puma 3.0.0.rc1 → 5.0.0.beta1

data/ext/puma_http11/org/jruby/puma/MiniSSL.java

@@ -6,6 +6,7 @@ import org.jruby.RubyModule;
 import org.jruby.RubyObject;
 import org.jruby.RubyString;
 import org.jruby.anno.JRubyMethod;
+import org.jruby.javasupport.JavaEmbedUtils;
 import org.jruby.runtime.Block;
 import org.jruby.runtime.ObjectAllocator;
 import org.jruby.runtime.ThreadContext;
@@ -18,15 +19,18 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.nio.Buffer;
 import java.nio.ByteBuffer;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 
 import static javax.net.ssl.SSLEngineResult.Status;
@@ -62,7 +66,7 @@ public class MiniSSL extends RubyObject {
 
     public void clear() { buffer.clear(); }
     public void compact() { buffer.compact(); }
-    public void flip() { buffer.flip(); }
+    public void flip() { ((Buffer) buffer).flip(); }
     public boolean hasRemaining() { return buffer.hasRemaining(); }
     public int position() { return buffer.position(); }
 
@@ -86,7 +90,7 @@ public class MiniSSL extends RubyObject {
     public void resize(int newCapacity) {
       if (newCapacity > buffer.capacity()) {
         ByteBuffer dstTmp = ByteBuffer.allocate(newCapacity);
-        buffer.flip();
+        flip();
         dstTmp.put(buffer);
         buffer = dstTmp;
       } else {
@@ -98,7 +102,7 @@ public class MiniSSL extends RubyObject {
      * Drains the buffer to a ByteList, or returns null for an empty buffer
      */
     public ByteList asByteList() {
-      buffer.flip();
+      flip();
       if (!buffer.hasRemaining()) {
         buffer.clear();
         return null;
@@ -155,7 +159,17 @@ public class MiniSSL extends RubyObject {
     sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
     engine = sslCtx.createSSLEngine();
 
-    String[] protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+    String[] protocols;
+    if(miniSSLContext.callMethod(threadContext, "no_tlsv1").isTrue()) {
+        protocols = new String[] { "TLSv1.1", "TLSv1.2" };
+    } else {
+        protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+    }
+
+    if(miniSSLContext.callMethod(threadContext, "no_tlsv1_1").isTrue()) {
+        protocols = new String[] { "TLSv1.2" };
+    }
+
     engine.setEnabledProtocols(protocols);
     engine.setUseClientMode(false);
 
@@ -167,6 +181,12 @@ public class MiniSSL extends RubyObject {
         engine.setNeedClientAuth(true);
     }
 
+    IRubyObject sslCipherListObject = miniSSLContext.callMethod(threadContext, "ssl_cipher_list");
+    if (!sslCipherListObject.isNil()) {
+      String[] sslCipherList = sslCipherListObject.convertToString().asJavaString().split(",");
+      engine.setEnabledCipherSuites(sslCipherList);
+    }
+
     SSLSession session = engine.getSession();
     inboundNetData = new MiniSSLBuffer(session.getPacketBufferSize());
     outboundAppData = new MiniSSLBuffer(session.getApplicationBufferSize());
@@ -333,7 +353,11 @@ public class MiniSSL extends RubyObject {
   }
 
   @JRubyMethod
-  public IRubyObject peercert() {
-    return getRuntime().getNil();
+  public IRubyObject peercert() throws CertificateEncodingException {
+    try {
+      return JavaEmbedUtils.javaToRuby(getRuntime(), engine.getSession().getPeerCertificates()[0].getEncoded());
+    } catch (SSLPeerUnverifiedException ex) {
+      return getRuntime().getNil();
+    }
   }
 }

data/ext/puma_http11/puma_http11.c

@@ -1,6 +1,7 @@
 /**
  * Copyright (c) 2005 Zed A. Shaw
  * You can redistribute it and/or modify it under the same terms as Ruby.
+ * License 3-clause BSD
  */
 
 #define RSTRING_NOT_MODIFIED 1
@@ -9,6 +10,7 @@
 #include "ext_help.h"
 #include <assert.h>
 #include <string.h>
+#include <ctype.h>
 #include "http11_parser.h"
 
 #ifndef MANAGED_STRINGS
@@ -52,7 +54,7 @@ DEF_MAX_LENGTH(FIELD_NAME, 256);
 DEF_MAX_LENGTH(FIELD_VALUE, 80 * 1024);
 DEF_MAX_LENGTH(REQUEST_URI, 1024 * 12);
 DEF_MAX_LENGTH(FRAGMENT, 1024); /* Don't know if this length is specified somewhere or not */
-DEF_MAX_LENGTH(REQUEST_PATH, 2048);
+DEF_MAX_LENGTH(REQUEST_PATH, 8196);
 DEF_MAX_LENGTH(QUERY_STRING, (1024 * 10));
 DEF_MAX_LENGTH(HEADER, (1024 * (80 + 32)));
 
@@ -110,21 +112,6 @@ static struct common_field common_http_fields[] = {
 # undef f
 };
 
-/*
- * qsort(3) and bsearch(3) improve average performance slightly, but may
- * not be worth it for lack of portability to certain platforms...
- */
-#if defined(HAVE_QSORT_BSEARCH)
-/* sort by length, then by name if there's a tie */
-static int common_field_cmp(const void *a, const void *b)
-{
-  struct common_field *cfa = (struct common_field *)a;
-  struct common_field *cfb = (struct common_field *)b;
-  signed long diff = cfa->len - cfb->len;
-  return diff ? diff : memcmp(cfa->name, cfb->name, cfa->len);
-}
-#endif /* HAVE_QSORT_BSEARCH */
-
 static void init_common_fields(void)
 {
   unsigned i;
@@ -141,28 +128,10 @@ static void init_common_fields(void)
     }
     rb_global_variable(&cf->value);
   }
-
-#if defined(HAVE_QSORT_BSEARCH)
-  qsort(common_http_fields,
-        ARRAY_SIZE(common_http_fields),
-        sizeof(struct common_field),
-        common_field_cmp);
-#endif /* HAVE_QSORT_BSEARCH */
 }
 
 static VALUE find_common_field_value(const char *field, size_t flen)
 {
-#if defined(HAVE_QSORT_BSEARCH)
-  struct common_field key;
-  struct common_field *found;
-  key.name = field;
-  key.len = (signed long)flen;
-  found = (struct common_field *)bsearch(&key, common_http_fields,
-                                         ARRAY_SIZE(common_http_fields),
-                                         sizeof(struct common_field),
-                                         common_field_cmp);
-  return found ? found->value : Qnil;
-#else /* !HAVE_QSORT_BSEARCH */
   unsigned i;
   struct common_field *cf = common_http_fields;
   for(i = 0; i < ARRAY_SIZE(common_http_fields); i++, cf++) {
@@ -170,7 +139,6 @@ static VALUE find_common_field_value(const char *field, size_t flen)
       return cf->value;
   }
   return Qnil;
-#endif /* !HAVE_QSORT_BSEARCH */
 }
 
 void http_field(puma_parser* hp, const char *field, size_t flen,
@@ -199,6 +167,8 @@ void http_field(puma_parser* hp, const char *field, size_t flen,
     f = rb_str_new(hp->buf, new_size);
   }
 
+  while (vlen > 0 && isspace(value[vlen - 1])) vlen--;
+
   /* check for duplicate header */
   v = rb_hash_aref(hp->request, f);
 
@@ -397,7 +367,7 @@ VALUE HttpParser_execute(VALUE self, VALUE req_hash, VALUE data, VALUE start)
     VALIDATE_MAX_LENGTH(puma_parser_nread(http), HEADER);
 
     if(puma_parser_has_error(http)) {
-      rb_raise(eHttpParserError, "%s", "Invalid HTTP format, parsing fails.");
+      rb_raise(eHttpParserError, "%s", "Invalid HTTP format, parsing fails. Are you trying to open an SSL connection to a non-SSL Puma?");
     } else {
       return INT2FIX(puma_parser_nread(http));
     }
@@ -464,7 +434,6 @@ VALUE HttpParser_body(VALUE self) {
   return http->body;
 }
 
-void Init_io_buffer(VALUE puma);
 void Init_mini_ssl(VALUE mod);
 
 void Init_puma_http11()
@@ -494,6 +463,5 @@ void Init_puma_http11()
   rb_define_method(cHttpParser, "body", HttpParser_body, 0);
   init_common_fields();
 
-  Init_io_buffer(mPuma);
   Init_mini_ssl(mPuma);
 }

data/lib/puma.rb

@@ -1,7 +1,8 @@
+# frozen_string_literal: true
+
 # Standard libraries
 require 'socket'
 require 'tempfile'
-require 'yaml'
 require 'time'
 require 'etc'
 require 'uri'
@@ -9,7 +10,26 @@ require 'stringio'
 
 require 'thread'
 
-# Ruby Puma
-require 'puma/const'
-require 'puma/server'
-require 'puma/launcher'
+module Puma
+  autoload :Const, 'puma/const'
+  autoload :Server, 'puma/server'
+  autoload :Launcher, 'puma/launcher'
+
+  def self.stats_object=(val)
+    @get_stats = val
+  end
+
+  def self.stats
+    @get_stats.stats.to_json
+  end
+
+  def self.stats_hash
+    @get_stats.stats
+  end
+
+  # Thread name is new in Ruby 2.3
+  def self.set_thread_name(name)
+    return unless Thread.current.respond_to?(:name=)
+    Thread.current.name = "puma #{name}"
+  end
+end

data/lib/puma/accept_nonblock.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'openssl'
 
 module OpenSSL
@@ -13,7 +15,11 @@ module OpenSSL
             ssl.accept if @start_immediately
             ssl
           rescue SSLError => ex
-            sock.close
+            if ssl
+              ssl.close
+            else
+              sock.close
+            end
             raise ex
           end
         end

data/lib/puma/app/status.rb

@@ -1,26 +1,17 @@
+# frozen_string_literal: true
+
+require 'json'
+
 module Puma
   module App
+    # Check out {#call}'s source code to see what actions this web application
+    # can respond to.
     class Status
-      def initialize(cli)
-        @cli = cli
-        @auth_token = nil
-      end
       OK_STATUS = '{ "status": "ok" }'.freeze
 
-      attr_accessor :auth_token
-
-      def authenticate(env)
-        return true unless @auth_token
-        env['QUERY_STRING'].to_s.split(/&;/).include?("token=#{@auth_token}")
-      end
-
-      def rack_response(status, body, content_type='application/json')
-        headers = {
-          'Content-Type' => content_type,
-          'Content-Length' => body.bytesize.to_s
-        }
-
-        [status, headers, [body]]
+      def initialize(cli, token = nil)
+        @cli = cli
+        @auth_token = token
       end
 
       def call(env)
@@ -31,36 +22,72 @@ module Puma
         case env['PATH_INFO']
         when /\/stop$/
           @cli.stop
-          return rack_response(200, OK_STATUS)
+          rack_response(200, OK_STATUS)
 
         when /\/halt$/
           @cli.halt
-          return rack_response(200, OK_STATUS)
+          rack_response(200, OK_STATUS)
 
         when /\/restart$/
           @cli.restart
-          return rack_response(200, OK_STATUS)
+          rack_response(200, OK_STATUS)
 
         when /\/phased-restart$/
           if !@cli.phased_restart
-            return rack_response(404, '{ "error": "phased restart not available" }')
+            rack_response(404, '{ "error": "phased restart not available" }')
           else
-            return rack_response(200, OK_STATUS)
+            rack_response(200, OK_STATUS)
           end
 
         when /\/reload-worker-directory$/
           if !@cli.send(:reload_worker_directory)
-            return rack_response(404, '{ "error": "reload_worker_directory not available" }')
+            rack_response(404, '{ "error": "reload_worker_directory not available" }')
           else
-            return rack_response(200, OK_STATUS)
+            rack_response(200, OK_STATUS)
           end
 
+        when /\/gc$/
+          GC.start
+          rack_response(200, OK_STATUS)
+
+        when /\/gc-stats$/
+          rack_response(200, GC.stat.to_json)
+
         when /\/stats$/
-          return rack_response(200, @cli.stats)
+          rack_response(200, @cli.stats.to_json)
+
+        when /\/thread-backtraces$/
+          backtraces = []
+          @cli.thread_status do |name, backtrace|
+            backtraces << { name: name, backtrace: backtrace }
+          end
+
+          rack_response(200, backtraces.to_json)
+
+        when /\/refork$/
+          Process.kill "SIGURG", $$
+          rack_response(200, OK_STATUS)
+
         else
           rack_response 404, "Unsupported action", 'text/plain'
         end
       end
+
+      private
+
+      def authenticate(env)
+        return true unless @auth_token
+        env['QUERY_STRING'].to_s.split(/&;/).include?("token=#{@auth_token}")
+      end
+
+      def rack_response(status, body, content_type='application/json')
+        headers = {
+          'Content-Type' => content_type,
+          'Content-Length' => body.bytesize.to_s
+        }
+
+        [status, headers, [body]]
+      end
     end
   end
 end

data/lib/puma/binder.rb

@@ -1,16 +1,23 @@
-require 'puma/const'
+# frozen_string_literal: true
+
 require 'uri'
+require 'socket'
+
+require 'puma/const'
+require 'puma/util'
+require 'puma/minissl/context_builder'
 
 module Puma
   class Binder
     include Puma::Const
 
-    RACK_VERSION = [1,3].freeze
+    RACK_VERSION = [1,6].freeze
 
     def initialize(events)
       @events = events
       @listeners = []
       @inherited_fds = {}
+      @activated_sockets = {}
       @unix_paths = []
 
       @proto_env = {
@@ -22,13 +29,13 @@ module Puma
         "SCRIPT_NAME".freeze => ENV['SCRIPT_NAME'] || "",
 
         # I'd like to set a default CONTENT_TYPE here but some things
-        # depend on their not being a default set and infering
+        # depend on their not being a default set and inferring
         # it from the content. And so if i set it here, it won't
         # infer properly.
 
         "QUERY_STRING".freeze => "",
         SERVER_PROTOCOL => HTTP_11,
-        SERVER_SOFTWARE => PUMA_VERSION,
+        SERVER_SOFTWARE => PUMA_SERVER_STRING,
         GATEWAY_INTERFACE => CGI_VER
       }
 
@@ -36,7 +43,8 @@ module Puma
       @ios = []
     end
 
-    attr_reader :listeners, :ios
+    attr_reader :ios, :listeners, :unix_paths, :proto_env, :envs, :activated_sockets, :inherited_fds
+    attr_writer :ios, :listeners
 
     def env(sock)
       @envs.fetch(sock, @proto_env)
@@ -44,73 +52,85 @@ module Puma
 
     def close
       @ios.each { |i| i.close }
-      @unix_paths.each { |i| File.unlink i }
     end
 
-    def import_from_env
-      remove = []
+    def connected_ports
+      ios.map { |io| io.addr[1] }.uniq
+    end
 
-      ENV.each do |k,v|
-        if k =~ /PUMA_INHERIT_\d+/
-          fd, url = v.split(":", 2)
-          @inherited_fds[url] = fd.to_i
-          remove << k
-        end
-        if k =~ /LISTEN_FDS/ && ENV['LISTEN_PID'].to_i == $$
-          v.to_i.times do |num|
-            fd = num + 3
-            sock = TCPServer.for_fd(fd)
-            begin
-              url = "unix://" + Socket.unpack_sockaddr_un(sock.getsockname)
-            rescue ArgumentError
-              port, addr = Socket.unpack_sockaddr_in(sock.getsockname)
-              if addr =~ /\:/
-                addr = "[#{addr}]"
-              end
-              url = "tcp://#{addr}:#{port}"
-            end
-            @inherited_fds[url] = sock
-          end
-          ENV.delete k
-          ENV.delete 'LISTEN_PID'
-        end
-      end
+    def create_inherited_fds(env_hash)
+      env_hash.select {|k,v| k =~ /PUMA_INHERIT_\d+/}.each do |_k, v|
+        fd, url = v.split(":", 2)
+        @inherited_fds[url] = fd.to_i
+      end.keys # pass keys back for removal
+    end
 
-      remove.each do |k|
-        ENV.delete k
+    # systemd socket activation.
+    # LISTEN_FDS = number of listening sockets. e.g. 2 means accept on 2 sockets w/descriptors 3 and 4.
+    # LISTEN_PID = PID of the service process, aka us
+    # see https://www.freedesktop.org/software/systemd/man/systemd-socket-activate.html
+    def create_activated_fds(env_hash)
+      return [] unless env_hash['LISTEN_FDS'] && env_hash['LISTEN_PID'].to_i == $$
+      env_hash['LISTEN_FDS'].to_i.times do |index|
+        sock = TCPServer.for_fd(socket_activation_fd(index))
+        key = begin # Try to parse as a path
+          [:unix, Socket.unpack_sockaddr_un(sock.getsockname)]
+        rescue ArgumentError # Try to parse as a port/ip
+          port, addr = Socket.unpack_sockaddr_in(sock.getsockname)
+          addr = "[#{addr}]" if addr =~ /\:/
+          [:tcp, addr, port]
+        end
+        @activated_sockets[key] = sock
+        @events.debug "Registered #{key.join ':'} for activation from LISTEN_FDS"
       end
+      ["LISTEN_FDS", "LISTEN_PID"] # Signal to remove these keys from ENV
     end
 
-    def parse(binds, logger)
+    def parse(binds, logger, log_msg = 'Listening')
       binds.each do |str|
         uri = URI.parse str
         case uri.scheme
         when "tcp"
           if fd = @inherited_fds.delete(str)
-            logger.log "* Inherited #{str}"
             io = inherit_tcp_listener uri.host, uri.port, fd
+            logger.log "* Inherited #{str}"
+          elsif sock = @activated_sockets.delete([ :tcp, uri.host, uri.port ])
+            io = inherit_tcp_listener uri.host, uri.port, sock
+            logger.log "* Activated #{str}"
           else
             params = Util.parse_query uri.query
 
             opt = params.key?('low_latency')
             bak = params.fetch('backlog', 1024).to_i
 
-            logger.log "* Listening on #{str}"
             io = add_tcp_listener uri.host, uri.port, opt, bak
+
+            @ios.each do |i|
+              next unless TCPServer === i
+              addr = if i.local_address.ipv6?
+                "[#{i.local_address.ip_unpack[0]}]:#{i.local_address.ip_unpack[1]}"
+              else
+                i.local_address.ip_unpack.join(':')
+              end
+
+              logger.log "* #{log_msg} on tcp://#{addr}"
+            end
           end
 
-          @listeners << [str, io]
+          @listeners << [str, io] if io
         when "unix"
           path = "#{uri.host}#{uri.path}".gsub("%20", " ")
 
           if fd = @inherited_fds.delete(str)
-            logger.log "* Inherited #{str}"
             io = inherit_unix_listener path, fd
+            logger.log "* Inherited #{str}"
+          elsif sock = @activated_sockets.delete([ :unix, path ])
+            io = inherit_unix_listener path, sock
+            logger.log "* Activated #{str}"
           else
-            logger.log "* Listening on #{str}"
-
             umask = nil
             mode = nil
+            backlog = 1024
 
             if uri.query
               params = Util.parse_query uri.query
@@ -122,77 +142,33 @@ module Puma
               if u = params['mode']
                 mode = Integer('0'+u)
               end
+
+              if u = params['backlog']
+                backlog = Integer(u)
+              end
             end
 
-            io = add_unix_listener path, umask, mode
+            io = add_unix_listener path, umask, mode, backlog
+            logger.log "* #{log_msg} on #{str}"
           end
 
           @listeners << [str, io]
         when "ssl"
-          MiniSSL.check
-
           params = Util.parse_query uri.query
-          require 'puma/minissl'
-
-          ctx = MiniSSL::Context.new
-
-          if defined?(JRUBY_VERSION)
-            unless params['keystore']
-              @events.error "Please specify the Java keystore via 'keystore='"
-            end
-
-            ctx.keystore = params['keystore']
-
-            unless params['keystore-pass']
-              @events.error "Please specify the Java keystore password  via 'keystore-pass='"
-            end
-
-            ctx.keystore_pass = params['keystore-pass']
-          else
-            unless params['key']
-              @events.error "Please specify the SSL key via 'key='"
-            end
-
-            ctx.key = params['key']
-
-            unless params['cert']
-              @events.error "Please specify the SSL cert via 'cert='"
-            end
-
-            ctx.cert = params['cert']
-
-            if ['peer', 'force_peer'].include?(params['verify_mode'])
-              unless params['ca']
-                @events.error "Please specify the SSL ca via 'ca='"
-              end
-            end
-
-            ctx.ca = params['ca'] if params['ca']
-
-            if  params['verify_mode']
-              ctx.verify_mode = case params['verify_mode']
-                                when "peer"
-                                  MiniSSL::VERIFY_PEER
-                                when "force_peer"
-                                  MiniSSL::VERIFY_PEER | MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT
-                                when "none"
-                                  MiniSSL::VERIFY_NONE
-                                else
-                                  @events.error "Please specify a valid verify_mode="
-                                  MiniSSL::VERIFY_NONE
-                                end
-            end
-          end
+          ctx = MiniSSL::ContextBuilder.new(params, @events).context
 
           if fd = @inherited_fds.delete(str)
             logger.log "* Inherited #{str}"
-            io = inherited_ssl_listener fd, ctx
+            io = inherit_ssl_listener fd, ctx
+          elsif sock = @activated_sockets.delete([ :tcp, uri.host, uri.port ])
+            io = inherit_ssl_listener sock, ctx
+            logger.log "* Activated #{str}"
           else
-            logger.log "* Listening on #{str}"
             io = add_ssl_listener uri.host, uri.port, ctx
+            logger.log "* Listening on #{str}"
           end
 
-          @listeners << [str, io]
+          @listeners << [str, io] if io
         else
           logger.error "Invalid URI: #{str}"
         end
@@ -204,12 +180,7 @@ module Puma
         logger.log "* Closing unused inherited connection: #{str}"
 
         begin
-          if fd.kind_of? TCPServer
-            fd.close
-          else
-            IO.for_fd(fd).close
-          end
-
+          IO.for_fd(fd).close
         rescue SystemCallError
         end
 
@@ -221,6 +192,16 @@ module Puma
         end
       end
 
+      # Also close any unused activated sockets
+      @activated_sockets.each do |key, sock|
+        logger.log "* Closing unused activated socket: #{key.join ':'}"
+        begin
+          sock.close
+        rescue SystemCallError
+        end
+        # We have to unlink a unix socket path that's not being used
+        File.unlink key[1] if key[0] == :unix
+      end
     end
 
     # Tell the server to listen on host +host+, port +port+.
@@ -231,21 +212,25 @@ module Puma
     # allow to accumulate before returning connection refused.
     #
     def add_tcp_listener(host, port, optimize_for_latency=true, backlog=1024)
+      if host == "localhost"
+        loopback_addresses.each do |addr|
+          add_tcp_listener addr, port, optimize_for_latency, backlog
+        end
+        return
+      end
+
       host = host[1..-2] if host and host[0..0] == '['
-      s = TCPServer.new(host, port)
+      tcp_server = TCPServer.new(host, port)
       if optimize_for_latency
-        s.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+        tcp_server.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
       end
-      s.setsockopt(Socket::SOL_SOCKET,Socket::SO_REUSEADDR, true)
-      s.listen backlog
-      @connected_port = s.addr[1]
+      tcp_server.setsockopt(Socket::SOL_SOCKET,Socket::SO_REUSEADDR, true)
+      tcp_server.listen backlog
 
-      @ios << s
-      s
+      @ios << tcp_server
+      tcp_server
     end
 
-    attr_reader :connected_port
-
     def inherit_tcp_listener(host, port, fd)
       if fd.kind_of? TCPServer
         s = fd
@@ -263,6 +248,13 @@ module Puma
 
       MiniSSL.check
 
+      if host == "localhost"
+        loopback_addresses.each do |addr|
+          add_ssl_listener addr, port, ctx, optimize_for_latency, backlog
+        end
+        return
+      end
+
       host = host[1..-2] if host[0..0] == '['
       s = TCPServer.new(host, port)
       if optimize_for_latency
@@ -271,6 +263,7 @@ module Puma
       s.setsockopt(Socket::SOL_SOCKET,Socket::SO_REUSEADDR, true)
       s.listen backlog
 
+
       ssl = MiniSSL::Server.new s, ctx
       env = @proto_env.dup
       env[HTTPS_KEY] = HTTPS
@@ -280,11 +273,15 @@ module Puma
       s
     end
 
-    def inherited_ssl_listener(fd, ctx)
+    def inherit_ssl_listener(fd, ctx)
       require 'puma/minissl'
       MiniSSL.check
 
-      s = TCPServer.for_fd(fd)
+      if fd.kind_of? TCPServer
+        s = fd
+      else
+        s = TCPServer.for_fd(fd)
+      end
       ssl = MiniSSL::Server.new(s, ctx)
 
       env = @proto_env.dup
@@ -298,8 +295,8 @@ module Puma
 
     # Tell the server to listen on +path+ as a UNIX domain socket.
     #
-    def add_unix_listener(path, umask=nil, mode=nil)
-      @unix_paths << path
+    def add_unix_listener(path, umask=nil, mode=nil, backlog=1024)
+      @unix_paths << path unless File.exist? path
 
       # Let anyone connect by default
       umask ||= 0
@@ -319,6 +316,7 @@ module Puma
         end
 
         s = UNIXServer.new(path)
+        s.listen backlog
         @ios << s
       ensure
         File.umask old_mask
@@ -336,7 +334,7 @@ module Puma
     end
 
     def inherit_unix_listener(path, fd)
-      @unix_paths << path
+      @unix_paths << path unless File.exist? path
 
       if fd.kind_of? TCPServer
         s = fd
@@ -352,5 +350,38 @@ module Puma
       s
     end
 
+    def close_listeners
+      listeners.each do |l, io|
+        io.close unless io.closed? # Ruby 2.2 issue
+        uri = URI.parse(l)
+        next unless uri.scheme == 'unix'
+        unix_path = "#{uri.host}#{uri.path}"
+        File.unlink unix_path if unix_paths.include? unix_path
+      end
+    end
+
+    def redirects_for_restart
+      redirects = listeners.map { |a| [a[1].to_i, a[1].to_i] }.to_h
+      redirects[:close_others] = true
+      redirects
+    end
+
+    def redirects_for_restart_env
+      listeners.each_with_object({}).with_index do |(listen, memo), i|
+        memo["PUMA_INHERIT_#{i}"] = "#{listen[1].to_i}:#{listen[0]}"
+      end
+    end
+
+    private
+
+    def loopback_addresses
+      Socket.ip_address_list.select do |addrinfo|
+        addrinfo.ipv6_loopback? || addrinfo.ipv4_loopback?
+      end.map { |addrinfo| addrinfo.ip_address }.uniq
+    end
+
+    def socket_activation_fd(int)
+      int + 3 # 3 is the magic number you add to follow the SA protocol
+    end
   end
 end