Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Puma is a simple, fast, multi-threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications.
Puma is a server for Rack-powered HTTP applications written in Ruby. It is:
Originally designed as a server for Rubinius, Puma also works well with Ruby (MRI) and JRuby.
On MRI, there is a Global VM Lock (GVL) that ensures only one thread can run Ruby code at a time. But if you're doing a lot of blocking IO (such as HTTP calls to external APIs like Twitter), Puma still improves MRI's throughput by allowing IO waiting to be done in parallel. Truly parallel Ruby implementations (TruffleRuby, JRuby) don't have this limitation.
$ gem install puma
$ puma
Without arguments, puma will look for a rackup (.ru) file in
working directory called config.ru
.
Puma will install/compile with support for ssl sockets, assuming OpenSSL development files are installed on the system.
If the system does not have OpenSSL development files installed, Puma will install/compile, but it will not allow ssl connections.
Puma is the default server for Rails, included in the generated Gemfile.
Start your server with the rails
command:
$ rails server
Many configuration options and Puma features are not available when using rails server
. It is recommended that you use Puma's executable instead:
$ bundle exec puma
You can run your Sinatra application with Puma from the command line like this:
$ ruby app.rb -s Puma
In order to actually configure Puma using a config file, like puma.rb
, however, you need to use the puma
executable. To do this, you must add a rackup file to your Sinatra app:
# config.ru
require './app'
run Sinatra::Application
You can then start your application using:
$ bundle exec puma
Puma provides numerous options. Consult puma -h
(or puma --help
) for a full list of CLI options, or see Puma::DSL
or dsl.rb.
You can also find several configuration examples as part of the test suite.
For debugging purposes, you can set the environment variable PUMA_LOG_CONFIG
with a value
and the loaded configuration will be printed as part of the boot process.
Puma uses a thread pool. You can set the minimum and maximum number of threads that are available in the pool with the -t
(or --threads
) flag:
$ puma -t 8:32
Puma will automatically scale the number of threads, from the minimum until it caps out at the maximum, based on how much traffic is present. The current default is 0:16
and on MRI is 0:5
. Feel free to experiment, but be careful not to set the number of maximum threads to a large number, as you may exhaust resources on the system (or cause contention for the Global VM Lock, when using MRI).
Be aware that additionally Puma creates threads on its own for internal purposes (e.g. handling slow clients). So, even if you specify -t 1:1, expect around 7 threads created in your application.
Puma also offers "clustered mode". Clustered mode fork
s workers from a master process. Each child process still has its own thread pool. You can tune the number of workers with the -w
(or --workers
) flag:
$ puma -t 8:32 -w 3
Or with the WEB_CONCURRENCY
environment variable:
$ WEB_CONCURRENCY=3 puma -t 8:32
Note that threads are still used in clustered mode, and the -t
thread flag setting is per worker, so -w 2 -t 16:16
will spawn 32 threads in total, with 16 in each worker process.
If the WEB_CONCURRENCY
environment variable is set to "auto"
and the concurrent-ruby
gem is available in your application, Puma will set the worker process count to the result of available processors.
For an in-depth discussion of the tradeoffs of thread and process count settings, see our docs.
In clustered mode, Puma can "preload" your application. This loads all the application code prior to forking. Preloading reduces total memory usage of your application via an operating system feature called copy-on-write.
If the WEB_CONCURRENCY
environment variable is set to a value > 1 (and --prune-bundler
has not been specified), preloading will be enabled by default. Otherwise, you can use the --preload
flag from the command line:
$ puma -w 3 --preload
Or, if you're using a configuration file, you can use the preload_app!
method:
# config/puma.rb
workers 3
preload_app!
Preloading can’t be used with phased restart, since phased restart kills and restarts workers one-by-one, and preloading copies the code of master into the workers.
When using clustered mode, Puma's configuration DSL provides before_fork
and on_worker_boot
hooks to run code when the master process forks and child workers are booted respectively.
It is recommended to use these hooks with preload_app!
, otherwise constants loaded by your
application (such as Rails
) will not be available inside the hooks.
# config/puma.rb
before_fork do
# Add code to run inside the Puma master process before it forks a worker child.
end
on_worker_boot do
# Add code to run inside the Puma worker process after forking.
end
In addition, there is an on_refork
hook which is used only in fork_worker
mode,
when the worker 0 child process forks a grandchild worker:
on_refork do
# Used only when fork_worker mode is enabled. Add code to run inside the Puma worker 0
# child process before it forks a grandchild worker.
end
Importantly, note the following considerations when Ruby forks a child process:
SocketError
, Errno::EPIPE
, and EOFError
.Therefore, we recommend the following:
before_fork
and on_refork
to disconnect the parent's socket
connections when forking, so that they are not accidentally copied to the child process.on_worker_boot
to restart any background threads on the forked child.Puma's configuration DSL provides master process lifecycle hooks on_booted
, on_restart
, and on_stopped
which may be used to specify code blocks to run on each event:
# config/puma.rb
on_booted do
# Add code to run in the Puma master process after it boots,
# and also after a phased restart completes.
end
on_restart do
# Add code to run in the Puma master process when it receives
# a restart command but before it restarts.
end
on_stopped do
# Add code to run in the Puma master process when it receives
# a stop command but before it shuts down.
end
If Puma encounters an error outside of the context of your application, it will respond with a 400/500 and a simple
textual error message (see Puma::Server#lowlevel_error
or server.rb).
You can specify custom behavior for this scenario. For example, you can report the error to your third-party
error-tracking service (in this example, rollbar):
lowlevel_error_handler do |e, env, status|
if status == 400
message = "The server could not process the request due to an error, such as an incorrectly typed URL, malformed syntax, or a URL that contains illegal characters.\n"
else
message = "An error has occurred, and engineers have been informed. Please reload the page. If you continue to have problems, contact support@example.com\n"
Rollbar.critical(e)
end
[status, {}, [message]]
end
Bind Puma to a socket with the -b
(or --bind
) flag:
$ puma -b tcp://127.0.0.1:9292
To use a UNIX Socket instead of TCP:
$ puma -b unix:///var/run/puma.sock
If you need to change the permissions of the UNIX socket, just add a umask parameter:
$ puma -b 'unix:///var/run/puma.sock?umask=0111'
Need a bit of security? Use SSL sockets:
$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert'
localhost
gem, for development use):Puma supports the localhost
gem for self-signed certificates. This is particularly useful if you want to use Puma with SSL locally, and self-signed certificates will work for your use-case. Currently, the integration can only be used in MRI.
Puma automatically configures SSL when the localhost
gem is loaded in a development
environment:
Add the gem to your Gemfile:
group(:development) do
gem 'localhost'
end
And require it implicitly using bundler:
require "bundler"
Bundler.require(:default, ENV["RACK_ENV"].to_sym)
Alternatively, you can require the gem in your configuration file, either config/puma/development.rb
, config/puma.rb
, or set via the -C
cli option:
require 'localhost'
# configuration methods (from Puma::DSL) as needed
Additionally, Puma must be listening to an SSL socket:
$ puma -b 'ssl://localhost:9292' -C config/use_local_host.rb
# The following options allow you to reach Puma over HTTP as well:
$ puma -b ssl://localhost:9292 -b tcp://localhost:9393 -C config/use_local_host.rb
To use or avoid specific SSL ciphers for TLSv1.2 and below, use ssl_cipher_filter
or ssl_cipher_list
options.
$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ssl_cipher_filter=!aNULL:AES+SHA'
$ puma -b 'ssl://127.0.0.1:9292?keystore=path_to_keystore&keystore-pass=keystore_password&ssl_cipher_list=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA'
To configure the available TLSv1.3 ciphersuites, use ssl_ciphersuites
option (not available for JRuby).
$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ssl_ciphersuites=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256'
See https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for cipher filter format and full list of cipher suites.
Disable TLS v1 with the no_tlsv1
option:
$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&no_tlsv1=true'
To enable verification flags offered by OpenSSL, use verification_flags
(not available for JRuby):
$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&verification_flags=PARTIAL_CHAIN'
You can also set multiple verification flags (by separating them with a comma):
$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&verification_flags=PARTIAL_CHAIN,CRL_CHECK'
List of available flags: USE_CHECK_TIME
, CRL_CHECK
, CRL_CHECK_ALL
, IGNORE_CRITICAL
, X509_STRICT
, ALLOW_PROXY_CERTS
, POLICY_CHECK
, EXPLICIT_POLICY
, INHIBIT_ANY
, INHIBIT_MAP
, NOTIFY_POLICY
, EXTENDED_CRL_SUPPORT
, USE_DELTAS
, CHECK_SS_SIGNATURE
, TRUSTED_FIRST
, SUITEB_128_LOS_ONLY
, SUITEB_192_LOS
, SUITEB_128_LOS
, PARTIAL_CHAIN
, NO_ALT_CHAINS
, NO_CHECK_TIME
(see https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_hostflags.html#VERIFICATION-FLAGS).
To enable runtime decryption of an encrypted SSL key (not available for JRuby), use key_password_command
:
$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&key_password_command=/path/to/command.sh'
key_password_command
must:
For example:
#!/bin/sh
echo "this is my password"
key_password_command
can be used with key
or key_pem
. If the key
is not encrypted, the executable will not be called.
Puma has a built-in status and control app that can be used to query and control Puma.
$ puma --control-url tcp://127.0.0.1:9293 --control-token foo
Puma will start the control server on localhost port 9293. All requests to the control server will need to include control token (in this case, token=foo
) as a query parameter. This allows for simple authentication. Check out Puma::App::Status
or status.rb to see what the status app has available.
You can also interact with the control server via pumactl
. This command will restart Puma:
$ pumactl --control-url 'tcp://127.0.0.1:9293' --control-token foo restart
To see a list of pumactl
options, use pumactl --help
.
You can also provide a configuration file with the -C
(or --config
) flag:
$ puma -C /path/to/config
If no configuration file is specified, Puma will look for a configuration file at config/puma.rb
. If an environment is specified (via the --environment
flag or through the APP_ENV
, RACK_ENV
, or RAILS_ENV
environment variables) Puma looks for a configuration file at config/puma/<environment_name>.rb
and then falls back to config/puma.rb
.
If you want to prevent Puma from looking for a configuration file in those locations, include the --no-config
flag:
$ puma --no-config
# or
$ puma -C "-"
The other side-effects of setting the environment are whether to show stack traces (in development
or test
), and setting RACK_ENV may potentially affect middleware looking for this value to change their behavior. The default puma RACK_ENV value is development
. You can see all config default values in Puma::Configuration#puma_default_options
or configuration.rb.
Check out Puma::DSL
or dsl.rb to see all available options.
Puma includes the ability to restart itself. When available (MRI, Rubinius, JRuby), Puma performs a "hot restart". This is the same functionality available in Unicorn and NGINX which keep the server sockets open between restarts. This makes sure that no pending requests are dropped while the restart is taking place.
For more, see the Restart documentation.
Puma responds to several signals. A detailed guide to using UNIX signals with Puma can be found in the Signals documentation.
Some platforms do not support all Puma features.
For MRI versions 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.3.4 and 2.4.1, you may see stream closed in another thread (IOError)
. It may be caused by a Ruby bug. It can be fixed with the gem https://rubygems.org/gems/stopgap_13632:
if %w(2.2.7 2.2.8 2.2.9 2.2.10 2.3.4 2.4.1).include? RUBY_VERSION
begin
require 'stopgap_13632'
rescue LoadError
end
end
Puma has support for Capistrano with an external gem.
Additionally, Puma has support for built-in daemonization via the puma-daemon ruby gem. The gem restores the daemonize
option that was removed from Puma starting version 5, but only for MRI Ruby.
It is common to use process monitors with Puma. Modern process monitors like systemd or rc.d provide continuous monitoring and restarts for increased reliability in production environments:
Community guides:
Find details for contributing in the contribution guide.
Puma is copyright Evan Phoenix and contributors, licensed under the BSD 3-Clause license. See the included LICENSE file for details.
FAQs
Unknown package
We found that puma demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.