert,
+# write metrics to disk etc. etc.)
+after_memory_threshold_reached do |pid|
+  puts "Worker #{pid} has reached its memory threshold and will restart"
+end
+
+# Do clean up of any non-threadsafe resources before forking a new worker here.
+before_fork {}
+
+# Reinitialize any non-threadsafe resources after forking a new worker here.
+after_fork {}
+
+# Shutdown timeout
+# Number of seconds to wait for workers to gracefully shutdown before killing them.
+shutdown_timeout 5
+
+# Set this to false for application environments that require rack.input to be a rewindable body
+# (like Rails). For rack applications that can stream inputs, you can set this to true for a more memory-efficient approach.
+stream_body false
+
+# OOB GC responses threshold
+# Specifies how frequently OOB gc should be triggered during periods where there is a gap in queued requests.
+# Setting this too low can substantially worsen performance
+oob_gc_responses_threshold 512
+
+# Set this to false for application environments that require rack.input to be a rewindable body
+# (like Rails). For rack applications that can stream inputs, you can set this to true for a more memory-efficient approach.
+stream_body false
+
+# OOB GC responses threshold
+# Specifies how frequently OOB gc should be triggered during periods where there is a gap in queued requests.
+# Setting this too low can substantially worsen performance
+oob_gc_responses_threshold 512
+
+# Log level
+# Set this to one of the following values: debug, info, warn, error, fatal
+# Can also be set using the ITSI_LOG environment variable
+log_level :info
+
+# Log Format
+# Set this to be either :ansi or :json. If you leave it blank Itsi will try
+# and auto-detect the format based on the TTY environment.
+log_format :auto