itsi-server 0.2.27.rc1-x86_64-darwin → 0.2.27-x86_64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 647597218f2ce8c9044429cb56d63ec59ef7824dbb9e592b5c875a5851a3172e
-  data.tar.gz: ccf50926a432423a733b3c8adf0230e23a238dd00e4141a0c1b9695db42b0949
+  metadata.gz: fb1782b200aa6febf6e08fcf2fddfff43c36bb79b6adbbe3312e8bd65a7440aa
+  data.tar.gz: 65954cd463d29b6f472c64981cdcfa8d71beb2a58f568dca31ea010429361de6
 SHA512:
-  metadata.gz: 16e88ce93d10094f8b730dac0bddffa17261bdf036a792e35623b5c1653ae81b6da3653f777b260c6d905ee551bfcd57fb0661fdd29a1360fa7b15d3c78fb618
-  data.tar.gz: 0fdfcb4823fddf7a1d946255e67739a97b481f781ab92fc6be66efd001cdb3a0319ade9a1a4495eb88cd853efc83e6468044b4077a5d1fe36d67af9fbcc28285
+  metadata.gz: daa87b7488630e1f74a1a89e1e377de76fc7ebf31d5996bcec2bd579fb0c639f6313d8ca005a1630c46b0c6856948adb5a7683c0e2e7074f9e45af6fbf2bdde3
+  data.tar.gz: de9f9aa9f02f656afe66cb21a0fc4d1728fc9135365765f1ef3156f86e1958c76fdce1da82ac9ad8bd9814f69dfc1d13bd52151448f5cc66bccc0807829ca2d0

data/Cargo.lock

@@ -1662,7 +1662,7 @@ checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
 
 [[package]]
 name = "itsi-server"
-version = "0.2.27-rc1"
+version = "0.2.27"
 dependencies = [
  "argon2",
  "async-channel",

data/ext/itsi_scheduler/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "itsi-scheduler"
-version = "0.2.27-rc1"
+version = "0.2.27"
 edition = "2021"
 authors = ["Wouter Coppieters <wc@pico.net.nz>"]
 license = "MIT"

data/ext/itsi_server/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "itsi-server"
-version = "0.2.27-rc1"
+version = "0.2.27"
 edition = "2021"
 authors = ["Wouter Coppieters <wc@pico.net.nz>"]
 license = "MIT"

data/ext/itsi_server/src/ruby_types/itsi_grpc_call.rs

@@ -11,7 +11,6 @@ use http::{request::Parts, Response, StatusCode};
 use http_body_util::BodyExt;
 use itsi_error::CLIENT_CONNECTION_CLOSED;
 use itsi_rb_helpers::{print_rb_backtrace, HeapValue};
-use itsi_tracing::debug;
 use magnus::{
     block::Proc,
     error::{ErrorType, Result as MagnusResult},

data/ext/itsi_server/src/ruby_types/itsi_http_response.rs

@@ -72,6 +72,17 @@ pub enum ResponseFrame {
 }
 
 impl ItsiHttpResponse {
+    fn is_expected_bridge_shutdown(err: &io::Error) -> bool {
+        matches!(
+            err.kind(),
+            io::ErrorKind::BrokenPipe
+                | io::ErrorKind::ConnectionAborted
+                | io::ErrorKind::ConnectionReset
+                | io::ErrorKind::NotConnected
+                | io::ErrorKind::UnexpectedEof
+        )
+    }
+
     pub fn new(
         parts: Arc<Parts>,
         response_sender: OneshotSender<ResponseFrame>,
@@ -98,13 +109,17 @@ impl ItsiHttpResponse {
         let (mut cr, mut cw) = tokio::io::split(client_io);
 
         let to_ruby = tokio::spawn(async move {
-            if let Err(e) = tokio::io::copy(&mut cr, &mut lw).await {
-                eprintln!("Error copying upgraded->local: {:?}", e);
+            if let Err(err) = tokio::io::copy(&mut cr, &mut lw).await {
+                if !Self::is_expected_bridge_shutdown(&err) {
+                    eprintln!("Error copying upgraded->local: {:?}", err);
+                }
             }
         });
         let from_ruby = tokio::spawn(async move {
-            if let Err(e) = tokio::io::copy(&mut lr, &mut cw).await {
-                eprintln!("Error copying upgraded->local: {:?}", e);
+            if let Err(err) = tokio::io::copy(&mut lr, &mut cw).await {
+                if !Self::is_expected_bridge_shutdown(&err) {
+                    eprintln!("Error copying local->upgraded: {:?}", err);
+                }
             }
         });
 

data/ext/itsi_server/src/server/signal.rs

@@ -63,7 +63,7 @@ pub fn send_lifecycle_event(event: LifecycleEvent) {
     }
 }
 
-fn receive_signal(signum: i32, _: sighandler_t) {
+extern "C" fn receive_signal(signum: i32) {
     debug!("Received signal: {}", signum);
     SIGINT_COUNT.fetch_add(-1, Ordering::SeqCst);
     let event = match signum {
@@ -96,20 +96,25 @@ fn receive_signal(signum: i32, _: sighandler_t) {
     }
 }
 
+fn signal_handler() -> sighandler_t {
+    receive_signal as *const () as sighandler_t
+}
+
 pub fn reset_signal_handlers() -> bool {
     debug!("Resetting signal handlers");
     SIGINT_COUNT.store(0, Ordering::SeqCst);
     SHUTDOWN_REQUESTED.store(false, Ordering::SeqCst);
 
     unsafe {
-        libc::signal(libc::SIGTERM, receive_signal as usize);
-        libc::signal(libc::SIGINT, receive_signal as usize);
-        libc::signal(libc::SIGUSR2, receive_signal as usize);
-        libc::signal(libc::SIGUSR1, receive_signal as usize);
-        libc::signal(libc::SIGHUP, receive_signal as usize);
-        libc::signal(libc::SIGTTIN, receive_signal as usize);
-        libc::signal(libc::SIGTTOU, receive_signal as usize);
-        libc::signal(libc::SIGCHLD, receive_signal as usize);
+        let handler = signal_handler();
+        libc::signal(libc::SIGTERM, handler);
+        libc::signal(libc::SIGINT, handler);
+        libc::signal(libc::SIGUSR2, handler);
+        libc::signal(libc::SIGUSR1, handler);
+        libc::signal(libc::SIGHUP, handler);
+        libc::signal(libc::SIGTTIN, handler);
+        libc::signal(libc::SIGTTOU, handler);
+        libc::signal(libc::SIGCHLD, handler);
     }
     true
 }

data/lib/itsi/server/config/options/certificates.md

@@ -54,12 +54,40 @@ Let's Encrypt enforces strict rate limits on production certificate generation.
 {{< /callout >}}
 
 
-{{< callout type="warn" >}}
-Currently only the TLS-ALPN-01 challenge type is supported for automated certificates.
-The HTTP-01 challenge is not *yet* supported. This means that, for e.g. if your server is sitting behind a CDN or reverse proxy that performs HTTPS termination, you will not be able to rely on the *automated* certificate generation for fully automated, verified e2e encryption.
-
-Instead you may wish to use:
-* [Self-signed](#development--self-signed) certificates
-* [Manually](#existing-certificates) install certificates
-* Use HTTP between the CDN and the server
-{{< /callout >}}
+Itsi supports both ACME challenge types that matter for common deployments:
+
+* `TLS-ALPN-01` is used when the certificate authority can reach Itsi directly on the HTTPS listener.
+* `HTTP-01` can be used when you also expose a reachable HTTP listener for the same hostname. In real Let's Encrypt deployments this typically means port `80` must reach Itsi for `/.well-known/acme-challenge/*`.
+
+This means setups behind a CDN, WAF, or TLS-terminating proxy can still use automated certificates, provided plain HTTP validation traffic is forwarded to Itsi.
+
+E.g. a production configuration that allows HTTP-01 fallback might look like this:
+
+```ruby {filename=Itsi.rb}
+bind "http://0.0.0.0:80"
+bind "https://0.0.0.0:443?cert=acme&domains=example.com&acme_email=you@example.com"
+```
+
+## Dynamic Domain Registration
+You can add or remove ACME-managed domains while Itsi is already running.
+
+This is useful when hostnames are discovered dynamically by your Ruby application, or when you want to defer certificate issuance until a tenant, customer, or site is activated.
+
+Runtime APIs:
+
+* `Itsi::Server.tls_bindings`
+* `Itsi::Server.tls_domains(listener_id = nil)`
+* `Itsi::Server.tls_domain_statuses(listener_id = nil)`
+* `Itsi::Server.register_tls_domain(domain, listener_id = nil)`
+* `Itsi::Server.unregister_tls_domain(domain, listener_id = nil)`
+
+Example:
+
+```ruby
+Itsi::Server.register_tls_domain("customer-a.example.com")
+
+status = Itsi::Server.tls_domain_statuses.find { |entry| entry["domain"] == "customer-a.example.com" }
+puts status
+```
+
+When using dynamic issuance with HTTP-01, the same requirement still applies: the domain being issued must be able to reach an Itsi-managed HTTP listener for the ACME challenge path.

data/lib/itsi/server/config/options/fiber_scheduler.md

@@ -7,6 +7,8 @@ This allows Itsi to process a very large number of IO heavy requests concurrentl
 
 Enabling Fiber Scheduler mode can drastically improve application performance if you perform large amounts of blocking IO operations.
 
+Itsi's bundled scheduler is intended to be practical for real Ruby applications, not just toy socket examples. It integrates with the scheduler hooks used by modern Rubies for socket I/O, DNS lookups, sleeps and timeouts, and process waiting.
+
 
 ## Configuration File
 ```ruby {filename="Itsi.rb"}

data/lib/itsi/server/default_config/Itsi.rb

@@ -37,6 +37,10 @@ fiber_scheduler nil
 # bind "https://itsi.fyi?cert=acme&acme_email=admin@itsi.fyi"
 # You can generate certificates for multiple domains at once, by passing a comma-separated list of domains
 # bind "https://0.0.0.0?domains=foo.itsi.fyi,bar.itsi.fyi&cert=acme&acme_email=admin@itsi.fyi"
+# If HTTPS on 443 is not directly reachable, you can also expose an HTTP listener and
+# Let's Encrypt will be able to validate using HTTP-01 instead.
+# bind "http://0.0.0.0:80"
+# bind "https://0.0.0.0:443?domains=foo.itsi.fyi&cert=acme&acme_email=admin@itsi.fyi"
 #
 # If you already have a certificate you can specify it using the cert and key parameters
 # bind "https://itsi.fyi?cert=/path/to/cert.pem&key=/path/to/key.pem"

data/lib/itsi/server/rack_interface.rb

@@ -103,7 +103,8 @@ module Itsi
         elsif body_streamer
           # If we're partially hijacked or returned a streaming body,
           # stream this response.
-          body_streamer.call(response)
+          stream = status == 101 ? request.partial_hijack : response
+          body_streamer.call(stream)
 
         elsif body.is_a?(Array)
           if body.length == 1

data/lib/itsi/server/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Server
-    VERSION = "0.2.27.rc1"
+    VERSION = "0.2.27"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: itsi-server
 version: !ruby/object:Gem::Version
-  version: 0.2.27.rc1
+  version: 0.2.27
 platform: x86_64-darwin
 authors:
 - Wouter Coppieters
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-06-14 00:00:00.000000000 Z
+date: 2026-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json