Phusion Passenger 5.0.9

Version 5.0.9 of the Phusion Passenger application server for Ruby, Python, Node.js and Meteor has been released. It features an important fix for HTTP keep-alive (Apache) and improves internal robustness. We've also welcomed libuv as a replacement for libeio.

If you hadn't already, be sure to check out the many major improvements that the 5.x series of Passenger introduces. And please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.

Apache keep-alive fixed

It was discovered that when using Passenger 5.x / Apache, HTTP connections were being closed instead of being kept alive (GH-1516). This happened because a Connection: close header that is used for internal communication between Passenger processes was leaking to the client. This mostly affected HTTPS servers, which should now become less loaded.

Escaped slashes with Nginx

Because URIs sent by the client could be modified by Nginx (e.g. due to rewrite rules), Passenger previously passed this Nginx-processed url to the application. The side-effect of this is that Nginx unescapes characters like %2F (escaped slash), thereby breaking applications that pass parameters with encoded slashes in the path string instead of in the query part or body.

Passenger now checks if the URI is actually modified, and if not, passes the raw URI to the application. This makes escaping work correctly out-of-the-box, as long as there are no applicable rewrite rules.

Robustness & compatibility

On the client facing side, we've fixed a crash that could occur if some HTTP request headers are present, but have an empty value (GH-1524).

On the application facing side, we've made the Ruby handler more robust against incorrect Rack responses to prevent connections getting corrupted or stuck. This could happen for example if the application unintentionally returned a nil response body (GH-1512).

We've also changed the Ruby handler to close the Rack response body even when the socket connection is hijacked by the application. This change maximizes compatibility with existing Rack middlewares and applications, such as Rack::Lock. The intended behavior is not clear from the Rack specification, and different Ruby app servers do different things, but all things considered this looks like the best way. Background information can be found in this issue discussion.

Solaris compilation issues fixed

With the kind help of a user we've completed the partial fixes from 5.0.8 regarding compilation issues on Solaris systems with certain Apache setups (GH-1508).

Default Nginx: 1.8.0

For Passenger setups that use Nginx, the default version of Nginx that Passenger will install is now 1.8.0 (previously 1.6.3). You can still use Passenger with older Nginx versions by manually indicating this while walking through the installer.

Miscellaneous bug fixes

  • When the passenger-status tool tries to cleanup a stale instance directory, it will no longer abort with an error when it fails to do that. It will now merely print a warning. Fixes StackOverflow question 30354732.
  • Fixes a few small one-time memory leaks in the Passenger agent. This wraps up the workitems discovered in valgrind runs on earlier versions.
  • Fixes use of uninitialized metrics. This could happen for a brief moment after spawning.
  • [Apache] If you pass the --apxs2-path parameter to passenger-install-apache2-module, and the apxs2 path that you specified is not in PATH, then the installer would think that Apache installation is broken. This has been fixed.
  • [Nginx] Fixes that crash that would occur if Nginx is configured to log to syslog. And to prevent log messages from disappearing into a black hole, Passenger will now ask you to set passenger_log_file if Nginx is configured to log to syslog. Closes GH-1514.
  • [Standalone] Prevents an existing instance from being shut down if starting a new instance fails.

Improvements

  • Internal refactoring: we've replaced libeio with libuv. This makes some of our code simpler. Closes GH-1428.

Installing or upgrading to 5.0.9

We recommend upgrading to the latest version of Passenger, especially if you are on version 5.0.5 or below.

OS X
OS X
Debian
Debian
Ubuntu
Ubuntu
Heroku
Heroku
Red Hat
Red Hat
CentOS
CentOS
Ruby gem
Ruby gem
Tarball
Tarball
Ruby gem
Docker

If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.

Final

Phusion Passenger's core is open source. Please fork or watch us on Github. :)

comments powered by Disqus