Waitress

Waitress is meant to be a production-quality pure-Python WSGI server with very acceptable performance. It has no dependencies except ones which live in the Python standard library. It runs on CPython on Unix and Windows under Python 2.7+ and Python 3.5+. It is also known to run on PyPy 1.6.0 on UNIX. It supports HTTP/1.0 and HTTP/1.1.

Extended Documentation

Change History

1.4.4 (2020-06-01)

  • Fix an issue with keep-alive connections in which memory usage was higher than expected because output buffers were being reused across requests on a long-lived connection and each buffer would not be freed until it was full or the connection was closed. Buffers are now rotated per-request to stabilize their behavior.

    See https://github.com/Pylons/waitress/pull/300

  • Waitress threads have been updated to contain their thread number. This will allow loggers that use that information to print the thread that the log is coming from.

    See https://github.com/Pylons/waitress/pull/302

1.4.3 (2020-02-02)

Security Fixes

  • In Waitress version 1.4.2 a new regular expression was added to validate the headers that Waitress receives to make sure that it matches RFC7230. Unfortunately the regular expression was written in a way that with invalid input it leads to catastrophic backtracking which allows for a Denial of Service and CPU usage going to a 100%.

    This was reported by Fil Zembowicz to the Pylons Project. Please see https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc for more information.

1.4.2 (2020-01-02)

Security Fixes

  • This is a follow-up to the fix introduced in 1.4.1 to tighten up the way Waitress strips whitespace from header values. This makes sure Waitress won't accidentally treat non-printable characters as whitespace and lead to a potental HTTP request smuggling/splitting security issue.

    Thanks to ZeddYu Lu for the extra test cases.

    Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

    CVE-ID: CVE-2019-16789

Bugfixes

1.4.1 (2019-12-24)

Security Fixes

  • Waitress did not properly validate that the HTTP headers it received were properly formed, thereby potentially allowing a front-end server to treat a request different from Waitress. This could lead to HTTP request smuggling/splitting.

    Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

    CVE-ID: CVE-2019-16789

1.4.0 (2019-12-20)

Bugfixes

  • Waitress used to slam the door shut on HTTP pipelined requests without setting the Connection: close header as appropriate in the response. This is of course not very friendly. Waitress now explicitly sets the header when responding with an internally generated error such as 400 Bad Request or 500 Internal Server Error to notify the remote client that it will be closing the connection after the response is sent.

  • Waitress no longer allows any spaces to exist between the header field-name and the colon. While waitress did not strip the space and thereby was not vulnerable to any potential header field-name confusion, it should have sent back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273

Security Fixes

  • Waitress implemented a "MAY" part of the RFC7230 (https://tools.ietf.org/html/rfc7230#section-3.5) which states:

    Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.

    Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message.

    For more information I can highly recommend the blog post by ZeddYu Lu https://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/

    Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p

    CVE-ID: CVE-2019-16785

  • Waitress used to treat LF the same as CRLF in Transfer-Encoding: chunked requests, while the maintainer doesn't believe this could lead to a security issue, this is no longer supported and all chunks are now validated to be properly framed with CRLF as required by RFC7230.

  • Waitress now validates that the Transfer-Encoding header contains only transfer codes that it is able to decode. At the moment that includes the only valid header value being chunked.

    That means that if the following header is sent:

    Transfer-Encoding: gzip, chunked

    Waitress will send back a 501 Not Implemented with an error message stating as such, as while Waitress supports chunked encoding it does not support gzip and it is unable to pass that to the underlying WSGI environment correctly.

    Waitress DOES NOT implement support for Transfer-Encoding: identity eventhough identity was valid in RFC2616, it was removed in RFC7230. Please update your clients to remove the Transfer-Encoding header if the only transfer coding is identity or update your client to use Transfer-Encoding: chunked instead of Transfer-Encoding: identity, chunked.

    Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p

    CVE-ID: CVE-2019-16786

  • While validating the Transfer-Encoding header, Waitress now properly handles line-folded Transfer-Encoding headers or those that contain multiple comma seperated values. This closes a potential issue where a front-end server may treat the request as being a chunked request (and thus ignoring the Content-Length) and Waitress using the Content-Length as it was looking for the single value chunked and did not support comma seperated values.

  • Waitress used to explicitly set the Content-Length header to 0 if it was unable to parse it as an integer (for example if the Content-Length header was sent twice (and thus folded together), or was invalid) thereby allowing for a potential request to be split and treated as two requests by HTTP pipelining support in Waitress. If Waitress is now unable to parse the Content-Length header, a 400 Bad Request is sent back to the client.

    Please see the security advisory for more information: https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6

1.3.1 (2019-08-27)

Bugfixes

1.3.0 (2019-04-22)

Deprecations

Features

Bugfixes

1.2.1 (2019-01-25)

Bugfixes

1.2.0 (2019-01-15)

No changes since the last beta release. Enjoy Waitress!

1.2.0b3 (2019-01-07)

Bugfixes

1.2.0b2 (2019-02-02)

Bugfixes

  • Fixed logic to no longer warn on writes where the output is required to have a body but there may not be any data to be written. Solves issue posted on the Pylons Project mailing list with 1.2.0b1.

1.2.0b1 (2018-12-31)

Happy New Year!

Features

  • Setting the trusted_proxy setting to '*' (wildcard) will allow all upstreams to be considered trusted proxies, thereby allowing services behind Cloudflare/ELBs to function correctly whereby there may not be a singular IP address that requests are received from.

    Using this setting is potentially dangerous if your server is also available from anywhere on the internet, and further protections should be used to lock down access to Waitress. See https://github.com/Pylons/waitress/pull/224

  • Waitress has increased its support of the X-Forwarded-* headers and includes Forwarded (RFC7239) support. This may be used to allow proxy servers to influence the WSGI environment. See https://github.com/Pylons/waitress/pull/209

    This also provides a new security feature when using Waitress behind a proxy in that it is possible to remove untrusted proxy headers thereby making sure that downstream WSGI applications don't accidentally use those proxy headers to make security decisions.

    The documentation has more information, see the following new arguments:

    • trusted_proxy_count

    • trusted_proxy_headers

    • clear_untrusted_proxy_headers

    • log_untrusted_proxy_headers (useful for debugging)

    Be aware that the defaults for these are currently backwards compatible with older versions of Waitress, this will change in a future release of waitress. If you expect to need this behaviour please explicitly set these variables in your configuration, or pin this version of waitress.

    Documentation: https://docs.pylonsproject.org/projects/waitress/en/latest/reverse-proxy.html

  • Waitress can now accept a list of sockets that are already pre-bound rather than creating its own to allow for socket activation. Support for init systems/other systems that create said activated sockets is not included. See https://github.com/Pylons/waitress/pull/215

  • Server header can be omitted by specifying ident=None or ident=''. See https://github.com/Pylons/waitress/pull/187

Bugfixes

Compatibility

  • Waitress has now "vendored" asyncore into itself as waitress.wasyncore. This is to cope with the eventuality that asyncore will be removed from the Python standard library in 3.8 or so.

Documentation

1.1.0 (2017-10-10)

Features

  • Waitress now has a __main__ and thus may be called with python -mwaitress

Bugfixes

1.0.2 (2017-02-04)

Features

  • Python 3.6 is now officially supported in Waitress

Bugfixes

  • Add a work-around for libc issue on Linux not following the documented standards. If getnameinfo() fails because of DNS not being available it should return the IP address instead of the reverse DNS entry, however instead getnameinfo() raises. We catch this, and ask getnameinfo() for the same information again, explicitly asking for IP address instead of reverse DNS hostname. See https://github.com/Pylons/waitress/issues/149 and https://github.com/Pylons/waitress/pull/153

1.0.1 (2016-10-22)

Bugfixes

  • IPv6 support on Windows was broken due to missing constants in the socket module. This has been resolved by setting the constants on Windows if they are missing. See https://github.com/Pylons/waitress/issues/138

  • A ValueError was raised on Windows when passing a string for the port, on Windows in Python 2 using service names instead of port numbers doesn't work with getaddrinfo. This has been resolved by attempting to convert the port number to an integer, if that fails a ValueError will be raised. See https://github.com/Pylons/waitress/issues/139

1.0.0 (2016-08-31)

Bugfixes

  • Removed AI_ADDRCONFIG from the call to getaddrinfo, this resolves an issue whereby getaddrinfo wouldn't return any addresses to bind to on hosts where there is no internet connection but localhost is requested to be bound to. See https://github.com/Pylons/waitress/issues/131 for more information.

Deprecations

  • Python 2.6 is no longer supported.

Features

  • IPv6 support

  • Waitress is now able to listen on multiple sockets, including IPv4 and IPv6. Instead of passing in a host/port combination you now provide waitress with a space delineated list, and it will create as many sockets as required.

    from waitress import serve
serve(wsgiapp, listen='0.0.0.0:8080 [::]:9090 *:6543')

Security

0.9.0 (2016-04-15)

Deprecations

  • Python 3.2 is no longer supported by Waitress.

  • Python 2.6 will no longer be supported by Waitress in future releases.

Security/Protections

Bugfixes

0.8.10 (2015-09-02)

  • Add support for Python 3.4, 3.5b2, and PyPy3.

  • Use a nonglobal asyncore socket map by default, trying to prevent conflicts with apps and libs that use the asyncore global socket map ala https://github.com/Pylons/waitress/issues/63. You can get the old use-global-socket-map behavior back by passing asyncore.socket_map to the create_server function as the map argument.

  • Waitress violated PEP 3333 with respect to reraising an exception when start_response was called with an exc_info argument. It would reraise the exception even if no data had been sent to the client. It now only reraises the exception if data has actually been sent to the client. See https://github.com/Pylons/waitress/pull/52 and https://github.com/Pylons/waitress/issues/51

  • Add a docs section to tox.ini that, when run, ensures docs can be built.

  • If an application value of None is supplied to the create_server constructor function, a ValueError is now raised eagerly instead of an error occuring during runtime. See https://github.com/Pylons/waitress/pull/60

  • Fix parsing of multi-line (folded) headers. See https://github.com/Pylons/waitress/issues/53 and https://github.com/Pylons/waitress/pull/90

  • Switch from the low level Python thread/_thread module to the threading module.

  • Improved exception information should module import go awry.

0.8.9 (2014-05-16)

  • Fix tests under Windows. NB: to run tests under Windows, you cannot run "setup.py test" or "setup.py nosetests". Instead you must run python.exe -c "import nose; nose.main()". If you try to run the tests using the normal method under Windows, each subprocess created by the test suite will attempt to run the test suite again. See https://github.com/nose-devs/nose/issues/407 for more information.

  • Give the WSGI app_iter generated when wsgi.file_wrapper is used (ReadOnlyFileBasedBuffer) a close method. Do not call close on an instance of such a class when it's used as a WSGI app_iter, however. This is part of a fix which prevents a leakage of file descriptors; the other part of the fix was in WebOb (https://github.com/Pylons/webob/commit/951a41ce57bd853947f842028bccb500bd5237da).

  • Allow trusted proxies to override wsgi.url_scheme via a request header, X_FORWARDED_PROTO. Allows proxies which serve mixed HTTP / HTTPS requests to control signal which are served as HTTPS. See https://github.com/Pylons/waitress/pull/42.

0.8.8 (2013-11-30)

  • Fix some cases where the creation of extremely large output buffers (greater than 2GB, suspected to be buffers added via wsgi.file_wrapper) might cause an OverflowError on Python 2. See https://github.com/Pylons/waitress/issues/47.

  • When the url_prefix adjustment starts with more than one slash, all slashes except one will be stripped from its beginning. This differs from older behavior where more than one leading slash would be preserved in url_prefix.

  • If a client somehow manages to send an empty path, we no longer convert the empty path to a single slash in PATH_INFO. Instead, the path remains empty. According to RFC 2616 section "5.1.2 Request-URI", the scenario of a client sending an empty path is actually not possible because the request URI portion cannot be empty.

  • If the url_prefix adjustment matches the request path exactly, we now compute SCRIPT_NAME and PATH_INFO properly. Previously, if the url_prefix was /foo and the path received from a client was /foo, we would set both SCRIPT_NAME and PATH_INFO to /foo. This was incorrect. Now in such a case we set PATH_INFO to the empty string and we set SCRIPT_NAME to /foo. Note that the change we made has no effect on paths that do not match the url_prefix exactly (such as /foo/bar); these continue to operate as they did. See https://github.com/Pylons/waitress/issues/46

  • Preserve header ordering of headers with the same name as per RFC 2616. See https://github.com/Pylons/waitress/pull/44

  • When waitress receives a Transfer-Encoding: chunked request, we no longer send the TRANSFER_ENCODING nor the HTTP_TRANSFER_ENCODING value to the application in the environment. Instead, we pop this header. Since we cope with chunked requests by buffering the data in the server, we also know when a chunked request has ended, and therefore we know the content length. We set the content-length header in the environment, such that applications effectively never know the original request was a T-E: chunked request; it will appear to them as if the request is a non-chunked request with an accurate content-length.

  • Cope with the fact that the Transfer-Encoding value is case-insensitive.

  • When the --unix-socket-perms option was used as an argument to waitress-serve, a TypeError would be raised. See https://github.com/Pylons/waitress/issues/50.

0.8.7 (2013-08-29)

  • The HTTP version of the response returned by waitress when it catches an exception will now match the HTTP request version.

  • Fix: CONNECTION header will be HTTP_CONNECTION and not CONNECTION_TYPE (see https://github.com/Pylons/waitress/issues/13)

0.8.6 (2013-08-12)

  • Do alternate type of checking for UNIX socket support, instead of checking for platform == windows.

  • Functional tests now use multiprocessing module instead of subprocess module, speeding up test suite and making concurrent execution more reliable.

  • Runner now appends the current working directory to sys.path to support running WSGI applications from a directory (i.e., not installed in a virtualenv).

  • Add a url_prefix adjustment setting. You can use it by passing script_name='/foo' to waitress.serve or you can use it in a PasteDeploy ini file as script_name = /foo. This will cause the WSGI SCRIPT_NAME value to be the value passed minus any trailing slashes you add, and it will cause the PATH_INFO of any request which is prefixed with this value to be stripped of the prefix. You can use this instead of PasteDeploy's prefixmiddleware to always prefix the path.

0.8.5 (2013-05-27)

  • Fix runner multisegment imports in some Python 2 revisions (see https://github.com/Pylons/waitress/pull/34).

  • For compatibility, WSGIServer is now an alias of TcpWSGIServer. The signature of BaseWSGIServer is now compatible with WSGIServer pre-0.8.4.

0.8.4 (2013-05-24)

  • Add a command-line runner called waitress-serve to allow Waitress to run WSGI applications without any addional machinery. This is essentially a thin wrapper around the waitress.serve() function.

  • Allow parallel testing (e.g., under detox or nosetests --processes) using PID-dependent port / socket for functest servers.

  • Fix integer overflow errors on large buffers. Thanks to Marcin Kuzminski for the patch. See: https://github.com/Pylons/waitress/issues/22

  • Add support for listening on Unix domain sockets.

0.8.3 (2013-04-28)

Features

  • Add an asyncore_loop_timeout adjustment value, which controls the timeout value passed to asyncore.loop; defaults to 1.

Bug Fixes

0.8.2 (2012-11-14)

Bug Fixes

  • https://corte.si/posts/code/pathod/pythonservers/index.html pointed out that sending a bad header resulted in an exception leading to a 500 response instead of the more proper 400 response without an exception.

  • Fix a race condition in the test suite.

  • Allow "ident" to be used as a keyword to serve() as per docs.

  • Add py33 to tox.ini.

0.8.1 (2012-02-13)

Bug Fixes

  • A brown-bag bug prevented request concurrency. A slow request would block subsequent the responses of subsequent requests until the slow request's response was fully generated. This was due to a "task lock" being declared as a class attribute rather than as an instance attribute on HTTPChannel. Also took the opportunity to move another lock named "outbuf lock" to the channel instance rather than the class. See https://github.com/Pylons/waitress/pull/1 .

0.8 (2012-01-31)

Features

  • Support the WSGI wsgi.file_wrapper protocol as per https://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling. Here's a usage example:

    import os

here = os.path.dirname(os.path.abspath(__file__))

def myapp(environ, start_response):
    f = open(os.path.join(here, 'myphoto.jpg'), 'rb')
    headers = [('Content-Type', 'image/jpeg')]
    start_response(
        '200 OK',
        headers
        )
    return environ['wsgi.file_wrapper'](f, 32768)

    The signature of the file wrapper constructor is (filelike_object, block_size). Both arguments must be passed as positional (not keyword) arguments. The result of creating a file wrapper should be returned as the app_iter from a WSGI application.

    The object passed as filelike_object to the wrapper must be a file-like object which supports at least the read() method, and the read() method must support an optional size hint argument. It should support the seek() and tell() methods. If it does not, normal iteration over the filelike object using the provided block_size is used (and copying is done, negating any benefit of the file wrapper). It should support a close() method.

    The specified block_size argument to the file wrapper constructor will be used only when the filelike_object doesn't support seek and/or tell methods. Waitress needs to use normal iteration to serve the file in this degenerate case (as per the WSGI spec), and this block size will be used as the iteration chunk size. The block_size argument is optional; if it is not passed, a default value``32768`` is used.

    Waitress will set a Content-Length header on the behalf of an application when a file wrapper with a sufficiently filelike object is used if the application hasn't already set one.

    The machinery which handles a file wrapper currently doesn't do anything particularly special using fancy system calls (it doesn't use sendfile for example); using it currently just prevents the system from needing to copy data to a temporary buffer in order to send it to the client. No copying of data is done when a WSGI app returns a file wrapper that wraps a sufficiently filelike object. It may do something fancier in the future.

0.7 (2012-01-11)

Features

  • Default send_bytes value is now 18000 instead of 9000. The larger default value prevents asyncore from needing to execute select so many times to serve large files, speeding up file serving by about 15%-20% or so. This is probably only an optimization for LAN communications, and could slow things down across a WAN (due to higher TCP overhead), but we're likely to be behind a reverse proxy on a LAN anyway if in production.

  • Added an (undocumented) profiling feature to the serve() command.

0.6.1 (2012-01-08)

Bug Fixes

  • Remove performance-sapping call to pull_trigger in the channel's write_soon method added mistakenly in 0.6.

0.6 (2012-01-07)

Bug Fixes

  • A logic error prevented the internal outbuf buffer of a channel from being flushed when the client could not accept the entire contents of the output buffer in a single succession of socket.send calls when the channel was in a "pending close" state. The socket in such a case would be closed prematurely, sometimes resulting in partially delivered content. This was discovered by a user using waitress behind an Nginx reverse proxy, which apparently is not always ready to receive data. The symptom was that he received "half" of a large CSS file (110K) while serving content via waitress behind the proxy.

0.5 (2012-01-03)

Bug Fixes

  • Fix PATH_INFO encoding/decoding on Python 3 (as per PEP 3333, tunnel bytes-in-unicode-as-latin-1-after-unquoting).

0.4 (2012-01-02)

Features

  • Added "design" document to docs.

Bug Fixes

  • Set default connection_limit back to 100 for benefit of maximal platform compatibility.

  • Normalize setting of last_activity during send.

  • Minor resource cleanups during tests.

  • Channel timeout cleanup was broken.

0.3 (2012-01-02)

Features

  • Dont hang a thread up trying to send data to slow clients.

  • Use self.logger to log socket errors instead of self.log_info (normalize).

  • Remove pointless handle_error method from channel.

  • Queue requests instead of tasks in a channel.

Bug Fixes

  • Expect: 100-continue responses were broken.

0.2 (2011-12-31)

Bug Fixes

  • Set up logging by calling logging.basicConfig() when serve is called (show tracebacks and other warnings to console by default).

  • Disallow WSGI applications to set "hop-by-hop" headers (Connection, Transfer-Encoding, etc).

  • Don't treat 304 status responses specially in HTTP/1.1 mode.

  • Remove out of date interfaces.py file.

  • Normalize logging (all output is now sent to the waitress logger rather than in degenerate cases some output being sent directly to stderr).

Features

  • Support HTTP/1.1 Transfer-Encoding: chunked responses.

  • Slightly better docs about logging.

0.1 (2011-12-30)

  • Initial release.

Known Issues

Support and Development

The Pylons Project web site is the main online source of Waitress support and development information.

To report bugs, use the issue tracker.

If you've got questions that aren't answered by this documentation, contact the Pylons-discuss maillist or join the #pyramid IRC channel.

Browse and check out tagged and trunk versions of Waitress via the Waitress GitHub repository. To check out the trunk via git, use this command:

git clone git@github.com:Pylons/waitress.git

To find out how to become a contributor to Waitress, please see the guidelines in contributing.md and How to Contribute Source Code and Documentation.

Why?

At the time of the release of Waitress, there are already many pure-Python WSGI servers. Why would we need another?

Waitress is meant to be useful to web framework authors who require broad platform support. It's neither the fastest nor the fanciest WSGI server available but using it helps eliminate the N-by-M documentation burden (e.g. production vs. deployment, Windows vs. Unix, Python 3 vs. Python 2, PyPy vs. CPython) and resulting user confusion imposed by spotty platform support of the current (2012-ish) crop of WSGI servers. For example, gunicorn is great, but doesn't run on Windows. paste.httpserver is perfectly serviceable, but doesn't run under Python 3 and has no dedicated tests suite that would allow someone who did a Python 3 port to know it worked after a port was completed. wsgiref works fine under most any Python, but it's a little slow and it's not recommended for production use as it's single-threaded and has not been audited for security issues.

At the time of this writing, some existing WSGI servers already claim wide platform support and have serviceable test suites. The CherryPy WSGI server, for example, targets Python 2 and Python 3 and it can run on UNIX or Windows. However, it is not distributed separately from its eponymous web framework, and requiring a non-CherryPy web framework to depend on the CherryPy web framework distribution simply for its server component is awkward. The test suite of the CherryPy server also depends on the CherryPy web framework, so even if we forked its server component into a separate distribution, we would have still needed to backfill for all of its tests. The CherryPy team has started work on Cheroot, which should solve this problem, however.

Waitress is a fork of the WSGI-related components which existed in zope.server. zope.server had passable framework-independent test coverage out of the box, and a good bit more coverage was added during the fork. zope.server has existed in one form or another since about 2001, and has seen production usage since then, so Waitress is not exactly "another" server, it's more a repackaging of an old one that was already known to work fairly well.