H2O - the optimized HTTP/1, HTTP/2, HTTP/3 server

Last update: Nov 18, 2022

Related tags

Overview

H2O - an optimized HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3 (experimental)

Copyright (c) 2014-2019 DeNA Co., Ltd., Kazuho Oku, Tatsuhiko Kubo, Domingo Alvarez Duarte, Nick Desaulniers, Marc Hörsken, Masahiro Nagano, Jeff Marrison, Daisuke Maki, Laurentiu Nicola, Justin Zhu, Tatsuhiro Tsujikawa, Ryosuke Matsumoto, Masaki TAGAWA, Masayoshi Takahashi, Chul-Woong Yang, Shota Fukumori, Satoh Hiroh, Fastly, Inc., David Carlier, Frederik Deweerdt, Jonathan Foote, Yannick Koechlin, Harrison Bowden, Kazantsev Mikhail

H2O is a new generation HTTP server. Not only is it very fast, it also provides much quicker response to end-users when compared to older generations of HTTP servers.

Written in C and licensed under the MIT License, it can also be used as a library.

For more information, please refer to the documentation at h2o.examp1e.net.

Reporting Security Issues

Please report vulnerabilities to [email protected]. See SECURITY.md for more information.

Comments

Change SSL config to more secure defaults:
Minumum TLSv1.2

Cipher suite default: ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

Switch to server preference for cipher choice

ssllabs.com https://www.ssllabs.com/ssltest/analyze.html?d=yay.im

This is rejecting a number of (admittedly very old) clients so we might want to loosen the defaults a bit?
opened by deweerdt 40
Add some validation for headers in characters

We add strict validation for the headers that are present in the header name and the header field. We have a special case for pseudo headers, since there's a limited list of those that are allowed.

opened by deweerdt 34

h2o ad-hoc tracer

Hello

Here's a first proof-of-concept regarding an ad-hoc tracer for h2o based off dtrace probes. The aim was to be cost free when not attached, and still performant under load.

I implemented a small test client for it in python using EBPF/BCC, but any language can be used really. The script is here, and would require BCC. I pasted a sample output below.

The PR implements a communication socket to the tracing program. It allows to stop any tracing processing if the tracer program disconnects or crashes, and also some lightweight communication to filter out some events from being processed. This socket port is settable using the config below.

Cheers !

listen:
    port: 4321
    tracing: ON

% sudo ./picotracer.py `pgrep h2o`
>> 1553636178731756      36    SSLNew            TLSv1.3 AES256-GCM 0x7ff626ffcac0
>> 1553636178731756      36    NewConnH2         10.0.2.15:9090 10.0.2.15:34200
>> 1553636178731756      36    RxHeader          user-agent curl/7.64.0
>> 1553636178731756      36    RxHeader          accept */*
>> 1553636178731756      36    NewReq            HTTP/2 GET /assets/2.ts
>> 1553636178731756      36    Proxy             [unix:/tmp/h2o.sock]
>> 1553636178731756      36    ProxyTxHdr        user-agent curl/7.64.0
>> 1553636178731756      36    ProxyTxHdr        accept */*
>> 1553636178731756      36    ProxyNewReq       HTTP/1.1 GET /assets/2.ts
>> 1553636178731756      36    ProxyRxHdr        date Tue, 26 Mar 2019 21:36:18 GMT
>> 1553636178731756      36    ProxyRxHdr        content-type video/mp2t
>> 1553636178731756      36    ProxyRxHdr        last-modified Mon, 06 Aug 2018 09:07:10 GMT
>> 1553636178731756      36    ProxyRxHdr        etag "5b680fbe-1a8780"
>> 1553636178731756      36    ProxyRxHdr        accept-ranges bytes
>> 1553636178731756      36    ProxyNewRes       HTTP/1.1 200 len: 1738624
>> 1553636178731756      36    TxHeader          date Tue, 26 Mar 2019 21:36:18 GMT
>> 1553636178731756      36    TxHeader          content-type video/mp2t
>> 1553636178731756      36    TxHeader          last-modified Mon, 06 Aug 2018 09:07:10 GMT
>> 1553636178731756      36    TxHeader          etag "5b680fbe-1a8780"
>> 1553636178731756      36    TxHeader          accept-ranges bytes
>> 1553636178731756      36    NewRes            HTTP/2 200 len: 1738624

opened by pldubouilh 29

Broken http/1.1 chunked body is silently relayed

When a transfer-encoding:chunked transfer is interrupted in the backend by a connection close, H2O currently just closes the frontend stream. This makes it not possible for the client to know that it's receiving truncated data, whereas it would be possible over plain HTTP/1.1, since the last chunk would be missing - Chrome and curl both report errors on truncated HTTP/1.1 chunked transfers, FF and Safari do not, as far as I can tell -. This adds a test that checks that a broken transfer-encoding:chunked transfer is translated into a RST_STREAM over H2.

opened by deweerdt 28
(h2o), uid 80: exited on signal 6
Just a question: I sometimes get a lot of these in the kernel log messages on FreeBSD and HardenedBSD systesm running h2o.

pid 56341 (h2o), uid 80: exited on signal 6

Is this to be expected? Why does it exit so often?

Note, there is nothing to be found in the h2o error log and neither in the php-fpm.log.
opened by utrenkner 27
help: mruby handler & FreeBSD
I'm trying to wrap my head around these mruby handlers used by h2o. I'm on h2o 1.7.0 from FreeBSD ports. This is what I'm trying right now, found at https://github.com/h2o/h2o/pull/405#issuecomment-136281330

hosts: default: paths: "/": mruby.handler: | H2O.return 403, "Access Forbidden", "I will never show you this!"

When I try to start h2o, I get:

Starting h2o. [/usr/local/etc/h2o/h2o.conf:58] unknown command: mruby.handler /usr/local/etc/rc.d/h2o: WARNING: failed to start h2o

What am I doing wrong?
opened by basbebe 27
support basic-authentication using .htpasswd
Tasks:

[ ] bundle mruby-string-crypt

[ ] adjust http://lowreal.net/2015/11/17/1 to read the password file, and bundle it

Format of htpasswd file is specified in https://httpd.apache.org/docs/2.2/misc/password_encryptions.html.

relates to #203
mruby
opened by kazuho 26
Quic protocol support

Any plans for supporting QUIC?

It seems that currently QUIC doesn't have a lot of changes over HTTP2(same HPACK, same semantics) layer, instead its main focus it's to improve upon TCP, by replacing it with UDP. I wonder if you've thought about it? I'm searching for a high performance QUIC/HTTP2 webserver.

I guess, ideally, it would be only a matter of swapping the TCP under the current HTTP implementation, with QUIC's UDP replacement. But I guess it isn't that easy? Isn't it?

How would you do it if you were to work on it?

Thanks.

opened by 6D65 25

No error status code received while stress testing h2o

Hello,

I am trying to stress test h2o using h2load. Whenever a large number of requests fails h2load doesn't report any error status codes. I suppose it is not getting the response code from h2o

 h2load -n200000 -c1 -m100 -i ~/h2o-1.5.0-beta2/SCRIPTS/all_urls.txt


starting benchmark...
spawning thread #0: 1 total client(s). 200000 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 10% done

finished in 4.65s, 5956.86 req/s, 30.54MB/s
requests: 200000 total, 27826 started, 200000 done, 27726 succeeded, 172274 failed, 172274 errored, 0 timeout
status codes: 27726 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 149060220 bytes total, 1443027 bytes headers (space savings 71.53%), 147058038 bytes data
                     min         max         mean         sd        +/- sd
time for request:     3.92ms    106.90ms     14.17ms     10.23ms    86.44%
time for connect:     5.10ms      5.10ms      5.10ms         0us   100.00%
time to 1st byte:    14.04ms     14.04ms     14.04ms         0us   100.00%
req/s           :    5958.32     5958.32     5958.32        0.00   100.00%

As You can see a lot many requests have failed but no error status code has been reported. Also, I'd like to ask is it fine that a bigger bunch of requests are getting failed?

opened by s0j0urn 23

Add channel class and task method for parallel processing in mruby
This PR is for https://github.com/h2o/h2o/issues/1329

TODO:

[x] add queue for when ch.push is called before ch.shift

[x] add tests

[x] use script to create embedded code
opened by naritta 21
[http2] Server-driven priorities
This PR adds an initial absolute priority header support based on draft-kazuho-httpbis-priority-04.

This PR is an initial prototype and has several assumptions:

Back-end (e.g. file handler, reverse proxy origin) adds the priority header.

Request priorities from a client are modified based on back-end priority headers.

As for client-generated priorities, only assumes Chromium-style dependency tree (linear, weight-sorted list)

Only urgency parameter is interpreted. incremental parameter is ignored at the moment.
opened by hfujita 20
[h2olog] re-implementing h2olog v1 features in v2 (h2olog v2 part 2)
This PR is aimed at re-implementing h2olog v2 features with v2, based on the branch of #3149.

FWIW this PR is made against https://github.com/h2o/h2o/pull/3149 so far in order to make the diff smallest, but is not intended to be merged into the branch. The base branch will be changed to master after #3081 is merged.

[x] -H

[x] -S

[ ] -A

[ ] -N

[ ] -t

[ ] Removing the use of BCC from h2olog

[ ] Removing the use of eBPF maps from h2o

This PR is a part of #3059.
opened by gfx 0
libh2o websocket server send asynchronous
HI,

I am trying to use libh2o for websockets. I managed to get basic working where a client is able to connect to the server. I want to send asynchronous messages to multiple clients when connected. something similar to #572. For some reason, I can only send 2 messages no matter how many messages I add to queue.

When I use only 1 client, the async function I have looks as below. This as it is works but only sends 2 messages. When I uncomment ws_conn->sock->_cb.write = 0; then it sends all messages from the queue to the client.

int send_ws_message(void * websocket_ptr, char * message, bool on_connect) { h2o_websocket_conn_t * ws_conn = (h2o_websocket_conn_t *) websocket_ptr; struct wslay_event_msg msgarg = {WSLAY_TEXT_FRAME, (uint8_t *) message, strlen(message)}; wslay_event_queue_msg(ws_conn->ws_ctx, &msgarg); h2o_websocket_proceed(ws_conn); // ws_conn->sock->_cb.write = 0; return 1; }

But this only works for 1 client. If I add a second client this does not work.

Does anyone has any example which I can take a look at or if any one can help me to figure out whats am I missing here?

Really appreciate your time and help.
opened by zhemant 2
[h2olog2] change the h2olog-h2o protocol to be cleartext HTTP/1

Re-implements h2o_log server as a standard h2o handler in order to pass parameters from h2olog to h2o. The feature is not yet implemented but will be used to implement h2olog options such as -a.

This PR is made against https://github.com/h2o/h2o/pull/3081 and is a part of #3059.

opened by gfx 0

HTTP/2 Prioritization

It seems that the prioritization is not happening according to: https://www.rfc-editor.org/rfc/rfc7540.html#section-5.3.2

This states that:

Streams with the same parent SHOULD be allocated resources proportionally based on their weight. Thus, if stream B depends on stream A with weight 4, stream C depends on stream A with weight 12, and no progress can be made on stream A, stream B ideally receives one-third of the resources allocated to stream C.

However the behavior I am seeing is that whenever the weight of A > B that A gets 2x the resources of B.

Below is simple libcurl code that shows this behaviour:

#include <stdio.h>
#include <curl/curl.h>

int main(void)
{
	CURL *curl;
	CURL *curl2;
	CURLcode res;

	curl_global_init(CURL_GLOBAL_ALL);

	curl = curl_easy_init();
	curl2 = curl_easy_init();
	CURLM *multi_handle = curl_multi_init();
	curl_multi_setopt(multi_handle, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
	curl_easy_setopt(curl, CURLOPT_URL, "https://localhost:8083/a.txt");

	curl_easy_setopt(curl2, CURLOPT_URL, "https://localhost:8083/b.txt");

	curl_easy_setopt(curl, CURLOPT_PIPEWAIT, 1L);
	curl_easy_setopt(curl2, CURLOPT_PIPEWAIT, 1L);

	curl_easy_setopt(curl, CURLOPT_STREAM_WEIGHT, 1L);
	curl_easy_setopt(curl2, CURLOPT_STREAM_WEIGHT, 20L);
	curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
	curl_easy_setopt(curl2, CURLOPT_SSL_VERIFYPEER, 0);


	curl_multi_add_handle(multi_handle, curl);
	curl_multi_add_handle(multi_handle, curl2);
	/* Perform the request, res will get the return code */

	int still_running = 1;
	while(still_running) {
		CURLMcode mc; /* curl_multi_poll() return code */
		int numfds;

		/* we start some action by calling perform right away */
		mc = curl_multi_perform(multi_handle, &still_running);

		if(still_running)
			/* wait for activity, timeout or "nothing" */
			mc = curl_multi_poll(multi_handle, NULL, 0, 1000, &numfds);

		if(mc != CURLM_OK) {
			fprintf(stderr, "curl_multi_wait() failed, code %d.\n", mc);
			break;
		}
	}
	curl_multi_remove_handle(multi_handle, curl);
	curl_multi_remove_handle(multi_handle, curl2);
	curl_easy_cleanup(curl);
	curl_easy_cleanup(curl2);
	curl_multi_cleanup(multi_handle);
	curl_global_cleanup();
	return 0;
}

The files a.txt and b.txt are large (1.4GB) equally sized files filled with a\n and b\n respectively. The output of the libcurl code will show around 2x the amount of b's than a's.

Either I'm doing something wrong in my curl code, or this is a bug?

opened by wlemoine 1

Windows CMake build: OPENSSL_CRYPTO_LIBRARY

Hello!

First, this is the error I get:

PS C:\Users\Ingwie Phoenix\work\h2o\out.win> cmake . -DOPENSSL_ROOT_DIR="C:/Users/Ingwie Phoenix/Downloads/libressl-3.6.0/libressl-3.6.0/dist/" -DOPENSSL_CRYPTO_LIBRARY="C:\Users\Ingwie Phoenix\Downloads\libressl-3.6.0\libressl-3.6.0\dist\lib\crypto-50.lib"
CMake Error at C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/Common7/IDE/CommonExtensions/Microsoft/CMake/CMake/share/cmake-3.20/Modules/FindPackageHandleStandardArgs.cmake:230 (message):
  Could NOT find OpenSSL, try to set the path to OpenSSL root folder in the
  system variable OPENSSL_ROOT_DIR (missing: OPENSSL_CRYPTO_LIBRARY) (found
  version "2.0.0")
Call Stack (most recent call first):
  C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/Common7/IDE/CommonExtensions/Microsoft/CMake/CMake/share/cmake-3.20/Modules/FindPackageHandleStandardArgs.cmake:594 (_FPHSA_FAILURE_MESSAGE)
  C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/Common7/IDE/CommonExtensions/Microsoft/CMake/CMake/share/cmake-3.20/Modules/FindOpenSSL.cmake:570 (find_package_handle_standard_args)
  CMakeLists.txt:69 (FIND_PACKAGE)


-- Configuring incomplete, errors occurred!
See also "C:/Users/Ingwie Phoenix/work/h2o/out.win/CMakeFiles/CMakeOutput.log".
See also "C:/Users/Ingwie Phoenix/work/h2o/out.win/CMakeFiles/CMakeError.log".

The OPENSSL_ROOT_DIR is a freshly built LibreSSL build - not the CMake build folder but a fully installed one via -DCMAKE_INSTALL_PREFIX.

Am I missing something here?

I tried building via msbuild, but that errored immediately on literally the first character of the project file. Apologies for the error being in german, but see yourself:

PS C:\Users\Ingwie Phoenix\work\h2o> msbuild .\h2o.xcodeproj\
Microsoft (R)-Build-Engine, Version 16.11.2+f32259642 für .NET Framework
Copyright (C) Microsoft Corporation. Alle Rechte vorbehalten.

Der Buildvorgang wurde am 25.10.2022 13:23:18 gestartet.
Projekt "C:\Users\Ingwie Phoenix\work\h2o\h2o.xcodeproj\project.pbxproj" auf Knoten "1" (Standardziele).
C:\Users\Ingwie Phoenix\work\h2o\h2o.xcodeproj\project.pbxproj(1,1): error MSB4025: Die Projektdatei konnte nicht geladen werden. Ungültige Daten auf Stammebene. Zeile 1, Position 1.
Die Erstellung des Projekts "C:\Users\Ingwie Phoenix\work\h2o\h2o.xcodeproj\project.pbxproj" ist abgeschlossen (Standardziele) -- FEHLER.


Fehler beim Buildvorgang.

"C:\Users\Ingwie Phoenix\work\h2o\h2o.xcodeproj\project.pbxproj" (Standardziel) (1) ->
  C:\Users\Ingwie Phoenix\work\h2o\h2o.xcodeproj\project.pbxproj(1,1): error MSB4025: Die Projektdatei konnte nicht geladen werden. Ungültige Daten auf Stammebene. Zeile 1, Position 1.

    0 Warnung(en)
    1 Fehler

Verstrichene Zeit 00:00:00.02

Thanks in advance.

Kind regards, Ingwie

opened by IngwiePhoenix 0

Community? Mailing list? Where do I ask questions? :)

Hello!

Not quite an "issue", but I am currently reading the Matrix protocol specification and want to write a homeserver implementation in C - which led me to come across h2o, and libh2o respectively.

I would like to ask a few questions to have general pointers as to where to look for what - but I couldn't find any link to any kind of community/discussion place? I am visually impaired; chances are I actually ended up missing it...

So in case I have, where may I ask questions?

Thank you and have a great day!

opened by IngwiePhoenix 0

Releases(v2.3.0-beta2)

v2.3.0-beta2(Aug 13, 2019)
This is the beta release of the 2.3 series with following changes from 2.3.0-beta1, including one vulnerability fix.

[security fix][http2] fix HTTP/2 DoS attack vectors CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 #2090 (Kazuho Oku)

[access-log] add support for logging to unix sockets #1746 (Frederik Deweerdt)

[access-log][proxy] rename key names of proxy timings #2082 (Ichito Nagata)

[file] add if-range header support #1751 (Lingmo Zhu)

[compress] extend x-compress-hint to be able to force either gzip or br compression #1808 (Frederik Deweerdt)

[compress][brotli] ensure there's a minimal good buffer size #1824 (Frederik Deweerdt)

[core] server timing tiny improvements #1818 (Ichito Nagata)

[core] flexible timeouts #1840 (Kazuho Oku)

[core] stop applying filters multiple times #1891 (Ichito Nagata)

[core] remove redundancy in how token index is determined #1903 (Kazuho Oku)

[core] use ALPN_ENTRY uniformly. #1987 (Masanori Ogino)

[core] allow to specify a list of CPUs to bind H2O to #2017 (Frederik Deweerdt)

[doc] fix for ssl_setup function in some libh2o examples #1802 (Byoungwoo Song)

[doc] improve documentation about extension property #2047 (Martin Michel)

[http1][http2] fix broken trailers issue #1798 (Ichito Nagata)

[http1] move chunked encoding code to http1 protocol handler #1819 (Ichito Nagata)

[http1] fix broken memory problem on keepalived connection #1823 (Ichito Nagata)

[http1] update picohttpparser and reject multiline headers #1933 (Ichito Nagata)

[http1] HTTP/1: handle the absolute url form #1941 (Frederik Deweerdt)

[http1] streaming request bodies #2007 (Frederik Deweerdt)

[http1] optional H1 behavior to forward connection closure #2015 (Toru Maesaka)

[http2] ORIGIN frame #1199 (Frederik Deweerdt)

[http2] http2client #1549 (Ichito Nagata)

[http2] http2-allow-cross-origin-push #1801 (Frederik Deweerdt)

[http2] :path pseudo header field cannot be empty #1822 (Ichito Nagata)

[http2] expose HPACK primitives #1845 (Kazuho Oku)

[http2] http2client #1549 (Ichito Nagata)

[http2] nitpicks in the HTTP2 response header parsing #1868 (Kazuho Oku)

[http2] forward content-length from upstream #1875 (Ichito Nagata)

[http2] don't push a path if a connection is closing. #1902 (Frederik Deweerdt)

[http2] don't call h2o_http2_conn_request_write from emit_writereq_of_openref (Frederik Deweerdt)

[http2] retain prioritization information for closed streams #1924 (Frederik Deweerdt)

[http2] HTTP/2 priorities fixes #1934 (Frederik Deweerdt)

[http2] fix failed assertion in update_stream_output_window #1951 (Frederik Deweerdt)

[http2] make sure the connection is registered with the stream before calling on_connect #1979 (Frederik Deweerdt)

[http2] h2o_http2_conn_unregister_stream assert on shutdown #2000 (Frederik Deweerdt)

[mime] update mimemap for .deb, .dll, .exe, .rar, .udeb and .zst. #1985 (Masanori Ogino)

[mime] support for USDZ MIME type for iOS 12 Safari #1861 (Kenta Moriuchi)

[mime] add MIME types for 3D models (GeoJSON, glTF) (Kenta Moriuchi)

[mruby] send early hints from mruby #1767 (Ichito Nagata)

[mruby] update mruby to 1.4.1 as well as the mrbgems #1778 (Kazuho Oku)

[mruby] use mrb_data_get_ptr to handle irregular cases in ruby layer #1794 (Ichito Nagata)

[mruby] prometheus middleware #1892 (Ichito Nagata)

[mruby] fix an invalid memory access by an mruby middleware #1945 (Toru Maesaka)

[mruby] fix heap-use-after-free bug of http_request #1975 (Ichito Nagata)

[mruby] fix invalid read on the stack #2003 (Frederik Deweerdt)

[proxy] forward broken chunk encoding to clients when upstream closes before sending anything #2070 (Frederik Deweerdt)

[ssl] check more errors returned by libcrypto #1797 (Kazuho Oku)

[ssl] more ssl stats #1837 (Ichito Nagata)

[ssl] support TLS 1.3 final #1844 (Kazuho Oku)

[ssl] send TLS alert on handshake failure when recent versions of OpenSSL is used #1872 (Kazuho Oku)

[ssl] use openssl crypto for the key exchange #1870 (Frederik Deweerdt)

[ssl] handle KeyUpdate #1882 (Kazuho Oku)

[ssl] fix session resumption (client-side) when used with OpenSSL 1.1.1 #2088 (Roberto Guimaraes)

[status] avoid redundant registration of status handlers #1815 (Kazuho Oku)

[libh2o] fix broken trailers issue #1798 (Ichito Nagata)

[libh2o] add header flags #1832 (Ichito Nagata)

[libh2o] client protocol abstraction #1855 (Kazuho Oku)

[libh2o] add an API to get the underlying socket from an httpclient #1957 (Toru Maesaka)

[libh2o] add application/xml to the is_compressible mime types #2016 (Uwe Trenkner)

[libh2o] fix issue in 'h2o_perror' about 'strerror_r' #2022 (Baodong Chen)

[libh2o] fix prototype for 'h2o_fatal' and replace 'abort(3)' with it #2020 (Baodong Chen)

[libh2o] install httpclient as part of h2o #2027 (Kazuho Oku)

[libh2o] add an h2o_now_nanosec() func to the Event Loop API #2053 (Toru Maesaka)

[libh2o] socket: Add h2o_socket_get_ssl_server_name() #2054 (Remi Gacogne)

[libh2o] keep track of mmap failures #2065 (Toru Maesaka)

[libh2o] split up the buffer reservation API #2031 (Toru Maesaka)

[libh2o] don't store the socket in the socket pool when unnecessary #2073 (Frederik Deweerdt)

[libh2o] expose bytes_written from httpclient #2080 (Ichito Nagata)

[libh2o] implement H2O_MULTITHREAD_ONCE #2086 (Kazuho Oku)

[misc] fix leased socket counting in socketpool #1750 (Lingmo Zhu)

[misc] knob to tune disk-based memory allocation threshold #1820 (Ricardo Nabinger Sanchez)

[misc] fuzzer target fix for FreeBSD #1862 (David Carlier)

[misc] clean up buildchain linuxisms & update FreeBSD URLs #1813 (Dave Cottlehuber)

[misc] minor facebook/infer 0.15.0 finds #1885 (Frederik Deweerdt)

[misc] httpclient misc changes #1877 (Ichito Nagata)

[misc] enables support of ccache #1905 (Lars K.W. Gohlke)

[misc] pass travis flag to docker and sudo #1908 (Pierre Dubouilh)

[misc] pass proper timeout value to uv_timer_start #1911 (Ichito Nagata)

[misc] refine socket pool entry timeout #1923 (Baodong Chen)

[misc] fix build error under Android O for boringssl #1960 (Baodong Chen)

[misc] fix compiler error under android O #1961 (Baodong Chen)

[misc] use predifined function 'h2o_socket_is_reading|writing' #1973 (Baodong Chen)

[misc] add 'H2O_ERROR_PRINTF' macro, default is 'fprintf(stderr,...)' #2008 (Baodong Chen)

Source code(tar.gz)
Source code(zip)
v2.2.6(Aug 13, 2019)
This is a bug-fix release of the 2.2 series with following changes from 2.2.5, including a vulnerability fix.

[security fix][http2] fix HTTP/2 DoS attack vectors CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 #2090 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.3.0-beta1(Jun 2, 2018)
This is the first beta release of version 2.3 series. Changes from version 2.2.5 are as follows.

[core] forbid empty path string in configuration #1506 (Ichito Nagata)

[core] use eventfd instead of pipe on linux #1533 (Baodong Chen)

[core] remove redundancy #1568 #1569 #1584 #1596 (Baodong Chen)

[core] !env for respecting environment variables from the configuration file #1524 (Yannick Koechlin)

[core] avoid copying vector when calling writev #1600 (Kazuho Oku)

[core] alignment-aware allocation from memory pool #1605 (Baodong Chen)

[core] stash directive for storing arbitrary YAML data #1739 (Ichito Nagata)

[access-log] log connections that closed prior to sending a response #1235 (Kazuho Oku)

[compress] update brotli to 1.0.2 #1523 (Kazuho Oku)

[fastcgi] accept default as a keyword of the extensions attribute #1414 (Ichito Nagata)

[fastcgi] add verbose mode to fastcgi-cgi gateway #1466 (Kazuho Oku)

[fastcgi][mruby][proxy] do not delay sending the headers until some chunk of body becomes available #1508 (Ichito Nagata)

[http1][http2] support for server-timing #1646 #1717 (Ichito Nagata)

[http1][http2] forward informational responses #1727 (Ichito Nagata)

[http2] support critical attribute in preload link header #1436 (Kazuho Oku, Frederik Deweerdt)

[http2] continue to process active streams after sending GOAWAY upon graceful shutdown #1556 (Ichito Nagata)

[mime] more predefined types #1398 #1632 #1708 #1723 (Jxck, proyb6, OGINO Masanori)

[mime] mark /+json as compressible #1709 (OGINO Masanori)

[mruby] Rack middleware support #1217 (Ichito Nagata)

[mruby] allow running asynchronous operations unbounded to the Rack request being processed #1173 (Ichito Nagata)

[mruby] add channel class and task method for parallel processing #1336 (Ritta Narita)

[mruby] implement sleep #1348 (Ichito Nagata)

[mruby] implement Digest::SHA256 #1387 (Kazuho Oku)

[mruby] add option to specify mrbgem dependencies out of tree #1446 (Satoshi Tagomori)

[mruby] on exception, emit filenames and consistent line number of embedded mruby code #1537 (Satoshi Tagomori)

[mruby] introduce client-warning header for error notification #1562 (Ichito Nagata)

[mruby] allow fiber switch in constructor #1574 (Kazuho Oku)

[mruby] fix crash when the rack handler returns a non-number status code #1576 (Kazuho Oku)

[mruby] add support for redis #1152 (Ichito Nagata)

[mruby] replace iijson with mattn-json #1684 (Yannick Koechlin, Kazuho Oku)

[mruby] update mruby and modules #1462 #1685

[proxy] load balancing support (round-robin, least-conn) #1277 #1361 (Justin Zhu)

[proxy] cap the amount of request body being buffered #1357 (Frederik Deweerdt)

[proxy] cap the amount of response body being buffered #1358 (Frederik Deweerdt)

[proxy] introduce separate timeouts for connection establishment and first-byte #1402 (Frederik Deweerdt)

[proxy] forward the error to the client when upstream closes the connection abruptly #1490 (Ichito Nagata)

[proxy] add option to skip supplementation of a Date header #1495 (Frederik Deweerdt)

[proxy] do not abort when receiving an invalid transfer-encoding header from upstream #1688 (Ichito Nagata)

[reproxy] connection pooling for reproxy #1434 (Ichito Nagata)

[ssl] support redis as a data store for session cache / ticket #1087 (Ichito Nagata)

[ssl] unbundle libressl #1546 (Kazuho Oku)

[ssl] add support for 425 Too Early status code #1344 (Kazuho Oku)

[libh2o] enable ECDH in the exmaple server #1602 (Varbin)

[libh2o] emit less system calls in websocket #1590 (Baodong Chen)

[libh2o] build examples using evloop #1589 (Baodong Chen)

[libh2o] add API to release thread-local data #1624 (Baodong Chen)

[libh2o] h2o_gettimeofday to obtain current time in microsecond order #1726 (Ichito Nagata)

[misc] include process id in crash backtrace #1254 (Kazuho Oku)

[misc] backtracing for BSD #1503 (Frederik Deweerdt)

[misc] fix build issues for Android #1521 (Joel Winarske)

[misc] switch to Docker-based CI #1551 #1580 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.2.5(Jun 1, 2018)
This is a bug-fix release of the 2.2 series with following changes from 2.2.4, including one vulnerability fix.

[security fix][access-log] fix buffer overflow CVE-2018-0608 #1775 (Frederik Deweerdt)

[fastcgi] index file name must be part of SCRIPT_NAME #1650 (Ichito Nagata)

[http2] do not compress cookies less than 20 bytes long #1389 (Julien Benoist)

[http2] stop opening new push streams after receiving GOAWAY #1555 (Ichito Nagata)

[http2] fix conformance issues #1579 #1582 #1599 (Kazuho Oku)

[mruby] drop the link rel=preload header with a x-http2-push-only attribute #1310 (Frederik Deweerdt)

[mruby] allow loading a file that shares the basename with one of the preloaded files #1662 (Ichito Nagata)

[proxy] fix I/O error when receiving multiple informational responses #1716 (Frederik Deweerdt)

[ssl] fix bug that prevents record size growing to maximum when latency optimization is disabled #1545 (Ichito Nagata)

[ssl] fix compatibility issues with libressl 2.7 #1707 (AIZAWA Hina)

[ssl] update picotls to support TLS 1.3 draft-26 #1718 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.2.4(Dec 15, 2017)
This is a bug-fix release of the 2.2 series, including two vulnerability fixes.

[security fix][access-log][ssl] fix crash when logging TLS 1.3 properties CVE-2017-10872 #1543 (MITSUNARI Shigeo)

[security fix][http2] fix crash when handling malformed HTTP/2 request CVE-2017-10908 #1544 (Kazuho Oku)

[access-log][compress] %b should log the amount of data sent after compression #1478 (Ichito Nagata)

[fastcgi][misc] respect H2O_PERL environment variable in share/h2o/setuidgid #1518 (Kazuho Oku)

[mime] fix Opus mimetype #1522 (Alex)

[mruby] fix runtime issue that prevents a closed variable from getting updated #1464 (Tatsushi Demachi)

[mruby] keep PATH_INFO undecoded #1480 (Ichito Nagata)

[mruby] fix keepalive not being used when the response to http_request is directly returned #1489 (Ichito Nagata)

[mruby] fix offset overflow of SCRIPT_INFO and PATH_INFO #1502 (Ichito Nagata)

[proxy][ssl] fix pointer corruption when connecting to origin via https (big-endian only) #1475 (Kazuho Oku)

[proxy] omit network I/O when handling internal redirect between hosts mapped to different ports #1498 (Ichito Nagata)

[ssl] fix crash on s390 (and possibly on other big-endian machines) #1474 (Apollon Oikonomopoulos)

[websocket] do not send upgrade header twice #1463 (Yamagishi Kazutoshi)

Source code(tar.gz)
Source code(zip)
v2.2.3(Oct 19, 2017)
This is a bug-fix release of the 2.2 series, including two vulnerability fixes.

[security fix][http1] fix crash when receiving request with invalid framing CVE-2017-10868 #1459 (Frederik Deweerdt)

[security fix][proxy] fix stack overflow when sending huge request body to upstream CVE-2017-10869 #1460 (Frederik Deweerdt)

[core] disable buffering of stdout, stderr #1347 (Yannick Koechlin)

[expires] fix incorrect header emitted when units: month or year were used #1406 (Frederik Deweerdt)

[fastcgi] never return 304 if the file is a dynamic handler #1385 (Kazuho Oku)

[mime] flush all existing mapping when file.mime.settypes is used #1416 (Ichito Nagata)

[mruby] update mruby and modules #1320 #1338 #1413

[mruby] expose SERVER_PROTOCOL #1353 (Frederik Deweerdt)

[mruby] properly handle content-less response #1430 (Ichito Nagata)

[proxy] do not drop the Date request header #1408 (Ichito Nagata)

[ssl] fix deadlock during lazy initialzation #1425 (Apollon Oikonomopoulos)

[ssl] fix epoll-related crashes on OSCP updates #1427 (Apollon Oikonomopoulos)

[ssl] avoid spurious session ticket renewals #1444 (Apollon Oikonomopoulos)

[websocket] fix bug that might drop the first websocket frame #1276 (wuhanck)

[libh2o] clear OpenSSL's error queue before using it #1448 (Apollon Oikonomopoulos)

[doc] add documentation of duration-stats #1306 (Frederik Deweerdt)

[misc] fix build issues on OpenIndiana #1300 (David Carlier)

[misc] build on platforms without 64-bit atomics #1433 (Apollon Oikonomopoulos)

Source code(tar.gz)
Source code(zip)
v2.2.2(Apr 23, 2017)
This is a bug-fix release for 2.2 series, fixing the following regression found in 2.2.1.

[ssl] fix OCSP stapling error when LibreSSL is used #1275 (Ian Moone)

Source code(tar.gz)
Source code(zip)
v2.2.1(Apr 22, 2017)
This is a bug-fix release for 2.2 series, fixing the following issues found in 2.2.0.

[mruby] correct the line number reported on an exception #1239 #1251 (Ichito Nagata)

[mruby] retain the order of request headers sharing a single name #1271 (Kazuho Oku)

[ssl] fix assertion failure in decode_ssl_input #1264 (Kazuho Oku)

[ssl] fix OCSP stapling error when OpenSSL 1.1.0 is used #1270 (Kazuho Oku)

[libh2o] fix crash when abruptly closing an HTTP/2 connection on libuv #1250 (Kazuho Oku)

[libh2o] fix memory leak of _timestamp_cache #1255 (Kazuho Oku)

[doc] restore doc of %{...}e #1252 (Kazuho Oku)

[doc] fix typo suggesting using brotli instead of br #1263 (Bogdan Khomutsky)

[misc] fix undefined behaviors detected by ubsan #1246 (Frederik Deweerdt)

Source code(tar.gz)
Source code(zip)
v2.2.0(Apr 5, 2017)
This is the first release for 2.2 series, with the following new features and bug fixes from 2.1.0.

[core] add crash-handler.wait-pipe-close parameter #1092 (Frederik Deweerdt)

[core] introduce an option to bypass the server header sent from upstream #1226 (Frederik Deweerdt)

[core] apply global- and host-level configuration to requests not applicable to any of the path-level configurations #1231 (Kazuho Oku)

[access-log] add %{remote}p for logging the remote port #1166 (Kazuho Oku)

[access-log] add support for JSON-style escapes and null #1208 (Kazuho Oku)

[access-log] add specifier for logging per-request environment variables #1221 (Yannick Koechlin)

[access-log] add support for <, > modifiers for logging either the original or the final response #1238 (Kazuho Oku)

[access-log] do not emit request-total-time twice #1017 (Kazuho Oku)

[fastcgi] fix a bug that closes the FastCGI listener socket during startup #1203 (Frederik Deweerdt)

[file] add directive for serving gzipped files, decompressing them on-the-fly #1140 (Ichito Nagata)

[headers] fix buffer overrun during startup #1180 (Frederik Deweerdt)

[http1][proxy] preserve the cases of characters used in header names #1194 (Frederik Deweerdt)

[http1][proxy] fix undefined behavior in HTTP/1 parser #1189 (Frederik Deweerdt)

[http1] stop reading from socket after sending 400 to avoid the risk of assertion failure #1223 (Frederik Deweerdt)

[http2] recognize x-http2-push-only attribute on link header #1169 (Frederik Deweerdt)

[http2] add optional timeout for closing connections upon graceful shutdown #1108 (Frederik Deweerdt)

[http2] do not ack an acked PING frame #1175 (Moto Ishisawa)

[http2] reject requests exceeding the maximum allowed size more efficiently #1183 (Frederik Deweerdt)

[mruby] remove dependenty to mkmf #1197 (Yuki Kurihara)

[mruby] correct the line number reported on an exception #1239 (Ichito Nagata)

[proxy] add directives for tweaking headers sent to upstream #1126 (Justin Zhu)

[proxy] retain case-sensitivity of unix socket paths #1131 (Frederik Deweerdt)

[proxy] add directive for controlling the via request header #1225 (Frederik Deweerdt)

[ssl] add directive for logging session ID #1164 (Yannick Koechlin)

[ssl] add support for TLS 1.3 draft-18 #1204 (Kazuho Oku)

[ssl] stop evicting session entries in memcached when they are removed from internal cache #1185 (Ichito Nagata)

[ssl] fix crash when a secp384r1, secp521r1 certificate is used with TLS 1.3 #1214 (Kazuho Oku)

[ssl] fix build failure with OpenSSL 1.1.0 #1216 (Kazuho Oku)

[ssl] add doc for handshake-timeout #1233 (Kazuho Oku)

[status] fix race condition during start-up #1242 (Frederik Deweerdt)

[libh2o] implement h2o_evloop_destroy #1200 (kazan417)

[misc] add test code for fuzzing #1174 #1182 #1191 #1192 (Frederik Deweerdt, Jonathan Foote)

[misc] fix issues reported by Coverity #1168 #1172 #1179 (Harrison Bowden, Frederik Deweerdt)

Source code(tar.gz)
Source code(zip)
v2.2.0-beta3(Mar 22, 2017)
This is a beta release of version 2.2, with following new features and improvements.

[core] introduce an option to bypass the server header sent from upstream #1226 (Frederik Deweerdt)

[core] apply global- and host-level configuration to requests not applicable to any of the path-level configurations #1231 (Kazuho Oku)

[access-log] in JSON logging, remove surrounding quotes arround null #1229 (Kazuho Oku)

[ssl] add doc for handshake-timeout #1233 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.2.0-beta2(Mar 14, 2017)
This is a beta release of version 2.2, with following new features and improvements.

[access-log] add support for JSON-style escapes and null #1208 (Kazuho Oku)

[access-log] add specifier for logging per-request environment variables #1221 (Yannick Koechlin)

[http1] stop reading from socket after sending 400 to avoid the risk of assertion failure #1223 (Frederik Deweerdt)

[proxy] add directive for controlling the via request header #1225 (Frederik Deweerdt)

[ssl] fix crash when a secp384r1, secp521r1 certificate is used with TLS 1.3 #1214 (Kazuho Oku)

[ssl] fix build failure with OpenSSL 1.1.0 #1216 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.2.0-beta1(Feb 28, 2017)
This is the first beta release of version 2.2, with following new features and improvements.

[core] add crash-handler.wait-pipe-close parameter #1092 (Frederik Deweerdt)

[access-log] do not emit request-total-time twice #1017 (Kazuho Oku)

[fastcgi] fix a bug that closes the FastCGI listener socket during startup #1203 (Frederik Deweerdt)

[file] add directive for serving gzipped files, decompressing them on-the-fly #1140 (Ichito Nagata)

[headers] fix buffer overrun during startup #1180 (Frederik Deweerdt)

[http1][proxy] preserve the cases of characters used in header names #1194 (Frederik Deweerdt)

[http1][proxy] fix undefined behavior in HTTP/1 parser #1189 (Frederik Deweerdt)

[http2] recognize x-http2-push-only attribute on link header #1169 (Frederik Deweerdt)

[http2] add optional timeout for closing connections upon graceful shutdown #1108 (Frederik Deweerdt)

[http2] do not ack an acked PING frame #1175 (Moto Ishisawa)

[http2] reject requests exceeding the maximum allowed size more efficiently #1183 (Frederik Deweerdt)

[mruby] remove dependenty to mkmf #1197 (Yuki Kurihara)

[proxy] add directives for tweaking headers sent to upstream #1126 (Justin Zhu)

[proxy] retain case-sensitivity of unix socket paths #1131 (Frederik Deweerdt)

[ssl] add directive for logging session ID #1164 (Yannick Koechlin)

[ssl] add support for TLS 1.3 draft-18 #1204 (Kazuho Oku)

[ssl] stop evicting session entries in memcached when they are removed from internal cache #1185 (Ichito Nagata)

[libh2o] implement h2o_evloop_destroy #1200 (kazan417)

[misc] add test code for fuzzing #1174 #1182 #1191 #1192 (Frederik Deweerdt, Jonathan Foote)

[misc] fix issues reported by Coverity #1168 #1172 #1179 (Harrison Bowden, Frederik Deweerdt)

Source code(tar.gz)
Source code(zip)
v2.1.0(Jan 18, 2017)
This is the first release for 2.1 series, with the following new features and bug fixes from 2.0.6.

[core] TCP latency optimization #873 #1076 (Kazuho Oku)

[core] provide tag to include other YAML files from the configuration file #1022 (Ichito Nagata)

[core] accept sequence of mappings for path-level configuration #1042 (Ichito Nagata)

[core] fix broken support for TCP Fast Open in OS X #1065 (Ichito Nagata)

[access-log] provide directive to emit request-level errors #1075 (Kazuho Oku)

[access-log] emit values of all set-cookie headers concatenated #1161 (Kazuho Oku)

[fastcgi] fix connection failure when fastcgi.spawn is used with an uid #1119 (Kazuho Oku)

[file] more pre-defined MIME types #1103 (Joe Duarte)

[http2][proxy] recognize link rel=preload headers in interim response as a trigger to push resources #916 (Kazuho Oku)

[http1][http2] validate characters used in the headers #974 #1044 (Frederik Deweerdt, Kazuho Oku)

[http1][http2] notify error downstream when an error occurred while generating a response #1031 (Frederik Deweerdt)

[http1][http2] fix resource leak upon upgrade failure to HTTP/2 #1161 (Frederik Deweerdt)

[http2] add http2-push-preload directive to turn off H2 push being initiated by link rel=preload header #929 (Kazuho Oku)

[http2] add support for cache-digest header #967 #988 (Kazuho Oku)

[http2] drop host header in HTTP/2 layer #973 #998 (Frederik Deweerdt, Kazuho Oku)

[http2] don't use etag for calculating casper cookie #986 (Kazuho Oku)

[http2] add support for H2 debug state #1019 (Ichito Nagata)

[mruby] add dos_detector mruby handler #1013 (Ichito Nagata)

[mruby] add DSL for access control lists (acl) #1016 (Ichito Nagata)

[mruby] share mruby state and constants between handlers #1032 (Ichito Nagata)

[mruby] add library for address-block-based access control #1038 (Ichito Nagata)

[proxy] add an option to connect to upstream using PROXY protocol #930 (Kazuho Oku)

[proxy] don't escape : in URI path #977 (Frederik Deweerdt)

[proxy] preserve received URLs as much as possible #985 #1071 (Frederik Deweerdt)

[proxy] add an option to prevent emiting x-forwarded-* headers #999 (Frederik Deweerdt)

[proxy] cache TLS session used for upstream connections #1053 (Ichito Nagata)

[proxy] turn on/off on-the-fly compression based on the x-compress-hint header #1085 (Frederik Deweerdt)

[ssl] set add_lock callback to prevent unnecessary lock-add-unlock #983 (Roberto Guimaraes)

[ssl] add support for OpenSSL 1.1.0 #1064 (Kazuho Oku)

[status] collect and report HTTP statistics #893 (Frederik Deweerdt)

[status] report additional stats when jemalloc is used #1017 (Frederik Deweerdt)

[throttle] add new handler for throttling the response bandwidth #917 (Justin Zhu)

[libh2o] provide h2o_rand that calls the appropriate random function depending on the OS #927 (David CARLIER)

[libh2o] do not require use of picohttpparser.h when using the HTTP/1 client #946 (Kazuho Oku)

[libh2o] install library files to the correct location #1116 (Frederik Deweerdt)

[misc] provide crash-handler directive to customize crash logging #935 (Frederik Deweerdt)

[misc] guess the default location of h2o.conf #969 (Davsid Carlier)

[misc] allow to disable libuv even when it is found #995 (Frederik Deweerdt)

[misc] add font/woff2 to the default mime-type mapping #1066 (Andy Davies)

[misc] mark JavaScript and JSON files as compressible by default #1067 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.0.6(Jan 5, 2017)
This is a bug-fix release for 2.0 series, with the following changes:

[compress] fix the compression quality being ignored #1154 (Yannick Koechlin)

[mruby] stop GIT access during build #1149 (parly)

Source code(tar.gz)
Source code(zip)
v2.1.0-beta4(Dec 21, 2016)
This is a beta release for 2.1 series, including following new features, bug fixes, and a security fix. Users of 2.1.0-beta series are encouraged to update to the latest version.

[security fix] fix use-after-free vulnerability CVE-2016-7835 #1144 (Frederik Deweerdt, Kazuho Oku)

[core] fix busy loop after receiving SIGTERM (linux) #1100 (Kazuho Oku, Frederik Deweerdt)

[core] don't try to register kevent changes more than once (*BSD, OS X) #1113 (Ichito Nagata)

[compress] set vary: accept-encoding upon negotiation failure of the compression method #1083 (Frederik Deweerdt)

[fastcgi] fix connection failure when fastcgi.spawn is used with an uid #1119 (Kazuho Oku)

[file] more pre-defined MIME types #1103 (Joe Duarte)

[file] add missing </ul> #1106 (Kazuho Oku)

[http2] fix a bug that left connections open #1090 (Kazuho Oku)

[http2] ignore PRIORITY frames that reference closed pushed streams #1105 (Frederik Deweerdt)

[http2] add Secure attribute to the casper cookie #1134 (Kazuho Oku)

[http2] permit use of HEADERS with a smaller stream ID than a preceding PRIORITY #1136 (Frederik Deweerdt, Kazuho Oku)

[mruby] update mruby to HEAD #1135 (Kazuho Oku)

[proxy] set content-length: 0 when receiving a zero-byte POST or PUT #1080 (Frederik Deweerdt)

[proxy] turn on/off on-the-fly compression based on the x-compress-hint header #1085 (Frederik Deweerdt)

[ssl] update libressl to 2.4.4 #1127 (Kazuho Oku)

[ssl] erase OCSP stapling data when the stapling updater returns a permanent failure #1117 (Kazuho Oku)

[libh2o] install library files to the correct location #1116 (Frederik Deweerdt)

Source code(tar.gz)
Source code(zip)
v2.0.5(Dec 21, 2016)
This is a bug-fix release for 2.0 series including a security fix. Users of H2O prior to version 2.0.4 are encouraged to update to 2.0.5 immediately.

[security fix] fix use-after-free vulnerability CVE-2016-7835 #1144 (Frederik Deweerdt, Kazuho Oku)

[core] fix busy loop after receiving SIGTERM (linux) #1100 (Kazuho Oku, Frederik Deweerdt)

[core] don't try to register kevent changes more than once (*BSD, OS X) #1113 (Ichito Nagata)

[compress] set vary: accept-encoding upon negotiation failure of the compression method #1083 (Frederik Deweerdt)

[file] add missing </ul> #1106 (Kazuho Oku)

[http2] fix a bug that left connections open #1090 (Kazuho Oku)

[http2] ignore PRIORITY frames that reference closed pushed streams #1105 (Frederik Deweerdt)

[http2] add Secure attribute to the casper cookie #1134 (Kazuho Oku)

[http2] permit use of HEADERS with a smaller stream ID than a preceding PRIORITY #1136 (Frederik Deweerdt, Kazuho Oku)

[mruby] update mruby to HEAD #1135 (Kazuho Oku)

[proxy] set content-length: 0 when receiving a zero-byte POST or PUT #1080 (Frederik Deweerdt)

[ssl] update libressl to 2.4.4 #1127 (Kazuho Oku)

[ssl] erase OCSP stapling data when the stapling updater returns a permanent failure #1117 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.1.0-beta3(Sep 14, 2016)
This is a beta release for 2.1 series, including following new features, bug fixes, and a security fix. Users of 2.1.0-beta series are encouraged to update to the latest version.

[security fix][core] fix DoS attack vector CVE-2016-4864 #1077 (Frederik Deweerdt, Kazuho Oku)

[core] enable TCP latency optimization by default #873 #1076 (Kazuho Oku)

[core] fix broken support for TCP Fast Open in OS X #1065 (Ichito Nagata)

[access-log] provide directive to emit request-level errors #1075 (Kazuho Oku)

[proxy] cache TLS session used for upstream connections #1053 (Ichito Nagata)

[proxy] escape NUL when rebuilding an URL #985 (Frederik Deweerdt)

[misc] add font/woff2 to the default mime-type mapping #1066 (Andy Davies)

[misc] mark JavaScript and JSON files as compressible by default #1067 (Kazuho Oku)

[libh2o] fix crash on connect timeout #960 (disigma)

Source code(tar.gz)
Source code(zip)
v2.0.4(Sep 14, 2016)
This is a bug-fix release for 2.0 series, including a bug fix and a security fix. Users of H2O prior to version 2.0.3 are encouraged to update to 2.0.4 immediately.

[security fix][core] fix DoS attack vector CVE-2016-4864 #1077 (Frederik Deweerdt, Kazuho Oku)

[libh2o] fix crash on connect timeout #960 (disigma)

Source code(tar.gz)
Source code(zip)
v2.1.0-beta2(Sep 8, 2016)
This is a beta release for 2.1 series, including following new features and bug fixes.

[core] accept sequence of mappings for path-level configuration #1042 (Ichito Nagata)

[core] provide tag to include other YAML files from the configuration file #1022 (Ichito Nagata)

[fastcgi] setenv should displace HTTP headers #996 (Kazuho Oku)

[file] don't use readdir_r on Linux, Solaris #1046 #1052 (Frederik Deweerdt, Kazuho Oku)

[http1][http2] validate characters used in the headers #974 $1044 (Frederik Deweerdt, Kazuho Oku)

[http1][http2] notify error downstream when an error occurred while generating a response #1031 (Frederik Deweerdt)

[http2] add support for cache-digest header #967 #988 (Kazuho Oku)

[http2] add support for H2 debug state #1019 (Ichito Nagata)

[http2] fix buffer overrun #972 (Frederik Deweerdt)

[http2] drop host header in HTTP/2 layer #973 #998 (Frederik Deweerdt, Kazuho Oku)

[http2] fix assertion failure: sock->super._cb.write != ((void *)0)' failed #873 #966 #976 (Kazuho Oku)

[http2] don't use etag for calculating casper cookie #986 (Kazuho Oku)

[http2] fix negative error code sent when cancelling a pushed stream #1039 (Frederik Deweerdt)

[http2] fix a bug that may cause a stream to stall #1040 (Frederik Deweerdt)

[http2] fix a bug that reset the stream when receiving HEADERS after PRIORITY #1043 (Frederik Deweerdt)

[mruby] add dos_detector mruby handler #1013 (Ichito Nagata)

[mruby] add DSL for access control lists (acl) #1016 (Ichito Nagata)

[mruby] add library for address-block-based access control #1038 (Ichito Nagata)

[mruby] share mruby state and constants between handlers #1032 (Ichito Nagata)

[mruby] fix mruby handler becoming unusable after failed connection in http_request on FreeBSD #1062 (Kazuho Oku)

[proxy] add an option to prevent emiting x-forwarded-* headers #999 (Frederik Deweerdt)

[proxy] add an option to connect to upstream using PROXY protocol #930 (Kazuho Oku)

[proxy] don't escape : in URI path #977 (Frederik Deweerdt)

[proxy] preserve received URLs as much as possible #985 (Frederik Deweerdt)

[ssl] set add_lock callback to prevent unnecessary lock-add-unlock #983 (Roberto Guimaraes)

[ssl] add support for OpenSSL 1.1.0 #1064 (Kazuho Oku)

[status] report additional stats when jemalloc is used #1017 (Frederik Deweerdt)

[misc] guess the default location of h2o.conf #969 (Davsid Carlier)

[misc] fix build error when libuv is not found #1008 (nextgenthemes)

[misc] fix assertion failure when YAML alias and merge is used in certain way #1011 (Kazuho Oku)

[misc] allow to disable libuv even when it is found #995 (Frederik Deweerdt)

Source code(tar.gz)
Source code(zip)
v2.0.3(Sep 8, 2016)
This is a bug-fix release of 2.0 series, fixing following issues found in 2.0.2.

[file] don't use readdir_r on Linux, Solaris #1046 #1052 (Frederik Deweerdt, Kazuho Oku)

[http2] fix negative error code sent when cancelling a pushed stream #1039 (Frederik Deweerdt)

[http2] fix a bug that may cause a stream to stall #1040 (Frederik Deweerdt)

[http2] fix a bug that reset the stream when receiving HEADERS after PRIORITY #1043 (Frederik Deweerdt)

[mruby] fix mruby handler becoming unusable after failed connection in http_request on FreeBSD #1062 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.0.2(Aug 2, 2016)
This is a bug-fix release of 2.0 series, fixing following issues found in 2.0.1.

[fastcgi] setenv should displace HTTP headers #996 (Kazuho Oku)

[http2] fix buffer overrun #972 (Frederik Deweerdt)

[misc] fix build error when libuv is not found #1008 (nextgenthemes)

[misc] fix assertion failure when YAML alias and merge is used in certain way #1011 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.1.0-beta1(Jun 24, 2016)
This is a beta release for 2.1 series, including following new features.

[http2][proxy] recognize link rel=preload headers in interim response as a trigger to push resources #916 (Kazuho Oku)

[http2] add http2-push-preload directive to turn off H2 push being initiated by link rel=preload header #929 (Kazuho Oku)

[http2][experimental] add feedback-based latency optimization mode #873 (Kazuho Oku)

[status] collect and report HTTP statistics #893 (Frederik Deweerdt)

[throttle] add new handler for throttling the response bandwidth #917 (Justin Zhu)

[misc] provide crash-handler directive to customize crash logging #935 (Frederik Deweerdt)

[libh2o] provide h2o_rand that calls the appropriate random function depending on the OS #927 (David CARLIER)

[libh2o] do not require use of picohttpparser.h when using the HTTP/1 client #946 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.0.1(Jun 24, 2016)
This is a bug-fix release of 2.0 series, fixing following issues found in 2.0.0.

[fastcgi] fix internal server error when PHP returns a huge header #958 (Kazuho Oku)

[http2] recognize link header containing multiple links #950 (Frederik Deweerdt)

[libh2o] fix resource leaks upon startup failure #936 (David CARLIER)

[libh2o] do not require linking to libbrotli externally #941 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.0.0(Jun 1, 2016)
This is a major update release, with following changes (including new features and bug fixes) from 1.7.3.

[core][breaking change] do not automatically append / to path-level configuration #820 (Kazuho Oku)

[core] support << in configuration file #786 (Kazuho Oku)

[core] configurable server: header #877 (Frederik Deweerdt)

[core] add directive for customizing the path of temporary buffer files #911 (Kazuho Oku)

[core] fix crash when receiving SIGTERM during start-up #878 (Frederik Deweerdt)

[core] spawn the configured number of DNS client threads #880 (Sean McArthur)

[access-log] add directive for logging protocol-specific values #801 (Kazuho Oku)

[access-log][fastcgi][mruby] per-request environment variables #868 (Kazuho Oku)

[access-log] fix memory leak during start-up #864 (Frederik Deweerdt)

[compress] on-the-fly compression using brotli, as well as directives to tune the compression parameters #802, #924 (Kazuho Oku, Frederik Deweerdt)

[compress][expires] refrain from setting redundant cache-control tokens #846 (Kazuho Oku)

[file] file.file directive for mapping specific file #822 (Kazuho Oku)

[file] send-compress directive (renamed from send-gzip) to support pre-compressed files using brotli #802 (Kazuho Oku)

[file] cache open failures #836 (Kazuho Oku)

[http2] support for nopush attribute in the link rel=preload header #863 (Satoh Hiroh)

[http2] support for push after delegation #866 (Kazuho Oku)

[http2] ignore push indications made by a pushed response #897 (Kazuho Oku)

[http2] accept capacity-bits attribute of the http2-casper configuration directive #882 (Satoh Hiroh)

[http2] avoid memcpy during HPACK huffman encoding #749 (Kazuho Oku)

[http2] fix potential stall when http2-max-concurrent-requests-per-connection is set to a small number #912 (Kazuho Oku)

[http2] refuse push a single resource more than once #903 (Kazuho Oku)

[http2] fix assertion failure when receiving more data than expected during upgrade #922 (Frederik Deweerdt)

[mruby] add $H2O_ROOT/share/h2o/mruby to the default load path #851 (Kazuho Oku)

[proxy] add support for HTTPS #875 (Kazuho Oku)

[proxy] add an configuration option to pass through x-forwarded-proto request header #883 (Kazuho Oku)

[proxy] log error when upstream connection is unexpectedly closed #895 (Frederik Deweerdt)

[ssl] update libressl to 2.2.7 #898 (Kazuho Oku)

[ssl] support ECDH curves other than P-256 #841 (Kazuho Oku)

[ssl] add support for text-based memcache protocol #854 (Kazuho Oku)

[ssl] fix memory leak when using TLS resumption with the memcached backend #856 (Kazuho Oku)

[ssl] fix "undefined subroutine" error in the OCSP updater #872 (Masayuki Matsuki)

[ssl] cap the number of OCSP updaters running concurrently #891 (Kazuho Oku)

[ssl] fix use-after-free when using session resumption with memcached backend #923 (Frederik Deweerdt)

[libh2o] add API for obtaining the socket descriptor #886 (Frederik Deweerdt)

[libh2o] add API to selectively disable automated I/O on reads and writes #890 (Frederik Deweerdt)

[libh2o] bugfix: h2o_mem_swap swaps only the first 256 bytes #924 (Frederik Deweerdt)

[status] introduce the status handler #848 (Kazuho Oku)

[misc] install examples #850 (James Rouzier)

Source code(tar.gz)
Source code(zip)
v2.0.0-beta5(May 26, 2016)
This is a new beta release for 2.0 series, including bug fixes and a security fix. Users of version 2.0.0-beta4 or earlier are encouraged to update to the latest version.

[security fix][http2] fix use-after-free on premature connection close (CVE-2016-4817) #920 (Frederik Deweerdt)

[core] fix SIGBUS when temporary disk space is full #910 (Kazuho Oku)

[core] add directive for customizing the path of temporary buffer files #911 (Kazuho Oku)

[http2] fix potential stall when http2-max-concurrent-requests-per-connection is set to a small number #912 (Kazuho Oku)

[http2] refuse push a single resource more than once #903 (Kazuho Oku)

[mruby] do not drop link header #913 (Kazuho Oku)

[mruby] fix memory leak during initialization #906 (Frederik Deweerdt)

[mruby] fix race condition in mruby regex handler #908 (Kazuho Oku)

[libh2o] fix crash in h2o_url_stringify #918 (Kazuho OKu)

Source code(tar.gz)
Source code(zip)
v1.7.3(May 26, 2016)
This is a new release for 1.7 series, including bug fixes and a security fix. Users of version 1.7.2 or earlier are encouraged to update to the latest version.

[security fix][http2] fix use-after-free on premature connection close (CVE-2016-4817) #920 (Frederik Deweerdt)

[core] fix SIGBUS when temporary disk space is full #910 (Kazuho Oku)

[mruby] do not drop link header #913 (Kazuho Oku)

[mruby] fix memory leak during initialization #906 (Frederik Deweerdt)

[mruby] fix race condition in mruby regex handler #908 (Kazuho Oku)

[libh2o] fix crash in h2o_url_stringify #918 (Kazuho OKu)

Source code(tar.gz)
Source code(zip)
v2.0.0-beta4(May 9, 2016)
This is a beta release of the 2.0 series, fixing the following issue found in 2.0.0-beta3.

[ssl] fix build issue on CentOS 7 (and others that have tolower defined as a macro) #901 (Kazuho Oku)

Source code(tar.gz)
Source code(zip)
v2.0.0-beta3(May 9, 2016)
This is a beta release of the 2.0 series, with following changes including feature additions and bug fixes. The release also updates the bundled LibreSSL to 2.2.7 that includes a fix for CVE-2016-2107.

[core] configurable server: header #877 (Frederik Deweerdt)

[core] fix crash when receiving SIGTERM during start-up #878 (Frederik Deweerdt)

[core] spawn the configured number of DNS client threads #880 (Sean McArthur)

[access-log][fastcgi][mruby] per-request environment variables #868 (Kazuho Oku)

[access-log] fix memory leak during start-up #864 (Frederik Deweerdt)

[http2] support for nopush attribute in the link rel=preload header #863 (Satoh Hiroh)

[http2] support for push after delegation #866 (Kazuho Oku)

[http2] accept capacity-bits attribute of the http2-casper configuration directive #882 (Satoh Hiroh)

[http2] ignore push indications made by a pushed response #897 (Kazuho Oku)

[proxy] add support for HTTPS #875 (Kazuho Oku)

[proxy] add an configuration option to pass through x-forwarded-proto request header #883 (Kazuho Oku)

[proxy] log error when upstream connection is unexpectedly closed #895 (Frederik Deweerdt)

[ssl] update libressl to 2.2.7 #898 (Kazuho Oku)

[ssl] add support for text-based memcache protocol #854 (Kazuho Oku)

[ssl] fix memory leak when using TLS resumption with the memcached backend #856 (Kazuho Oku)

[ssl] fix "undefined subroutine" error in the OCSP updater #872 (Masayuki Matsuki)

[ssl] cap the number of OCSP updaters running concurrently #891 (Kazuho Oku)

[libh2o] add API for obtaining the socket descriptor #886 (Frederik Deweerdt)

[libh2o] add API to selectively disable automated I/O on reads and writes #890 (Frederik Deweerdt)

Source code(tar.gz)
Source code(zip)
v1.7.2(May 9, 2016)
This is a bug-fix release of 1.7 series, fixing following issues found in 1.7.1. The release also updates the bundled LibreSSL to 2.2.7 that includes a fix for CVE-2016-2107.

[core] fix crash when receiving SIGTERM during start-up #878 (Frederik Deweerdt)

[core] spawn the configured number of DNS client threads #880 (Sean McArthur)

[http2] accept capacity-bits attribute of the http2-casper configuration directive #882 (Satoh Hiroh)

[ssl] update libressl to 2.2.7 #898 (Kazuho Oku)

[ssl] fix memory leak when using TLS resumption with the memcached backend #856 (Kazuho Oku)

[ssl] fix "undefined subroutine" error in the OCSP updater #872 (Masayuki Matsuki)

Source code(tar.gz)
Source code(zip)
v2.0.0-beta2(Mar 23, 2016)
This is a beta release of the 2.0 series, with following changes including feature additions and bug fixes.

[compress] fix potential SEGV when encoding brotli #849 (Kazuho Oku)

[compress][expires] refrain from setting redundant cache-control tokens #846 (Kazuho Oku)

[mruby] add $H2O_ROOT/share/h2o/mruby to the default load path #851 (Kazuho Oku)

[status] introduce the status handler #848 (Kazuho Oku)

[misc] install examples #850 (James Rouzier)

Source code(tar.gz)
Source code(zip)