unicorn 3.1.0 → 3.2.1

data/.document

@@ -11,6 +11,7 @@ KNOWN_ISSUES
 TODO
 NEWS
 ChangeLog
+LATEST
 lib
 ext/unicorn_http/unicorn_http.c
 unicorn_1

data/.gitignore

@@ -21,3 +21,4 @@ pkg/
 /GIT-VERSION-FILE
 /man
 /tmp
+/LATEST

data/.wrongdoc.yml

@@ -0,0 +1,8 @@
+---
+cgit_url: http://git.bogomips.org/cgit/unicorn.git
+git_url: git://git.bogomips.org/unicorn.git
+rdoc_url: http://unicorn.bogomips.org/
+changelog_start: v1.1.5
+merge_html:
+  unicorn_1: Documentation/unicorn.1.html
+  unicorn_rails_1: Documentation/unicorn_rails.1.html

data/GIT-VERSION-GEN

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 GVF=GIT-VERSION-FILE
-DEF_VER=v3.1.0.GIT
+DEF_VER=v3.2.1.GIT
 
 LF='
 '

data/GNUmakefile

@@ -1,7 +1,6 @@
 # use GNU Make to run tests in parallel, and without depending on RubyGems
 all:: test
 
-GIT_URL = git://git.bogomips.org/unicorn.git
 RLFLAGS = -G2
 
 MRI = ruby
@@ -156,77 +155,39 @@ clean:
 	$(RM) $(setup_rb_files) $(t_log)
 	$(RM) -r $(test_prefix) man
 
-man:
-	$(MAKE) -C Documentation install-man
+man html:
+	$(MAKE) -C Documentation install-$@
 
-pkg_extra := GIT-VERSION-FILE NEWS ChangeLog $(ext)/unicorn_http.c
-manifest: $(pkg_extra) man
-	$(RM) .manifest
-	$(MAKE) .manifest
+pkg_extra := GIT-VERSION-FILE ChangeLog LATEST NEWS \
+             $(ext)/unicorn_http.c $(man1_paths)
 
-.manifest:
-	(git ls-files && \
-         for i in $@ $(pkg_extra) $(man1_paths); \
-	 do echo $$i; done) | LC_ALL=C sort > $@+
+ChangeLog: GIT-VERSION-FILE .wrongdoc.yml
+	wrongdoc prepare
+
+.manifest: ChangeLog $(ext)/unicorn_http.c
+	(git ls-files && for i in $@ $(pkg_extra); do echo $$i; done) | \
+	  LC_ALL=C sort > $@+
 	cmp $@+ $@ || mv $@+ $@
 	$(RM) $@+
 
-NEWS: GIT-VERSION-FILE .manifest
-	$(RAKE) -s news_rdoc > $@+
-	mv $@+ $@
-
-SINCE = 1.1.5
-ChangeLog: LOG_VERSION = \
-  $(shell git rev-parse -q "$(GIT_VERSION)" >/dev/null 2>&1 && \
-          echo $(GIT_VERSION) || git describe)
-ChangeLog: log_range = v$(SINCE)..$(LOG_VERSION)
-ChangeLog: GIT-VERSION-FILE
-	@echo "ChangeLog from $(GIT_URL) ($(log_range))" > $@+
-	@echo >> $@+
-	git log $(log_range) | sed -e 's/^/    /' >> $@+
-	mv $@+ $@
-
-news_atom := http://unicorn.bogomips.org/NEWS.atom.xml
-cgit_atom := http://git.bogomips.org/cgit/unicorn.git/atom/?h=master
-atom = <link rel="alternate" title="Atom feed" href="$(1)" \
-             type="application/atom+xml"/>
-
-# using rdoc 2.5.x+
-doc: .document $(ext)/unicorn_http.c NEWS ChangeLog
+doc: .document $(ext)/unicorn_http.c man html .wrongdoc.yml
 	for i in $(man1_rdoc); do echo > $$i; done
 	find bin lib -type f -name '*.rbc' -exec rm -f '{}' ';'
-	rdoc -t "$(shell sed -ne '1s/^= //p' README)"
+	$(RM) -r doc
+	wrongdoc all
 	install -m644 COPYING doc/COPYING
-	install -m644 $(shell grep '^[A-Z]' .document)  doc/
-	$(MAKE) -C Documentation install-html install-man
+	install -m644 $(shell grep '^[A-Z]' .document) doc/
 	install -m644 $(man1_paths) doc/
-	cd doc && for i in $(base_bins); do \
-	  $(RM) 1.html $${i}.1.html; \
-	  sed -e '/"documentation">/r man1/'$$i'.1.html' \
-		< $${i}_1.html > tmp && mv tmp $${i}_1.html; \
-	  ln $${i}_1.html $${i}.1.html; \
-	  done
-	$(RUBY) -i -p -e \
-	  '$$_.gsub!("</title>",%q{\&$(call atom,$(cgit_atom))})' \
-	  doc/ChangeLog.html
-	$(RUBY) -i -p -e \
-	  '$$_.gsub!("</title>",%q{\&$(call atom,$(news_atom))})' \
-	  doc/NEWS.html doc/README.html
-	$(RAKE) -s news_atom > doc/NEWS.atom.xml
-	cd doc && ln README.html tmp && mv tmp index.html
+	tar cf - $$(git ls-files examples/) | (cd doc && tar xf -)
 	$(RM) $(man1_rdoc)
 
 # publishes docs to http://unicorn.bogomips.org
 publish_doc:
 	-git set-file-times
-	$(RM) -r doc ChangeLog NEWS
-	$(MAKE) doc LOG_VERSION=$(shell git tag -l | tail -1)
-	@awk 'BEGIN{RS="=== ";ORS=""}NR==2{sub(/\n$$/,"");print RS""$$0 }' \
-	 < NEWS > doc/LATEST
-	find doc/images doc/js -type f | \
-		TZ=UTC xargs touch -d '1970-01-01 00:00:00' doc/rdoc.css
+	$(MAKE) doc
+	find doc/images -type f | \
+		TZ=UTC xargs touch -d '1970-01-01 00:00:02' doc/rdoc.css
 	$(MAKE) doc_gz
-	tar cf - $$(git ls-files examples/) | (cd doc && tar xf -)
 	chmod 644 $$(find doc -type f)
 	$(RSYNC) -av doc/ unicorn.bogomips.org:/srv/unicorn/
 	git ls-files | xargs touch
@@ -235,7 +196,6 @@ publish_doc:
 # "gzip_static on" can serve the gzipped versions directly.
 doc_gz: docs = $(shell find doc -type f ! -regex '^.*\.\(gif\|jpg\|png\|gz\)$$')
 doc_gz:
-	touch doc/NEWS.atom.xml -d "$$(awk 'NR==1{print $$4,$$5,$$6}' NEWS)"
 	for i in $(docs); do \
 	  gzip --rsyncable -9 < $$i > $$i.gz; touch -r $$i $$i.gz; done
 
@@ -274,10 +234,10 @@ release_changes := release_changes-$(VERSION)
 release-notes: $(release_notes)
 release-changes: $(release_changes)
 $(release_changes):
-	$(RAKE) -s release_changes > $@+
+	wrongdoc release_changes > $@+
 	$(VISUAL) $@+ && test -s $@+ && mv $@+ $@
 $(release_notes):
-	GIT_URL=$(GIT_URL) $(RAKE) -s release_notes > $@+
+	wrongdoc release_notes > $@+
 	$(VISUAL) $@+ && test -s $@+ && mv $@+ $@
 
 # ensures we're actually on the tagged $(VERSION), only used for release
@@ -297,18 +257,18 @@ gem: $(pkggem)
 install-gem: $(pkggem)
 	gem install $(CURDIR)/$<
 
-$(pkggem): manifest fix-perms
+$(pkggem): .manifest fix-perms
 	gem build $(rfpackage).gemspec
 	mkdir -p pkg
 	mv $(@F) $@
 
 $(pkgtgz): distdir = $(basename $@)
 $(pkgtgz): HEAD = v$(VERSION)
-$(pkgtgz): manifest fix-perms
+$(pkgtgz): .manifest fix-perms
 	@test -n "$(distdir)"
 	$(RM) -r $(distdir)
 	mkdir -p $(distdir)
-	tar cf - `cat .manifest` | (cd $(distdir) && tar xf -)
+	tar cf - $$(cat .manifest) | (cd $(distdir) && tar xf -)
 	cd pkg && tar cf - $(basename $(@F)) | gzip -9 > $(@F)+
 	mv $@+ $@
 
@@ -330,5 +290,5 @@ gem install-gem: GIT-VERSION-FILE
 	$(MAKE) $@ VERSION=$(GIT_VERSION)
 endif
 
-.PHONY: .FORCE-GIT-VERSION-FILE doc $(T) $(slow_tests) manifest man
+.PHONY: .FORCE-GIT-VERSION-FILE doc $(T) $(slow_tests) man
 .PHONY: test-install

data/Rakefile

@@ -1,112 +1,9 @@
 # -*- encoding: binary -*-
 autoload :Gem, 'rubygems'
 
-# most tasks are in the GNUmakefile which offers better parallelism
-
-def old_summaries
-  @old_summaries ||= File.readlines(".CHANGELOG.old").inject({}) do |hash, line|
-    version, summary = line.split(/ - /, 2)
-    hash[version] = summary
-    hash
-  end
-end
-
-def tags
-  timefmt = '%Y-%m-%dT%H:%M:%SZ'
-  @tags ||= `git tag -l`.split(/\n/).map do |tag|
-    next if tag == "v0.0.0"
-    if %r{\Av[\d\.]+} =~ tag
-      header, subject, body = `git cat-file tag #{tag}`.split(/\n\n/, 3)
-      header = header.split(/\n/)
-      tagger = header.grep(/\Atagger /).first
-      body ||= "initial"
-      {
-        :time => Time.at(tagger.split(/ /)[-2].to_i).utc.strftime(timefmt),
-        :tagger_name => %r{^tagger ([^<]+)}.match(tagger)[1].strip,
-        :tagger_email => %r{<([^>]+)>}.match(tagger)[1].strip,
-        :id => `git rev-parse refs/tags/#{tag}`.chomp!,
-        :tag => tag,
-        :subject => subject,
-        :body => (old = old_summaries[tag]) ? "#{old}\n#{body}" : body,
-      }
-    end
-  end.compact.sort { |a,b| b[:time] <=> a[:time] }
-end
-
 cgit_url = "http://git.bogomips.org/cgit/unicorn.git"
 git_url = ENV['GIT_URL'] || 'git://git.bogomips.org/unicorn.git'
 
-desc 'prints news as an Atom feed'
-task :news_atom do
-  require 'nokogiri'
-  new_tags = tags[0,10]
-  puts(Nokogiri::XML::Builder.new do
-    feed :xmlns => "http://www.w3.org/2005/Atom" do
-      id! "http://unicorn.bogomips.org/NEWS.atom.xml"
-      title "Unicorn news"
-      subtitle "Rack HTTP server for Unix and fast clients"
-      link! :rel => 'alternate', :type => 'text/html',
-            :href => 'http://unicorn.bogomips.org/NEWS.html'
-      updated new_tags.first[:time]
-      new_tags.each do |tag|
-        entry do
-          title tag[:subject]
-          updated tag[:time]
-          published tag[:time]
-          author {
-            name tag[:tagger_name]
-            email tag[:tagger_email]
-          }
-          url = "#{cgit_url}/tag/?id=#{tag[:tag]}"
-          link! :rel => "alternate", :type => "text/html", :href =>url
-          id! url
-          message_only = tag[:body].split(/\n.+\(\d+\):\n {6}/s).first.strip
-          content({:type =>:text}, message_only)
-          content(:type =>:xhtml) { pre tag[:body] }
-        end
-      end
-    end
-  end.to_xml)
-end
-
-desc 'prints RDoc-formatted news'
-task :news_rdoc do
-  tags.each do |tag|
-    time = tag[:time].tr!('T', ' ').gsub!(/:\d\dZ/, ' UTC')
-    puts "=== #{tag[:tag].sub(/^v/, '')} / #{time}"
-    puts ""
-
-    body = tag[:body]
-    puts tag[:body].gsub(/^/sm, "  ").gsub(/[ \t]+$/sm, "")
-    puts ""
-  end
-end
-
-desc "print release changelog for Rubyforge"
-task :release_changes do
-  version = ENV['VERSION'] or abort "VERSION= needed"
-  version = "v#{version}"
-  vtags = tags.map { |tag| tag[:tag] =~ /\Av/ and tag[:tag] }.sort
-  prev = vtags[vtags.index(version) - 1]
-  system('git', 'diff', '--stat', prev, version) or abort $?
-  puts ""
-  system('git', 'log', "#{prev}..#{version}") or abort $?
-end
-
-desc "print release notes for Rubyforge"
-task :release_notes do
-  spec = Gem::Specification.load('unicorn.gemspec')
-  puts spec.description.strip
-  puts ""
-  puts "* #{spec.homepage}"
-  puts "* #{spec.email}"
-  puts "* #{git_url}"
-
-  _, _, body = `git cat-file tag v#{spec.version}`.split(/\n\n/, 3)
-  print "\nChanges:\n\n"
-  puts body
-end
-
 desc "post to RAA"
 task :raa_update do
   require 'net/http'

data/TODO

@@ -1,7 +1,5 @@
 * Documentation improvements
 
-* performance validation (esp. TeeInput)
-
 * improve test suite
 
 * scalability to >= 1024 worker processes for crazy NUMA systems

data/ext/unicorn_http/global_variables.h

@@ -15,6 +15,7 @@ static VALUE g_server_port;
 static VALUE g_server_protocol;
 static VALUE g_http_host;
 static VALUE g_http_x_forwarded_proto;
+static VALUE g_http_x_forwarded_ssl;
 static VALUE g_http_transfer_encoding;
 static VALUE g_content_length;
 static VALUE g_http_trailer;
@@ -23,6 +24,7 @@ static VALUE g_port_80;
 static VALUE g_port_443;
 static VALUE g_localhost;
 static VALUE g_http;
+static VALUE g_https;
 static VALUE g_http_09;
 static VALUE g_http_10;
 static VALUE g_http_11;
@@ -73,10 +75,12 @@ static void init_globals(void)
   DEF_GLOBAL(server_port, "SERVER_PORT");
   DEF_GLOBAL(server_protocol, "SERVER_PROTOCOL");
   DEF_GLOBAL(http_x_forwarded_proto, "HTTP_X_FORWARDED_PROTO");
+  DEF_GLOBAL(http_x_forwarded_ssl, "HTTP_X_FORWARDED_SSL");
   DEF_GLOBAL(port_80, "80");
   DEF_GLOBAL(port_443, "443");
   DEF_GLOBAL(localhost, "localhost");
   DEF_GLOBAL(http, "http");
+  DEF_GLOBAL(https, "https");
   DEF_GLOBAL(http_11, "HTTP/1.1");
   DEF_GLOBAL(http_10, "HTTP/1.0");
   DEF_GLOBAL(http_09, "HTTP/0.9");

data/ext/unicorn_http/unicorn_http.rl

@@ -21,14 +21,70 @@
 #define UH_FL_REQEOF 0x40
 #define UH_FL_KAVERSION 0x80
 #define UH_FL_HASHEADER 0x100
+#define UH_FL_TO_CLEAR 0x200
 
 /* all of these flags need to be set for keepalive to be supported */
 #define UH_FL_KEEPALIVE (UH_FL_KAVERSION | UH_FL_REQEOF | UH_FL_HASHEADER)
 
+/*
+ * whether or not to trust X-Forwarded-Proto and X-Forwarded-SSL when
+ * setting rack.url_scheme
+ */
+static VALUE trust_x_forward = Qtrue;
+
+static unsigned long keepalive_requests = 100; /* same as nginx */
+
+/*
+ * Returns the maximum number of keepalive requests a client may make
+ * before the parser refuses to continue.
+ */
+static VALUE ka_req(VALUE self)
+{
+  return ULONG2NUM(keepalive_requests);
+}
+
+/*
+ * Sets the maximum number of keepalive requests a client may make.
+ * A special value of +nil+ causes this to be the maximum value
+ * possible (this is architecture-dependent).
+ */
+static VALUE set_ka_req(VALUE self, VALUE val)
+{
+  keepalive_requests = NIL_P(val) ? ULONG_MAX : NUM2ULONG(val);
+
+  return ka_req(self);
+}
+
+/*
+ * Sets whether or not the parser will trust X-Forwarded-Proto and
+ * X-Forwarded-SSL headers and set "rack.url_scheme" to "https" accordingly.
+ * Rainbows!/Zbatery installations facing untrusted clients directly
+ * should set this to +false+
+ */
+static VALUE set_xftrust(VALUE self, VALUE val)
+{
+  if (Qtrue == val || Qfalse == val)
+    trust_x_forward = val;
+  else
+    rb_raise(rb_eTypeError, "must be true or false");
+
+  return val;
+}
+
+/*
+ * returns whether or not the parser will trust X-Forwarded-Proto and
+ * X-Forwarded-SSL headers and set "rack.url_scheme" to "https" accordingly
+ */
+static VALUE xftrust(VALUE self)
+{
+  return trust_x_forward;
+}
+
 /* keep this small for Rainbows! since every client has one */
 struct http_parser {
   int cs; /* Ragel internal state */
   unsigned int flags;
+  unsigned long nr_requests;
   size_t mark;
   size_t offset;
   union { /* these 2 fields don't nest */
@@ -391,42 +447,85 @@ static struct http_parser *data_get(VALUE self)
   return hp;
 }
 
-static void finalize_header(struct http_parser *hp)
+/*
+ * set rack.url_scheme to "https" or "http", no others are allowed by Rack
+ * this resembles the Rack::Request#scheme method as of rack commit
+ * 35bb5ba6746b5d346de9202c004cc926039650c7
+ */
+static void set_url_scheme(VALUE env, VALUE *server_port)
 {
-  VALUE temp = rb_hash_aref(hp->env, g_rack_url_scheme);
-  VALUE server_name = g_localhost;
-  VALUE server_port = g_port_80;
+  VALUE scheme = rb_hash_aref(env, g_rack_url_scheme);
 
-  /* set rack.url_scheme to "https" or "http", no others are allowed by Rack */
-  if (NIL_P(temp)) {
-    temp = rb_hash_aref(hp->env, g_http_x_forwarded_proto);
-    if (!NIL_P(temp) && STR_CSTR_EQ(temp, "https"))
-      server_port = g_port_443;
-    else
-      temp = g_http;
-    rb_hash_aset(hp->env, g_rack_url_scheme, temp);
-  } else if (STR_CSTR_EQ(temp, "https")) {
-    server_port = g_port_443;
+  if (NIL_P(scheme)) {
+    if (trust_x_forward == Qfalse) {
+      scheme = g_http;
+    } else {
+      scheme = rb_hash_aref(env, g_http_x_forwarded_ssl);
+      if (!NIL_P(scheme) && STR_CSTR_EQ(scheme, "on")) {
+        *server_port = g_port_443;
+        scheme = g_https;
+      } else {
+        scheme = rb_hash_aref(env, g_http_x_forwarded_proto);
+        if (NIL_P(scheme)) {
+          scheme = g_http;
+        } else {
+          long len = RSTRING_LEN(scheme);
+          if (len >= 5 && !memcmp(RSTRING_PTR(scheme), "https", 5)) {
+            if (len != 5)
+              scheme = g_https;
+            *server_port = g_port_443;
+          } else {
+            scheme = g_http;
+          }
+        }
+      }
+    }
+    rb_hash_aset(env, g_rack_url_scheme, scheme);
+  } else if (STR_CSTR_EQ(scheme, "https")) {
+    *server_port = g_port_443;
   } else {
-    assert(server_port == g_port_80 && "server_port not set");
+    assert(*server_port == g_port_80 && "server_port not set");
   }
+}
+
+/*
+ * Parse and set the SERVER_NAME and SERVER_PORT variables
+ * Not supporting X-Forwarded-Host/X-Forwarded-Port in here since
+ * anybody who needs them is using an unsupported configuration and/or
+ * incompetent.  Rack::Request will handle X-Forwarded-{Port,Host} just
+ * fine.
+ */
+static void set_server_vars(VALUE env, VALUE *server_port)
+{
+  VALUE server_name = g_localhost;
+  VALUE host = rb_hash_aref(env, g_http_host);
+
+  if (!NIL_P(host)) {
+    char *host_ptr = RSTRING_PTR(host);
+    long host_len = RSTRING_LEN(host);
+    char *colon = memchr(host_ptr, ':', host_len);
 
-  /* parse and set the SERVER_NAME and SERVER_PORT variables */
-  temp = rb_hash_aref(hp->env, g_http_host);
-  if (!NIL_P(temp)) {
-    char *colon = memchr(RSTRING_PTR(temp), ':', RSTRING_LEN(temp));
     if (colon) {
-      long port_start = colon - RSTRING_PTR(temp) + 1;
+      long port_start = colon - host_ptr + 1;
 
-      server_name = rb_str_substr(temp, 0, colon - RSTRING_PTR(temp));
-      if ((RSTRING_LEN(temp) - port_start) > 0)
-        server_port = rb_str_substr(temp, port_start, RSTRING_LEN(temp));
+      server_name = rb_str_substr(host, 0, colon - host_ptr);
+      if ((host_len - port_start) > 0)
+        *server_port = rb_str_substr(host, port_start, host_len);
     } else {
-      server_name = temp;
+      server_name = host;
     }
   }
-  rb_hash_aset(hp->env, g_server_name, server_name);
-  rb_hash_aset(hp->env, g_server_port, server_port);
+  rb_hash_aset(env, g_server_name, server_name);
+  rb_hash_aset(env, g_server_port, *server_port);
+}
+
+static void finalize_header(struct http_parser *hp)
+{
+  VALUE server_port = g_port_80;
+
+  set_url_scheme(hp->env, &server_port);
+  set_server_vars(hp->env, &server_port);
+
   if (!HP_FL_TEST(hp, HASHEADER))
     rb_hash_aset(hp->env, g_server_protocol, g_http_09);
 
@@ -464,6 +563,7 @@ static VALUE HttpParser_init(VALUE self)
   http_parser_init(hp);
   hp->buf = rb_str_new(NULL, 0);
   hp->env = rb_hash_new();
+  hp->nr_requests = keepalive_requests;
 
   return self;
 }
@@ -537,6 +637,11 @@ static VALUE HttpParser_parse(VALUE self)
   struct http_parser *hp = data_get(self);
   VALUE data = hp->buf;
 
+  if (HP_FL_TEST(hp, TO_CLEAR)) {
+    http_parser_init(hp);
+    rb_funcall(hp->env, id_clear, 0);
+  }
+
   http_parser_execute(hp, RSTRING_PTR(data), RSTRING_LEN(data));
   VALIDATE_MAX_LENGTH(hp->offset, HEADER);
 
@@ -622,15 +727,16 @@ static VALUE HttpParser_keepalive(VALUE self)
  *    parser.next? => true or false
  *
  * Exactly like HttpParser#keepalive?, except it will reset the internal
- * parser state if it returns true.
+ * parser state on next parse if it returns true.  It will also respect
+ * the maximum *keepalive_requests* value and return false if that is
+ * reached.
  */
 static VALUE HttpParser_next(VALUE self)
 {
   struct http_parser *hp = data_get(self);
 
-  if (HP_FL_ALL(hp, KEEPALIVE)) {
-    http_parser_init(hp);
-    rb_funcall(hp->env, id_clear, 0);
+  if ((HP_FL_ALL(hp, KEEPALIVE)) && (hp->nr_requests-- != 0)) {
+    HP_FL_SET(hp, TO_CLEAR);
     return Qtrue;
   }
   return Qfalse;
@@ -775,6 +881,15 @@ void Init_unicorn_http(void)
    */
   rb_define_const(cHttpParser, "LENGTH_MAX", OFFT2NUM(UH_OFF_T_MAX));
 
+  /* default value for keepalive_requests */
+  rb_define_const(cHttpParser, "KEEPALIVE_REQUESTS_DEFAULT",
+                  ULONG2NUM(keepalive_requests));
+
+  rb_define_singleton_method(cHttpParser, "keepalive_requests", ka_req, 0);
+  rb_define_singleton_method(cHttpParser, "keepalive_requests=", set_ka_req, 1);
+  rb_define_singleton_method(cHttpParser, "trust_x_forwarded=", set_xftrust, 1);
+  rb_define_singleton_method(cHttpParser, "trust_x_forwarded?", xftrust, 0);
+
   init_common_fields();
   SET_GLOBAL(g_http_host, "HOST");
   SET_GLOBAL(g_http_trailer, "TRAILER");

data/lib/unicorn/configurator.rb

@@ -10,9 +10,10 @@ require 'logger'
 # http://unicorn.bogomips.org/examples/nginx.conf
 class Unicorn::Configurator
   include Unicorn
-  attr_accessor :set, :config_file, :after_reload
 
   # :stopdoc:
+  attr_accessor :set, :config_file, :after_reload
+
   # used to stash stuff for deferred processing of cli options in
   # config.ru after "working_directory" is bound.  Do not rely on
   # this being around later on...
@@ -42,6 +43,7 @@ class Unicorn::Configurator
     :preload_app => false,
     :rewindable_input => true, # for Rack 2.x: (Rack::VERSION[0] <= 1),
     :client_body_buffer_size => Unicorn::Const::MAX_BODY,
+    :trust_x_forwarded => true,
   }
   #:startdoc:
 
@@ -448,6 +450,15 @@ class Unicorn::Configurator
     set[:user] = [ user, group ]
   end
 
+  # Sets whether or not the parser will trust X-Forwarded-Proto and
+  # X-Forwarded-SSL headers and set "rack.url_scheme" to "https" accordingly.
+  # Rainbows!/Zbatery installations facing untrusted clients directly
+  # should set this to +false+.  This is +true+ by default as Unicorn
+  # is designed to only sit behind trusted nginx proxies.
+  def trust_x_forwarded(bool)
+    set_bool(:trust_x_forwarded, bool)
+  end
+
   # expands "unix:path/to/foo" to a socket relative to the current path
   # expands pathnames of sockets if relative to "~" or "~username"
   # expands "*:port and ":port" to "0.0.0.0:port"
@@ -472,7 +483,7 @@ class Unicorn::Configurator
   end
 
 private
-  def set_int(var, n, min)
+  def set_int(var, n, min) #:nodoc:
     Integer === n or raise ArgumentError, "not an integer: #{var}=#{n.inspect}"
     n >= min or raise ArgumentError, "too low (< #{min}): #{var}=#{n.inspect}"
     set[var] = n

data/lib/unicorn/const.rb

@@ -7,8 +7,8 @@
 # improve things much compared to constants.
 module Unicorn::Const
 
-  # The current version of Unicorn, currently 3.1.0
-  UNICORN_VERSION = "3.1.0"
+  # The current version of Unicorn, currently 3.2.1
+  UNICORN_VERSION = "3.2.1"
 
   # default TCP listen host address (0.0.0.0, all interfaces)
   DEFAULT_HOST = "0.0.0.0"

data/lib/unicorn/http_response.rb

@@ -9,8 +9,6 @@ require 'time'
 #
 # Most header correctness (including Content-Length and Content-Type)
 # is the job of Rack, with the exception of the "Date" and "Status" header.
-#
-# TODO: allow keepalive
 module Unicorn::HttpResponse
 
   # Every standard HTTP code mapped to the appropriate message.

data/lib/unicorn/http_server.rb

@@ -73,19 +73,17 @@ class Unicorn::HttpServer
   #   Unicorn::HttpServer::START_CTX[0] = "/home/bofh/1.9.2/bin/unicorn"
   START_CTX = {
     :argv => ARGV.map { |arg| arg.dup },
-    :cwd => lambda {
-        # favor ENV['PWD'] since it is (usually) symlink aware for
-        # Capistrano and like systems
-        begin
-          a = File.stat(pwd = ENV['PWD'])
-          b = File.stat(Dir.pwd)
-          a.ino == b.ino && a.dev == b.dev ? pwd : Dir.pwd
-        rescue
-          Dir.pwd
-        end
-      }.call,
     0 => $0.dup,
   }
+  # We favor ENV['PWD'] since it is (usually) symlink aware for Capistrano
+  # and like systems
+  START_CTX[:cwd] = begin
+    a = File.stat(pwd = ENV['PWD'])
+    b = File.stat(Dir.pwd)
+    a.ino == b.ino && a.dev == b.dev ? pwd : Dir.pwd
+  rescue
+    Dir.pwd
+  end
 
   # Creates a working server on host:port (strange things happen if
   # port isn't a Number).  Use HttpServer::run to start the server and
@@ -372,6 +370,14 @@ class Unicorn::HttpServer
     Unicorn::TeeInput.client_body_buffer_size = bytes
   end
 
+  def trust_x_forwarded
+    Unicorn::HttpParser.trust_x_forwarded?
+  end
+
+  def trust_x_forwarded=(bool)
+    Unicorn::HttpParser.trust_x_forwarded = bool
+  end
+
   private
 
   # wait for a signal hander to wake us up and then consume the pipe

data/script/isolate_for_tests

@@ -17,7 +17,7 @@ opts = {
 pid = fork do
   Isolate.now!(opts) do
     gem 'sqlite3-ruby', '1.2.5'
-    gem 'kgio', '2.0.0'
+    gem 'kgio', '2.1.1'
     gem 'rack', '1.1.0'
   end
 end

data/t/t0016-trust-x-forwarded-false.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+. ./test-lib.sh
+t_plan 5 "trust_x_forwarded=false configuration test"
+
+t_begin "setup and start" && {
+	unicorn_setup
+	echo "trust_x_forwarded false" >> $unicorn_config
+	unicorn -D -c $unicorn_config env.ru
+	unicorn_wait_start
+}
+
+t_begin "spoofed request with X-Forwarded-Proto does not trigger" && {
+	curl -H 'X-Forwarded-Proto: https' http://$listen/ | \
+		grep -F '"rack.url_scheme"=>"http"'
+}
+
+t_begin "spoofed request with X-Forwarded-SSL does not trigger" && {
+	curl -H 'X-Forwarded-SSL: on' http://$listen/ | \
+		grep -F '"rack.url_scheme"=>"http"'
+}
+
+t_begin "killing succeeds" && {
+	kill $unicorn_pid
+}
+
+t_begin "check stderr has no errors" && {
+	check_stderr
+}
+
+t_done

data/t/t0017-trust-x-forwarded-true.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+. ./test-lib.sh
+t_plan 5 "trust_x_forwarded=true configuration test"
+
+t_begin "setup and start" && {
+	unicorn_setup
+	echo "trust_x_forwarded true " >> $unicorn_config
+	unicorn -D -c $unicorn_config env.ru
+	unicorn_wait_start
+}
+
+t_begin "spoofed request with X-Forwarded-Proto sets 'https'" && {
+	curl -H 'X-Forwarded-Proto: https' http://$listen/ | \
+		grep -F '"rack.url_scheme"=>"https"'
+}
+
+t_begin "spoofed request with X-Forwarded-SSL sets 'https'" && {
+	curl -H 'X-Forwarded-SSL: on' http://$listen/ | \
+		grep -F '"rack.url_scheme"=>"https"'
+}
+
+t_begin "killing succeeds" && {
+	kill $unicorn_pid
+}
+
+t_begin "check stderr has no errors" && {
+	check_stderr
+}
+
+t_done

data/test/unit/test_http_parser.rb

@@ -147,6 +147,61 @@ class HttpParserTest < Test::Unit::TestCase
     assert parser.keepalive?
   end
 
+  def test_parse_xfp_https_chained
+    parser = HttpParser.new
+    req = {}
+    tmp = "GET / HTTP/1.0\r\n" \
+          "X-Forwarded-Proto: https,http\r\n\r\n"
+    assert_equal req, parser.headers(req, tmp)
+    assert_equal '443', req['SERVER_PORT'], req.inspect
+    assert_equal 'https', req['rack.url_scheme'], req.inspect
+    assert_equal '', tmp
+  end
+
+  def test_parse_xfp_https_chained_backwards
+    parser = HttpParser.new
+    req = {}
+    tmp = "GET / HTTP/1.0\r\n" \
+          "X-Forwarded-Proto: http,https\r\n\r\n"
+    assert_equal req, parser.headers(req, tmp)
+    assert_equal '80', req['SERVER_PORT'], req.inspect
+    assert_equal 'http', req['rack.url_scheme'], req.inspect
+    assert_equal '', tmp
+  end
+
+  def test_parse_xfp_gopher_is_ignored
+    parser = HttpParser.new
+    req = {}
+    tmp = "GET / HTTP/1.0\r\n" \
+          "X-Forwarded-Proto: gopher\r\n\r\n"
+    assert_equal req, parser.headers(req, tmp)
+    assert_equal '80', req['SERVER_PORT'], req.inspect
+    assert_equal 'http', req['rack.url_scheme'], req.inspect
+    assert_equal '', tmp
+  end
+
+  def test_parse_x_forwarded_ssl_on
+    parser = HttpParser.new
+    req = {}
+    tmp = "GET / HTTP/1.0\r\n" \
+          "X-Forwarded-Ssl: on\r\n\r\n"
+    assert_equal req, parser.headers(req, tmp)
+    assert_equal '443', req['SERVER_PORT'], req.inspect
+    assert_equal 'https', req['rack.url_scheme'], req.inspect
+    assert_equal '', tmp
+  end
+
+  def test_parse_x_forwarded_ssl_off
+    parser = HttpParser.new
+    req = {}
+    tmp = "GET / HTTP/1.0\r\n" \
+          "X-Forwarded-Ssl: off\r\n\r\n"
+    assert_equal req, parser.headers(req, tmp)
+    assert_equal '80', req['SERVER_PORT'], req.inspect
+    assert_equal 'http', req['rack.url_scheme'], req.inspect
+    assert_equal '', tmp
+  end
+
   def test_parse_strange_headers
     parser = HttpParser.new
     req = {}

data/test/unit/test_http_parser_ng.rb

@@ -8,9 +8,81 @@ include Unicorn
 class HttpParserNgTest < Test::Unit::TestCase
 
   def setup
+    HttpParser.keepalive_requests = HttpParser::KEEPALIVE_REQUESTS_DEFAULT
     @parser = HttpParser.new
   end
 
+  def test_keepalive_requests_default_constant
+    assert_kind_of Integer, HttpParser::KEEPALIVE_REQUESTS_DEFAULT
+    assert HttpParser::KEEPALIVE_REQUESTS_DEFAULT >= 0
+  end
+
+  def test_keepalive_requests_setting
+    HttpParser.keepalive_requests = 0
+    assert_equal 0, HttpParser.keepalive_requests
+    HttpParser.keepalive_requests = nil
+    assert HttpParser.keepalive_requests >= 0xffffffff
+    HttpParser.keepalive_requests = 1
+    assert_equal 1, HttpParser.keepalive_requests
+    HttpParser.keepalive_requests = 666
+    assert_equal 666, HttpParser.keepalive_requests
+
+    assert_raises(TypeError) { HttpParser.keepalive_requests = "666" }
+    assert_raises(TypeError) { HttpParser.keepalive_requests = [] }
+  end
+
+  def test_keepalive_requests_with_next?
+    req = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n".freeze
+    expect = {
+      "SERVER_NAME" => "example.com",
+      "HTTP_HOST" => "example.com",
+      "rack.url_scheme" => "http",
+      "REQUEST_PATH" => "/",
+      "SERVER_PROTOCOL" => "HTTP/1.1",
+      "PATH_INFO" => "/",
+      "HTTP_VERSION" => "HTTP/1.1",
+      "REQUEST_URI" => "/",
+      "SERVER_PORT" => "80",
+      "REQUEST_METHOD" => "GET",
+      "QUERY_STRING" => ""
+    }.freeze
+    HttpParser::KEEPALIVE_REQUESTS_DEFAULT.times do |nr|
+      @parser.buf << req
+      assert_equal expect, @parser.parse
+      assert @parser.next?
+    end
+    @parser.buf << req
+    assert_equal expect, @parser.parse
+    assert ! @parser.next?
+  end
+
+  def test_fewer_keepalive_requests_with_next?
+    HttpParser.keepalive_requests = 5
+    @parser = HttpParser.new
+    req = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n".freeze
+    expect = {
+      "SERVER_NAME" => "example.com",
+      "HTTP_HOST" => "example.com",
+      "rack.url_scheme" => "http",
+      "REQUEST_PATH" => "/",
+      "SERVER_PROTOCOL" => "HTTP/1.1",
+      "PATH_INFO" => "/",
+      "HTTP_VERSION" => "HTTP/1.1",
+      "REQUEST_URI" => "/",
+      "SERVER_PORT" => "80",
+      "REQUEST_METHOD" => "GET",
+      "QUERY_STRING" => ""
+    }.freeze
+    5.times do |nr|
+      @parser.buf << req
+      assert_equal expect, @parser.parse
+      assert @parser.next?
+    end
+    @parser.buf << req
+    assert_equal expect, @parser.parse
+    assert ! @parser.next?
+  end
+
   def test_default_keepalive_is_off
     assert ! @parser.keepalive?
     assert ! @parser.next?
@@ -504,9 +576,10 @@ class HttpParserNgTest < Test::Unit::TestCase
   end
 
   def test_pipelined_requests
+    host = "example.com"
     expect = {
-      "HTTP_HOST" => "example.com",
-      "SERVER_NAME" => "example.com",
+      "HTTP_HOST" => host,
+      "SERVER_NAME" => host,
       "REQUEST_PATH" => "/",
       "rack.url_scheme" => "http",
       "SERVER_PROTOCOL" => "HTTP/1.1",
@@ -517,15 +590,21 @@ class HttpParserNgTest < Test::Unit::TestCase
       "REQUEST_METHOD" => "GET",
       "QUERY_STRING" => ""
     }
-    str = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
-    @parser.buf << (str * 2)
+    req1 = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
+    req2 = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
+    @parser.buf << (req1 + req2)
     env1 = @parser.parse.dup
     assert_equal expect, env1
-    assert_equal str, @parser.buf
+    assert_equal req2, @parser.buf
     assert ! @parser.env.empty?
     assert @parser.next?
-    assert @parser.env.empty?
+    assert @parser.keepalive?
+    assert @parser.headers?
+    assert_equal expect, @parser.env
     env2 = @parser.parse.dup
+    host.replace "www.example.com"
+    assert_equal "www.example.com", expect["HTTP_HOST"]
+    assert_equal "www.example.com", expect["SERVER_NAME"]
     assert_equal expect, env2
     assert_equal "", @parser.buf
   end

data/test/unit/test_http_parser_xftrust.rb

@@ -0,0 +1,38 @@
+# -*- encoding: binary -*-
+require 'test/test_helper'
+
+include Unicorn
+
+class HttpParserXFTrustTest < Test::Unit::TestCase
+  def setup
+    assert HttpParser.trust_x_forwarded?
+  end
+
+  def test_xf_trust_false_xfp
+    HttpParser.trust_x_forwarded = false
+    parser = HttpParser.new
+    parser.buf << "GET / HTTP/1.1\r\nHost: foo:\r\n" \
+                  "X-Forwarded-Proto: https\r\n\r\n"
+    env = parser.parse
+    assert_kind_of Hash, env
+    assert_equal 'foo', env['SERVER_NAME']
+    assert_equal '80', env['SERVER_PORT']
+    assert_equal 'http', env['rack.url_scheme']
+  end
+
+  def test_xf_trust_false_xfs
+    HttpParser.trust_x_forwarded = false
+    parser = HttpParser.new
+    parser.buf << "GET / HTTP/1.1\r\nHost: foo:\r\n" \
+                  "X-Forwarded-SSL: on\r\n\r\n"
+    env = parser.parse
+    assert_kind_of Hash, env
+    assert_equal 'foo', env['SERVER_NAME']
+    assert_equal '80', env['SERVER_PORT']
+    assert_equal 'http', env['rack.url_scheme']
+  end
+
+  def teardown
+    HttpParser.trust_x_forwarded = true
+  end
+end

data/unicorn.gemspec

@@ -1,7 +1,9 @@
 # -*- encoding: binary -*-
-
 ENV["VERSION"] or abort "VERSION= must be specified"
 manifest = File.readlines('.manifest').map! { |x| x.chomp! }
+require 'wrongdoc'
+extend Wrongdoc::Gemspec
+name, summary, title = readme_metadata
 
 # don't bother with tests that fork, not worth our time to get working
 # with `gem check -t` ... (of course we care for them when testing with
@@ -12,35 +14,20 @@ end.compact
 
 Gem::Specification.new do |s|
   s.name = %q{unicorn}
-  s.version = ENV["VERSION"]
-
-  s.authors = ["Unicorn hackers"]
+  s.version = ENV["VERSION"].dup
+  s.authors = ["#{name} hackers"]
+  s.summary = summary
   s.date = Time.now.utc.strftime('%Y-%m-%d')
-  s.description = File.read("README").split(/\n\n/)[1].delete('\\')
+  s.description = readme_description
   s.email = %q{mongrel-unicorn@rubyforge.org}
   s.executables = %w(unicorn unicorn_rails)
   s.extensions = %w(ext/unicorn_http/extconf.rb)
-
-  s.extra_rdoc_files = File.readlines('.document').map! do |x|
-    x.chomp!
-    if File.directory?(x)
-      manifest.grep(%r{\A#{x}/})
-    elsif File.file?(x)
-      x
-    else
-      nil
-    end
-  end.flatten.compact
-
+  s.extra_rdoc_files = extra_rdoc_files(manifest)
   s.files = manifest
-  s.homepage = %q{http://unicorn.bogomips.org/}
-
-  summary = %q{Rack HTTP server for fast clients and Unix}
-  s.rdoc_options = [ "-t", "Unicorn: #{summary}" ]
+  s.homepage = Wrongdoc.config[:rdoc_url]
+  s.rdoc_options = rdoc_options
   s.require_paths = %w(lib ext)
   s.rubyforge_project = %q{mongrel}
-  s.summary = summary
-
   s.test_files = test_files
 
   # for people that are absolutely stuck on Rails 2.3.2 and can't
@@ -48,9 +35,10 @@ Gem::Specification.new do |s|
   # commented out.  Nevertheless, upgrading to Rails 2.3.4 or later is
   # *strongly* recommended for security reasons.
   s.add_dependency(%q<rack>)
-  s.add_dependency(%q<kgio>, '~> 2.0.0')
+  s.add_dependency(%q<kgio>, '~> 2.1')
 
   s.add_development_dependency('isolate', '~> 3.0.0')
+  s.add_development_dependency('wrongdoc', '~> 1.0.1')
 
   # s.licenses = %w(GPLv2 Ruby) # licenses= method is not in older RubyGems
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: unicorn
 version: !ruby/object:Gem::Version 
-  hash: 3
+  hash: 13
   prerelease: false
   segments: 
   - 3
+  - 2
   - 1
-  - 0
-  version: 3.1.0
+  version: 3.2.1
 platform: ruby
 authors: 
 - Unicorn hackers
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-12-09 00:00:00 +00:00
+date: 2010-12-26 00:00:00 +00:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -40,12 +40,11 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 15
+        hash: 1
         segments: 
         - 2
-        - 0
-        - 0
-        version: 2.0.0
+        - 1
+        version: "2.1"
   type: :runtime
   version_requirements: *id002
 - !ruby/object:Gem::Dependency 
@@ -64,12 +63,28 @@ dependencies:
         version: 3.0.0
   type: :development
   version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: wrongdoc
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 21
+        segments: 
+        - 1
+        - 0
+        - 1
+        version: 1.0.1
+  type: :development
+  version_requirements: *id004
 description: |-
-  Unicorn is an HTTP server for Rack applications designed to only serve
+  \Unicorn is an HTTP server for Rack applications designed to only serve
   fast clients on low-latency, high-bandwidth connections and take
   advantage of features in Unix/Unix-like kernels.  Slow clients should
   only be served by placing a reverse proxy capable of fully buffering
-  both the the request and response in between Unicorn and slow clients.
+  both the the request and response in between \Unicorn and slow clients.
 email: mongrel-unicorn@rubyforge.org
 executables: 
 - unicorn
@@ -90,6 +105,7 @@ extra_rdoc_files:
 - TODO
 - NEWS
 - ChangeLog
+- LATEST
 - lib/unicorn.rb
 - lib/unicorn/app/exec_cgi.rb
 - lib/unicorn/app/inetd.rb
@@ -119,6 +135,7 @@ files:
 - .gitignore
 - .mailmap
 - .manifest
+- .wrongdoc.yml
 - CONTRIBUTORS
 - COPYING
 - ChangeLog
@@ -134,6 +151,7 @@ files:
 - HACKING
 - ISSUES
 - KNOWN_ISSUES
+- LATEST
 - LICENSE
 - NEWS
 - PHILOSOPHY
@@ -250,6 +268,8 @@ files:
 - t/t0014-rewindable-input-true.sh
 - t/t0014.ru
 - t/t0015-configurator-internals.sh
+- t/t0016-trust-x-forwarded-false.sh
+- t/t0017-trust-x-forwarded-true.sh
 - t/t0100-rack-input-tests.sh
 - t/t0116-client_body_buffer_size.sh
 - t/t0116.ru
@@ -347,6 +367,7 @@ files:
 - test/unit/test_configurator.rb
 - test/unit/test_http_parser.rb
 - test/unit/test_http_parser_ng.rb
+- test/unit/test_http_parser_xftrust.rb
 - test/unit/test_request.rb
 - test/unit/test_response.rb
 - test/unit/test_server.rb
@@ -365,6 +386,8 @@ post_install_message:
 rdoc_options: 
 - -t
 - "Unicorn: Rack HTTP server for fast clients and Unix"
+- -W
+- http://git.bogomips.org/cgit/unicorn.git/tree/%s
 require_paths: 
 - lib
 - ext
@@ -397,6 +420,7 @@ test_files:
 - test/unit/test_configurator.rb
 - test/unit/test_http_parser.rb
 - test/unit/test_http_parser_ng.rb
+- test/unit/test_http_parser_xftrust.rb
 - test/unit/test_request.rb
 - test/unit/test_response.rb
 - test/unit/test_server.rb