puma 5.5.2 → 5.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f0ef12e973901d1ef05ea411057d82c5dc3e3c6fbe471402abfea5cb9e9a5da
-  data.tar.gz: 32b6b9e7a34748bd8facf5d6bb2bb8fc0b3aedda83823b4db826d9b16fdf9290
+  metadata.gz: b26655d47e2cc0987b78174ca6f6f7f9e16cfc584d1925cee08b2c4fd8d8a63e
+  data.tar.gz: 48aaec83462461d40fba5791679f8a81a677ea11731337d05213f358e1e1df01
 SHA512:
-  metadata.gz: a7792db683a263be5a0bd226578f98d55bcfb9ecab6fcdd1fc09da8b903f7960f149711b5174660ff6ebfa5402e2eb0e0d75ff1b5ce1110dfbec85e0532ed078
-  data.tar.gz: 344ad1f7eae75c085e42e24583a77a2444e8a92386fa8ac66ad7ea8d35ae3a72d7db0c01da60a2d20bc04330608b260685eb934603c9440df7208f809a6994f1
+  metadata.gz: e09ac76431f64ef08f5be4da5d2792e6ff7a152235534cc3c9a9798bf2bb34041fc98d6050b489598b1a9625bb9af13af355e3d4c9689cc055ab2790adbbcc8e
+  data.tar.gz: a2609c1568543ce1b41f51eff668e59ccacc79582c447fed74aeb334403e8f9212bb19f676ee2cd949f5209d240ab735495a5d364e549c4ab24676f1941801d5

data/History.md

@@ -1,3 +1,26 @@
+## 5.6.0 / 2022-01-25
+
+* Features
+  * Support `localhost` integration in `ssl_bind` ([#2764], [#2708])
+  * Allow backlog parameter to be set with ssl_bind DSL ([#2780])
+  * Remove yaml (psych) requirement in StateFile ([#2784])
+  * Allow culling of oldest workers, previously was only youngest ([#2773], [#2794])
+  * Add worker_check_interval configuration option ([#2759])
+  * Always send lowlevel_error response to client ([#2731], [#2341])
+  * Support for cert_pem and key_pem with ssl_bind DSL ([#2728])
+
+* Bugfixes
+  * Keep thread names under 15 characters, prevents breakage on some OSes ([#2733])
+  * Fix two 'old-style-definition' compile warning ([#2807], [#2806])
+  * Log environment correctly using option value ([#2799])
+  * Fix warning from Ruby master (will be 3.2.0) ([#2785])
+  * extconf.rb - fix openssl with old Windows builds ([#2757])
+  * server.rb - rescue handling (`Errno::EBADF`) for `@notify.close` ([#2745])
+
+* Refactor
+  * server.rb - refactor code using @options[:remote_address] ([#2742])
+  * [jruby] a couple refactorings - avoid copy-ing bytes ([#2730])
+
 ## 5.5.2 / 2021-10-12
 
 * Bugfixes
@@ -5,6 +28,9 @@
 
 ## 5.5.1 / 2021-10-12
 
+* Feature (added as mistake - we don't normally do this on bugfix releases, sorry!)
+  * Allow setting APP_ENV in preference to RACK_ENV or RAILS_ENV ([#2702])
+
 * Security
   * Do not allow LF as a line ending in a header (CVE-2021-41136)
 
@@ -261,6 +287,11 @@
   * Support parallel tests in verbose progress reporting ([#2223])
   * Refactor error handling in server accept loop ([#2239])
 
+## 4.3.10 / 2021-10-12
+
+* Bugfixes
+  * Allow UTF-8 in HTTP header values
+
 ## 4.3.9 / 2021-10-12
 
 * Security
@@ -1799,6 +1830,26 @@ be added back in a future date when a java Puma::MiniSSL is added.
 * Bugfixes
   * Your bugfix goes here <Most recent on the top, like GitHub> (#Github Number)
 
+[#2764]:https://github.com/puma/puma/pull/2764     "PR by @dentarg, merged 2022-01-18"
+[#2708]:https://github.com/puma/puma/issues/2708   "Issue by @erikaxel, closed 2022-01-18"
+[#2780]:https://github.com/puma/puma/pull/2780     "PR by @dalibor, merged 2022-01-01"
+[#2784]:https://github.com/puma/puma/pull/2784     "PR by @MSP-Greg, merged 2022-01-01"
+[#2773]:https://github.com/puma/puma/pull/2773     "PR by @ob-stripe, merged 2022-01-01"
+[#2794]:https://github.com/puma/puma/pull/2794     "PR by @johnnyshields, merged 2022-01-10"
+[#2759]:https://github.com/puma/puma/pull/2759     "PR by @ob-stripe, merged 2021-12-11"
+[#2731]:https://github.com/puma/puma/pull/2731     "PR by @baelter, merged 2021-11-02"
+[#2341]:https://github.com/puma/puma/issues/2341   "Issue by @cjlarose, closed 2021-11-02"
+[#2728]:https://github.com/puma/puma/pull/2728     "PR by @dalibor, merged 2021-10-31"
+[#2733]:https://github.com/puma/puma/pull/2733     "PR by @ob-stripe, merged 2021-12-12"
+[#2807]:https://github.com/puma/puma/pull/2807     "PR by @MSP-Greg, merged 2022-01-25"
+[#2806]:https://github.com/puma/puma/issues/2806   "Issue by @olleolleolle, closed 2022-01-25"
+[#2799]:https://github.com/puma/puma/pull/2799     "PR by @ags, merged 2022-01-22"
+[#2785]:https://github.com/puma/puma/pull/2785     "PR by @MSP-Greg, merged 2022-01-02"
+[#2757]:https://github.com/puma/puma/pull/2757     "PR by @MSP-Greg, merged 2021-11-24"
+[#2745]:https://github.com/puma/puma/pull/2745     "PR by @MSP-Greg, merged 2021-11-03"
+[#2742]:https://github.com/puma/puma/pull/2742     "PR by @MSP-Greg, merged 2021-12-12"
+[#2730]:https://github.com/puma/puma/pull/2730     "PR by @kares, merged 2021-11-01"
+[#2702]:https://github.com/puma/puma/pull/2702     "PR by @jacobherrington, merged 2021-09-21"
 [#2610]:https://github.com/puma/puma/pull/2610     "PR by @ye-lin-aung, merged 2021-08-18"
 [#2257]:https://github.com/puma/puma/issues/2257   "Issue by @nateberkopec, closed 2021-08-18"
 [#2654]:https://github.com/puma/puma/pull/2654     "PR by @Roguelazer, merged 2021-09-07"

data/README.md

@@ -137,6 +137,11 @@ This code can be used to setup the process before booting the application, allow
 you to do some Puma-specific things that you don't want to embed in your application.
 For instance, you could fire a log notification that a worker booted or send something to statsd. This can be called multiple times.
 
+Constants loaded by your application (such as `Rails`) will not be available in `on_worker_boot`.
+However, these constants _will_ be available if `preload_app!` is enabled, either explicitly in your `puma` config or automatically if
+using 2 or more workers in cluster mode.
+If `preload_app!` is not enabled and 1 worker is used, then `on_worker_boot` will fire, but your app will not be preloaded and constants will not be available.
+
 `before_fork` specifies a block to be run before workers are forked:
 
 ```ruby

data/docs/architecture.md

@@ -31,10 +31,10 @@ _workers_, and we sometimes call the threads created by Puma's
 ![https://bit.ly/2zwzhEK](images/puma-connection-flow.png)
 
 * Upon startup, Puma listens on a TCP or UNIX socket.
-  * The backlog of this socket is configured (with a default of 1024). The
-    backlog determines the size of the queue for unaccepted connections.
-    Generally, you'll never hit the backlog cap in production. If the backlog is
-    full, the operating system refuses new connections.
+  * The backlog of this socket is configured with a default of 1024, but the
+    actual backlog value is capped by the `net.core.somaxconn` sysctl value.
+    The backlog determines the size of the queue for unaccepted connections. If
+    the backlog is full, the operating system is not accepting new connections.
   * This socket backlog is distinct from the `backlog` of work as reported by
     `Puma.stats` or the control server. The backlog that `Puma.stats` refers to
     represents the number of connections in the process' `todo` set waiting for

data/docs/signals.md

@@ -42,6 +42,7 @@ Puma cluster responds to these signals:
 - `INT ` equivalent of sending Ctrl-C to cluster. Puma will attempt to finish then exit.
 - `CHLD`
 - `URG ` refork workers in phases from worker 0 if `fork_workers` option is enabled.
+- `INFO` print backtraces of all puma threads
 
 ## Callbacks order in case of different signals
 

data/ext/puma_http11/extconf.rb

@@ -11,7 +11,7 @@ end
 unless ENV["DISABLE_SSL"]
   dir_config("openssl")
 
-  found_ssl = if pkg_config 'openssl'
+  found_ssl = if (!$mingw || RUBY_VERSION >= '2.4') && (t = pkg_config 'openssl')
     puts 'using OpenSSL pkgconfig (openssl.pc)'
     true
   elsif %w'crypto libeay32'.find {|crypto| have_library(crypto, 'BIO_read')} &&
@@ -33,11 +33,14 @@ unless ENV["DISABLE_SSL"]
     have_func  "SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h"
 
     have_func  "X509_STORE_up_ref"
-    have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
+    have_func "SSL_CTX_set_ecdh_auto(NULL, 0)"         , "openssl/ssl.h"
+
+    # below are yes for 3.0.0 & later, use for OpenSSL 3 detection
+    have_func "SSL_get1_peer_certificate"              , "openssl/ssl.h"
 
     # Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated in 3.0
     if Random.respond_to?(:bytes)
-      $defs.push("-DHAVE_RANDOM_BYTES")
+      $defs.push "-DHAVE_RANDOM_BYTES"
       puts "checking for Random.bytes... yes"
     else
       puts "checking for Random.bytes... no"
@@ -48,11 +51,14 @@ end
 if ENV["MAKE_WARNINGS_INTO_ERRORS"]
   # Make all warnings into errors
   # Except `implicit-fallthrough` since most failures comes from ragel state machine generated code
-  if respond_to? :append_cflags
-    append_cflags config_string 'WERRORFLAG'
+  if respond_to?(:append_cflags, true) # Ruby 2.5 and later
+    append_cflags(config_string('WERRORFLAG') || '-Werror')
     append_cflags '-Wno-implicit-fallthrough'
   else
-    $CFLAGS += ' ' << (config_string 'WERRORFLAG') << ' -Wno-implicit-fallthrough'
+    # flag may not exist on some platforms, -Werror may not be defined on some platforms, but
+    # works with all in current CI
+    $CFLAGS << " #{config_string('WERRORFLAG') || '-Werror'}"
+    $CFLAGS << ' -Wno-implicit-fallthrough'
   end
 end
 

data/ext/puma_http11/mini_ssl.c

@@ -49,7 +49,8 @@ const rb_data_type_t engine_data_type = {
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
 };
 
-DH *get_dh2048() {
+#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
+DH *get_dh2048(void) {
   /* `openssl dhparam -C 2048`
    * -----BEGIN DH PARAMETERS-----
    * MIIBCAKCAQEAjmh1uQHdTfxOyxEbKAV30fUfzqMDF/ChPzjfyzl2jcrqQMhrk76o
@@ -119,6 +120,7 @@ DH *get_dh2048() {
 
   return dh;
 }
+#endif
 
 static void
 sslctx_free(void *ptr) {
@@ -208,8 +210,13 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
 #endif
   int ssl_options;
   VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
-    verification_flags, session_id_bytes;
+    verification_flags, session_id_bytes, cert_pem, key_pem;
+#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
   DH *dh;
+#endif
+  BIO *bio;
+  X509 *x509;
+  EVP_PKEY *pkey;
 
 #if OPENSSL_VERSION_NUMBER < 0x10002000L
   EC_KEY *ecdh;
@@ -218,13 +225,15 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
   TypedData_Get_Struct(self, SSL_CTX, &sslctx_type, ctx);
 
   key = rb_funcall(mini_ssl_ctx, rb_intern_const("key"), 0);
-  StringValue(key);
 
   cert = rb_funcall(mini_ssl_ctx, rb_intern_const("cert"), 0);
-  StringValue(cert);
 
   ca = rb_funcall(mini_ssl_ctx, rb_intern_const("ca"), 0);
 
+  cert_pem = rb_funcall(mini_ssl_ctx, rb_intern_const("cert_pem"), 0);
+
+  key_pem = rb_funcall(mini_ssl_ctx, rb_intern_const("key_pem"), 0);
+
   verify_mode = rb_funcall(mini_ssl_ctx, rb_intern_const("verify_mode"), 0);
 
   ssl_cipher_filter = rb_funcall(mini_ssl_ctx, rb_intern_const("ssl_cipher_filter"), 0);
@@ -233,8 +242,31 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
 
   no_tlsv1_1 = rb_funcall(mini_ssl_ctx, rb_intern_const("no_tlsv1_1"), 0);
 
-  SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
-  SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
+  if (!NIL_P(cert)) {
+    StringValue(cert);
+    SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert));
+  }
+
+  if (!NIL_P(key)) {
+    StringValue(key);
+    SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
+  }
+
+  if (!NIL_P(cert_pem)) {
+    bio = BIO_new(BIO_s_mem());
+    BIO_puts(bio, RSTRING_PTR(cert_pem));
+    x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+
+    SSL_CTX_use_certificate(ctx, x509);
+  }
+
+  if (!NIL_P(key_pem)) {
+    bio = BIO_new(BIO_s_mem());
+    BIO_puts(bio, RSTRING_PTR(key_pem));
+    pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+
+    SSL_CTX_use_PrivateKey(ctx, pkey);
+  }
 
   verification_flags = rb_funcall(mini_ssl_ctx, rb_intern_const("verification_flags"), 0);
 
@@ -289,9 +321,6 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
     SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
   }
 
-  dh = get_dh2048();
-  SSL_CTX_set_tmp_dh(ctx, dh);
-
 #if OPENSSL_VERSION_NUMBER < 0x10002000L
   // Remove this case if OpenSSL 1.0.1 (now EOL) support is no
   // longer needed.
@@ -325,6 +354,15 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
                                  SSL_MAX_SSL_SESSION_ID_LENGTH);
 
   // printf("\ninitialize end security_level %d\n", SSL_CTX_get_security_level(ctx));
+
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+  // https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_dh_auto.html
+  SSL_CTX_set_dh_auto(ctx, 1);
+#else
+  dh = get_dh2048();
+  SSL_CTX_set_tmp_dh(ctx, dh);
+#endif
+
   rb_obj_freeze(self);
   return self;
 }
@@ -523,7 +561,11 @@ VALUE engine_peercert(VALUE self) {
 
   TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
 
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+  cert = SSL_get1_peer_certificate(conn->ssl);
+#else
   cert = SSL_get_peer_certificate(conn->ssl);
+#endif
   if(!cert) {
     /*
      * See if there was a failed certificate associated with this client.
@@ -580,7 +622,10 @@ void Init_mini_ssl(VALUE puma) {
   ERR_load_crypto_strings();
 
   mod = rb_define_module_under(puma, "MiniSSL");
+
   eng = rb_define_class_under(mod, "Engine", rb_cObject);
+  rb_undef_alloc_func(eng);
+
   sslctx = rb_define_class_under(mod, "SSLContext", rb_cObject);
   rb_define_alloc_func(sslctx, sslctx_alloc);
   rb_define_method(sslctx, "initialize", sslctx_initialize, 1);

data/ext/puma_http11/org/jruby/puma/MiniSSL.java

@@ -6,6 +6,7 @@ import org.jruby.RubyModule;
 import org.jruby.RubyObject;
 import org.jruby.RubyString;
 import org.jruby.anno.JRubyMethod;
+import org.jruby.exceptions.RaiseException;
 import org.jruby.javasupport.JavaEmbedUtils;
 import org.jruby.runtime.Block;
 import org.jruby.runtime.ObjectAllocator;
@@ -80,11 +81,11 @@ public class MiniSSL extends RubyObject {
     /**
      * Writes bytes to the buffer after ensuring there's room
      */
-    public void put(byte[] bytes) {
-      if (buffer.remaining() < bytes.length) {
-        resize(buffer.limit() + bytes.length);
+    private void put(byte[] bytes, final int offset, final int length) {
+      if (buffer.remaining() < length) {
+        resize(buffer.limit() + length);
       }
-      buffer.put(bytes);
+      buffer.put(bytes, offset, length);
     }
 
     /**
@@ -115,7 +116,7 @@ public class MiniSSL extends RubyObject {
 
       buffer.get(bss);
       buffer.clear();
-      return new ByteList(bss);
+      return new ByteList(bss, false);
     }
 
     @Override
@@ -174,8 +175,6 @@ public class MiniSSL extends RubyObject {
   @JRubyMethod
   public IRubyObject initialize(ThreadContext threadContext, IRubyObject miniSSLContext)
       throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
-    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
-    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
 
     String keystoreFile = miniSSLContext.callMethod(threadContext, "keystore").convertToString().asJavaString();
     KeyManagerFactory kmf = keyManagerFactoryMap.get(keystoreFile);
@@ -230,14 +229,9 @@ public class MiniSSL extends RubyObject {
 
   @JRubyMethod
   public IRubyObject inject(IRubyObject arg) {
-    try {
-      byte[] bytes = arg.convertToString().getBytes();
-      inboundNetData.put(bytes);
-      return this;
-    } catch (Exception e) {
-      e.printStackTrace();
-      throw new RuntimeException(e);
-    }
+    ByteList bytes = arg.convertToString().getByteList();
+    inboundNetData.put(bytes.unsafeBytes(), bytes.getBegin(), bytes.getRealSize());
+    return this;
   }
 
   private enum SSLOperation {
@@ -297,7 +291,7 @@ public class MiniSSL extends RubyObject {
   }
 
   @JRubyMethod
-  public IRubyObject read() throws Exception {
+  public IRubyObject read() {
     try {
       inboundNetData.flip();
 
@@ -342,55 +336,46 @@ public class MiniSSL extends RubyObject {
         return getRuntime().getNil();
       }
 
-      RubyString str = getRuntime().newString("");
-      str.setValue(appDataByteList);
-      return str;
-    } catch (Exception e) {
-      throw getRuntime().newEOFError(e.getMessage());
+      return RubyString.newString(getRuntime(), appDataByteList);
+    } catch (SSLException e) {
+      RaiseException re = getRuntime().newEOFError(e.getMessage());
+      re.initCause(e);
+      throw re;
     }
   }
 
   @JRubyMethod
   public IRubyObject write(IRubyObject arg) {
-    try {
-      byte[] bls = arg.convertToString().getBytes();
-      outboundAppData = new MiniSSLBuffer(bls);
+    byte[] bls = arg.convertToString().getBytes();
+    outboundAppData = new MiniSSLBuffer(bls);
 
-      return getRuntime().newFixnum(bls.length);
-    } catch (Exception e) {
-      e.printStackTrace();
-      throw new RuntimeException(e);
-    }
+    return getRuntime().newFixnum(bls.length);
   }
 
   @JRubyMethod
-  public IRubyObject extract() throws SSLException {
+  public IRubyObject extract(ThreadContext context) {
     try {
       ByteList dataByteList = outboundNetData.asByteList();
       if (dataByteList != null) {
-        RubyString str = getRuntime().newString("");
-        str.setValue(dataByteList);
-        return str;
+        return RubyString.newString(context.runtime, dataByteList);
       }
 
       if (!outboundAppData.hasRemaining()) {
-        return getRuntime().getNil();
+        return context.nil;
       }
 
       outboundNetData.clear();
       doOp(SSLOperation.WRAP, outboundAppData, outboundNetData);
       dataByteList = outboundNetData.asByteList();
       if (dataByteList == null) {
-        return getRuntime().getNil();
+        return context.nil;
       }
 
-      RubyString str = getRuntime().newString("");
-      str.setValue(dataByteList);
-
-      return str;
-    } catch (Exception e) {
-      e.printStackTrace();
-      throw new RuntimeException(e);
+      return RubyString.newString(context.runtime, dataByteList);
+    } catch (SSLException e) {
+      RaiseException ex = context.runtime.newRuntimeError(e.toString());
+      ex.initCause(e);
+      throw ex;
     }
   }
 
@@ -398,7 +383,7 @@ public class MiniSSL extends RubyObject {
   public IRubyObject peercert() throws CertificateEncodingException {
     try {
       return JavaEmbedUtils.javaToRuby(getRuntime(), engine.getSession().getPeerCertificates()[0].getEncoded());
-    } catch (SSLPeerUnverifiedException ex) {
+    } catch (SSLPeerUnverifiedException e) {
       return getRuntime().getNil();
     }
   }

data/ext/puma_http11/puma_http11.c

@@ -451,7 +451,7 @@ VALUE HttpParser_body(VALUE self) {
 void Init_mini_ssl(VALUE mod);
 #endif
 
-void Init_puma_http11()
+void Init_puma_http11(void)
 {
 
   VALUE mPuma = rb_define_module("Puma");

data/lib/puma/binder.rb

@@ -30,6 +30,7 @@ module Puma
 
     def initialize(events, conf = Configuration.new)
       @events = events
+      @conf = conf
       @listeners = []
       @inherited_fds = {}
       @activated_sockets = {}
@@ -167,9 +168,9 @@ module Puma
             params = Util.parse_query uri.query
 
             opt = params.key?('low_latency') && params['low_latency'] != 'false'
-            bak = params.fetch('backlog', 1024).to_i
+            backlog = params.fetch('backlog', 1024).to_i
 
-            io = add_tcp_listener uri.host, uri.port, opt, bak
+            io = add_tcp_listener uri.host, uri.port, opt, backlog
 
             @ios[ios_len..-1].each do |i|
               addr = loc_addr_str i
@@ -232,9 +233,21 @@ module Puma
           # If key and certs are not defined and localhost gem is required.
           # localhost gem will be used for self signed
           # Load localhost authority if not loaded.
-          ctx = localhost_authority && localhost_authority_context if params.empty?
+          if params.values_at('cert', 'key').all? { |v| v.to_s.empty? }
+            ctx = localhost_authority && localhost_authority_context
+          end
 
-          ctx ||= MiniSSL::ContextBuilder.new(params, @events).context
+          ctx ||=
+            begin
+              # Extract cert_pem and key_pem from options[:store] if present
+              ['cert', 'key'].each do |v|
+                if params[v] && params[v].start_with?('store:')
+                  index = Integer(params.delete(v).split('store:').last)
+                  params["#{v}_pem"] = @conf.options[:store][index]
+                end
+              end
+              MiniSSL::ContextBuilder.new(params, @events).context
+            end
 
           if fd = @inherited_fds.delete(str)
             logger.log "* Inherited #{str}"
@@ -244,7 +257,8 @@ module Puma
             logger.log "* Activated #{str}"
           else
             ios_len = @ios.length
-            io = add_ssl_listener uri.host, uri.port, ctx
+            backlog = params.fetch('backlog', 1024).to_i
+            io = add_ssl_listener uri.host, uri.port, ctx, optimize_for_latency = true, backlog
 
             @ios[ios_len..-1].each do |i|
               addr = loc_addr_str i

data/lib/puma/cli.rb

@@ -11,16 +11,17 @@ require 'puma/events'
 
 module Puma
   class << self
-    # The CLI exports its Puma::Configuration object here to allow
-    # apps to pick it up. An app needs to use it conditionally though
-    # since it is not set if the app is launched via another
-    # mechanism than the CLI class.
+    # The CLI exports a Puma::Configuration instance here to allow
+    # apps to pick it up. An app must load this object conditionally
+    # because it is not set if the app is launched via any mechanism
+    # other than the CLI class.
     attr_accessor :cli_config
   end
 
   # Handles invoke a Puma::Server in a command line style.
   #
   class CLI
+    # @deprecated 6.0.0
     KEYS_NOT_TO_PERSIST_IN_STATE = Launcher::KEYS_NOT_TO_PERSIST_IN_STATE
 
     # Create a new CLI object using +argv+ as the command line
@@ -184,6 +185,10 @@ module Puma
             user_config.restart_command cmd
           end
 
+          o.on "-s", "--silent", "Do not log prompt messages other than errors" do
+            @events = Events.new NullIO.new, $stderr
+          end
+
           o.on "-S", "--state PATH", "Where to store the state details" do |arg|
             user_config.state_path arg
           end

data/lib/puma/client.rb

@@ -161,7 +161,7 @@ module Puma
     def close
       begin
         @io.close
-      rescue IOError
+      rescue IOError, Errno::EBADF
         Puma::Util.purge_interrupt_queue
       end
     end