-*- coding: utf-8 -*-
Changes with Apache 2.5.1
- *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
- in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
- Fixed. [Michael Kaufmann]
-
- *) mod_http2: new configuration directive: ```H2Padding numbits``` to control
- padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
- controlling the range of padding bytes added to a frame. The actual number
- added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
- frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing]
-
- *) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
- has no more need for it. Optional functions are still declared but no longer implemented.
- While previous mod_proxy_http2 will work with this, it is recommeneded to run the matching
- versions of both modules. [Stefan Eissing]
-
- *) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
- resolve PR63170. The proxy module does now a single h2 request on the (reused)
- connection and returns. [Stefan Eissing]
+ *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+ *) mod_md: Explicitly setting file permissions to break out of umasks. We want our
+ non-privilegded apache user to be able to read them. See github issue
+ <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
- *) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
- to trigger immediate shutdown of backend connections. This is now always signalled
- by mod_http2 when the the session is being released.
- proxy_http2 now only sends a PING frame to the backend when there is not already one
- in flight. [Stefan Eissing]
+ *) Merge consecutive slashes in URL's. Opt-out with `MergeSlashes OFF`.
+ [Eric Covener]
- *) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
- loop when encountering certain errors on the backend connection.
- See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]
+ *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
+ connection is recycled/reused to avoid a possible crash with some SSLProxy
+ configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
+
+ *) mod_mime: Add `MimeOptions` directive to allow Content-Type or all metadata
+ detection to use only the last (right-most) file extension or to be
+ disabled per-dir. [Eric Covener]
+
+ *) MPMs unix: bind the bucket number of each child to its slot number, for a
+ more efficient per bucket maintenance. [Yann Ylavic]
*) http: Fix possible empty response with mod_ratelimit for HEAD requests.
PR 63192. [Yann Ylavic]
configuration (SSLFIPS on) and not active by default in OpenSSL.
PR 63136. [Yann Ylavic]
- *) mod_http2: Configuration directoves H2Push and H2Upgrade can now be specified per
- Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
-
- *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
- terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
- Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]
-
*) mod_ssl: give mod_md the chance to override certificate after ALPN protocol
negotiation. [Stefan Eissing]
- *) mod_http2: enable re-use of slave connections again. Fixed slave connection
- keepalives counter. [Stefan Eissing]
-
*) mod_proxy_wstunnel: Fix websocket proxy over UDS.
PR 62932 <pavel dcmsys.com>
MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
[Eric Covener]
- *) mod_http2: adding defensive code for stream EOS handling, in case the request handler
- missed to signal it the normal way (eos buckets). Addresses github issues
- https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
- and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing]
-
*) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
body of the response. [Jim Jagielski]
*) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
[Dominik Stillhard <dominik.stillhard united-security-providers.ch>]
- *) mod_http2: connection IO event handling reworked. Instead of reacting on
- incoming bytes, the state machine now acts on incoming frames that are
- affecting it. This reduces state transitions. [Stefan Eissing]
-
*) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
before signals handling to avoid lifetime issues on restart or shutdown.
PR 62658. [Yann Ylavic]
PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>,
Joe Orton]
- *) mod_http2: adding an abort function to slave connections' pools, so out-of-memory
- events lead to a control process abort, as on HTTP/1.x connections. [Stefan Eissing]
-
- *) mod_http2: adding regular memory cleanup when transferring large response bodies. This
- reduces memory footprint and avoids memory exhaustion when transferring large files
- on 32-bit architectures. Fixes PR 62325. [Stefan Eissing]
-
*) http: LimitRequestBody applies to proxied requests. [Yann Ylavic]
*) mod_logio: Add LogIOTrackTTFU and %^FU logformat to log the time
*) mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.
[Bernard Spil <brnrd@freebsd.org>]
- *) mod_http2: on level trace2, log any unsuccessful HTTP/2 direct connection upgrade
- with base64 encoding to unify its appearance in possible bug reports. [Stefan Eissing]
-
*) mod_cgi: Add CGIScriptTimeout to make mod_cgi's timeout per-directory and
independent of the core Timeout directive. PR 62229.
[Hank Ibell <hwibell gmail.com>]
*) core: adding AP_DECLARE for ap_parse_vhost_addrs() and minor bumb mmn. Resolves
building mod_ssl on Windows. [Stefan Eissing, Gregg Smith]
- *) mod_http2: discourage gzip/brotli content encoding on http2-status responses as
- they are inserted into the reponse when filters are already done. [Stefan Eissing]
-
*) core: adding defines to allow interworking with honggfuzz without
further patches. [Stefan Eissing, Robert Swiecki]
should be accepted after the authorization scheme. \t are also tolerated.
[Christophe Jaillet]
- *) mod_http2: fixed unfair scheduling when number of active connections
- exceeded the scheduling fifo capacity. [Stefan Eissing]
-
*) core: Support zone/scope in IPv6 link-local addresses in Listen and
VirtualHost directives (requires APR 1.7.x or later). PR 59396. [Joe Orton]