Thruster is an HTTP/2 proxy for simple production-ready deployments of Rails applications. It runs alongside the Puma webserver to provide a few additional features that help your app run efficiently and safely on the open Internet:
- HTTP/2 support
- Automatic TLS certificate management with Let's Encrypt
- Basic HTTP caching of public assets
- X-Sendfile support and compression, to efficiently serve static files
Thruster aims to be as zero-config as possible. It has no configuration file, and most features are automatically enabled with sensible defaults. The goal is that simply running your Puma server with Thruster should be enough to get a production-ready setup.
The only exception to this is TLS provisioning: in order for Thruster to
provision TLS certificates, it needs to know which domain those certificates
should be for. So to use TLS, you need to set the TLS_DOMAIN environment
variable. If you don't set this variable, Thruster will run in HTTP-only mode.
Thruster also wraps the Puma process so that you can use it without managing
multiple processes yourself. This is particularly useful when running in a
containerized environment, where you typically won't have a process manager
available to coordinate the processes. Instead you can use Thruster as your
CMD, and it will manage Puma for you.
Thruster was originally created for the ONCE project, where we wanted a no-fuss way to serve a Rails application from a single container, directly on the open Internet. We've since found it useful for simple deployments of other Rails applications.
Thruster is distributed as a Ruby gem. Because Thruster is written in Go, we provide several pre-built platform-specific binaries. Installing the gem will automatically fetch the appropriate binary for your platform.
To install it, add it to your application's Gemfile:

```ruby
gem 'thruster'
```

Or install it globally:

```sh
$ gem install thruster
```

To run your Puma application inside Thruster, prefix your usual command string with `thrust`. For example:

```sh
$ thrust bin/rails server
```

Or with automatic TLS:

```sh
$ TLS_DOMAIN=myapp.example.com thrust bin/rails server
```

In most cases, Thruster should work out of the box with no additional configuration. But if you need to customize its behavior, there are a few environment variables that you can set.
To prevent naming clashes with your application's own environment variables,
Thruster's environment variables can optionally be prefixed with THRUSTER_.
For example, TLS_DOMAIN can also be written as THRUSTER_TLS_DOMAIN. Whenever
a prefixed variable is set, it will take precedence over the unprefixed version.
Thruster includes built-in mitigation for the BREACH attack, which allows attackers to extract secrets from compressed encrypted traffic.
- Random Jitter (Enabled by Default): Thruster adds a random amount of "jitter" (padding) to the size of compressed responses. This makes it significantly harder for attackers to infer the content based on the compressed size. The default jitter is 32 bytes, controlled by `GZIP_COMPRESSION_JITTER`.
- Compression Guard (Optional): For higher security, you can disable compression entirely for authenticated requests (requests containing `Cookie`, `Authorization`, or `X-Csrf-Token` headers) by setting `GZIP_COMPRESSION_DISABLE_ON_AUTH=true`. This eliminates the side-channel entirely for sensitive traffic but may increase bandwidth usage.
By default, Thruster prioritizes performance while providing baseline protection via jitter. Operators with strict security requirements should consider enabling the Compression Guard.
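
The two mitigations above, sketched as an added Go example (not Thruster's own code): it measures the compressed-size difference that jitter is meant to blur and models the Compression Guard decision. The helpers `shouldCompress`, `gzipLen` and `page` are hypothetical, padding through the gzip header comment is an assumed scheme, and the page body and token are constructed.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/rand"
	"fmt"
	"math/big"
	"net/http"
	"strings"
)

// Headers the README lists as marking a request as authenticated.
var authHeaders = []string{"Cookie", "Authorization", "X-Csrf-Token"}

// shouldCompress models the Compression Guard decision (hypothetical helper).
func shouldCompress(h http.Header, disableOnAuth bool) bool {
	for _, name := range authHeaders {
		if disableOnAuth && h.Get(name) != "" {
			return false
		}
	}
	return true
}

// gzipLen returns the gzip size of body, padded by 1..jitter header-comment bytes (assumed scheme).
func gzipLen(body string, jitter int) int {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if jitter > 0 {
		n, _ := rand.Int(rand.Reader, big.NewInt(int64(jitter)))
		zw.Comment = strings.Repeat("x", int(n.Int64())+1)
	}
	zw.Write([]byte(body))
	zw.Close()
	return buf.Len()
}

// page is a constructed response that echoes a request value beside a secret.
func page(echo string) string {
	return "<p>q=" + echo + "</p><input name=csrf value=token=8f3a9c1e7b2d4056>"
}

func main() {
	same, other := page("token=8f3a9c1e7b2d4056"), page("token=b71e04d95a6c28f3")
	fmt.Println("no jitter:     ", gzipLen(same, 0), gzipLen(other, 0))
	fmt.Println("32-byte jitter:", gzipLen(same, 32), gzipLen(other, 32))
	fmt.Println("compress authenticated request:", shouldCompress(http.Header{"Cookie": {"s=1"}}, true))
}
```

Without jitter the two sizes differ by a fixed amount on every run; with jitter each measurement moves by a random offset, and with the guard enabled the authenticated response is not compressed at all.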
