httpx 1.2.0 has been released.

HTTPX.get("https://gitlab.com/honeyryderchuck/httpx")

HTTPX is an HTTP client library for the Ruby programming language.

Among its features, it supports:

• HTTP/2 and HTTP/1.x protocol versions
• Concurrent requests by default
• Simple and chainable API
• Proxy Support (HTTP(S), CONNECT tunnel, Socks4/4a/5)
• Simple Timeout System
• Lightweight by default (require what you need)

And also:

• Compression (gzip, deflate, brotli)
• Streaming Requests
• Authentication (Basic Auth, Digest Auth, AWS Sigv4)
• Expect 100-continue
• Multipart Requests
• Cookies
• HTTP/2 Server Push
• H2C Upgrade
• Automatic follow redirects
• International Domain Names
• GRPC
• Circuit breaker
• WebDAV
• SSRF Filter
• Datadog integration
• Faraday integration
• Webmock integration
• Sentry integration

Here are the updates since the last release:

1.2.0 Features :ssrf_filter plugin

The :ssrf_filter plugin prevents server-side request forgery attacks, by blocking requests to the internal network. This is useful when the URLs used to perform requests aren’t under the developer control (such as when they are inserted via a web application form).

http = HTTPX.plugin(:ssrf_filter)

# this works
response = http.get("https://example.com")

# this doesn't
response = http.get("http://localhost:3002")
response = http.get("http://[::1]:3002")
response = http.get("http://169.254.169.254/latest/meta-data/")

More info under https://honeyryderchuck.gitlab.io/httpx/wiki/SSRF-Filter

:callbacks plugin

The session callbacks introduced in v0.24.0 are in its own plugin. Older code will still work and emit a deprecation warning.

More info under https://honeyryderchuck.gitlab.io/httpx/wiki/Callbacks

:redirect_on option for :follow_redirects plugin

This option allows passing a callback which, when returning false, can interrupt the redirect loop.

http = HTTPX.plugin(:follow_redirects).with(redirect_on: ->(location_uri) { BLACKLIST_HOSTS.include?(location_uri.host) ]

:close_on_handshake_timeout timeout

A new :timeout option, :close_handshake_timeout, is added, which monitors connection readiness when performing HTTP/2 connection termination handshake.

Improvements

• Internal “eden connections” concept was removed, and connection objects are now kept-and-reused during the lifetime of a session, even when closed. This simplified connectio pool implementation and improved performance.
• request using :proxy and :retries plugin enabled sessions will now retry on proxy connection establishment related errors.

Bugfixes

• webmock adapter: mocked responses storing decoded payloads won’t try to decode them again (fixes vcr/webmock integrations).
• webmock adapter: fix issue related with making real requests over webmock-enabled connection.

1.1.5 improvements

• pattern matching support for responses has been backported to ruby 2.7 as well.

bugfixes

• stream plugin: fix for HTTPX::StreamResponse#each_line not yielding the last line of the payload when not delimiter-terminated.
• stream plugin: fix webmock adapter integration when methods calls would happen in the HTTPX::StreamResponse#each block.
• stream plugin: fix :follow_redirects plugin integration which was caching the redirect response and using it for method calls inside the HTTPX::StreamResponse#each block.
• “103 early hints” responses will be ignored when processing the response (it was causing the response returned by sesssions to hold its headers, instead of the following 200 response, while keeping the 200 response body).

1.1.4 bugfixes

• datadog adapter: use Gem::Version to invoke the correct configuration API.
• stream plugin: do not preempt request enqueuing (this was making integration with the :follow_redirects plugin fail when set up with webmock).

1.1.3 improvements security

• when using :follow_redirects plugin, the “authorization” header will be removed when following redirect responses to a different origin.

bugfixes

• fixed :stream plugin not following redirect responses when used with the :follow_redirects plugin.
• fixed :stream plugin not doing content decoding when responses were p.ex. gzip-compressed.
• fixed bug preventing usage of IPv6 loopback or link-local addresses in the request URL in systems with no IPv6 internet connectivity (the request was left hanging).
• protect all code which may initiate a new connection from abrupt errors (such as internet turned off), as it was done on the initial request call.

chore

internal usage of mutex_m has been removed (mutex_m is going to be deprecated in ruby 3.3).

1.1.2 improvements

• only moving eden connections to idle when they’re recycled.

bugfixes

• skip closing a connection which is already closed during reset.
• sentry adapter: fixed super call which didn’t have a super method (this prevented usinng sentry-enabled sessions with the :retries plugin).
• sentry adapter: fixing registering of sentry config.
• sentry adapter: do not propagate traces when relevant sdk options are disabled (such as propagate_traces).

1.1.1 improvements

• (Re-)enabling default retries in DNS name queries; this had been disabled as a result of revamping timeouts, and resulted in queries only being sent once, which is very little for UDP-related traffic, and breaks if using DNs rate-limiting software. Retries the query just once, for now.

bugfixes

• reset timers when adding new intervals, as these may be added as a result on after-select connection handling, and must wait for the next tick cycle (before the patch, they were triggering too soon).
• fixed “on close” callback leak on connection reuse, which caused linear performance regression in benchmarks performing one request per connection.
• fixed hanging connection when an HTTP/1.1 emitted a “connection: close” header but the server would not emit one (it closes the connection now).
• fixed recursive dns cached lookups which may have already expired, and created nil entries in the returned address list.
• dns system resolver is now able to retry on failure.

chore

• remove duplicated callback unregistering connections.