-
Notifications
You must be signed in to change notification settings - Fork 40
/
ChangeLog
1680 lines (1480 loc) · 83.6 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
* Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.
v2.0.29
--------------------------------------------------------------------------------
* fixed a compiler warning about an unused static var when AP_MPMQ_CAN_WAITIO
is not defined.
v2.0.28
--------------------------------------------------------------------------------
* When HTTP/2 flow controls blocks further writes, return processing to an
async mpm to free a worker thread. The connection needs window updates from
the client in such a case and can leave monitoring the socket to the mpm.
So far, only effective on Apache httpd 2.5.0 (trunk).
[ylavic, icing]
* Backport fix of CVE-2024-36387 from Apache 2.4.60.
v2.0.27
--------------------------------------------------------------------------------
* Added `cmake` support provided by @jfclere. Many thanks.
* Improved handling of excess request headers to lead to an early
stream reset.
v2.0.26
--------------------------------------------------------------------------------
* Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes #272.
* Fixed small memory leak in h2 header bucket free. Thanks to
Michael Kaufmann for finding this and providing the fix.
v2.0.25
--------------------------------------------------------------------------------
* Fixed a bug that prevented immediate memory release of reset streams
on rare occasions. Memory was reclaimed instead at connection close.
This could be exploited, unless nghttp2 v1.57.0 is used, in a variation
of the Rapid Reset attack. Apache httpd issued CVE-2023-45802 for this.
* Synchronized with Apache httpd svn trunk
v2.0.24
--------------------------------------------------------------------------------
* fixed a compile time issue for Windows builds.
v2.0.23
--------------------------------------------------------------------------------
* Improved timeout handling for streams that are sending response data.
* mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
refs https://bz.apache.org/bugzilla/show_bug.cgi?id=66752.
v2.0.22
--------------------------------------------------------------------------------
* Added support for bootstrapping WebSockets via HTTP/2, as described in
RFC 8441.
* A new directive 'H2WebSockets on|off' has been added. The feature is
disabled by default for compatibility reasons.
* In Apache httpd development trunk (e.g. version 2.5.x) it is possible to use
this with the proxy module to reverse proxy to a backend WebSockets server.
This requires some new internal plumbing code in the server for getting I/O
events on the HTTP/2 stream serving the connection.
This "plumbing" is planned to be ported back into Apache 2.4.x.
* For implementors of Apache modules using WebSockets, mod_h2 offers an
optional function that provides an alternative to "older" Apache versions.
See http2_get_pollfd_from_conn, declared in mod_http2.h.
v2.0.21
--------------------------------------------------------------------------------
* The reporting of `Total Accesses` in the server-status page was fixed. It
counted HTTP/2 requests twice. Test case added for this. Fixes PR 66801.
* New directive `H2ProxyRequests on|off` to enable handling of HTTP/2 requests
in a forward proxy configuration. In addition to `ProxyRequests` for
HTTP/1.1. Set both directives to `on` to allow both HTTP versions.
* Fixed an inconsistency in main connection io state after the connection
write encountered an error. Related to PR 66649.
v2.0.20
--------------------------------------------------------------------------------
* Fixed a compiler warning about an uninitialized var used in logging.
v2.0.19
--------------------------------------------------------------------------------
* Fixed a bug that could lead to a crash in main connection output handling.
This occured only when the last request on a HTTP/2 connection had been
processed and the session decided to shut down. This could lead to an attempt
to send a final GOAWAY while the previous write was still in progress.
See PR 66646.
* added `--enable-debug` to configure which adds rutime checks and asserts,
useful for development. Not recommended for production use.
* fixed error handling when flushing output on main connection.
v2.0.18
--------------------------------------------------------------------------------
* mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
connection when sending data on the frontend one. This caused crashes
or infinite loops in rare situations.
* Fixed a bug that did cleanup of consumed and pending buckets in
the wrong order when a bucket_beam was destroyed.
v2.0.17
--------------------------------------------------------------------------------
* mod_proxy_http2: fixed a bug in retry/response handling that could lead
to wrong status codes or HTTP messages send at the end of response bodies
exceeding the announced content-length.
v2.0.16
--------------------------------------------------------------------------------
* mod_proxy_http2: fix retry handling to not leak temporary errors.
On detecting that that an existing connection was shutdown by the other
side, a 503 response leaked even though the request was retried on a
fresh connection.
* Fixed a bug that applied request filters twice on redirects. This led to
double chunked-encoding internally on POST requests without content-length.
Fix by Yann Ylavic.
See <https://bz.apache.org/bugzilla/show_bug.cgi?id=66597>.
* mod_proxy_http2: added checks for space/ctrls in nocanon path/urls
before forwarding. By Yann Ylavic.
v2.0.15
--------------------------------------------------------------------------------
* Fixed #253 where requests were not logged and accounted in a timely
fashion when the connection return to "keepalive" handling, e.g. when
the request served was the last outstanding one.
This led to late appearance in access logs with wrong duration times
reported.
* New directive 'H2EarlyHint name value' to add headers to a response,
picked up already when a "103 Early Hints" response is sent. 'name' and
'value' must comply to the HTTP field restrictions.
This directive can be repeated several times and header fields of the
same names add. Sending a 'Link' header with 'preload' relation will
also cause a HTTP/2 PUSH if enabled and supported by the client.
* accurately report the bytes sent for a request in the '%O' Log format.
This addresses #203, a long outstanding issue where mod_h2 has reported
numbers over-eagerly from internal buffering and not what has actually
been placed on the connection.
The numbers are now the same with and without H2CopyFiles enabled.
v2.0.14
--------------------------------------------------------------------------------
* fixed a crash during connection termination. See Apache PR 66539.
* fixed a memory leak in calc_sha256_hash().
v2.0.13
--------------------------------------------------------------------------------
* New directive 'H2MaxDataFrameLen n' to limit the maximum amount of response
body bytes put into a single HTTP/2 DATA frame. Setting this to 0 places
no limit (but the max size allowed by the protocol is observed).
The module, by default, tries to use the maximum size possible, which is
somewhat around 16KB.
This sets the maximum. When less response data is availble, smaller frames
will be sent.
v2.0.12
--------------------------------------------------------------------------------
* client resets of HTTP/2 streams led to unwanted 500 errors
reported in access logs and error documents. The processing of the
reset was correct, only unneccesary reporting was caused.
* Upgrade requests from HTTP/1.1 to HTTP/2 via the "Upgrade" header were
always ignored for a request with a body. The check for this was incomplete
and missed bodies announced via "Transfer-Encoding". Fixed. Refs #243
v2.0.11
--------------------------------------------------------------------------------
* WARNING: the directive "H2HeaderStrictness" from v2.0.4 has been
removed again. Leading/trailing whitespace in header values is now
being stripped both for requests and responses. The checks for this
in nghttp2 v1.50.0+ are now always disabled.
This means that clients that send leading/trailing ws continue to
work, but that whitespace makes no difference in processing a request.
This is the same behaviour as in http/1.1 where the Apache parser does
the stripping as well (since forever).
v2.0.10
--------------------------------------------------------------------------------
* Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
* refactored stream response handling to reflect the different phases
(response/data/trailers) more clearly and help resolving cpu busy loops.
* Adding more negative tests for handling of errored responses to cover
edge cases.
* mod_http2: fixed handling of response where neiter an EOS nor an ERROR was
received as a cause to reset the stream.
* mod_proxy_http2: generating error buckets for fault response bodies, to
signal failure to fron when response header were already sent.
v2.0.9
--------------------------------------------------------------------------------
* Fixed a bug where errors during reponse body handling did not lead to
a proper RST_STREAM. Instead processing went into an infinite loop.
Extended test cases to catch this condition.
v2.0.8
--------------------------------------------------------------------------------
* Delaying input setup of a stream just before processing starts. This allows
any EOS indicator arriving from the client before that to take effect.
Without knowing that a stream has no input, internal processing has to
simulate chunked encoding. This is not wrong, but somewhat more expensive
and mod_security has been reported to be allergic to seeing 'chunked'
on some requests. See <https://bz.apache.org/bugzilla/show_bug.cgi?id=66282>.
* mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.
v2.0.7
--------------------------------------------------------------------------------
* fixed idle connection handling for non-async MPMs, like worker.
With mpm_worker, idle conection could go into a busy loop waiting for
new data to arrive.
v2.0.6
--------------------------------------------------------------------------------
* fixed handling of connection `Timeout` setting to not apply when streams
are still being processed. Adjusted test case expectation.
* referring to #234, adding an explicit close after a request has been
processed to prevent missing EOS indicators from leaving a stream open
indefinitely.
* fixed a race condition in end-of-input handling for requests (introduced
in the v2.0.x line).
v2.0.5
--------------------------------------------------------------------------------
* Synchronized changes from Apache trunk development. Improvements in pollset
handling and simplification of response data passing to main connection.
* Improvements in shutdown scenarios that wake up a potentially sleeping
pollset that might block a clean child exit.
v2.0.4
--------------------------------------------------------------------------------
* new directive `H2HeaderStrictness (highest|rfc7540|rfc9113)` to configure
the strictness of HTTP header checks. rfc9113 forbids leading and trailing
whitespace in headers and is supported when building against
nghttp2 v1.50.0 or newer. The default is the backward compatible
behavior, e.g. rfc7540.
* Integrated improvements from Apache httpd 2.4.x branch:
- remove unused and insecure code. Fixes PR66037.
- preserve the port number given in a HTTP/1.1
request that was Upgraded to HTTP/2. Fixes PR65881.
v2.0.3
--------------------------------------------------------------------------------
* A bug that prevented trailers (e.g. HEADER frame at the end) to be
generated in certain cases was fixed. See #233 where it prevented
gRPC responses to be properly generated.
* :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
http protocol processing to preserve semantics of the request.
Checks on combinations of pseudo-headers values/absence
have been added as described in RFC 7540. Fixes #230.
* Fix possible beam bucket double free from session destroy. [ylavic]
v2.0.2
--------------------------------------------------------------------------------
* When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
send a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
v2.0.1
--------------------------------------------------------------------------------
* Improved information displayed in 'server-status' for H2 connections when
Extended Status is enabled. Now one can see the last request that IO
operations happened on and transferred IO stats are updated as well.
* Fixed a bug that let to an infinite loop in v2.0.0 when the client closed
the connection.
* Fixing NULL dereference if server variable SSL_PROTOCOL is unset.
* Setting DefaultRuntimeDir and PidFile in test configuration to override
any platform defaults.
* Disabling pollset use when compiling with APR version < 1.6.0
v2.0.0
--------------------------------------------------------------------------------
* Fixed input handling for requests without body that nevertheless try
to read one (e.g. mod_cgid handling) to deliver at least an EOS bucket
before signalling an EOF.
* A regression in v1.15.24 was fixed that could lead to httpd child
processes not being terminated on a graceful reload or when reaching
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
the time, these could stall. See #212.
* Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
v2.0.0-rc4
--------------------------------------------------------------------------------
* fixing an uninitialized status code when pollsets are not used for streams.
v2.0.0-rc3
--------------------------------------------------------------------------------
* Added an alternate implementation when polling of file descriptors is
not supported by the OS. This is automatically detected via the APR
header files, but can be enforces by adding '--disable-poll-streams'
to the './configure' when building the module.
This should allow the module to work on Windows again.
v2.0.0-rc2
--------------------------------------------------------------------------------
* Switching from a thread-safe apr pollset (not supported under Windows) to
a wakeable pollset implementation.
* Adding a clear error in the logs if the pollset could not be created.
v2.0.0-rc1
--------------------------------------------------------------------------------
* HTTP/2 connections now use pollsets to monitor the status of the
ongoing streams and their main connection.
* Fixed a bug where, without 'H2SerializeHeaders' some errors, such
as a input timeout, did not produce the correct response.
* Added directove 'H2StreamTimeout' to configure a separate value for HTTP/2
streams, overriding server's 'Timeout' configuration. [rpluem]
* Removed work-arounds for older versions of libnghttp2 and checking
during configure that at least version 1.15.0 is present. Which, due
to its age, should not make a difference to anyone.
* The HTTP/2 connection state handler, based on an experiment and draft
at the IETF http working group (abandoned for some time), has been removed.
* H2SerializeHeaders no longer has an effect. A warning is logged when it is
set to "on". The switch enabled the internal writing of requests to be parsed
by the internal HTTP/1.1 protocol handler and was introduced to avoid
potential incompatibilities during the introduction of HTTP/2.
* Removed the abort/redo of tasks when mood swings lower the active
limit. This probably hurts the server more than it helps. Some
setup, like proxied connections, can be slow to respond to the
abort of a connection.
v1.15.24
--------------------------------------------------------------------------------
* With Apache httpd 2.4.49 or newer, h2 idle workers are terminated on a graceful
restart/shutdown immediately. This happens independant of any h2 connections being
processed or not.
* Switch to using OpenSSL EVP_* API to avoid deprecation warnings with
OpenSSL 3.0. [@notroj]
v1.15.23
--------------------------------------------------------------------------------
* H2MinWorker is reduced automatically to 1 during graceful shutdown
of a child process (e.g. server reload). This lets all ongoing requests
continue, but shuts down unused threads early.
The H2MaxWorkerIdleSeconds is also reduced to 1, so that any workers
for ongoing tasks will close down fast.
v1.15.22
--------------------------------------------------------------------------------
* Added a timeout to h2 worker cleanup to exit latest after 5 seconds of
waiting on idle workers to terminate. This happens after all connections
have been processed. a WARNING is logged in case workers lagged behind.
This is a stopgap to an underlying issue introduced by the recent
dynamic worker changes.
* H2 sessions normally log a warning when the connection is torn down
without them being able to send a last GOAWAY frame. This logging
happens at DEBUG level during the stopping of a child process.
* `configure` now checks for `apache2ctl` if `apachectl` was not found.
* `configure` now longer errors when no apachectl was found but warns
that the test suite will not work.
* The test suite now clears Apache's error log on start and checks after
the run if unexpected errors or warnings were logged.
v1.15.21
--------------------------------------------------------------------------------
* Making h2 connection "mood swings" to ignore clients resetting
requests which have at least produced the response headers and
one DATA chunk. This targets long-running requests like
websockets and server-side-events (SSE), where a RST_STREAM
ius the cleint's only option of terminating such requests.
With this change, clients are no longer punished for it.
See also: <https://bz.apache.org/bugzilla/show_bug.cgi?id=65402>
(background: "mood swings" influence how many resources are
available to a connection, e.g. how many h2 workers may be
working for it at a given point in time.)
* Making H2Min/MaxWorkers behave as intended again. The module will initially
create H2MinWorkers threads and add up to H2MaxWorkers when needed. These
additional workers time out when idle after H2MaxWorkerIdleSeconds and
disappear again.
* When the shutdown of a child is detected (e.g. graceful shutdown), the
module will terminate all idle workers above H2MinWorkers right away.
This detection currently only happens when a HTTP/2 connection is active.
See also #212.
* Restoring compatibility with apache httpd 2.4.48 again.
* Adding a docker image for testing on archlinux. Use:
> docker-compose build archlinux
> docker-compose run archlinux
* Adding a docker image for testing on Debian 'sid'. Use:
> docker-compose build debian-sid
> docker-compose run debian-sid
v1.15.20
--------------------------------------------------------------------------------
* requires apache httpd 2.4.48
* Align handling of 304 response headers with behaviour of http/1.1. [ylavic]
* now shares code with http/1.1 protocol implementation
for checking validity of methods and other request parameter. [ylavic]
* Using the new ap_ssl_* functions available since Apache 2.4.48
* Some compatibility fixes with the ever evolving OpenSSL API
v1.15.19
--------------------------------------------------------------------------------
* Fixed the Makefile to include the test module in the distribution, so that
tests can be build an run from the tar file. Fixes #210.
v1.15.18
--------------------------------------------------------------------------------
* Fixed a race condition that could lead to streams being aborted
(RST to the client), although a response had been produced.
v1.15.17
--------------------------------------------------------------------------------
* Integrated changes from Apache trunk.
* Log requests and sent the configured error response in case of early detected
errors like too many or too long headers. [Ruediger Pluem]
* added test for buffering across a mod_http2+mod_proxy_http2 connection
* added TRACE2 logging to show buffering flag when writing task output
* new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
The default is on, which is the behaviour of older mod-h2 versions. When off, all
bytes are made available immediately to the main connection for sending them
out to the client. This fixes interop issues with certain flavours of gRPC, see
als #207.
* Eliminated some Python deprecation warnings in test code.
v1.15.16
--------------------------------------------------------------------------------
* Fixed reporting of transferred bytes for mod_logio for modifiers %O (and %S) to
report the number of transferred header and body lengths. This is still only
an approximation of the bytes on the connection. The data is subject to header
compression and h2 framing afterwards. Grain of salt. Fixes #203.
v1.15.14
--------------------------------------------------------------------------------
* Removing support for abandoned draft of http-wg regarding cache-digests.
v1.15.13
--------------------------------------------------------------------------------
* Fixes #200: "LimitRequestFields 0" now disables the limit, as documented.
v1.15.12
--------------------------------------------------------------------------------
* Fixes #201: do not count repeated headers with same name against the field
count limit. The are merged internally, as if sent in a single HTTP/1 line.
* Refrain from detecting (intermediate) responses, when the connection has
already been aborted or non-flush meta buckets are encountered.
* Changed terminology to master/secondary connections in the source.
* Test against the installed version of the module. This allows test cases
to work with other versions.
v1.15.11
--------------------------------------------------------------------------------
* mod_proxy_http2: the "ping" proxy parameter
(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
when checking the liveliness of a new or reused h2 connection to the backend.
With short durations, this makes load-balancing more responsive. The module
will hold back requests until ping conditions are met, using features of the
HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
v1.15.10
--------------------------------------------------------------------------------
* mod_proxy_http2: respect ProxyTimeout settings on backend connections
while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
v1.15.9
--------------------------------------------------------------------------------
* Since v1.15.4 mod_reqtimeout was enabled for h2 connections. This lead to closing of
h2 connections when a handshake timeout was configured, irregardless if the handshake
did happen or not. Added a positive test next to the negative one to ensure that
mod_reqtimeout is removed after a successful handshake. Fixes #196
v1.15.8
--------------------------------------------------------------------------------
* Fixed an unfortunate regression introduced in v1.15.7 that prevented
H2_STREAM_ID to be set. Fixes <https://bz.apache.org/bugzilla/show_bug.cgi?id=64330>
and Windows crashes reported in <https://www.apachelounge.com/viewtopic.php?p=39012#39012>.
* Synch with code spell/APLOGNO changes from Apache svn.
v1.15.7
--------------------------------------------------------------------------------
* Fixes issue #195 regarding h2 slave connection ids that resulted in duplicate
request ids being generated under loads.
v1.15.6
--------------------------------------------------------------------------------
* Fix by Joe Orton for a gcc 10 warnings on s390x.
v1.15.5
--------------------------------------------------------------------------------
* Fixed rare cases where a h2 worker could deadlock the main connection. All the good
bits in this thanks to Yann Ylavic.
v1.15.4
--------------------------------------------------------------------------------
* Fixed interaction with mod_reqtimeout. mod-h2 was knocking it out completely, however
it allow configuration of the TLS handshake timeout and that is very useful indeed.
Also, fixed a stupid mistake of mine that made `H2Direct` always `on`, irregardless
of configuration. Found and reported by <Armin.Abfalterer@united-security-providers.ch> and
<Marcial.Rion@united-security-providers.ch>. Thanks!
* Switched test suite and test cgis to python3. A regression in cgi.Fieldstorage() makes
tests skip chunked uploads at the moment. Sad.
* Merged PR by @mkaufmann that avoids multiple field lengths violations to be logged
on the same request.
v1.15.3
--------------------------------------------------------------------------------
* fixes Timeout vs. KeepAliveTimeout behaviour, see PR 63534 (for trunk now,
mpm event backport to 2.4.x up for vote).
* Fixes stream cleanup when connection throttling is in place.
* Counts stream resets by client on streams initiated by client as cause
for connection throttling.
* Header length checks are now logged similar to HTTP/1.1 protocol handler (thanks @mkaufmann)
* Header length is checked also on the merged value from several header instances
and results in a 431 response.
v1.15.2
--------------------------------------------------------------------------------
* fixing mod_proxy_http2 to support trailers in both directions. See PR 63502.
v1.15.1
--------------------------------------------------------------------------------
* further copying of passed data to disentangle worker and main connection.
v1.15.0
--------------------------------------------------------------------------------
- reverted as no good.
v1.14.3
--------------------------------------------------------------------------------
* Integrated latest changes from trunk. In particular mod_proxy_http2 connection
reuse and retry changes by @rpluem.
v1.14.2
--------------------------------------------------------------------------------
* Integrated a forgotten request init fix from Apache subversion
* When a TLS renegotiation is denied, configured error documents could prevent
the proper HTTP/2 stream reset to happen. Fix by Michael Kaufmann (@mkauf).
* Added a test case for #172
v1.14.1
--------------------------------------------------------------------------------
* Tweaks to new H2Padding, now simply is of the form:
```H2Padding numbits```
and applies a *random* number of padding bytes to each payload frame. The
range is from [0, 2^N[. The default is 0, so no padding.
v1.14.0
--------------------------------------------------------------------------------
* new configuration directive:
```H2Padding [ 'prefer' | 'enforce' ] numbits```
to control padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
where 0 disables padding and 1-8 is the power of 2 that frame lengths are
rounded to. The default is 4 bits, e.g. frames are padded to be a multiple
of 16 (2^4).
While 'enforce' always applies this to all payload frames, the default 'prefer'
option caps frame length at H2TLSWarmUpSize when in effect.
v1.13.1
--------------------------------------------------------------------------------
* mod_http2: cleanup of the now dead h2_req_engine support, no functional change.
v1.13.0
--------------------------------------------------------------------------------
* mod_proxy_http2: simplifying implementation and reducing memory use by only
running a single request at the time on a h2 backend connection. The previous
implementation was just not good enough regarding flow control on the overall
server and too complex compared to the performance benefits achieved. The goal
with this change is to establish a solid base from which to optimize things
again.
* Fixes slave connection input filter to use proper return code on speculative read
encountering an EOF.
* Starting test_600 for mod_proxy_http2 use on server itself
v1.12.5
--------------------------------------------------------------------------------
* Analyzing PR63170 more, mod_proxy_http2 needs to differentiate between its hosting
stream gone and its master connection gone. The later is terminal, the former is not.
* mod_proxy_http2: ping the other side of an idle connection only when not already
waiting on a PING response.
v1.12.4
--------------------------------------------------------------------------------
* Fixed an issue where a proxy_http2 handler entered an infinit loop when encountering
certain errors on the backend connection.
See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>.
v1.12.3
--------------------------------------------------------------------------------
* fixed bug in nghttp output parsing that filters now Frames sent/received inbetween
response body DATA.
* added test cases for nghttp output parsing which is screen scraping, so controlled
failure make debugging issues easier
* fixed an issue with curl detecting when configure --with-curl=path was used.
* added multi-resource retrieval tests via nghttp -a
* added Test for the h2 status handler
* More POST and form upload tests with nghttp client
* added POST tests in a http: proxied setup
v1.12.2
--------------------------------------------------------------------------------
* Fixed keepalives counter on slave connections.
v1.12.1
--------------------------------------------------------------------------------
* Fixed Bug introduce in v1.12.0 where mod_proxy_http2 no longer set the server name
on new backend connections.
* Fixed issue where mod_proxy_http2 would trigger an invalid internal state when retrying requests.
* applied patch for #167 provided by Michael Kaufmann (@mkauf) about errors on
HEAD requests (h2 streams not closed cleanly), for example those served by mod_cgid.
v1.12.0
--------------------------------------------------------------------------------
* H2Upgrade can be configured per directory/location. Test case added.
* H2Push can be disabled per directory/location. Test case added.
* Configuration rework to open up several directives for use in locations and directories
and .htaccess files.
* Merging changes from httpd/trunk + httpd/branches/2.4.x to have a unified source again.
v1.11.4
--------------------------------------------------------------------------------
* Changed cleanup strategy for slave connections.
* Added test case for <https://bz.apache.org/bugzilla/show_bug.cgi?id=62654>
* Adding an mpm check so that mod_http2 also compiles against Apache httpd trunk.
v1.11.3
--------------------------------------------------------------------------------
* Adding defensive code for stream EOS handling, in case the request handler somehow
missed to signal it the normal way. Should address #167 and #170.
v1.11.2
--------------------------------------------------------------------------------
* Fixed configure to no longer require ```libcurl-devel```, but only the ```curl```
command with h2 support for testing.
v1.11.1
--------------------------------------------------------------------------------
* added test/Makefile.in to the release tar ball, so that peopl just need
automake to build (reported in #169 by @uhliarik, fix proposed by @notroj)
* added -avoid-version to the linker flags (thanks to Oden Erikson, @odeneriksson)
* added tests for 100 interim responses
* added tests for trailers
* added tests for conditional request header
* added tests for invalid characters in response header
* added Upgrade: response header tests
* added vars require configuration tests
* added ssl renegotiation tests
v1.11.0
--------------------------------------------------------------------------------
* connection IO event handling reworked. Instead of reacting on incoming bytes, the
state machine now acts on incoming frames that are affecting it. This reduces
state transitions.
* pytest suite now covers some basic tests on h2 selection, GET and POST
* started to add pytest suite from existing bash tests
v1.10.21
--------------------------------------------------------------------------------
* Code cleanups from Apache subversion
* New optional function to query the number of h2 workers from Apache branch
v1.10.20
--------------------------------------------------------------------------------
* Restore keepalive handling of v1.10.16. Idle connections are kept open
for the duration.
v1.10.19
--------------------------------------------------------------------------------
* adding regular memory cleanup when transferring large response bodies. This
reduces memory footprint and avoids memory exhaustion when transferring large files
on 32-bit architectures.
v1.10.18
--------------------------------------------------------------------------------
* fixes a race condition where aborting streams triggers an unnecessary timeout.
v1.10.17
--------------------------------------------------------------------------------
* accurate reporting of h2 data input/output per request via mod_logio. Fixes
an issue where output sizes where counted n-times on reused slave connections. See #158.
* normalized connection prefix logging when trace2 is enabled for direct h2 connection
detection.
v1.10.16
--------------------------------------------------------------------------------
* Removed no longer used code in stream cleanup, disabled beam events
during pool shutdown, discouraged content-encoding filter from applying
themselves to http2_status responses.
v1.10.15
--------------------------------------------------------------------------------
* discourage gzip/brotli content encoding on http2-status responses as
they are inserted into the reponse when filters are already done.
v1.10.14
--------------------------------------------------------------------------------
* fixed unfair scheduling when number of active connections
exceeded the scheduling fifo capacity.
v1.10.13
--------------------------------------------------------------------------------
* avoid unnecessary data retrieval for a trace log. Allow certain
information retrievals on null bucket beams where it makes sense.
* Fixed configure to check first for libs and then add compiler flags
v1.10.12
--------------------------------------------------------------------------------
* Reverting 1.10.11 change since showed no effect on issue #120
* Fixes a race condition on request body handling.
v1.10.11
--------------------------------------------------------------------------------
* DoS flow control protection is less agressive as long as active tasks stay
below worker capacity. Intended to fix problems with media streaming.
v1.10.10
--------------------------------------------------------------------------------
* adding signalling of data available before waiting on beam buffer to drain. Missing this causes suspended streams to stall and time out.
v1.10.9
--------------------------------------------------------------------------------
* cleanup of bucket beam change signaling to track down issue #143
v1.10.8
--------------------------------------------------------------------------------
* a stream could stall and not send any more output to the client which in the end aborts the connection due to a timeout.
v1.10.7
--------------------------------------------------------------------------------
* disable and give warning when mpm_prefork is encountered. The server will
continue to work, but HTTP/2 will no longer be negotiated.
* improved implementation of ready queue.
v1.10.6
--------------------------------------------------------------------------------
* Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
the session in continuous check for state changes that never happen.
v1.10.5
--------------------------------------------------------------------------------
* fail requests without ERROR log in case we need to read interim
responses and see only garbage. This can happen if proxied servers send
data where none should be, e.g. a body for a HEAD request.
v1.10.4
--------------------------------------------------------------------------------
* mod_proxy_http2: adding support for Reverse Proxy Request headers.
v1.10.3
--------------------------------------------------------------------------------
* fixed possible deadlock that could occur when connections were
terminated early with ongoing streams. Fixed possible hanger with timeout
on race when connection considers itself idle.
v1.10.2
--------------------------------------------------------------------------------
* MaxKeepAliveRequests now limits the number of times a
slave connection gets reused.
* Client streams that lack the EOF flag get now forcefully
closed with a RST_STREAM (NO_ERROR) when the request has been answered.
* Only when 'HttpProtocolOptions Unsafe' is configured, will
control characters in response headers or trailers be forwarded to the
client. Otherwise, in the default configuration, a request will eiher
fail with status 500 or the stream will be reset by a RST_STREAM frame.
v1.10.1
--------------------------------------------------------------------------------
* Fixed bug in re-attempting proxy requests after connection error.
Reliability of reconnect handling improved.
* Fixed two rare deadlocks with new non-nested mutex use.
* No longer mapping Link: header urls in proxy requests when preserve host
is set.
v1.10.0
--------------------------------------------------------------------------------
* better performance, eliminated need for nested locks and
thread privates. Moving request setups from the main connection to the
worker threads. Increase number of spare connections kept.
* input buffering and dynamic flow windows for increased
throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
in mod_http2 INFO log as feature 'DWINS'.
* h2 workers with improved scalability for better scheduling
performance. There are H2MaxWorkers threads created at start and the
number is kept constant for now.
* obsoleted option H2SessionExtraFiles, will be ignored and
just log a warning.
* fixed PR60869 by making h2 workers exit explicitly waking up
all threads to exit in a defined way.
v1.9.3
--------------------------------------------------------------------------------
* moving session cleanup to pre_close hook to avoid races with
modules already shut down and slave connections still operating.
* stream timeouts now change to vhost values once the request
is parsed and processing starts. Initial values are taken from base
server or SNI host as before. [Stefan Eissing]
* fixed retry behaviour for http2 proxy connections when frontend
connection uses http/1.1.
* separate mutex instances for each bucket beam, resulting in
less lock contention. input beams only created when necessary.
v1.9.2
--------------------------------------------------------------------------------
* mod_http2: adding allocator mutex to session pool due to reports of rare
crashes.
v1.9.1
--------------------------------------------------------------------------------
* mod_proxy_http2: support for ProxyPreserveHost directive
v1.9.0
--------------------------------------------------------------------------------
* not counting file buckets again stream max buffer limits.
Effectively transferring static files in one step from slave to master
connection.
* mod_http2: comforting ap_check_pipeline() on slave connections
to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
[reported by Armin Abfalterer]
* mod_http2: http/2 streams now with state handling/transitions as defined
in RFC7540. Stream cleanup/connection shutdown reworked to become easier
to understand/maintain/debug. Added many asserts on state and cleanup
transitions.
v1.8.11
--------------------------------------------------------------------------------
* regression fix on bugzilla PR 59348, on graceful restart, ongoing
streams are finished normally before the final GOAWAY is sent.
* do not attempt to generated a response on an already aborted slave connection
* fix potential double cleanup of bucket beam memory
v1.8.10
--------------------------------------------------------------------------------
* fixes bugzilla PR60599, sending proper response for conditional requests
answered by mod_cache. (orignal patch by Jeff Wheelhouse)
v1.8.9
--------------------------------------------------------------------------------
* rework of stream resource cleanup to avoid a crash in a close
of a lingering connection. Prohibit special file bucket beaming for
shared buckets. Files sent in stream output now use the stream pool
as read buffer, reducing memory footprint of connections.
(much help from Yann Ylavic)
v1.8.8
--------------------------------------------------------------------------------
* streaming of request output now reacts timely to data
from other streams becoming available. Same for new incoming requests.
v1.8.7
--------------------------------------------------------------------------------
* fix for possible page fault when stream is resumed during session shutdown.
(Patch by sidney-j-r-m, github)
* fix for h2 session ignoring new responses while already
open streams continue to have data available.
v1.8.6
--------------------------------------------------------------------------------
* adding support for MergeTrailers directive.
* limiting DATA frame sizes by TLS record sizes in use on the
connection. Flushing outgoing frames earlier.
v1.8.5
--------------------------------------------------------------------------------
* Removed debug log statements left over in 1.8.4 release.
v1.8.4
--------------------------------------------------------------------------------
* Cleanup beamer registry on server reload, Fixes Apache bugzilla PR60510.
Patch by Pavel Mateja <pavel@verotel.cz>
* Fixes #126 e.g. beam bucket lifetime handling when data is sent
over temporary pools.
v1.8.3
--------------------------------------------------------------------------------
* CVE-2016-8740: Mitigate DoS memory exhaustion via endless
CONTINUATION frames. Reported by Naveen Tiwari <naveen.tiwari@asu.edu> and
CDF/SEFCOM at Arizona State University
* Removing some warning when streams are cleaned up that were never scheduled
v1.8.2
--------------------------------------------------------------------------------
* new directive 'H2EarlyHints' to enable sending of HTTP status 103 interim
responses. Off by default since some browser still choke on them.
* mod_proxy_http2 will, when used on top of a HTTP/1.x connection, only
forward 100 responses from the backend if the client expects them. All
other responses in the 100 range are filtered.
v1.8.0
--------------------------------------------------------------------------------
* mod_http2: new directive 'H2PushResource' to enable early pushes before
processing of the main request starts. Resources are announced to the
client in Link headers on a 103 early hint response.
All responses with status code <400 are inspected for Link header and
trigger pushes accordingly. 304 still does prevent pushes.
'H2PushResource' can mark resources as 'critical' which gives them higher
priority than the main resource. This leads to preferred scheduling for
processing and, when content is available, will send it first. 'critical'
is also recognized on Link headers.
* mod_proxy_http2: uris in Link headers are now mapped back to a suitable
local url when available. Relative uris with an absolute path are mapped
as well. This makes reverse proxy mapping available for resources
announced in this header.
With 103 interim responses being forwarded to the main client connection,
this effectively allows early pushing of resources by a reverse proxied
backend server.
* mod_proxy_http2: adding support for 103 status code, as proposed by
Kazuho Oku.
v1.7.9
--------------------------------------------------------------------------------
* fixed a crash in stream shutdown introduced in 1.7.8
v1.7.8
--------------------------------------------------------------------------------
* unannounced and multiple interim responses (status code < 200)
are parsed and forwarded to client until a final response arrives.
* mod_proxy_http2: improved robustness when main connection is closed early
by resetting all ongoing streams against the backend.
* mod_http2: allocators from slave connections are released earlier, resulting
in less overall memory use on busy, long lived connections.
v1.7.6
--------------------------------------------------------------------------------
* fixed crash in beam memory handling introduced in 1.7.x changes
v1.7.5
--------------------------------------------------------------------------------
* properly implemented 100-continue handling for proxy setups, be it
mod_proxy_http or mod_proxy_http2
* reusing backend HTTP/2 connections more than a second old will hold back
request bodies until a PING response is received. Headers are still sent
right away since those are repeatable on a new connection.
v1.7.3
--------------------------------------------------------------------------------
* reverts some int -> apr_uint32_t changes made in 1.7.0 to address possible
crashes.
v1.7.2
--------------------------------------------------------------------------------
* fixes compilation error on 32 bit systems when generating slave connection id.
v1.7.1
--------------------------------------------------------------------------------
* fix for build issues on Windows platforms
v1.7.0
--------------------------------------------------------------------------------
* rewrite of how responses and trailers are transferred between master and
slave connections.
* Reduction of internal states for tasks and streams, reducing complexity
for increased stability.
* Heuristic id generation for slave connections to better keep promise of
connection ids unique at given point in time. This fixes problems with
mod_cgid in high load situtations.
* Fix for handling of incoming trailers when no request body is sent.
v1.6.2
--------------------------------------------------------------------------------
* fixes a race that led to output blocking (stream not finishing)
v1.6.1
--------------------------------------------------------------------------------
* if configured with nghttp2 1.14.0 and onward, invalid request
headers will immediately reset the stream with a PROTOCOL error. Feature
logged by module on startup as 'INVHD' in info message.
* fixed handling of stream buffers during shutdown.
v1.6.0
--------------------------------------------------------------------------------
* handling graceful shutdown gracefully, e.g. processing existing streams to the end.
* h2 status resource follows latest draft, see
http://www.ietf.org/id/draft-benfield-http2-debug-state-01.txt
Configure it as
<Location "/.well-known/h2/state">
SetHandler http2-status
</Location>
* support for 'Expect: 100-continue' handling
v1.5.13
--------------------------------------------------------------------------------
* new H2CopyFiles directive that changes treatment of file handles in
responses. Necessary in order to fix broken lifetime handling in modules
such as mod_wsgi. Use 'H2CopyFiles off' where ever you need it.
* removing timeouts on master connection while requests are being processed.
Requests may timeout, but the master only times out when no more requests
are active.
v1.5.12
--------------------------------------------------------------------------------
* fixed connection flushing when handling SETTINGS and no stream is open.
(thanks @summerwind)
* fix for request abort when connections drops, introduced in 1.5.8
* more rigid error handling in DATA frame assembly, leading
to deterministic connection errors if assembly fails.
v1.5.10
--------------------------------------------------------------------------------
* fixed bug in error handling when passing DATA frames.
v1.5.9
--------------------------------------------------------------------------------
* more strict error handling and logging in DATA frame assembly.
v1.5.8
--------------------------------------------------------------------------------
* mod_http2: improved cleanup of connection/streams/tasks to always
have deterministic order regardless of event initiating it. Addresses
reported crashes due to memory read after free issues.
v1.5.7