rack-proxy 0.7.7 → 0.8.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 888784aa8d1d28ae0dc2a1352aa44ba8e639d5cd604043facbb31da3fa1dc759
-  data.tar.gz: 9ba49effcffcacb930ab08fe2f6a9fd08040b60800b8aa8e5ccc274053f36c4e
+  metadata.gz: 40c24e4b559fc7669c3b675184af8d7f0b9ba693d3a7b41e6433274c16429adc
+  data.tar.gz: 6f8790c5c391e102275c11225a869e2572d109f2e52e4783cdc5cbbb50733579
 SHA512:
-  metadata.gz: 606ed720fb5b8c67cd1fc3058b9644e88fb2e7768d4fce4606ba0332fac24cadca11a36ab50d97cb7ff5767664864b1c1a2cf5108cd58a66fecfb3b93de37517
-  data.tar.gz: a91cc8541d7af6c390fe1c0faa3c923942a14cce746eebc3d170b95b45aafc5871a04ad1ec9fee6f0c07500534755c794f76d0c14bccdcf5fdaad06e239aeb07
+  metadata.gz: 2885f787b2f08c712c99b938218749d7f5d35348588290414f058c446104e10ba80b7f0b439ea60c3fc4daea1a0b0f991c92e853a3a9de4ef238d5f864d85d20
+  data.tar.gz: 3f70b5ab5eee94517d10e82f72f517a7e4cd3fec346ba78142ed6d93bd34bb7d175f6e857c037c7b0beffd710889651f15d107920e38da7208bdc132f246f712

data/Gemfile.lock

@@ -1,28 +1,31 @@
 PATH
   remote: .
   specs:
-    rack-proxy (0.7.7)
+    rack-proxy (0.8.2)
       rack
 
 GEM
   remote: https://rubygems.org/
   specs:
     power_assert (2.0.3)
-    rack (3.0.8)
+    rack (3.2.6)
     rack-test (2.1.0)
       rack (>= 1.3)
     rake (13.0.6)
     test-unit (3.6.1)
       power_assert
+    webrick (1.9.2)
 
 PLATFORMS
   arm64-darwin-22
+  x86_64-linux
 
 DEPENDENCIES
   rack-proxy!
   rack-test
   rake
   test-unit
+  webrick
 
 BUNDLED WITH
    2.4.17

data/README.md

@@ -6,7 +6,7 @@ Installation
 Add the following to your `Gemfile`:
 
 ```
-gem 'rack-proxy', '~> 0.7.7'
+gem 'rack-proxy', '~> 0.8.0'
 ```
 
 Or install:
@@ -38,10 +38,12 @@ Options can be set when initializing the middleware or overriding a method.
 
 
 * `:streaming` - defaults to `true`, but does not work on all Ruby versions, recommend to set to `false`
-* `:ssl_verify_none` - tell `Net::HTTP` to not validate certs
+* `:ssl_verify_none` - tell `Net::HTTP` to skip TLS certificate verification (defaults to verifying — see [Upgrading](#upgrading) for the 0.8 change)
+* `:verify_mode` - explicit `OpenSSL::SSL::VERIFY_*` constant; wins over `ssl_verify_none`
 * `:ssl_version` - tell `Net::HTTP` to set a specific `ssl_version`
 * `:backend` - the URI parseable format of host and port of the target proxy backend. If not set it will assume the backend target is the same as the source.
 * `:read_timeout` - set proxy timeout it defaults to 60 seconds
+* `:logger` - any object responding to `#<<` (e.g. `$stdout`, a `StringIO`, or a Ruby `Logger`). Wired through to `Net::HTTP#set_debug_output` so the full HTTP wire-level conversation is written to the sink. Useful for debugging.
 
 To pass in options, when you configure your middleware you can pass them in as an optional hash.
 
@@ -98,9 +100,6 @@ class TrustingProxy < Rack::Proxy
 
   def rewrite_env(env)
     env["HTTP_HOST"] = "self-signed.badssl.com"
-
-    # We are going to trust the self-signed SSL
-    env["rack.ssl_verify_none"] = true
     env
   end
 
@@ -116,11 +115,8 @@ class TrustingProxy < Rack::Proxy
   end
 
 end
-```
-
-The same can be achieved for *all* requests going through the `Rack::Proxy` instance by using
 
-```ruby
+# Pass ssl_verify_none: true to skip TLS certificate verification.
 Rack::Proxy.new(ssl_verify_none: true)
 ```
 
@@ -327,6 +323,29 @@ class TLSProxy < Rack::Proxy
 end
 ```
 
+Upgrading
+----
+
+### 0.7.x → 0.8.0
+
+**TLS certificate verification is now on by default.** Prior versions silently used `OpenSSL::SSL::VERIFY_NONE` whenever the backend was HTTPS, which disabled certificate checks. 0.8.0 defaults to `VERIFY_PEER` to match Ruby's `Net::HTTP`.
+
+If you proxy to a backend with a self-signed or otherwise untrusted certificate, you'll now get an `OpenSSL::SSL::SSLError` unless you opt out explicitly:
+
+```ruby
+Rack::Proxy.new(ssl_verify_none: true)              # or
+Rack::Proxy.new(verify_mode: OpenSSL::SSL::VERIFY_NONE)
+```
+
+For internal services with a private CA, prefer setting `cert`/`verify_mode` over disabling verification altogether.
+
+A note on header keys (#96)
+----
+
+Per the standard Rack/CGI convention, header names received by your proxy are exposed in the env with underscores (`HTTP_X_CUSTOM_HEADER`), and rack-proxy rewrites them with dashes (`X-Custom-Header`) when forwarding. This conversion is lossy: by the time a request reaches rack-proxy, the upstream web server (nginx, Apache, Caddy, Puma) has already collapsed both `X-Custom-Header` and `X_Custom_Header` into the same env key, and rack-proxy cannot recover the original spelling.
+
+If you need underscore-style headers preserved end-to-end, configure your fronting web server (e.g. `underscores_in_headers on;` in nginx, or `HTTPProtocolOptions` in Apache) — rack-proxy is not the right layer to fix this.
+
 WARNING
 ----
 

data/lib/rack/http_streaming_response.rb

@@ -10,7 +10,7 @@ module Rack
       304 => true
     }.freeze
 
-    attr_accessor :use_ssl, :verify_mode, :read_timeout, :ssl_version, :cert, :key
+    attr_accessor :use_ssl, :verify_mode, :read_timeout, :ssl_version, :cert, :key, :logger
 
     def initialize(request, host, port = nil)
       @request, @host, @port = request, host, port
@@ -61,6 +61,7 @@ module Rack
         http.ssl_version = ssl_version if ssl_version
         http.cert = cert if cert
         http.key = key if key
+        http.set_debug_output(logger) if logger
         http.start
       end
     end

data/lib/rack/proxy.rb

@@ -5,7 +5,7 @@ module Rack
 
   # Subclass and bring your own #rewrite_request and #rewrite_response
   class Proxy
-    VERSION = "0.7.7".freeze
+    VERSION = "0.8.2".freeze
 
     HOP_BY_HOP_HEADERS = {
       'connection' => true,
@@ -39,7 +39,9 @@ module Rack
       end
 
       def build_header_hash(pairs)
-        if Rack.const_defined?(:Headers)
+        # Pass inherit: false so we only check Rack's own constants — otherwise
+        # a top-level ::Headers defined by the host app would falsely match.
+        if Rack.const_defined?(:Headers, false)
           # Rack::Headers is only available from Rack 3 onward
           Headers.new.tap { |headers| pairs.each { |k, v| headers[k] = v } }
         else
@@ -69,17 +71,24 @@ module Rack
       end
 
       @streaming = opts.fetch(:streaming, true)
-      @ssl_verify_none = opts.fetch(:ssl_verify_none, false)
       @backend = opts[:backend] ? URI(opts[:backend]) : nil
       @read_timeout = opts.fetch(:read_timeout, 60)
       @ssl_version = opts[:ssl_version]
       @cert = opts[:cert]
       @key = opts[:key]
+      # SSL verification: defaults to VERIFY_PEER (Ruby's Net::HTTP default).
+      # Pass ssl_verify_none: true to explicitly disable cert verification, or
+      # pass verify_mode: <OpenSSL::SSL::VERIFY_*> for full control.
       @verify_mode = opts[:verify_mode]
+      @verify_mode ||= OpenSSL::SSL::VERIFY_NONE if opts[:ssl_verify_none]
 
       @username = opts[:username]
       @password = opts[:password]
 
+      # Optional logger for Net::HTTP debug output. Accepts anything with a #<< method
+      # (e.g. $stdout, a StringIO, or a Ruby Logger instance).
+      @logger = opts[:logger]
+
       @opts = opts
     end
 
@@ -130,33 +139,42 @@ module Rack
       read_timeout = env.delete('http.read_timeout') || @read_timeout
 
       # Create the response
-      if @streaming
-        # streaming response (the actual network communication is deferred, a.k.a. streamed)
-        target_response = HttpStreamingResponse.new(target_request, backend.host, backend.port)
-        target_response.use_ssl = use_ssl
-        target_response.read_timeout = read_timeout
-        target_response.ssl_version = @ssl_version if @ssl_version
-        target_response.verify_mode = (@verify_mode || OpenSSL::SSL::VERIFY_NONE) if use_ssl
-        target_response.cert = @cert if @cert
-        target_response.key = @key if @key
-      else
-        http = Net::HTTP.new(backend.host, backend.port)
-        http.use_ssl = use_ssl if use_ssl
-        http.read_timeout = read_timeout
-        http.ssl_version = @ssl_version if @ssl_version
-        http.verify_mode = (@verify_mode || OpenSSL::SSL::VERIFY_NONE if use_ssl) if use_ssl
-        http.cert = @cert if @cert
-        http.key = @key if @key
-
-        target_response = http.start do
-          http.request(target_request)
+      begin
+        if @streaming
+          # streaming response (the actual network communication is deferred, a.k.a. streamed)
+          target_response = HttpStreamingResponse.new(target_request, backend.host, backend.port)
+          target_response.use_ssl = use_ssl
+          target_response.read_timeout = read_timeout
+          target_response.ssl_version = @ssl_version if @ssl_version
+          target_response.verify_mode = (@verify_mode || OpenSSL::SSL::VERIFY_PEER) if use_ssl
+          target_response.cert = @cert if @cert
+          target_response.key = @key if @key
+          target_response.logger = @logger if @logger
+        else
+          http = Net::HTTP.new(backend.host, backend.port)
+          http.use_ssl = use_ssl if use_ssl
+          http.read_timeout = read_timeout
+          http.ssl_version = @ssl_version if @ssl_version
+          http.verify_mode = @verify_mode || OpenSSL::SSL::VERIFY_PEER if use_ssl
+          http.cert = @cert if @cert
+          http.key = @key if @key
+          http.set_debug_output(@logger) if @logger
+
+          target_response = http.start do
+            http.request(target_request)
+          end
         end
+
+        code    = target_response.code
+        headers = self.class.normalize_headers(target_response.respond_to?(:headers) ? target_response.headers : target_response.to_hash)
+        body    = target_response.body || []
+        body    = [body] unless body.respond_to?(:each)
+      rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ENETUNREACH, Errno::ETIMEDOUT, Net::OpenTimeout, SocketError
+        return [502, {}, []]
       end
 
-      code    = target_response.code
-      headers = self.class.normalize_headers(target_response.respond_to?(:headers) ? target_response.headers : target_response.to_hash)
-      body    = target_response.body || [""]
-      body    = [body] unless body.respond_to?(:each)
+      # No entity body for status codes that don't allow one (1xx, 204, 304)
+      body = [] if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY[code.to_i]
 
       # According to https://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-7.1.3.1Acc
       # should remove hop-by-hop header fields

data/lib/rack_proxy_examples/trusting_proxy.rb

@@ -2,15 +2,12 @@ class TrustingProxy < Rack::Proxy
 
   def rewrite_env(env)
     env["HTTP_HOST"] = "self-signed.badssl.com"
-
-    # We are going to trust the self-signed SSL 
-    env["rack.ssl_verify_none"] = true
     env
   end
 
   def rewrite_response(triplet)
     status, headers, body = triplet
-    
+
     # if you rewrite env, it appears that content-length isn't calculated correctly
     # resulting in only partial responses being sent to users
     # you can remove it or recalculate it here
@@ -21,4 +18,8 @@ class TrustingProxy < Rack::Proxy
 
 end
 
-Rails.application.config.middleware.use TrustingProxy, backend: 'https://self-signed.badssl.com', streaming: false
+# Pass ssl_verify_none: true to skip TLS certificate verification.
+Rails.application.config.middleware.use TrustingProxy,
+  backend: 'https://self-signed.badssl.com',
+  streaming: false,
+  ssl_verify_none: true

data/rack-proxy.gemspec

@@ -22,4 +22,5 @@ Gem::Specification.new do |s|
   s.add_dependency("rack")
   s.add_development_dependency("rack-test")
   s.add_development_dependency("test-unit")
+  s.add_development_dependency("webrick")
 end

data/test/http_streaming_response_test.rb

@@ -19,9 +19,8 @@ class HttpStreamingResponseTest < Test::Unit::TestCase
 
     assert headers.size.positive?
 
-    assert_match %r{text/html; ?charset=utf-8}, headers["content-type"].first.downcase
+    assert_match %r{text/html}, headers["content-type"].first.downcase
     assert_equal headers["content-type"], headers["CoNtEnT-TyPe"]
-    assert headers["content-length"].first.to_i.positive?
 
     # Body
     chunks = []
@@ -37,7 +36,10 @@ class HttpStreamingResponseTest < Test::Unit::TestCase
   end
 
   def test_to_s
-    assert_equal @response.headers["Content-Length"].first.to_i, @response.body.to_s.bytesize
+    body_string = @response.body.to_s
+    assert body_string.bytesize.positive?
+    content_length = @response.headers["Content-Length"]
+    assert_equal content_length.first.to_i, body_string.bytesize if content_length
   end
 
   def test_to_s_called_twice

data/test/rack_proxy_test.rb

@@ -31,9 +31,9 @@ class RackProxyTest < Test::Unit::TestCase
 
   def test_http_full_request_headers
     app(:streaming => false)
-    app.host = 'www.google.com'
-    get "/"
-    assert !Array(last_response['Set-Cookie']).empty?, 'Google always sets a cookie, yo. Where my cookies at?!'
+    app.host = 'httpbin.org'
+    get "/cookies/set?test=1"
+    assert !Array(last_response['Set-Cookie']).empty?, 'httpbin.org/cookies/set should set a cookie'
   end
 
   def test_https_streaming
@@ -44,7 +44,7 @@ class RackProxyTest < Test::Unit::TestCase
   end
 
   def test_https_streaming_tls
-    app(:ssl_version => :TLSv1).host = 'www.apple.com'
+    app(:ssl_version => :TLSv1_2).host = 'www.apple.com'
     get 'https://example.com'
     assert last_response.ok?
     assert_match(/(itunes|iphone|ipod|mac|ipad)/, last_response.body)
@@ -58,7 +58,7 @@ class RackProxyTest < Test::Unit::TestCase
   end
 
   def test_https_full_request_tls
-    app({:streaming => false, :ssl_version => :TLSv1}).host = 'www.apple.com'
+    app({:streaming => false, :ssl_version => :TLSv1_2}).host = 'www.apple.com'
     get 'https://example.com'
     assert last_response.ok?
     assert_match(/(itunes|iphone|ipod|mac|ipad)/, last_response.body)
@@ -69,7 +69,8 @@ class RackProxyTest < Test::Unit::TestCase
     headers = { 'header_array' => ['first_entry'], 'header_non_array' => :entry }
 
     normalized_headers = proxy_class.send(:normalize_headers, headers)
-    assert normalized_headers.instance_of?(Rack::Utils::HeaderHash)
+    expected_class = Rack.const_defined?(:Headers) ? Rack::Headers : Rack::Utils::HeaderHash
+    assert normalized_headers.instance_of?(expected_class)
     assert normalized_headers['header_array'] == 'first_entry'
     assert normalized_headers['header_non_array'] == :entry
   end
@@ -124,4 +125,197 @@ class RackProxyTest < Test::Unit::TestCase
     get 'https://example.com/oauth2/token/info?access_token=123'
     assert !last_response.headers.key?('transfer-encoding')
   end
+
+  # Issue #58: connection errors should return 502, not raise.
+  def test_connection_refused_returns_502
+    # Bind a socket to find a free port, then close it so connection is refused.
+    server = TCPServer.new('127.0.0.1', 0)
+    closed_port = server.addr[1]
+    server.close
+
+    app({:streaming => false}).host = "127.0.0.1:#{closed_port}"
+    get '/'
+    assert_equal 502, last_response.status
+    assert_equal '', last_response.body
+  end
+
+  def test_connection_refused_returns_502_streaming
+    server = TCPServer.new('127.0.0.1', 0)
+    closed_port = server.addr[1]
+    server.close
+
+    app({:streaming => true}).host = "127.0.0.1:#{closed_port}"
+    get '/'
+    assert_equal 502, last_response.status
+    assert_equal '', last_response.body
+  end
+
+  def test_unknown_host_returns_502
+    app({:streaming => false}).host = 'no-such-host.invalid'
+    get '/'
+    assert_equal 502, last_response.status
+  end
+
+  # Issues #122/#123: body should be [] for empty responses and for status
+  # codes that don't allow an entity body (1xx, 204, 304).
+  def test_no_entity_body_for_204
+    with_webrick_proxy(streaming: false) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/no-content'
+      assert_equal 204, last_response.status
+      assert_equal '', last_response.body
+    end
+  end
+
+  def test_no_entity_body_for_304
+    with_webrick_proxy(streaming: false) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/not-modified'
+      assert_equal 304, last_response.status
+      assert_equal '', last_response.body
+    end
+  end
+
+  def test_empty_body_is_not_array_with_empty_string
+    with_webrick_proxy(streaming: false) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/empty'
+      assert_equal 200, last_response.status
+      assert_equal '', last_response.body
+    end
+  end
+
+  # Issue #65: header values must be strings, not single-element arrays,
+  # for both streaming and non-streaming paths.
+  def test_header_values_are_strings_streaming
+    assert_no_array_header_values(streaming: true)
+  end
+
+  def test_header_values_are_strings_non_streaming
+    assert_no_array_header_values(streaming: false)
+  end
+
+  # Issue #113: SSL cert verification must default to VERIFY_PEER (Ruby's
+  # Net::HTTP default), not VERIFY_NONE.
+  def test_ssl_default_is_verify_peer
+    proxy = Rack::Proxy.new
+    assert_nil proxy.instance_variable_get(:@verify_mode),
+      "@verify_mode should be unset by default so VERIFY_PEER applies at request time"
+  end
+
+  def test_ssl_verify_none_opt_in
+    proxy = Rack::Proxy.new(ssl_verify_none: true)
+    assert_equal OpenSSL::SSL::VERIFY_NONE, proxy.instance_variable_get(:@verify_mode)
+  end
+
+  def test_explicit_verify_mode_wins_over_ssl_verify_none
+    proxy = Rack::Proxy.new(ssl_verify_none: true, verify_mode: OpenSSL::SSL::VERIFY_PEER)
+    assert_equal OpenSSL::SSL::VERIFY_PEER, proxy.instance_variable_get(:@verify_mode)
+  end
+
+  def test_https_default_rejects_invalid_certificate
+    # self-signed cert on a public test host should be rejected with the new default
+    app({:streaming => false}).host = 'self-signed.badssl.com'
+    error = assert_raise(OpenSSL::SSL::SSLError) { get 'https://example.com/' }
+    assert_match(/certificate verify failed/, error.message)
+  end
+
+  def test_https_with_ssl_verify_none_accepts_invalid_certificate
+    app({:streaming => false, :ssl_verify_none => true}).host = 'self-signed.badssl.com'
+    get 'https://example.com/'
+    assert last_response.ok?
+  end
+
+  # Issue #80: a :logger option should pipe Net::HTTP debug output to the
+  # given sink (anything responding to #<<). We use a StringIO to capture it.
+  def test_logger_captures_request_in_non_streaming
+    sink = StringIO.new
+    with_webrick_proxy(streaming: false, logger: sink) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/empty'
+      assert last_response.ok?
+    end
+    assert_match(/GET \/empty/, sink.string,
+      "expected debug output to include request line, got: #{sink.string.inspect}")
+  end
+
+  def test_logger_captures_request_in_streaming
+    sink = StringIO.new
+    with_webrick_proxy(streaming: true, logger: sink) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/empty'
+      assert last_response.ok?
+    end
+    assert_match(/GET \/empty/, sink.string,
+      "expected debug output to include request line, got: #{sink.string.inspect}")
+  end
+
+  # Regression: build_header_hash must not match a top-level ::Headers
+  # constant defined by the host app (would happen with inherit: true).
+  def test_build_header_hash_ignores_toplevel_headers_constant
+    Object.send(:remove_const, :Headers) if Object.const_defined?(:Headers, false)
+    Object.const_set(:Headers, Class.new)
+    begin
+      result = Rack::Proxy.send(:build_header_hash, [['X-Test', 'value']])
+      # On Rack 3+ we get Rack::Headers; on Rack 2 we get Rack::Utils::HeaderHash.
+      # In neither case should we get the bogus top-level ::Headers.
+      assert_not_equal ::Headers, result.class,
+        "build_header_hash leaked into top-level ::Headers"
+    ensure
+      Object.send(:remove_const, :Headers)
+    end
+  end
+
+  def test_no_logger_means_no_debug_output
+    # Without a :logger option, Net::HTTP's set_debug_output should never be
+    # called. We can't directly assert that, but we can confirm requests still
+    # work when no logger is configured (covered by every other test).
+    with_webrick_proxy(streaming: false) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/empty'
+      assert last_response.ok?
+    end
+  end
+
+  private
+
+  def assert_no_array_header_values(streaming:)
+    with_webrick_proxy(streaming: streaming) do |port, proxy|
+      proxy.host = "127.0.0.1:#{port}"
+      get '/echo-headers'
+      array_valued = last_response.headers.select { |_, v| v.is_a?(Array) }
+      assert_empty array_valued,
+        "expected no Array-valued headers (#65), got: #{array_valued.inspect}"
+      assert_equal 'value-here', last_response['x-custom']
+    end
+  end
+
+
+  # Spin up a tiny WEBrick server with fixed routes so we can exercise the
+  # proxy against real Net::HTTP requests without depending on a remote host.
+  def with_webrick_proxy(**proxy_opts)
+    require 'webrick'
+    server = WEBrick::HTTPServer.new(
+      Port: 0,
+      BindAddress: '127.0.0.1',
+      Logger: WEBrick::Log.new(File::NULL),
+      AccessLog: []
+    )
+    server.mount_proc('/no-content')   { |_req, res| res.status = 204 }
+    server.mount_proc('/not-modified') { |_req, res| res.status = 304 }
+    server.mount_proc('/empty')        { |_req, res| res.body = '' }
+    server.mount_proc('/echo-headers') do |_req, res|
+      res['x-custom'] = 'value-here'
+      res.body = 'ok'
+    end
+    Thread.new { server.start }
+    port = server.config[:Port]
+
+    proxy = HostProxy.new(**proxy_opts)
+    @app = proxy
+    yield port, proxy
+  ensure
+    server&.shutdown
+    @app = nil
+  end
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack-proxy
 version: !ruby/object:Gem::Version
-  version: 0.7.7
+  version: 0.8.2
 platform: ruby
 authors:
 - Jacek Becela
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-01 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -52,6 +51,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A Rack app that provides request/response rewriting proxy capabilities
   with streaming.
 email:
@@ -85,7 +98,6 @@ homepage: https://github.com/ncr/rack-proxy
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -100,8 +112,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: A request/response rewriting HTTP proxy. A Rack app.
 test_files: