-rw-r--r-- | lib/unicorn/configurator.rb | 2 | ||||
-rw-r--r-- | lib/unicorn/http_server.rb | 3 | ||||
-rw-r--r-- | lib/unicorn/ssl_client.rb | 11 | ||||
-rw-r--r-- | lib/unicorn/ssl_configurator.rb | 104 | ||||
-rw-r--r-- | lib/unicorn/ssl_server.rb | 42 | ||||
-rw-r--r-- | test/unit/test_sni_hostnames.rb | 47 |
6 files changed, 0 insertions, 209 deletions
diff --git a/lib/unicorn/configurator.rb b/lib/unicorn/configurator.rb
index 5962418..d14e608 100644
--- a/lib/unicorn/configurator.rb
+++ b/lib/unicorn/configurator.rb
@@ -1,6 +1,5 @@
# -*- encoding: binary -*-
require 'logger'
-require 'unicorn/ssl_configurator'
# Implements a simple DSL for configuring a \Unicorn server.
#
@@ -13,7 +12,6 @@ require 'unicorn/ssl_configurator'
# See the link:/TUNING.html document for more information on tuning unicorn.
class Unicorn::Configurator
include Unicorn
- include Unicorn::SSLConfigurator
# :stopdoc:
attr_accessor :set, :config_file, :after_reload
diff --git a/lib/unicorn/http_server.rb b/lib/unicorn/http_server.rb
index 69bf362..a523fce 100644
--- a/lib/unicorn/http_server.rb
+++ b/lib/unicorn/http_server.rb
@@ -1,5 +1,4 @@
# -*- encoding: binary -*-
-require "unicorn/ssl_server"
# This is the process manager of Unicorn. This manages worker
# processes which in turn handle the I/O and application process.
@@ -21,7 +20,6 @@ class Unicorn::HttpServer
attr_reader :pid, :logger
include Unicorn::SocketHelper
include Unicorn::HttpResponse
- include Unicorn::SSLServer
# backwards compatibility with 1.x
Worker = Unicorn::Worker
@@ -618,7 +616,6 @@ class Unicorn::HttpServer
self.timeout /= 2.0 # halve it for select()
@config = nil
build_app! unless preload_app
- ssl_enable!
@after_fork = @listener_opts = @orig_app = nil
readers = LISTENERS.dup
readers << worker
diff --git a/lib/unicorn/ssl_client.rb b/lib/unicorn/ssl_client.rb
deleted file mode 100644
index a8c79e3..0000000
--- a/lib/unicorn/ssl_client.rb
+++ /dev/null
@@ -1,11 +0,0 @@
-# -*- encoding: binary -*-
-# :stopdoc:
-class Unicorn::SSLClient < Kgio::SSL
- alias write kgio_write
- alias close kgio_close
-
- # this is no-op for now, to be fixed in kgio-monkey if people care
- # about SSL support...
- def shutdown(how = nil)
- end
-end
diff --git a/lib/unicorn/ssl_configurator.rb b/lib/unicorn/ssl_configurator.rb
deleted file mode 100644
index 34f09ec..0000000
--- a/lib/unicorn/ssl_configurator.rb
+++ /dev/null
@@ -1,104 +0,0 @@
-# -*- encoding: binary -*-
-# :stopdoc:
-# This module is included in Unicorn::Configurator
-# :startdoc:
-#
-module Unicorn::SSLConfigurator
- def ssl(&block)
- ssl_require!
- before = @set[:listeners].dup
- opts = @set[:ssl_opts] = {}
- yield
- (@set[:listeners] - before).each do |address|
- (@set[:listener_opts][address] ||= {})[:ssl_opts] = opts
- end
- ensure
- @set.delete(:ssl_opts)
- end
-
- def ssl_certificate(file)
- ssl_set(:ssl_certificate, file)
- end
-
- def ssl_certificate_key(file)
- ssl_set(:ssl_certificate_key, file)
- end
-
- def ssl_client_certificate(file)
- ssl_set(:ssl_client_certificate, file)
- end
-
- def ssl_dhparam(file)
- ssl_set(:ssl_dhparam, file)
- end
-
- def ssl_ciphers(openssl_cipherlist_spec)
- ssl_set(:ssl_ciphers, openssl_cipherlist_spec)
- end
-
- def ssl_crl(file)
- ssl_set(:ssl_crl, file)
- end
-
- def ssl_prefer_server_ciphers(bool)
- ssl_set(:ssl_prefer_server_ciphers, check_bool(bool))
- end
-
- def ssl_protocols(list)
- ssl_set(:ssl_protocols, list)
- end
-
- def ssl_verify_client(on_off_optional)
- ssl_set(:ssl_verify_client, on_off_optional)
- end
-
- def ssl_session_timeout(seconds)
- ssl_set(:ssl_session_timeout, seconds)
- end
-
- def ssl_verify_depth(depth)
- ssl_set(:ssl_verify_depth, depth)
- end
-
- # Allows specifying an engine for OpenSSL to use. We have not been
- # able to successfully test this feature due to a lack of hardware,
- # Reports of success or patches to unicorn-public@bogomips.org is
- # greatly appreciated.
- def ssl_engine(engine)
- ssl_warn_global(:ssl_engine)
- ssl_require!
- OpenSSL::Engine.load
- OpenSSL::Engine.by_id(engine)
- @set[:ssl_engine] = engine
- end
-
- def ssl_compression(bool)
- # OpenSSL uses the SSL_OP_NO_COMPRESSION flag, Flipper follows suit
- # with :ssl_no_compression, but we negate it to avoid exposing double
- # negatives to the user.
- ssl_set(:ssl_no_compression, check_bool(:ssl_compression, ! bool))
- end
-
-private
-
- def ssl_warn_global(func) # :nodoc:
- Hash === @set[:ssl_opts] or return
- warn("`#{func}' affects all SSL contexts in this process, " \
- "not just this block")
- end
-
- def ssl_set(key, value) # :nodoc:
- cur = @set[:ssl_opts]
- Hash === cur or
- raise ArgumentError, "#{key} must be called inside an `ssl' block"
- cur[key] = value
- end
-
- def ssl_require! # :nodoc:
- require "flipper"
- require "unicorn/ssl_client"
- rescue LoadError
- warn "install 'kgio-monkey' for SSL support"
- raise
- end
-end
diff --git a/lib/unicorn/ssl_server.rb b/lib/unicorn/ssl_server.rb
deleted file mode 100644
index c00c3ae..0000000
--- a/lib/unicorn/ssl_server.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-# -*- encoding: binary -*-
-# :stopdoc:
-# this module is meant to be included in Unicorn::HttpServer
-# It is an implementation detail and NOT meant for users.
-module Unicorn::SSLServer
- attr_accessor :ssl_engine
-
- def ssl_enable!
- sni_hostnames = rack_sni_hostnames(@app)
- seen = {} # we map a single SSLContext to multiple listeners
- listener_ctx = {}
- @listener_opts.each do |address, address_opts|
- ssl_opts = address_opts[:ssl_opts] or next
- listener_ctx[address] = seen[ssl_opts.object_id] ||= begin
- unless sni_hostnames.empty?
- ssl_opts = ssl_opts.dup
- ssl_opts[:sni_hostnames] = sni_hostnames
- end
- ctx = Flipper.ssl_context(ssl_opts)
- # FIXME: make configurable
- ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF
- ctx
- end
- end
- Unicorn::HttpServer::LISTENERS.each do |listener|
- ctx = listener_ctx[sock_name(listener)] or next
- listener.extend(Kgio::SSLServer)
- listener.ssl_ctx = ctx
- listener.kgio_ssl_class = Unicorn::SSLClient
- end
- end
-
- # ugh, this depends on Rack internals...
- def rack_sni_hostnames(rack_app) # :nodoc:
- hostnames = {}
- if Rack::URLMap === rack_app
- mapping = rack_app.instance_variable_get(:@mapping)
- mapping.each { |hostname,_,_,_| hostnames[hostname] = true }
- end
- hostnames.keys
- end
-end
diff --git a/test/unit/test_sni_hostnames.rb b/test/unit/test_sni_hostnames.rb
deleted file mode 100644
index 457afee..0000000
--- a/test/unit/test_sni_hostnames.rb
+++ /dev/null
@@ -1,47 +0,0 @@
-# -*- encoding: binary -*-
-require "test/unit"
-require "unicorn"
-
-# this tests an implementation detail, it may change so this test
-# can be removed later.
-class TestSniHostnames < Test::Unit::TestCase
- include Unicorn::SSLServer
-
- def setup
- GC.start
- end
-
- def teardown
- GC.start
- end
-
- def test_host_name_detect_one
- app = Rack::Builder.new do
- map "http://sni1.example.com/" do
- use Rack::ContentLength
- use Rack::ContentType, "text/plain"
- run lambda { |env| [ 200, {}, [] ] }
- end
- end.to_app
- hostnames = rack_sni_hostnames(app)
- assert hostnames.include?("sni1.example.com")
- end
-
- def test_host_name_detect_multiple
- app = Rack::Builder.new do
- map "http://sni2.example.com/" do
- use Rack::ContentLength
- use Rack::ContentType, "text/plain"
- run lambda { |env| [ 200, {}, [] ] }
- end
- map "http://sni3.example.com/" do
- use Rack::ContentLength
- use Rack::ContentType, "text/plain"
- run lambda { |env| [ 200, {}, [] ] }
- end
- end.to_app
- hostnames = rack_sni_hostnames(app)
- assert hostnames.include?("sni2.example.com")
- assert hostnames.include?("sni3.example.com")
- end
-end |