nateberkopec on master
Clean up and format markdown do… (compare)
dentarg on localhost-ssl-docs
dentarg on master
Improve localhost SSL integrati… (compare)
I have a rails app (written by an outside company) running in Puma 3.11.4 on Ruby 2.2 (I know, sorry) and am running into all sorts of errors that I think have already been fixed in newer versions. As part of figuring out what's going on sorting out TLS problems and 100% CPU puma, our vendor tells us that it is "best practice" to not have Puma handle TLS but instead have nginx in front.
currently we have (more or less):
puma (in docker container) <---TLS port--- AWS Application Load Balancer <---TLS port------ some browser
and the vendor says that the well established best practice is:
puma (in docker container) <---TCP port--- nginx <----TLS port---- AWS Application Load Balancer <---TLS port------ some browser
because "puma isn't meant to handle TLS"
is that correct at all? I can't find anything to support it with some rudimentary searching. Also having two proxies seems like we're just asking for trouble.
I'm also just trying to update their code to use newer Puma and newer Ruby where I suspect those TLS issues will be fixed (at least from reading the
I have a change for those that might be using Puma + JRuby; to enable Netty's OpenSSL native bindings.
I'd welcome feedback from JRuby users
Speed: In local testing, we've seen performance improvements of 3x over the JDK. GCM, which is used by the only cipher suite required by the HTTP/2 RFC, is 10-500x faster.