uninterruptible 2.2.1 → 2.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/README.md +3 -2
- data/lib/uninterruptible/configuration.rb +13 -1
- data/lib/uninterruptible/network_restrictions.rb +39 -0
- data/lib/uninterruptible/server.rb +11 -2
- data/lib/uninterruptible/version.rb +1 -1
- data/lib/uninterruptible.rb +3 -0
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4b2930d6fcae73edfbb4d6f39cd6e5995304d8a5
|
|
4
|
+
data.tar.gz: 6c22d922f5cd20810d5849d322af57bb69a22abe
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 32742c8851a675116a8489b3f62b666eb0e1ede1ba54f9682d0c47287ead8d1ba6c4abe50bd9755f8bd1d579b35d20e880f3aa2b3328569cf45413104a322343
|
|
7
|
+
data.tar.gz: 740993f1d8a5d940acd874ba3f990846dfde887dd26124fd0944f59ef7d542104890ed879b4cb7bc369a8248318ec2fb98932433ac7e556ef3efc97f0aa73de7
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -69,6 +69,7 @@ echo_server.configure do |config|
|
|
|
69
69
|
config.tls_certificate = nil # Certificate to use for TLS, reads file from ENV['TLS_CERTIFICATE'] if set
|
|
70
70
|
config.verify_client_tls_certificate = false # Should client TLS certificates be required and verifiyed? Falls back to ENV['VERIFY_CLIENT_TLS_CERTIFICATE']
|
|
71
71
|
config.client_tls_certificate_ca = nil # Path to a trusted CA for client certificates. Implies `config.verify_client_tls_certificate = true`. Falls back to ENV['CLIENT_TLS_CERTIFICATE_CA']
|
|
72
|
+
config.allowed_networks = ['127.0.0.1/8', '2001:db8::/32'] # A list of networks that clients are allowed to connect from. If blank, all networks are allowed. Falls back to a comma-separated list from ENV['ALLOWED_NETWORKS']
|
|
72
73
|
end
|
|
73
74
|
```
|
|
74
75
|
|
|
@@ -96,8 +97,8 @@ By default, Uninterruptible operates on a very simple one thread per connection
|
|
|
96
97
|
something more advanced such as a threadpool or an event driven pattern you can define this in your server class.
|
|
97
98
|
|
|
98
99
|
By overriding `accept_client_connection` you can change how connections are accepted and handled. It is recommended
|
|
99
|
-
that you call `process_request` from this method and
|
|
100
|
-
`process_request` tracks the number of active connections to the server.
|
|
100
|
+
that you call `process_request` from this method and implement `handle_request` to do the bulk of the work since
|
|
101
|
+
`process_request` tracks the number of active connections to the server and handles network restrictions.
|
|
101
102
|
|
|
102
103
|
`accept_client_connection` is called whenever a connection is waiting to be accepted on the socket server.
|
|
103
104
|
|
|
@@ -6,7 +6,7 @@ module Uninterruptible
|
|
|
6
6
|
AVAILABLE_SSL_VERSIONS = %w[TLSv1_1 TLSv1_2].freeze
|
|
7
7
|
|
|
8
8
|
attr_writer :bind, :bind_port, :bind_address, :pidfile_path, :start_command, :log_path, :log_level, :tls_version,
|
|
9
|
-
:tls_key, :tls_certificate, :verify_client_tls_certificate, :client_tls_certificate_ca
|
|
9
|
+
:tls_key, :tls_certificate, :verify_client_tls_certificate, :client_tls_certificate_ca, :allowed_networks
|
|
10
10
|
|
|
11
11
|
# Available TCP Port for the server to bind to (required). Falls back to environment variable PORT if set.
|
|
12
12
|
#
|
|
@@ -94,5 +94,17 @@ module Uninterruptible
|
|
|
94
94
|
def client_tls_certificate_ca
|
|
95
95
|
@client_tls_certificate_ca || ENV['CLIENT_TLS_CERTIFICATE_CA']
|
|
96
96
|
end
|
|
97
|
+
|
|
98
|
+
# Specifiy allowed networks to reject all connections except those originating from allowed networks. Set to an
|
|
99
|
+
# array of networks in CIDR format. If environment variable ALLOWED_NETWORKS is set, a comma separated list will be
|
|
100
|
+
# read from that. Setting this enables #block_connections?
|
|
101
|
+
def allowed_networks
|
|
102
|
+
@allowed_networks || (ENV['ALLOWED_NETWORKS'] && ENV['ALLOWED_NETWORKS'].split(',')) || []
|
|
103
|
+
end
|
|
104
|
+
|
|
105
|
+
# True when allowed_networks is set
|
|
106
|
+
def block_connections?
|
|
107
|
+
!allowed_networks.empty?
|
|
108
|
+
end
|
|
97
109
|
end
|
|
98
110
|
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
module Uninterruptible
|
|
2
|
+
class NetworkRestrictions
|
|
3
|
+
attr_reader :configuration
|
|
4
|
+
|
|
5
|
+
# @param [Uninterruptible::Configuration] configuration Object with allowed_networks configuration
|
|
6
|
+
def initialize(configuration)
|
|
7
|
+
@configuration = configuration
|
|
8
|
+
check_configuration!
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
# Should the incoming connection be allowed to connect?
|
|
12
|
+
#
|
|
13
|
+
# @param [TCPSocket] client_socket Incoming socket from the client connection
|
|
14
|
+
def connection_allowed_from?(client_address)
|
|
15
|
+
return true unless configuration.block_connections?
|
|
16
|
+
allowed_networks.any? { |allowed_network| allowed_network.include?(client_address) }
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
private
|
|
20
|
+
|
|
21
|
+
# Parse the list of allowed networks from the configuration and turn them into IPAddr objects
|
|
22
|
+
#
|
|
23
|
+
# @return [Array<IPAddr>] Parsed list of IP networks
|
|
24
|
+
def allowed_networks
|
|
25
|
+
@allowed_networks ||= configuration.allowed_networks.map do |network|
|
|
26
|
+
IPAddr.new(network)
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
# Check the configuration parameters for network restrictions
|
|
31
|
+
#
|
|
32
|
+
# @raise [Uninterruptible::ConfigurationError] Correct options are not set for network restrictions
|
|
33
|
+
def check_configuration!
|
|
34
|
+
unless configuration.bind.start_with?('tcp://')
|
|
35
|
+
raise ConfigurationError, "Network restrictions can only be used on TCP servers"
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
@@ -89,7 +89,6 @@ module Uninterruptible
|
|
|
89
89
|
# concurrency model.
|
|
90
90
|
def accept_client_connection
|
|
91
91
|
Thread.start(socket_server.accept_nonblock) do |client_socket|
|
|
92
|
-
logger.debug "Accepted connection from #{client_socket.peeraddr.last}"
|
|
93
92
|
process_request(client_socket)
|
|
94
93
|
end
|
|
95
94
|
end
|
|
@@ -101,7 +100,13 @@ module Uninterruptible
|
|
|
101
100
|
def process_request(client_socket)
|
|
102
101
|
mutex.synchronize { @active_connections += 1 }
|
|
103
102
|
begin
|
|
104
|
-
|
|
103
|
+
client_address = client_socket.peeraddr.last
|
|
104
|
+
if network_restrictions.connection_allowed_from?(client_address)
|
|
105
|
+
logger.debug "Accepting connection from #{client_address}"
|
|
106
|
+
handle_request(client_socket)
|
|
107
|
+
else
|
|
108
|
+
logger.debug "Rejecting connection from #{client_address}"
|
|
109
|
+
end
|
|
105
110
|
ensure
|
|
106
111
|
client_socket.close
|
|
107
112
|
mutex.synchronize { @active_connections -= 1 }
|
|
@@ -196,6 +201,10 @@ module Uninterruptible
|
|
|
196
201
|
end
|
|
197
202
|
end
|
|
198
203
|
|
|
204
|
+
def network_restrictions
|
|
205
|
+
@network_restrictions ||= Uninterruptible::NetworkRestrictions.new(server_configuration)
|
|
206
|
+
end
|
|
207
|
+
|
|
199
208
|
# The current configuration of this server
|
|
200
209
|
#
|
|
201
210
|
# @return [Uninterruptible::Configuration] Current or new configuration if unset.
|
data/lib/uninterruptible.rb
CHANGED
|
@@ -1,8 +1,11 @@
|
|
|
1
1
|
require 'openssl'
|
|
2
|
+
require 'ipaddr'
|
|
3
|
+
|
|
2
4
|
require "uninterruptible/version"
|
|
3
5
|
require 'uninterruptible/ssl_extensions'
|
|
4
6
|
require 'uninterruptible/configuration'
|
|
5
7
|
require 'uninterruptible/binder'
|
|
8
|
+
require 'uninterruptible/network_restrictions'
|
|
6
9
|
require 'uninterruptible/tls_server_factory'
|
|
7
10
|
require 'uninterruptible/server'
|
|
8
11
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: uninterruptible
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dan Wentworth
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-03-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -75,6 +75,7 @@ files:
|
|
|
75
75
|
- lib/uninterruptible.rb
|
|
76
76
|
- lib/uninterruptible/binder.rb
|
|
77
77
|
- lib/uninterruptible/configuration.rb
|
|
78
|
+
- lib/uninterruptible/network_restrictions.rb
|
|
78
79
|
- lib/uninterruptible/server.rb
|
|
79
80
|
- lib/uninterruptible/ssl_extensions.rb
|
|
80
81
|
- lib/uninterruptible/tls_server_factory.rb
|
|
@@ -100,7 +101,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
100
101
|
version: '0'
|
|
101
102
|
requirements: []
|
|
102
103
|
rubyforge_project:
|
|
103
|
-
rubygems_version: 2.5.1
|
|
104
|
+
rubygems_version: 2.5.2.1
|
|
104
105
|
signing_key:
|
|
105
106
|
specification_version: 4
|
|
106
107
|
summary: Zero-downtime restarts for your trivial socket servers
|