itsi-server 0.2.27.rc1-x86_64-linux → 0.2.27-x86_64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e16f9c96d5e04d3f7d4d1677d029e29ff9de945d31ab252db520ddafa734767b
-  data.tar.gz: a43a8b24ed433bd79017fb24a6073ff953d13927687e7349e845686b02918974
+  metadata.gz: fad0f86c8e82c6bc2772407608124aaaccac0f4f80b0a652267978a020881089
+  data.tar.gz: dd9c0f043baf59043560fda020ed4e1ed190d2ce2a6c45c9412f23d4596e680e
 SHA512:
-  metadata.gz: 94335b92eb34045bfacd21e7e9e4b71b7b140cfda09970668eda5276edd17646a556ee0b9f1280307b225d3b1657021db84f342167d05c1b3481731887cee498
-  data.tar.gz: f98a7aa4a87337b034d1a891adbf741d3bd49d58a718f3102aa9c129fcda6e9b80155fedb1b0925dbc63b97eb4c238162f61a7a35c9724a0e4204825c58e3fc5
+  metadata.gz: 825097e5f3bc540cf3e752f9ffe21264663a7fc9e4a2058fac7a3b90046bab1d7f96b525de0f69be580752d758d22f32078e0726f857c1d7238d3606624e0263
+  data.tar.gz: dda9041982ace348303f9469f7013cab21449e7185fd43b8b8efd4caac5456a047914d2987097ca63e06de7127ba0133ae6e819c62dc8b9644fe5a35caa21b99

data/Cargo.lock

@@ -1662,7 +1662,7 @@ checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
 
 [[package]]
 name = "itsi-server"
-version = "0.2.27-rc1"
+version = "0.2.27"
 dependencies = [
  "argon2",
  "async-channel",

data/ext/itsi_scheduler/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "itsi-scheduler"
-version = "0.2.27-rc1"
+version = "0.2.27"
 edition = "2021"
 authors = ["Wouter Coppieters <wc@pico.net.nz>"]
 license = "MIT"

data/ext/itsi_server/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "itsi-server"
-version = "0.2.27-rc1"
+version = "0.2.27"
 edition = "2021"
 authors = ["Wouter Coppieters <wc@pico.net.nz>"]
 license = "MIT"

data/ext/itsi_server/src/ruby_types/itsi_grpc_call.rs

@@ -11,7 +11,6 @@ use http::{request::Parts, Response, StatusCode};
 use http_body_util::BodyExt;
 use itsi_error::CLIENT_CONNECTION_CLOSED;
 use itsi_rb_helpers::{print_rb_backtrace, HeapValue};
-use itsi_tracing::debug;
 use magnus::{
     block::Proc,
     error::{ErrorType, Result as MagnusResult},

data/ext/itsi_server/src/ruby_types/itsi_http_response.rs

@@ -72,6 +72,17 @@ pub enum ResponseFrame {
 }
 
 impl ItsiHttpResponse {
+    fn is_expected_bridge_shutdown(err: &io::Error) -> bool {
+        matches!(
+            err.kind(),
+            io::ErrorKind::BrokenPipe
+                | io::ErrorKind::ConnectionAborted
+                | io::ErrorKind::ConnectionReset
+                | io::ErrorKind::NotConnected
+                | io::ErrorKind::UnexpectedEof
+        )
+    }
+
     pub fn new(
         parts: Arc<Parts>,
         response_sender: OneshotSender<ResponseFrame>,
@@ -98,13 +109,17 @@ impl ItsiHttpResponse {
         let (mut cr, mut cw) = tokio::io::split(client_io);
 
         let to_ruby = tokio::spawn(async move {
-            if let Err(e) = tokio::io::copy(&mut cr, &mut lw).await {
-                eprintln!("Error copying upgraded->local: {:?}", e);
+            if let Err(err) = tokio::io::copy(&mut cr, &mut lw).await {
+                if !Self::is_expected_bridge_shutdown(&err) {
+                    eprintln!("Error copying upgraded->local: {:?}", err);
+                }
             }
         });
         let from_ruby = tokio::spawn(async move {
-            if let Err(e) = tokio::io::copy(&mut lr, &mut cw).await {
-                eprintln!("Error copying upgraded->local: {:?}", e);
+            if let Err(err) = tokio::io::copy(&mut lr, &mut cw).await {
+                if !Self::is_expected_bridge_shutdown(&err) {
+                    eprintln!("Error copying local->upgraded: {:?}", err);
+                }
             }
         });
 

data/ext/itsi_server/src/server/signal.rs

@@ -63,7 +63,7 @@ pub fn send_lifecycle_event(event: LifecycleEvent) {
     }
 }
 
-fn receive_signal(signum: i32, _: sighandler_t) {
+extern "C" fn receive_signal(signum: i32) {
     debug!("Received signal: {}", signum);
     SIGINT_COUNT.fetch_add(-1, Ordering::SeqCst);
     let event = match signum {
@@ -96,20 +96,25 @@ fn receive_signal(signum: i32, _: sighandler_t) {
     }
 }
 
+fn signal_handler() -> sighandler_t {
+    receive_signal as *const () as sighandler_t
+}
+
 pub fn reset_signal_handlers() -> bool {
     debug!("Resetting signal handlers");
     SIGINT_COUNT.store(0, Ordering::SeqCst);
     SHUTDOWN_REQUESTED.store(false, Ordering::SeqCst);
 
     unsafe {
-        libc::signal(libc::SIGTERM, receive_signal as usize);
-        libc::signal(libc::SIGINT, receive_signal as usize);
-        libc::signal(libc::SIGUSR2, receive_signal as usize);
-        libc::signal(libc::SIGUSR1, receive_signal as usize);
-        libc::signal(libc::SIGHUP, receive_signal as usize);
-        libc::signal(libc::SIGTTIN, receive_signal as usize);
-        libc::signal(libc::SIGTTOU, receive_signal as usize);
-        libc::signal(libc::SIGCHLD, receive_signal as usize);
+        let handler = signal_handler();
+        libc::signal(libc::SIGTERM, handler);
+        libc::signal(libc::SIGINT, handler);
+        libc::signal(libc::SIGUSR2, handler);
+        libc::signal(libc::SIGUSR1, handler);
+        libc::signal(libc::SIGHUP, handler);
+        libc::signal(libc::SIGTTIN, handler);
+        libc::signal(libc::SIGTTOU, handler);
+        libc::signal(libc::SIGCHLD, handler);
     }
     true
 }

data/lib/itsi/server/config/options/certificates.md

@@ -54,12 +54,40 @@ Let's Encrypt enforces strict rate limits on production certificate generation.
 {{< /callout >}}
 
 
-{{< callout type="warn" >}}
-Currently only the TLS-ALPN-01 challenge type is supported for automated certificates.
-The HTTP-01 challenge is not *yet* supported. This means that, for e.g. if your server is sitting behind a CDN or reverse proxy that performs HTTPS termination, you will not be able to rely on the *automated* certificate generation for fully automated, verified e2e encryption.
-
-Instead you may wish to use:
-* [Self-signed](#development--self-signed) certificates
-* [Manually](#existing-certificates) install certificates
-* Use HTTP between the CDN and the server
-{{< /callout >}}
+Itsi supports both ACME challenge types that matter for common deployments:
+
+* `TLS-ALPN-01` is used when the certificate authority can reach Itsi directly on the HTTPS listener.
+* `HTTP-01` can be used when you also expose a reachable HTTP listener for the same hostname. In real Let's Encrypt deployments this typically means port `80` must reach Itsi for `/.well-known/acme-challenge/*`.
+
+This means setups behind a CDN, WAF, or TLS-terminating proxy can still use automated certificates, provided plain HTTP validation traffic is forwarded to Itsi.
+
+E.g. a production configuration that allows HTTP-01 fallback might look like this:
+
+```ruby {filename=Itsi.rb}
+bind "http://0.0.0.0:80"
+bind "https://0.0.0.0:443?cert=acme&domains=example.com&acme_email=you@example.com"
+```
+
+## Dynamic Domain Registration
+You can add or remove ACME-managed domains while Itsi is already running.
+
+This is useful when hostnames are discovered dynamically by your Ruby application, or when you want to defer certificate issuance until a tenant, customer, or site is activated.
+
+Runtime APIs:
+
+* `Itsi::Server.tls_bindings`
+* `Itsi::Server.tls_domains(listener_id = nil)`
+* `Itsi::Server.tls_domain_statuses(listener_id = nil)`
+* `Itsi::Server.register_tls_domain(domain, listener_id = nil)`
+* `Itsi::Server.unregister_tls_domain(domain, listener_id = nil)`
+
+Example:
+
+```ruby
+Itsi::Server.register_tls_domain("customer-a.example.com")
+
+status = Itsi::Server.tls_domain_statuses.find { |entry| entry["domain"] == "customer-a.example.com" }
+puts status
+```
+
+When using dynamic issuance with HTTP-01, the same requirement still applies: the domain being issued must be able to reach an Itsi-managed HTTP listener for the ACME challenge path.

data/lib/itsi/server/config/options/fiber_scheduler.md

@@ -7,6 +7,8 @@ This allows Itsi to process a very large number of IO heavy requests concurrentl
 
 Enabling Fiber Scheduler mode can drastically improve application performance if you perform large amounts of blocking IO operations.
 
+Itsi's bundled scheduler is intended to be practical for real Ruby applications, not just toy socket examples. It integrates with the scheduler hooks used by modern Rubies for socket I/O, DNS lookups, sleeps and timeouts, and process waiting.
+
 
 ## Configuration File
 ```ruby {filename="Itsi.rb"}

data/lib/itsi/server/default_config/Itsi.rb

@@ -37,6 +37,10 @@ fiber_scheduler nil
 # bind "https://itsi.fyi?cert=acme&acme_email=admin@itsi.fyi"
 # You can generate certificates for multiple domains at once, by passing a comma-separated list of domains
 # bind "https://0.0.0.0?domains=foo.itsi.fyi,bar.itsi.fyi&cert=acme&acme_email=admin@itsi.fyi"
+# If HTTPS on 443 is not directly reachable, you can also expose an HTTP listener and
+# Let's Encrypt will be able to validate using HTTP-01 instead.
+# bind "http://0.0.0.0:80"
+# bind "https://0.0.0.0:443?domains=foo.itsi.fyi&cert=acme&acme_email=admin@itsi.fyi"
 #
 # If you already have a certificate you can specify it using the cert and key parameters
 # bind "https://itsi.fyi?cert=/path/to/cert.pem&key=/path/to/key.pem"

data/lib/itsi/server/rack_interface.rb

@@ -103,7 +103,8 @@ module Itsi
         elsif body_streamer
           # If we're partially hijacked or returned a streaming body,
           # stream this response.
-          body_streamer.call(response)
+          stream = status == 101 ? request.partial_hijack : response
+          body_streamer.call(stream)
 
         elsif body.is_a?(Array)
           if body.length == 1

data/lib/itsi/server/version.rb

@@ -2,6 +2,6 @@
 
 module Itsi
   class Server
-    VERSION = "0.2.27.rc1"
+    VERSION = "0.2.27"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: itsi-server
 version: !ruby/object:Gem::Version
-  version: 0.2.27.rc1
+  version: 0.2.27
 platform: x86_64-linux
 authors:
 - Wouter Coppieters
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2026-06-14 00:00:00.000000000 Z
+date: 2026-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json