puma 2.12.3 → 2.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8fb289c9463eb0aec389606cde7abca74b3ba737
-  data.tar.gz: 0f81b87b1bd9c0fa43d9c67e6d8b5c2f4a4b97a9
+  metadata.gz: 761911bec0cc543faf03994736a763dc7d87b6eb
+  data.tar.gz: 20cd1109cf893a9940549520e1f2e6c875532f2e
 SHA512:
-  metadata.gz: bf53fee269a717c206e9031cfb26c6e7924eb346d7d17f5accf57d858813fb6302aecb1832385b2a87a94e68f452fae50f218cfe2f941617df8370c712e20d9f
-  data.tar.gz: 92daf0ecf12fb7abda0655461ec72bff29f96dbf955f3434049f00e1e4de87b4b2672db36f03fe62ed36b0df0ea28305bd2dab80fa3de90ac3742a5954a42397
+  metadata.gz: c655e44ef966f2a4d8acd9b3d96b11a13072993edb1049ca65470cc0af3460bcd2e0d3f57f8afcec203cf6d9caad85cc7f1849454374ed65949b4284bd27ea33
+  data.tar.gz: 9b0e3acb94d4b0e3ae1a0f1eb1279dba87d600df67c928b455d8ea3ad47f3f90fb0a6854920776bad809dd46d013441e95385b981472d5f81f88d19ecbf4560e

data/DEPLOYMENT.md

@@ -1,7 +1,7 @@
 # Deployment engineering for puma
 
 Puma is software that is expected to be run in a deployed environment eventually.
-You can centainly use it as your dev server only, but most people look to use
+You can certainly use it as your dev server only, but most people look to use
 it in their production deployments as well.
 
 To that end, this is meant to serve as a foundation of wisdom how to do that
@@ -17,7 +17,7 @@ Welcome back!
 
 ## Single vs Cluster mode
 
-Puma was originally concieved as a thread-only webserver, but grew the ability to
+Puma was originally conceived as a thread-only webserver, but grew the ability to
 also use processes in version 2.
 
 Here are some rules of thumb:
@@ -27,7 +27,7 @@ Here are some rules of thumb:
 * Use cluster mode and set the number of workers to 1.5x the number of cpu cores
   in the machine, minimum 2.
 * Set the number of threads to desired concurrent requests / number of workers.
-  Puma defaults to 8 and thats a decent number.
+  Puma defaults to 8 and that's a decent number.
 
 #### Migrating from Unicorn
 

data/History.txt

@@ -1,3 +1,167 @@
+=== 2.16.0 / 2016-01-27
+
+* 7 minor features:
+
+  * Add 'set_remote_address' config option
+  * Allow to run puma in silent mode
+  * Expose cli options in DSL
+  * Support passing JRuby keystore info in ssl_bind DSL
+  * Allow umask for unix:/// style control urls
+  * Expose `old_worker_count` in stats url
+  * Support TLS client auth (verify_mode) in jruby
+
+* 7 bug fixes:
+
+  * Don't persist before_fork hook in state file
+  * Reload bundler before pulling in rack. Fixes #859
+  * Remove NEWRELIC_DISPATCHER env variable
+  * Cleanup C code
+  * Use Timeout.timeout instead of Object.timeout
+  * Make phased restarts faster
+  * Ignore the case of certain headers, because HTTP
+
+* 1 doc changes:
+
+  * Test against the latest Ruby 2.1, 2.2, 2.3, head and JRuby 9.0.4.0 on Travis
+
+* 12 merged PRs
+  * Merge pull request #822 from kwugirl/remove_NEWRELIC_DISPATCHER
+  * Merge pull request #833 from joemiller/jruby-client-tls-auth
+  * Merge pull request #837 from YuriSolovyov/ssl-keystore-jruby
+  * Merge pull request #839 from mezuka/master
+  * Merge pull request #845 from deepj/timeout-deprecation
+  * Merge pull request #846 from sriedel/strip_before_fork
+  * Merge pull request #850 from deepj/travis
+  * Merge pull request #853 from Jeffrey6052/patch-1
+  * Merge pull request #857 from zendesk/faster_phased_restarts
+  * Merge pull request #858 from mlarraz/fix_some_warnings
+  * Merge pull request #860 from zendesk/expose_old_worker_count
+  * Merge pull request #861 from zendesk/allow_control_url_umask
+
+=== 2.15.3 / 2015-11-07
+
+* 1 bug fix:
+
+  * Fix JRuby parser
+
+=== 2.15.2 / 2015-11-06
+
+* 2 bug fixes:
+  * ext/puma_http11: handle duplicate headers as per RFC
+  * Only set ctx.ca iff there is a params['ca'] to set with.
+
+* 2 PRs merged:
+  * Merge pull request #818 from unleashed/support-duplicate-headers
+  * Merge pull request #819 from VictorLowther/fix-ca-and-verify_null-exception
+
+=== 2.15.1 / 2015-11-06
+
+* 1 bug fix:
+
+  * Allow older openssl versions
+
+=== 2.15.0 / 2015-11-06
+
+* 6 minor features:
+  * Allow setting ca without setting a verify mode
+  * Make jungle for init.d support rbenv
+  * Use SSL_CTX_use_certificate_chain_file for full chain
+  * cluster: add worker_boot_timeout option
+  * configuration: allow empty tags to mean no tag desired
+  * puma/cli: support specifying STD{OUT,ERR} redirections and append mode
+
+* 5 bug fixes:
+  * Disable SSL Compression
+  * Fix bug setting worker_directory when using a symlink directory
+  * Fix error message in DSL that was slightly inaccurate
+  * Pumactl: set correct process name. Fixes #563
+  * thread_pool: fix race condition when shutting down workers
+
+* 10 doc fixes:
+  * Add before_fork explanation in Readme.md
+  * Correct spelling in DEPLOYMENT.md
+  * Correct spelling in docs/nginx.md
+  * Fix spelling errors.
+  * Fix typo in deployment description
+  * Fix typos (it's -> its) in events.rb and server.rb
+  * fixing for typo mentioned in #803
+  * Spelling correction for README
+  * thread_pool: fix typos in comment
+  * More explicit docs for worker_timeout
+
+* 18 PRs merged:
+  * Merge pull request #768 from nathansamson/patch-1
+  * Merge pull request #773 from rossta/spelling_corrections
+  * Merge pull request #774 from snow/master
+  * Merge pull request #781 from sunsations/fix-typo
+  * Merge pull request #791 from unleashed/allow_empty_tags
+  * Merge pull request #793 from robdimarco/fix-working-directory-symlink-bug
+  * Merge pull request #794 from peterkeen/patch-1
+  * Merge pull request #795 from unleashed/redirects-from-cmdline
+  * Merge pull request #796 from cschneid/fix_dsl_message
+  * Merge pull request #799 from annafw/master
+  * Merge pull request #800 from liamseanbrady/fix_typo
+  * Merge pull request #801 from scottjg/ssl-chain-file
+  * Merge pull request #802 from scottjg/ssl-crimes
+  * Merge pull request #804 from burningTyger/patch-2
+  * Merge pull request #809 from unleashed/threadpool-fix-race-in-shutdown
+  * Merge pull request #810 from vlmonk/fix-pumactl-restart-bug
+  * Merge pull request #814 from schneems/schneems/worker_timeout-docs
+  * Merge pull request #817 from unleashed/worker-boot-timeout
+
+=== 2.14.0 / 2015-09-18
+
+* 1 minor feature:
+  * Make building with SSL support optional
+
+* 1 bug fix:
+  * Use Rack::Builder if available. Fixes #735
+
+=== 2.13.4 / 2015-08-16
+
+* 1 bug fix:
+  * Use the environment possible set by the config early and from
+    the config file later (if set).
+
+=== 2.13.3 / 2015-08-15
+
+Seriously, I need to revamp config with tests.
+
+* 1 bug fix:
+  * Fix preserving options before cleaning for state. Fixes #769
+
+=== 2.13.2 / 2015-08-15
+
+The "clearly I don't have enough tests for the config" release.
+
+* 1 bug fix:
+  * Fix another place binds wasn't initialized. Fixes #767
+
+=== 2.13.1 / 2015-08-15
+
+* 2 bug fixes:
+  * Fix binds being masked in config files. Fixes #765
+  * Use options from the config file properly in pumactl. Fixes #764
+
+=== 2.13.0 / 2015-08-14
+
+* 1 minor feature:
+  * Add before_fork hooks option.
+
+* 3 bug fixes:
+  * Check for OPENSSL_NO_ECDH before using ECDH
+  * Eliminate logging overhead from JRuby SSL
+  * Prefer cli options over config file ones. Fixes #669
+
+* 1 deprecation:
+  * Add deprecation warning to capistrano.rb. Fixes #673
+
+* 4 PRs merged:
+  * Merge pull request #668 from kcollignon/patch-1
+  * Merge pull request #754 from nathansamson/before_boot
+  * Merge pull request #759 from BenV/fix-centos6-build
+  * Merge pull request #761 from looker/no-log
+
 === 2.12.3 / 2015-08-03
 
 * 8 minor bugs fixed:

data/README.md

@@ -117,6 +117,25 @@ If you're preloading your application and using ActiveRecord, it's recommend you
       end
     end
 
+On top of that, you can specify a block in your configuration file that will be run before workers are forked
+
+    # config/puma.rb
+    before_fork do
+      # configuration here
+    end
+
+This code can be used to clean up before forking to clients, allowing
+you to do some Puma-specific things that you don't want to embed in your application.
+
+If you're preloading your application and using ActiveRecord, it's recommend you close any connections to the database here to prevent connection leakage:
+
+    # config/puma.rb
+    before_fork do
+      ActiveRecord::Base.connection_pool.disconnect!
+    end
+
+This rule applies to any connections to external services (Redis, databases, memcache, ...) that might be started automatically by the framework.
+
 When you use preload_app, your new code goes all in the master process, and is then copied in the workers (meaning it’s only compatible with cluster mode). General rule is to use preload_app when your workers die often and need fast starts. If you don’t have many workers, you probably should not use preload_app.
 
 Note that preload_app can’t be used with phased restart, since phased restart kills and restarts workers one-by-one, and preload_app is all about copying the code of master into the workers.
@@ -167,7 +186,7 @@ You can also provide a configuration file which Puma will use with the `-C` (or
 
     $ puma -C /path/to/config
 
-By default, if no configuration file is specifed, Puma will look for a configuration file at config/puma.rb. If an environment is specified, either via the `-e` and `--environment` flags, or through the `RACK_ENV` environment variable, the default file location will be config/puma/environment_name.rb.
+By default, if no configuration file is specified, Puma will look for a configuration file at config/puma.rb. If an environment is specified, either via the `-e` and `--environment` flags, or through the `RACK_ENV` environment variable, the default file location will be config/puma/environment_name.rb.
 
 If you want to prevent Puma from looking for a configuration file in those locations, provide a dash as the argument to the `-C` (or `--config`) flag:
 
@@ -248,7 +267,7 @@ and then
 $ bundle exec cap puma:start
 $ bundle exec cap puma:restart
 $ bundle exec cap puma:stop
-$ bundle exec cap puma:phased_restart
+$ bundle exec cap puma:phased-restart
 ```
 
 ## Contributing

data/docs/nginx.md

@@ -40,7 +40,7 @@ server {
     }
 
     # check for index.html for directory index
-    # if its there on the filesystem then rewite
+    # if it's there on the filesystem then rewrite
     # the url to add /index.html to the end of it
     # and then break to send it to the next config rules.
     if (-f $request_filename/index.html) {

data/ext/puma_http11/extconf.rb

@@ -2,8 +2,12 @@ require 'mkmf'
 
 dir_config("puma_http11")
 
-if %w'crypto libeay32'.find {|crypto| have_library(crypto, 'BIO_read')} and
-    %w'ssl ssleay32'.find {|ssl| have_library(ssl, 'SSL_CTX_new')}
-  
-  create_makefile("puma/puma_http11")
+unless ENV["DISABLE_SSL"]
+  if %w'crypto libeay32'.find {|crypto| have_library(crypto, 'BIO_read')} and
+      %w'ssl ssleay32'.find {|ssl| have_library(ssl, 'SSL_CTX_new')}
+
+    have_header "openssl/bio.h"
+  end
 end
+
+create_makefile("puma/puma_http11")

data/ext/puma_http11/mini_ssl.c

@@ -1,12 +1,20 @@
 #define RSTRING_NOT_MODIFIED 1
+
 #include <ruby.h>
 #include <rubyio.h>
+
+#ifdef HAVE_OPENSSL_BIO_H
+
 #include <openssl/bio.h>
 #include <openssl/ssl.h>
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
 
+#ifndef SSL_OP_NO_COMPRESSION
+#define SSL_OP_NO_COMPRESSION 0
+#endif
+
 typedef struct {
   BIO* read;
   BIO* write;
@@ -132,14 +140,14 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
   ctx = SSL_CTX_new(SSLv23_server_method());
   conn->ctx = ctx;
 
-  SSL_CTX_use_certificate_file(ctx, RSTRING_PTR(cert), SSL_FILETYPE_PEM);
+  SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
   SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
 
   if (!NIL_P(ca)) {
     SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL);
   }
   
-  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE);
+  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION);
   SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
 
   SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
@@ -147,11 +155,13 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
   DH *dh = get_dh1024();
   SSL_CTX_set_tmp_dh(ctx, dh);
 
+#ifndef OPENSSL_NO_ECDH
   EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp521r1);
   if (ecdh) {
     SSL_CTX_set_tmp_ecdh(ctx, ecdh);
     EC_KEY_free(ecdh);
   }
+#endif
 
   ssl = SSL_new(ctx);
   conn->ssl = ssl;
@@ -238,7 +248,7 @@ void raise_error(SSL* ssl, int result) {
 VALUE engine_read(VALUE self) {
   ms_conn* conn;
   char buf[512];
-  int bytes, n, error;
+  int bytes, error;
 
   Data_Get_Struct(self, ms_conn, conn);
 
@@ -345,6 +355,10 @@ VALUE engine_peercert(VALUE self) {
   return rb_cert_buf;
 }
 
+VALUE noop(VALUE self) {
+  return Qnil;
+}
+
 void Init_mini_ssl(VALUE puma) {
   VALUE mod, eng;
 
@@ -356,6 +370,8 @@ void Init_mini_ssl(VALUE puma) {
   mod = rb_define_module_under(puma, "MiniSSL");
   eng = rb_define_class_under(mod, "Engine", rb_cObject);
 
+  rb_define_singleton_method(mod, "check", noop, 0);
+
   eError = rb_define_class_under(mod, "SSLError", rb_eStandardError);
 
   rb_define_singleton_method(eng, "server", engine_init_server, 1);
@@ -369,3 +385,20 @@ void Init_mini_ssl(VALUE puma) {
 
   rb_define_method(eng, "peercert", engine_peercert, 0);
 }
+
+#else
+
+VALUE raise_error(VALUE self) {
+  rb_raise(rb_eStandardError, "SSL not available in this build");
+  return Qnil;
+}
+
+void Init_mini_ssl(VALUE puma) {
+  VALUE mod, eng;
+
+  mod = rb_define_module_under(puma, "MiniSSL");
+  rb_define_class_under(mod, "SSLError", rb_eStandardError);
+
+  rb_define_singleton_method(mod, "check", raise_error, 0);
+}
+#endif

data/ext/puma_http11/org/jruby/puma/Http11.java

@@ -82,11 +82,11 @@ public class Http11 extends RubyObject {
     private Http11Parser.FieldCB http_field = new Http11Parser.FieldCB() {
             public void call(Object data, int field, int flen, int value, int vlen) {
                 RubyHash req = (RubyHash)data;
-                RubyString v,f;
+                RubyString f;
+                IRubyObject v;
                 validateMaxLength(flen, MAX_FIELD_NAME_LENGTH, MAX_FIELD_NAME_LENGTH_ERR);
                 validateMaxLength(vlen, MAX_FIELD_VALUE_LENGTH, MAX_FIELD_VALUE_LENGTH_ERR);
 
-                v = RubyString.newString(runtime, new ByteList(Http11.this.hp.parser.buffer,value,vlen));
                 ByteList b = new ByteList(Http11.this.hp.parser.buffer,field,flen);
                 for(int i = 0,j = b.length();i<j;i++) {
                     if((b.get(i) & 0xFF) == '-') {
@@ -104,7 +104,16 @@ public class Http11 extends RubyObject {
                   f = RubyString.newString(runtime, "HTTP_");
                   f.cat(b);
                 }
-                req.op_aset(req.getRuntime().getCurrentContext(), f,v);
+
+                b = new ByteList(Http11.this.hp.parser.buffer, value, vlen);
+                v = req.op_aref(req.getRuntime().getCurrentContext(), f);
+                if (v.isNil()) {
+                    req.op_aset(req.getRuntime().getCurrentContext(), f, RubyString.newString(runtime, b));
+                } else {
+                    RubyString vs = v.convertToString();
+                    vs.cat(RubyString.newString(runtime, ", "));
+                    vs.cat(b);
+                }
             }
         };
 

data/ext/puma_http11/org/jruby/puma/MiniSSL.java

@@ -1,7 +1,6 @@
 package org.jruby.puma;
 
 import org.jruby.Ruby;
-import org.jruby.RubyBoolean;
 import org.jruby.RubyClass;
 import org.jruby.RubyModule;
 import org.jruby.RubyObject;
@@ -14,6 +13,7 @@ import org.jruby.runtime.builtin.IRubyObject;
 import org.jruby.util.ByteList;
 
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
@@ -39,9 +39,6 @@ public class MiniSSL extends RubyObject {
     }
   };
 
-  // set to true to switch on our low-fi trace logging
-  private static boolean DEBUG = false;
-
   public static void createMiniSSL(Ruby runtime) {
     RubyModule mPuma = runtime.defineModule("Puma");
     RubyModule ssl = mPuma.defineModuleUnder("MiniSSL");
@@ -140,23 +137,36 @@ public class MiniSSL extends RubyObject {
   public IRubyObject initialize(ThreadContext threadContext, IRubyObject miniSSLContext)
       throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException {
     KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
 
     char[] password = miniSSLContext.callMethod(threadContext, "keystore_pass").convertToString().asJavaString().toCharArray();
-    ks.load(new FileInputStream(miniSSLContext.callMethod(threadContext, "keystore").convertToString().asJavaString()),
-        password);
+    String keystoreFile = miniSSLContext.callMethod(threadContext, "keystore").convertToString().asJavaString();
+    ks.load(new FileInputStream(keystoreFile), password);
+    ts.load(new FileInputStream(keystoreFile), password);
 
     KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
     kmf.init(ks, password);
 
+    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+    tmf.init(ts);
+
     SSLContext sslCtx = SSLContext.getInstance("TLS");
 
-    sslCtx.init(kmf.getKeyManagers(), null, null);
+    sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
     engine = sslCtx.createSSLEngine();
 
     String[] protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
     engine.setEnabledProtocols(protocols);
     engine.setUseClientMode(false);
 
+    long verify_mode = miniSSLContext.callMethod(threadContext, "verify_mode").convertToInteger().getLongValue();
+    if ((verify_mode & 0x1) != 0) { // 'peer'
+        engine.setWantClientAuth(true);
+    }
+    if ((verify_mode & 0x2) != 0) { // 'force_peer'
+        engine.setNeedClientAuth(true);
+    }
+
     SSLSession session = engine.getSession();
     inboundNetData = new MiniSSLBuffer(session.getPacketBufferSize());
     outboundAppData = new MiniSSLBuffer(session.getApplicationBufferSize());
@@ -170,12 +180,7 @@ public class MiniSSL extends RubyObject {
   public IRubyObject inject(IRubyObject arg) {
     try {
       byte[] bytes = arg.convertToString().getBytes();
-
-      log("Net Data post pre-inject: " + inboundNetData);
       inboundNetData.put(bytes);
-      log("Net Data post post-inject: " + inboundNetData);
-
-      log("inject(): " + bytes.length + " encrypted bytes from request");
       return this;
     } catch (Exception e) {
       e.printStackTrace();
@@ -205,8 +210,6 @@ public class MiniSSL extends RubyObject {
 
       switch (res.getStatus()) {
         case BUFFER_OVERFLOW:
-          log("SSLOp#doRun(): overflow");
-          log("SSLOp#doRun(): dst data at overflow: " + dst);
           // increase the buffer size to accommodate the overflowing data
           int newSize = Math.max(engine.getSession().getPacketBufferSize(), engine.getSession().getApplicationBufferSize());
           dst.resize(newSize + dst.position());
@@ -214,8 +217,6 @@ public class MiniSSL extends RubyObject {
           retryOp = true;
           break;
         case BUFFER_UNDERFLOW:
-          log("SSLOp#doRun(): underflow");
-          log("SSLOp#doRun(): src data at underflow: " + src);
           // need to wait for more data to come in before we retry
           retryOp = false;
           break;
@@ -245,25 +246,18 @@ public class MiniSSL extends RubyObject {
         return getRuntime().getNil();
       }
 
-      log("read(): inboundNetData prepped for read: " + inboundNetData);
-
       MiniSSLBuffer inboundAppData = new MiniSSLBuffer(engine.getSession().getApplicationBufferSize());
-      SSLEngineResult res = doOp(SSLOperation.UNWRAP, inboundNetData, inboundAppData);
-      log("read(): after initial unwrap", engine, res);
-
-      log("read(): Net Data post unwrap: " + inboundNetData);
+      doOp(SSLOperation.UNWRAP, inboundNetData, inboundAppData);
 
       HandshakeStatus handshakeStatus = engine.getHandshakeStatus();
       boolean done = false;
       while (!done) {
         switch (handshakeStatus) {
           case NEED_WRAP:
-            res = doOp(SSLOperation.WRAP, inboundAppData, outboundNetData);
-            log("read(): after handshake wrap", engine, res);
+            doOp(SSLOperation.WRAP, inboundAppData, outboundNetData);
             break;
           case NEED_UNWRAP:
-            res = doOp(SSLOperation.UNWRAP, inboundNetData, inboundAppData);
-            log("read(): after handshake unwrap", engine, res);
+            SSLEngineResult res = doOp(SSLOperation.UNWRAP, inboundNetData, inboundAppData);
             if (res.getStatus() == Status.BUFFER_UNDERFLOW) {
               // need more data before we can shake more hands
               done = true;
@@ -276,13 +270,9 @@ public class MiniSSL extends RubyObject {
       }
 
       if (inboundNetData.hasRemaining()) {
-        log("Net Data post pre-compact: " + inboundNetData);
         inboundNetData.compact();
-        log("Net Data post post-compact: " + inboundNetData);
       } else {
-        log("Net Data post pre-reset: " + inboundNetData);
         inboundNetData.clear();
-        log("Net Data post post-reset: " + inboundNetData);
       }
 
       ByteList appDataByteList = inboundAppData.asByteList();
@@ -292,54 +282,15 @@ public class MiniSSL extends RubyObject {
 
       RubyString str = getRuntime().newString("");
       str.setValue(appDataByteList);
-
-      logPlain("\n");
-      log("read(): begin dump of request data >>>>\n");
-      if (str.asJavaString().getBytes().length < 1000) {
-        logPlain(str.asJavaString() + "\n");
-      }
-      logPlain("Num bytes: " + str.asJavaString().getBytes().length + "\n");
-      log("read(): end dump of request data   <<<<\n");
       return str;
     } catch (Exception e) {
-      if (DEBUG) {
-        e.printStackTrace();
-      }
       throw getRuntime().newEOFError(e.getMessage());
     }
   }
 
-  private static void log(String str, SSLEngine engine, SSLEngineResult result) {
-    if (DEBUG) {
-      log(str + " " + result.getStatus() + "/" + engine.getHandshakeStatus() +
-          "---bytes consumed: " + result.bytesConsumed() +
-          ", bytes produced: " + result.bytesProduced());
-    }
-  }
-
-  private static void log(String str) {
-    if (DEBUG) {
-      System.out.println("MiniSSL.java: " + str);
-    }
-  }
-
-  private static void logPlain(String str) {
-    if (DEBUG) {
-      System.out.println(str);
-    }
-  }
-
   @JRubyMethod
   public IRubyObject write(IRubyObject arg) {
     try {
-      log("write(): begin dump of response data >>>>\n");
-      logPlain("\n");
-      if (arg.asJavaString().getBytes().length < 1000) {
-        logPlain(arg.asJavaString() + "\n");
-      }
-      logPlain("Num bytes: " + arg.asJavaString().getBytes().length + "\n");
-      log("write(): end dump of response data   <<<<\n");
-
       byte[] bls = arg.convertToString().getBytes();
       outboundAppData = new MiniSSLBuffer(bls);
 
@@ -365,9 +316,7 @@ public class MiniSSL extends RubyObject {
       }
 
       outboundNetData.clear();
-      SSLEngineResult res = doOp(SSLOperation.WRAP, outboundAppData, outboundNetData);
-      log("extract(): bytes consumed: " + res.bytesConsumed() + "\n");
-      log("extract(): bytes produced: " + res.bytesProduced() + "\n");
+      doOp(SSLOperation.WRAP, outboundAppData, outboundNetData);
       dataByteList = outboundNetData.asByteList();
       if (dataByteList == null) {
         return getRuntime().getNil();
@@ -376,8 +325,6 @@ public class MiniSSL extends RubyObject {
       RubyString str = getRuntime().newString("");
       str.setValue(dataByteList);
 
-      log("extract(): " + dataByteList.getRealSize() + " encrypted bytes for response");
-
       return str;
     } catch (Exception e) {
       e.printStackTrace();

data/ext/puma_http11/puma_http11.c

@@ -176,14 +176,12 @@ static VALUE find_common_field_value(const char *field, size_t flen)
 void http_field(puma_parser* hp, const char *field, size_t flen,
                                  const char *value, size_t vlen)
 {
-  VALUE v = Qnil;
   VALUE f = Qnil;
+  VALUE v;
 
   VALIDATE_MAX_LENGTH(flen, FIELD_NAME);
   VALIDATE_MAX_LENGTH(vlen, FIELD_VALUE);
 
-  v = rb_str_new(value, vlen);
-
   f = find_common_field_value(field, flen);
 
   if (f == Qnil) {
@@ -201,7 +199,17 @@ void http_field(puma_parser* hp, const char *field, size_t flen,
     f = rb_str_new(hp->buf, new_size);
   }
 
-  rb_hash_aset(hp->request, f, v);
+  /* check for duplicate header */
+  v = rb_hash_aref(hp->request, f);
+
+  if (v == Qnil) {
+      v = rb_str_new(value, vlen);
+      rb_hash_aset(hp->request, f, v);
+  } else {
+      /* if duplicate header, normalize to comma-separated values */
+      rb_str_cat2(v, ", ");
+      rb_str_cat(v, value, vlen);
+  }
 }
 
 void request_method(puma_parser* hp, const char *at, size_t length)