H2O - the optimized HTTP/1, HTTP/2, HTTP/3 server

Overview

H2O - an optimized HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3 (experimental)

Copyright (c) 2014-2019 DeNA Co., Ltd., Kazuho Oku, Tatsuhiko Kubo, Domingo Alvarez Duarte, Nick Desaulniers, Marc Hörsken, Masahiro Nagano, Jeff Marrison, Daisuke Maki, Laurentiu Nicola, Justin Zhu, Tatsuhiro Tsujikawa, Ryosuke Matsumoto, Masaki TAGAWA, Masayoshi Takahashi, Chul-Woong Yang, Shota Fukumori, Satoh Hiroh, Fastly, Inc., David Carlier, Frederik Deweerdt, Jonathan Foote, Yannick Koechlin, Harrison Bowden, Kazantsev Mikhail

H2O is a new generation HTTP server. Not only is it very fast, it also provides much quicker response to end-users when compared to older generations of HTTP servers.

Written in C and licensed under the MIT License, it can also be used as a library.

For more information, please refer to the documentation at h2o.examp1e.net.

Reporting Security Issues

Please report vulnerabilities to [email protected]. See SECURITY.md for more information.

Issues
  • Change SSL config to more secure defaults:

    • Minimum TLSv1.2
    • Cipher suite default: ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
    • Switch to server preference for cipher choice

    ssllabs.com https://www.ssllabs.com/ssltest/analyze.html?d=yay.im

    This is rejecting a number of (admittedly very old) clients so we might want to loosen the defaults a bit?

    opened by deweerdt 40
  • Add some validation for headers in characters

    We add strict validation for the headers that are present in the header name and the header field. We have a special case for pseudo headers, since there's a limited list of those that are allowed.

    opened by deweerdt 34
  • h2o ad-hoc tracer

    Hello

    Here's a first proof-of-concept regarding an ad-hoc tracer for h2o based off dtrace probes. The aim was to be cost free when not attached, and still performant under load.

    I implemented a small test client for it in python using EBPF/BCC, but any language can be used really. The script is here, and would require BCC. I pasted a sample output below.

    The PR implements a communication socket to the tracing program. It allows any tracing processing to be stopped if the tracer program disconnects or crashes, and also allows some lightweight communication to filter out some events from being processed. This socket port is settable using the config below.

    Cheers !

    listen:
        port: 4321
        tracing: ON
    
    % sudo ./picotracer.py `pgrep h2o`
    >> 1553636178731756      36    SSLNew            TLSv1.3 AES256-GCM 0x7ff626ffcac0
    >> 1553636178731756      36    NewConnH2         10.0.2.15:9090 10.0.2.15:34200
    >> 1553636178731756      36    RxHeader          user-agent curl/7.64.0
    >> 1553636178731756      36    RxHeader          accept */*
    >> 1553636178731756      36    NewReq            HTTP/2 GET /assets/2.ts
    >> 1553636178731756      36    Proxy             [unix:/tmp/h2o.sock]
    >> 1553636178731756      36    ProxyTxHdr        user-agent curl/7.64.0
    >> 1553636178731756      36    ProxyTxHdr        accept */*
    >> 1553636178731756      36    ProxyNewReq       HTTP/1.1 GET /assets/2.ts
    >> 1553636178731756      36    ProxyRxHdr        date Tue, 26 Mar 2019 21:36:18 GMT
    >> 1553636178731756      36    ProxyRxHdr        content-type video/mp2t
    >> 1553636178731756      36    ProxyRxHdr        last-modified Mon, 06 Aug 2018 09:07:10 GMT
    >> 1553636178731756      36    ProxyRxHdr        etag "5b680fbe-1a8780"
    >> 1553636178731756      36    ProxyRxHdr        accept-ranges bytes
    >> 1553636178731756      36    ProxyNewRes       HTTP/1.1 200 len: 1738624
    >> 1553636178731756      36    TxHeader          date Tue, 26 Mar 2019 21:36:18 GMT
    >> 1553636178731756      36    TxHeader          content-type video/mp2t
    >> 1553636178731756      36    TxHeader          last-modified Mon, 06 Aug 2018 09:07:10 GMT
    >> 1553636178731756      36    TxHeader          etag "5b680fbe-1a8780"
    >> 1553636178731756      36    TxHeader          accept-ranges bytes
    >> 1553636178731756      36    NewRes            HTTP/2 200 len: 1738624
    
    opened by pldubouilh 29
  • Broken http/1.1 chunked body is silently relayed

    When a transfer-encoding:chunked transfer is interrupted in the backend by a connection close, H2O currently just closes the frontend stream. This makes it not possible for the client to know that it's receiving truncated data, whereas it would be possible over plain HTTP/1.1, since the last chunk would be missing - Chrome and curl both report errors on truncated HTTP/1.1 chunked transfers, FF and Safari do not, as far as I can tell -. This adds a test that checks that a broken transfer-encoding:chunked transfer is translated into a RST_STREAM over H2.

    opened by deweerdt 28
  • (h2o), uid 80: exited on signal 6

    Just a question: I sometimes get a lot of these in the kernel log messages on FreeBSD and HardenedBSD systems running h2o.

    pid 56341 (h2o), uid 80: exited on signal 6
    

    Is this to be expected? Why does it exit so often?

    Note, there is nothing to be found in the h2o error log and neither in the php-fpm.log.

    opened by utrenkner 27
  • help: mruby handler & FreeBSD

    I'm trying to wrap my head around these mruby handlers used by h2o. I'm on h2o 1.7.0 from FreeBSD ports. This is what I'm trying right now, found at https://github.com/h2o/h2o/pull/405#issuecomment-136281330

    hosts:
      default:
        paths:
          "/":
            mruby.handler: |
              H2O.return 403, "Access Forbidden", "I will never show you this!"
    

    When I try to start h2o, I get:

    Starting h2o.
    [/usr/local/etc/h2o/h2o.conf:58] unknown command: mruby.handler
    /usr/local/etc/rc.d/h2o: WARNING: failed to start h2o
    

    What am I doing wrong?

    opened by basbebe 27
  • support basic-authentication using .htpasswd

    Tasks:

    • [ ] bundle mruby-string-crypt
    • [ ] adjust http://lowreal.net/2015/11/17/1 to read the password file, and bundle it

    Format of htpasswd file is specified in https://httpd.apache.org/docs/2.2/misc/password_encryptions.html.

    relates to #203

    mruby 
    opened by kazuho 26
  • Quic protocol support

    Any plans for supporting QUIC?

    It seems that currently QUIC doesn't have a lot of changes over the HTTP2 (same HPACK, same semantics) layer; instead, its main focus is to improve upon TCP by replacing it with UDP. I wonder if you've thought about it? I'm searching for a high performance QUIC/HTTP2 webserver.

    I guess, ideally, it would be only a matter of swapping the TCP under the current HTTP implementation, with QUIC's UDP replacement. But I guess it isn't that easy? Isn't it?

    How would you do it if you were to work on it?

    Thanks.

    opened by 6D65 25
  • No error status code received while stress testing h2o

    Hello,

    I am trying to stress test h2o using h2load. Whenever a large number of requests fail, h2load doesn't report any error status codes. I suppose it is not getting the response code from h2o.

     h2load -n200000 -c1 -m100 -i ~/h2o-1.5.0-beta2/SCRIPTS/all_urls.txt
    
    
    starting benchmark...
    spawning thread #0: 1 total client(s). 200000 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Server Temp Key: ECDH P-256 256 bits
    Application protocol: h2
    progress: 10% done
    
    finished in 4.65s, 5956.86 req/s, 30.54MB/s
    requests: 200000 total, 27826 started, 200000 done, 27726 succeeded, 172274 failed, 172274 errored, 0 timeout
    status codes: 27726 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 149060220 bytes total, 1443027 bytes headers (space savings 71.53%), 147058038 bytes data
                         min         max         mean         sd        +/- sd
    time for request:     3.92ms    106.90ms     14.17ms     10.23ms    86.44%
    time for connect:     5.10ms      5.10ms      5.10ms         0us   100.00%
    time to 1st byte:    14.04ms     14.04ms     14.04ms         0us   100.00%
    req/s           :    5958.32     5958.32     5958.32        0.00   100.00%
    

    As you can see, a great many requests have failed but no error status code has been reported. Also, I'd like to ask: is it fine that a bigger bunch of requests are failing?

    opened by s0j0urn 23
  • Add channel class and task method for parallel processing in mruby

    This PR is for https://github.com/h2o/h2o/issues/1329

    TODO:

    • [x] add queue for when ch.push is called before ch.shift
    • [x] add tests
    • [x] use script to create embedded code
    opened by naritta 21
  • [http2] Server-driven priorities

    This PR adds an initial absolute priority header support based on draft-kazuho-httpbis-priority-04.

    This PR is an initial prototype and has several assumptions:

    • Back-end (e.g. file handler, reverse proxy origin) adds the priority header.
    • Request priorities from a client are modified based on back-end priority headers.
    • As for client-generated priorities, only assumes Chromium-style dependency tree (linear, weight-sorted list)
    • Only urgency parameter is interpreted. incremental parameter is ignored at the moment.
    opened by hfujita 20
  • [tls] [esni] Implement loading of ESNI keys for client and server

    This implements a handler in h2o server to load the ESNI keys and resource record.

    The h2o-httpclient has been updated as well to load and parse the DNS record, and use ESNI to connect to the server.

    The picotls changes are included here to simplify the review. When the PR is close to being finalized, those will be moved to https://github.com/h2o/picotls.

    opened by nalramli 0
  • MSG_ZEROCOPY + non-temporal stores from AES-GCM

    For sending encrypted bytes to the socket with minimal overhead in terms of both memory bandwidth and CPU clock cycles, uses MSG_ZEROCOPY and non-temporal aes-gcm engine (https://github.com/h2o/picotls/pull/384).

    Builds on top of #2993, https://github.com/h2o/picotls/pull/384.

    opened by kazuho 0
  • zero copy

    Attempt to introduce zero copy to h2o. Alternative to #2976.

    #2976 aims to introduce an asynchronous variant of flatten callback to send vectors. In contrast, this PR requires each handler to generate send vectors that would be sent, preferably non-blocking, in their own way.

    Depends on: https://github.com/h2o/picotls/pull/383.

    Configuration Knobs: This PR adds following configuration directives:

    • proxy.zero-copy: ON|OFF|ALWAYS - sets if the proxy handler should buffer received bytes in a pipe. Default is "on," which means that a pipe should be used only if data can be sent to client using a zero-copy method. (i.e., splice). When set to "always," data is buffered in a pipe regardless of what the protocol to the client is, raising the chance of h2o reading from the pipe to serialize the bytes.
    • tls-offload: OFF|ON - turns on / off TLS offload. This is experimental. At the moment, only TLS/1.3 traffic using aes-gcm can be offloaded, and it would be slower than when set to "off," unless you can offload to hardware.

    ToDos:

    • File handler:
      • [x] Define send_ callback in file handler that uses sendfile (2).
    • Proxy handler:
      • [x] On linux, read response body into pipe. Then, in the send_ callback, send data from that pipe using splice (2).
      • [x] Tune the initial read size, so that not too many bytes would be read alongside the HTTP response headers.
    • Kernel TLS:
      • [x] picotls: it turned out that software kTLS is slower, but hardware-based kTLS might help. At the moment, the code does not support Key Updates and Close Alerts, but that should be fine for experiment and probably also for ordinary use case.
    • Sendvec:
      • [x] Adjust callback API to reflect the fact that we now have vectors that do not provide random access capability (pipe-backed!). At the moment, the API allows random access, and HTTP/3 handler uses the capability to fill content upon retransmission at the QUIC layer.
    • Tests:
      • ~~Resurrect some from #2976, as well as adding more.~~ Use of zero copy in the file handler and reverse proxy use-case is now covered by existing tests. The tests added to #2976 are either specific to io_uring or pull vector + file truncation. We do not need the former in this PR, we will have a separate PR for the latter.

    Following items are planned to be addressed in a separate PR:

    • File handler:
      • [ ] Generate send vectors in a non-blocking manner, by "splice"-ing the file to a pipe on io_uring. Then, in the send_ callback, that pipe would be "splice"-ed to a socket. This is not going to be an overhead; that's what sendfile (2) does internally!
    • HTTP/2:
      • [ ] use h2o_socket_sendvec so that zero copy would be used when available
    • socket:
      • [ ] ktls with OpenSSL: as we expect performance improvement, even when software kTLS is used.
      • [ ] Handle Key Update, pending https://github.com/h2o/picotls/pull/383.
      • [ ] MSG_ZEROCOPY.
      • [ ] picotls - encrypt-in-place, to lessen pressure on cache and memory bus.
    opened by kazuho 0
  • [CI] build curl with http3 support and add `curl_supports_http3()` to t/Util.pm

    There are cases where we'd like to use curl instead of h2o-httpclient in testing HTTP/3 features. For example, curl supports trailers but h2o-httpclient does not.

    This PR adds http3 support to curl in Ubuntu 20.04 images.

    opened by gfx 0
Releases(v2.3.0-beta2)
  • v2.3.0-beta2(Aug 13, 2019)

    This is the beta release of the 2.3 series with following changes from 2.3.0-beta1, including one vulnerability fix.

    • [security fix][http2] fix HTTP/2 DoS attack vectors CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 #2090 (Kazuho Oku)
    • [access-log] add support for logging to unix sockets #1746 (Frederik Deweerdt)
    • [access-log][proxy] rename key names of proxy timings #2082 (Ichito Nagata)
    • [file] add if-range header support #1751 (Lingmo Zhu)
    • [compress] extend x-compress-hint to be able to force either gzip or br compression #1808 (Frederik Deweerdt)
    • [compress][brotli] ensure there's a minimal good buffer size #1824 (Frederik Deweerdt)
    • [core] server timing tiny improvements #1818 (Ichito Nagata)
    • [core] flexible timeouts #1840 (Kazuho Oku)
    • [core] stop applying filters multiple times #1891 (Ichito Nagata)
    • [core] remove redundancy in how token index is determined #1903 (Kazuho Oku)
    • [core] use ALPN_ENTRY uniformly. #1987 (Masanori Ogino)
    • [core] allow to specify a list of CPUs to bind H2O to #2017 (Frederik Deweerdt)
    • [doc] fix for ssl_setup function in some libh2o examples #1802 (Byoungwoo Song)
    • [doc] improve documentation about extension property #2047 (Martin Michel)
    • [http1][http2] fix broken trailers issue #1798 (Ichito Nagata)
    • [http1] move chunked encoding code to http1 protocol handler #1819 (Ichito Nagata)
    • [http1] fix broken memory problem on keepalived connection #1823 (Ichito Nagata)
    • [http1] update picohttpparser and reject multiline headers #1933 (Ichito Nagata)
    • [http1] HTTP/1: handle the absolute url form #1941 (Frederik Deweerdt)
    • [http1] streaming request bodies #2007 (Frederik Deweerdt)
    • [http1] optional H1 behavior to forward connection closure #2015 (Toru Maesaka)
    • [http2] ORIGIN frame #1199 (Frederik Deweerdt)
    • [http2] http2client #1549 (Ichito Nagata)
    • [http2] http2-allow-cross-origin-push #1801 (Frederik Deweerdt)
    • [http2] :path pseudo header field cannot be empty #1822 (Ichito Nagata)
    • [http2] expose HPACK primitives #1845 (Kazuho Oku)
    • [http2] nitpicks in the HTTP2 response header parsing #1868 (Kazuho Oku)
    • [http2] forward content-length from upstream #1875 (Ichito Nagata)
    • [http2] don't push a path if a connection is closing. #1902 (Frederik Deweerdt)
    • [http2] don't call h2o_http2_conn_request_write from emit_writereq_of_openref (Frederik Deweerdt)
    • [http2] retain prioritization information for closed streams #1924 (Frederik Deweerdt)
    • [http2] HTTP/2 priorities fixes #1934 (Frederik Deweerdt)
    • [http2] fix failed assertion in update_stream_output_window #1951 (Frederik Deweerdt)
    • [http2] make sure the connection is registered with the stream before calling on_connect #1979 (Frederik Deweerdt)
    • [http2] h2o_http2_conn_unregister_stream assert on shutdown #2000 (Frederik Deweerdt)
    • [mime] update mimemap for .deb, .dll, .exe, .rar, .udeb and .zst. #1985 (Masanori Ogino)
    • [mime] support for USDZ MIME type for iOS 12 Safari #1861 (Kenta Moriuchi)
    • [mime] add MIME types for 3D models (GeoJSON, glTF) (Kenta Moriuchi)
    • [mruby] send early hints from mruby #1767 (Ichito Nagata)
    • [mruby] update mruby to 1.4.1 as well as the mrbgems #1778 (Kazuho Oku)
    • [mruby] use mrb_data_get_ptr to handle irregular cases in ruby layer #1794 (Ichito Nagata)
    • [mruby] prometheus middleware #1892 (Ichito Nagata)
    • [mruby] fix an invalid memory access by an mruby middleware #1945 (Toru Maesaka)
    • [mruby] fix heap-use-after-free bug of http_request #1975 (Ichito Nagata)
    • [mruby] fix invalid read on the stack #2003 (Frederik Deweerdt)
    • [proxy] forward broken chunk encoding to clients when upstream closes before sending anything #2070 (Frederik Deweerdt)
    • [ssl] check more errors returned by libcrypto #1797 (Kazuho Oku)
    • [ssl] more ssl stats #1837 (Ichito Nagata)
    • [ssl] support TLS 1.3 final #1844 (Kazuho Oku)
    • [ssl] send TLS alert on handshake failure when recent versions of OpenSSL is used #1872 (Kazuho Oku)
    • [ssl] use openssl crypto for the key exchange #1870 (Frederik Deweerdt)
    • [ssl] handle KeyUpdate #1882 (Kazuho Oku)
    • [ssl] fix session resumption (client-side) when used with OpenSSL 1.1.1 #2088 (Roberto Guimaraes)
    • [status] avoid redundant registration of status handlers #1815 (Kazuho Oku)
    • [libh2o] fix broken trailers issue #1798 (Ichito Nagata)
    • [libh2o] add header flags #1832 (Ichito Nagata)
    • [libh2o] client protocol abstraction #1855 (Kazuho Oku)
    • [libh2o] add an API to get the underlying socket from an httpclient #1957 (Toru Maesaka)
    • [libh2o] add application/xml to the is_compressible mime types #2016 (Uwe Trenkner)
    • [libh2o] fix issue in 'h2o_perror' about 'strerror_r' #2022 (Baodong Chen)
    • [libh2o] fix prototype for 'h2o_fatal' and replace 'abort(3)' with it #2020 (Baodong Chen)
    • [libh2o] install httpclient as part of h2o #2027 (Kazuho Oku)
    • [libh2o] add an h2o_now_nanosec() func to the Event Loop API #2053 (Toru Maesaka)
    • [libh2o] socket: Add h2o_socket_get_ssl_server_name() #2054 (Remi Gacogne)
    • [libh2o] keep track of mmap failures #2065 (Toru Maesaka)
    • [libh2o] split up the buffer reservation API #2031 (Toru Maesaka)
    • [libh2o] don't store the socket in the socket pool when unnecessary #2073 (Frederik Deweerdt)
    • [libh2o] expose bytes_written from httpclient #2080 (Ichito Nagata)
    • [libh2o] implement H2O_MULTITHREAD_ONCE #2086 (Kazuho Oku)
    • [misc] fix leased socket counting in socketpool #1750 (Lingmo Zhu)
    • [misc] knob to tune disk-based memory allocation threshold #1820 (Ricardo Nabinger Sanchez)
    • [misc] fuzzer target fix for FreeBSD #1862 (David Carlier)
    • [misc] clean up buildchain linuxisms & update FreeBSD URLs #1813 (Dave Cottlehuber)
    • [misc] minor facebook/infer 0.15.0 finds #1885 (Frederik Deweerdt)
    • [misc] httpclient misc changes #1877 (Ichito Nagata)
    • [misc] enables support of ccache #1905 (Lars K.W. Gohlke)
    • [misc] pass travis flag to docker and sudo #1908 (Pierre Dubouilh)
    • [misc] pass proper timeout value to uv_timer_start #1911 (Ichito Nagata)
    • [misc] refine socket pool entry timeout #1923 (Baodong Chen)
    • [misc] fix build error under Android O for boringssl #1960 (Baodong Chen)
    • [misc] fix compiler error under android O #1961 (Baodong Chen)
    • [misc] use predefined function 'h2o_socket_is_reading|writing' #1973 (Baodong Chen)
    • [misc] add 'H2O_ERROR_PRINTF' macro, default is 'fprintf(stderr,...)' #2008 (Baodong Chen)
  • v2.2.6(Aug 13, 2019)

    This is a bug-fix release of the 2.2 series with following changes from 2.2.5, including a vulnerability fix.

    • [security fix][http2] fix HTTP/2 DoS attack vectors CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 #2090 (Kazuho Oku)
  • v2.3.0-beta1(Jun 2, 2018)

    This is the first beta release of version 2.3 series. Changes from version 2.2.5 are as follows.

    • [core] forbid empty path string in configuration #1506 (Ichito Nagata)
    • [core] use eventfd instead of pipe on linux #1533 (Baodong Chen)
    • [core] remove redundancy #1568 #1569 #1584 #1596 (Baodong Chen)
    • [core] !env for respecting environment variables from the configuration file #1524 (Yannick Koechlin)
    • [core] avoid copying vector when calling writev #1600 (Kazuho Oku)
    • [core] alignment-aware allocation from memory pool #1605 (Baodong Chen)
    • [core] stash directive for storing arbitrary YAML data #1739 (Ichito Nagata)
    • [access-log] log connections that closed prior to sending a response #1235 (Kazuho Oku)
    • [compress] update brotli to 1.0.2 #1523 (Kazuho Oku)
    • [fastcgi] accept default as a keyword of the extensions attribute #1414 (Ichito Nagata)
    • [fastcgi] add verbose mode to fastcgi-cgi gateway #1466 (Kazuho Oku)
    • [fastcgi][mruby][proxy] do not delay sending the headers until some chunk of body becomes available #1508 (Ichito Nagata)
    • [http1][http2] support for server-timing #1646 #1717 (Ichito Nagata)
    • [http1][http2] forward informational responses #1727 (Ichito Nagata)
    • [http2] support critical attribute in preload link header #1436 (Kazuho Oku, Frederik Deweerdt)
    • [http2] continue to process active streams after sending GOAWAY upon graceful shutdown #1556 (Ichito Nagata)
    • [mime] more predefined types #1398 #1632 #1708 #1723 (Jxck, proyb6, OGINO Masanori)
    • [mime] mark /+json as compressible #1709 (OGINO Masanori)
    • [mruby] Rack middleware support #1217 (Ichito Nagata)
    • [mruby] allow running asynchronous operations unbounded to the Rack request being processed #1173 (Ichito Nagata)
    • [mruby] add channel class and task method for parallel processing #1336 (Ritta Narita)
    • [mruby] implement sleep #1348 (Ichito Nagata)
    • [mruby] implement Digest::SHA256 #1387 (Kazuho Oku)
    • [mruby] add option to specify mrbgem dependencies out of tree #1446 (Satoshi Tagomori)
    • [mruby] on exception, emit filenames and consistent line number of embedded mruby code #1537 (Satoshi Tagomori)
    • [mruby] introduce client-warning header for error notification #1562 (Ichito Nagata)
    • [mruby] allow fiber switch in constructor #1574 (Kazuho Oku)
    • [mruby] fix crash when the rack handler returns a non-number status code #1576 (Kazuho Oku)
    • [mruby] add support for redis #1152 (Ichito Nagata)
    • [mruby] replace iijson with mattn-json #1684 (Yannick Koechlin, Kazuho Oku)
    • [mruby] update mruby and modules #1462 #1685
    • [proxy] load balancing support (round-robin, least-conn) #1277 #1361 (Justin Zhu)
    • [proxy] cap the amount of request body being buffered #1357 (Frederik Deweerdt)
    • [proxy] cap the amount of response body being buffered #1358 (Frederik Deweerdt)
    • [proxy] introduce separate timeouts for connection establishment and first-byte #1402 (Frederik Deweerdt)
    • [proxy] forward the error to the client when upstream closes the connection abruptly #1490 (Ichito Nagata)
    • [proxy] add option to skip supplementation of a Date header #1495 (Frederik Deweerdt)
    • [proxy] do not abort when receiving an invalid transfer-encoding header from upstream #1688 (Ichito Nagata)
    • [reproxy] connection pooling for reproxy #1434 (Ichito Nagata)
    • [ssl] support redis as a data store for session cache / ticket #1087 (Ichito Nagata)
    • [ssl] unbundle libressl #1546 (Kazuho Oku)
    • [ssl] add support for 425 Too Early status code #1344 (Kazuho Oku)
    • [libh2o] enable ECDH in the example server #1602 (Varbin)
    • [libh2o] emit less system calls in websocket #1590 (Baodong Chen)
    • [libh2o] build examples using evloop #1589 (Baodong Chen)
    • [libh2o] add API to release thread-local data #1624 (Baodong Chen)
    • [libh2o] h2o_gettimeofday to obtain current time in microsecond order #1726 (Ichito Nagata)
    • [misc] include process id in crash backtrace #1254 (Kazuho Oku)
    • [misc] backtracing for BSD #1503 (Frederik Deweerdt)
    • [misc] fix build issues for Android #1521 (Joel Winarske)
    • [misc] switch to Docker-based CI #1551 #1580 (Kazuho Oku)
  • v2.2.5(Jun 1, 2018)

    This is a bug-fix release of the 2.2 series with following changes from 2.2.4, including one vulnerability fix.

    • [security fix][access-log] fix buffer overflow CVE-2018-0608 #1775 (Frederik Deweerdt)
    • [fastcgi] index file name must be part of SCRIPT_NAME #1650 (Ichito Nagata)
    • [http2] do not compress cookies less than 20 bytes long #1389 (Julien Benoist)
    • [http2] stop opening new push streams after receiving GOAWAY #1555 (Ichito Nagata)
    • [http2] fix conformance issues #1579 #1582 #1599 (Kazuho Oku)
    • [mruby] drop the link rel=preload header with a x-http2-push-only attribute #1310 (Frederik Deweerdt)
    • [mruby] allow loading a file that shares the basename with one of the preloaded files #1662 (Ichito Nagata)
    • [proxy] fix I/O error when receiving multiple informational responses #1716 (Frederik Deweerdt)
    • [ssl] fix bug that prevents record size growing to maximum when latency optimization is disabled #1545 (Ichito Nagata)
    • [ssl] fix compatibility issues with libressl 2.7 #1707 (AIZAWA Hina)
    • [ssl] update picotls to support TLS 1.3 draft-26 #1718 (Kazuho Oku)
  • v2.2.4(Dec 15, 2017)

    This is a bug-fix release of the 2.2 series, including two vulnerability fixes.

    • [security fix][access-log][ssl] fix crash when logging TLS 1.3 properties CVE-2017-10872 #1543 (MITSUNARI Shigeo)
    • [security fix][http2] fix crash when handling malformed HTTP/2 request CVE-2017-10908 #1544 (Kazuho Oku)
    • [access-log][compress] %b should log the amount of data sent after compression #1478 (Ichito Nagata)
    • [fastcgi][misc] respect H2O_PERL environment variable in share/h2o/setuidgid #1518 (Kazuho Oku)
    • [mime] fix Opus mimetype #1522 (Alex)
    • [mruby] fix runtime issue that prevents a closed variable from getting updated #1464 (Tatsushi Demachi)
    • [mruby] keep PATH_INFO undecoded #1480 (Ichito Nagata)
    • [mruby] fix keepalive not being used when the response to http_request is directly returned #1489 (Ichito Nagata)
    • [mruby] fix offset overflow of SCRIPT_INFO and PATH_INFO #1502 (Ichito Nagata)
    • [proxy][ssl] fix pointer corruption when connecting to origin via https (big-endian only) #1475 (Kazuho Oku)
    • [proxy] omit network I/O when handling internal redirect between hosts mapped to different ports #1498 (Ichito Nagata)
    • [ssl] fix crash on s390 (and possibly on other big-endian machines) #1474 (Apollon Oikonomopoulos)
    • [websocket] do not send upgrade header twice #1463 (Yamagishi Kazutoshi)
  • v2.2.3(Oct 19, 2017)

    This is a bug-fix release of the 2.2 series, including two vulnerability fixes.

    • [security fix][http1] fix crash when receiving request with invalid framing CVE-2017-10868 #1459 (Frederik Deweerdt)
    • [security fix][proxy] fix stack overflow when sending huge request body to upstream CVE-2017-10869 #1460 (Frederik Deweerdt)
    • [core] disable buffering of stdout, stderr #1347 (Yannick Koechlin)
    • [expires] fix incorrect header emitted when units: month or year were used #1406 (Frederik Deweerdt)
    • [fastcgi] never return 304 if the file is a dynamic handler #1385 (Kazuho Oku)
    • [mime] flush all existing mapping when file.mime.settypes is used #1416 (Ichito Nagata)
    • [mruby] update mruby and modules #1320 #1338 #1413
    • [mruby] expose SERVER_PROTOCOL #1353 (Frederik Deweerdt)
    • [mruby] properly handle content-less response #1430 (Ichito Nagata)
    • [proxy] do not drop the Date request header #1408 (Ichito Nagata)
    • [ssl] fix deadlock during lazy initialization #1425 (Apollon Oikonomopoulos)
    • [ssl] fix epoll-related crashes on OCSP updates #1427 (Apollon Oikonomopoulos)
    • [ssl] avoid spurious session ticket renewals #1444 (Apollon Oikonomopoulos)
    • [websocket] fix bug that might drop the first websocket frame #1276 (wuhanck)
    • [libh2o] clear OpenSSL's error queue before using it #1448 (Apollon Oikonomopoulos)
    • [doc] add documentation of duration-stats #1306 (Frederik Deweerdt)
    • [misc] fix build issues on OpenIndiana #1300 (David Carlier)
    • [misc] build on platforms without 64-bit atomics #1433 (Apollon Oikonomopoulos)
  • v2.2.2(Apr 23, 2017)

    This is a bug-fix release for 2.2 series, fixing the following regression found in 2.2.1.

    • [ssl] fix OCSP stapling error when LibreSSL is used #1275 (Ian Moone)
  • v2.2.1(Apr 22, 2017)

    This is a bug-fix release for 2.2 series, fixing the following issues found in 2.2.0.

    • [mruby] correct the line number reported on an exception #1239 #1251 (Ichito Nagata)
    • [mruby] retain the order of request headers sharing a single name #1271 (Kazuho Oku)
    • [ssl] fix assertion failure in decode_ssl_input #1264 (Kazuho Oku)
    • [ssl] fix OCSP stapling error when OpenSSL 1.1.0 is used #1270 (Kazuho Oku)
    • [libh2o] fix crash when abruptly closing an HTTP/2 connection on libuv #1250 (Kazuho Oku)
    • [libh2o] fix memory leak of _timestamp_cache #1255 (Kazuho Oku)
    • [doc] restore doc of %{...}e #1252 (Kazuho Oku)
    • [doc] fix typo suggesting using brotli instead of br #1263 (Bogdan Khomutsky)
    • [misc] fix undefined behaviors detected by ubsan #1246 (Frederik Deweerdt)
  • v2.2.0(Apr 5, 2017)

    This is the first release for 2.2 series, with the following new features and bug fixes from 2.1.0.

    • [core] add crash-handler.wait-pipe-close parameter #1092 (Frederik Deweerdt)
    • [core] introduce an option to bypass the server header sent from upstream #1226 (Frederik Deweerdt)
    • [core] apply global- and host-level configuration to requests not applicable to any of the path-level configurations #1231 (Kazuho Oku)
    • [access-log] add %{remote}p for logging the remote port #1166 (Kazuho Oku)
    • [access-log] add support for JSON-style escapes and null #1208 (Kazuho Oku)
    • [access-log] add specifier for logging per-request environment variables #1221 (Yannick Koechlin)
    • [access-log] add support for <, > modifiers for logging either the original or the final response #1238 (Kazuho Oku)
    • [access-log] do not emit request-total-time twice #1017 (Kazuho Oku)
    • [fastcgi] fix a bug that closes the FastCGI listener socket during startup #1203 (Frederik Deweerdt)
    • [file] add directive for serving gzipped files, decompressing them on-the-fly #1140 (Ichito Nagata)
    • [headers] fix buffer overrun during startup #1180 (Frederik Deweerdt)
    • [http1][proxy] preserve the cases of characters used in header names #1194 (Frederik Deweerdt)
    • [http1][proxy] fix undefined behavior in HTTP/1 parser #1189 (Frederik Deweerdt)
    • [http1] stop reading from socket after sending 400 to avoid the risk of assertion failure #1223 (Frederik Deweerdt)
    • [http2] recognize x-http2-push-only attribute on link header #1169 (Frederik Deweerdt)
    • [http2] add optional timeout for closing connections upon graceful shutdown #1108 (Frederik Deweerdt)
    • [http2] do not ack an acked PING frame #1175 (Moto Ishisawa)
    • [http2] reject requests exceeding the maximum allowed size more efficiently #1183 (Frederik Deweerdt)
    • [mruby] remove dependency to mkmf #1197 (Yuki Kurihara)
    • [mruby] correct the line number reported on an exception #1239 (Ichito Nagata)
    • [proxy] add directives for tweaking headers sent to upstream #1126 (Justin Zhu)
    • [proxy] retain case-sensitivity of unix socket paths #1131 (Frederik Deweerdt)
    • [proxy] add directive for controlling the via request header #1225 (Frederik Deweerdt)
    • [ssl] add directive for logging session ID #1164 (Yannick Koechlin)
    • [ssl] add support for TLS 1.3 draft-18 #1204 (Kazuho Oku)
    • [ssl] stop evicting session entries in memcached when they are removed from internal cache #1185 (Ichito Nagata)
    • [ssl] fix crash when a secp384r1, secp521r1 certificate is used with TLS 1.3 #1214 (Kazuho Oku)
    • [ssl] fix build failure with OpenSSL 1.1.0 #1216 (Kazuho Oku)
    • [ssl] add doc for handshake-timeout #1233 (Kazuho Oku)
    • [status] fix race condition during start-up #1242 (Frederik Deweerdt)
    • [libh2o] implement h2o_evloop_destroy #1200 (kazan417)
    • [misc] add test code for fuzzing #1174 #1182 #1191 #1192 (Frederik Deweerdt, Jonathan Foote)
    • [misc] fix issues reported by Coverity #1168 #1172 #1179 (Harrison Bowden, Frederik Deweerdt)
  • v2.2.0-beta3(Mar 22, 2017)

    This is a beta release of version 2.2, with the following new features and improvements.

    • [core] introduce an option to bypass the server header sent from upstream #1226 (Frederik Deweerdt)
    • [core] apply global- and host-level configuration to requests not applicable to any of the path-level configurations #1231 (Kazuho Oku)
    • [access-log] in JSON logging, remove surrounding quotes around null #1229 (Kazuho Oku)
    • [ssl] add doc for handshake-timeout #1233 (Kazuho Oku)
  • v2.2.0-beta2(Mar 14, 2017)

    This is a beta release of version 2.2, with the following new features and improvements.

    • [access-log] add support for JSON-style escapes and null #1208 (Kazuho Oku)
    • [access-log] add specifier for logging per-request environment variables #1221 (Yannick Koechlin)
    • [http1] stop reading from socket after sending 400 to avoid the risk of assertion failure #1223 (Frederik Deweerdt)
    • [proxy] add directive for controlling the via request header #1225 (Frederik Deweerdt)
    • [ssl] fix crash when a secp384r1, secp521r1 certificate is used with TLS 1.3 #1214 (Kazuho Oku)
    • [ssl] fix build failure with OpenSSL 1.1.0 #1216 (Kazuho Oku)
  • v2.2.0-beta1(Feb 28, 2017)

    This is the first beta release of version 2.2, with the following new features and improvements.

    • [core] add crash-handler.wait-pipe-close parameter #1092 (Frederik Deweerdt)
    • [access-log] do not emit request-total-time twice #1017 (Kazuho Oku)
    • [fastcgi] fix a bug that closes the FastCGI listener socket during startup #1203 (Frederik Deweerdt)
    • [file] add directive for serving gzipped files, decompressing them on-the-fly #1140 (Ichito Nagata)
    • [headers] fix buffer overrun during startup #1180 (Frederik Deweerdt)
    • [http1][proxy] preserve the cases of characters used in header names #1194 (Frederik Deweerdt)
    • [http1][proxy] fix undefined behavior in HTTP/1 parser #1189 (Frederik Deweerdt)
    • [http2] recognize x-http2-push-only attribute on link header #1169 (Frederik Deweerdt)
    • [http2] add optional timeout for closing connections upon graceful shutdown #1108 (Frederik Deweerdt)
    • [http2] do not ack an acked PING frame #1175 (Moto Ishisawa)
    • [http2] reject requests exceeding the maximum allowed size more efficiently #1183 (Frederik Deweerdt)
    • [mruby] remove dependency to mkmf #1197 (Yuki Kurihara)
    • [proxy] add directives for tweaking headers sent to upstream #1126 (Justin Zhu)
    • [proxy] retain case-sensitivity of unix socket paths #1131 (Frederik Deweerdt)
    • [ssl] add directive for logging session ID #1164 (Yannick Koechlin)
    • [ssl] add support for TLS 1.3 draft-18 #1204 (Kazuho Oku)
    • [ssl] stop evicting session entries in memcached when they are removed from internal cache #1185 (Ichito Nagata)
    • [libh2o] implement h2o_evloop_destroy #1200 (kazan417)
    • [misc] add test code for fuzzing #1174 #1182 #1191 #1192 (Frederik Deweerdt, Jonathan Foote)
    • [misc] fix issues reported by Coverity #1168 #1172 #1179 (Harrison Bowden, Frederik Deweerdt)
  • v2.1.0(Jan 18, 2017)

    This is the first release for 2.1 series, with the following new features and bug fixes from 2.0.6.

    • [core] TCP latency optimization #873 #1076 (Kazuho Oku)
    • [core] provide tag to include other YAML files from the configuration file #1022 (Ichito Nagata)
    • [core] accept sequence of mappings for path-level configuration #1042 (Ichito Nagata)
    • [core] fix broken support for TCP Fast Open in OS X #1065 (Ichito Nagata)
    • [access-log] provide directive to emit request-level errors #1075 (Kazuho Oku)
    • [access-log] emit values of all set-cookie headers concatenated #1161 (Kazuho Oku)
    • [fastcgi] fix connection failure when fastcgi.spawn is used with a uid #1119 (Kazuho Oku)
    • [file] more pre-defined MIME types #1103 (Joe Duarte)
    • [http2][proxy] recognize link rel=preload headers in interim response as a trigger to push resources #916 (Kazuho Oku)
    • [http1][http2] validate characters used in the headers #974 #1044 (Frederik Deweerdt, Kazuho Oku)
    • [http1][http2] notify error downstream when an error occurred while generating a response #1031 (Frederik Deweerdt)
    • [http1][http2] fix resource leak upon upgrade failure to HTTP/2 #1161 (Frederik Deweerdt)
    • [http2] add http2-push-preload directive to turn off H2 push being initiated by link rel=preload header #929 (Kazuho Oku)
    • [http2] add support for cache-digest header #967 #988 (Kazuho Oku)
    • [http2] drop host header in HTTP/2 layer #973 #998 (Frederik Deweerdt, Kazuho Oku)
    • [http2] don't use etag for calculating casper cookie #986 (Kazuho Oku)
    • [http2] add support for H2 debug state #1019 (Ichito Nagata)
    • [mruby] add dos_detector mruby handler #1013 (Ichito Nagata)
    • [mruby] add DSL for access control lists (acl) #1016 (Ichito Nagata)
    • [mruby] share mruby state and constants between handlers #1032 (Ichito Nagata)
    • [mruby] add library for address-block-based access control #1038 (Ichito Nagata)
    • [proxy] add an option to connect to upstream using PROXY protocol #930 (Kazuho Oku)
    • [proxy] don't escape : in URI path #977 (Frederik Deweerdt)
    • [proxy] preserve received URLs as much as possible #985 #1071 (Frederik Deweerdt)
    • [proxy] add an option to prevent emitting x-forwarded-* headers #999 (Frederik Deweerdt)
    • [proxy] cache TLS session used for upstream connections #1053 (Ichito Nagata)
    • [proxy] turn on/off on-the-fly compression based on the x-compress-hint header #1085 (Frederik Deweerdt)
    • [ssl] set add_lock callback to prevent unnecessary lock-add-unlock #983 (Roberto Guimaraes)
    • [ssl] add support for OpenSSL 1.1.0 #1064 (Kazuho Oku)
    • [status] collect and report HTTP statistics #893 (Frederik Deweerdt)
    • [status] report additional stats when jemalloc is used #1017 (Frederik Deweerdt)
    • [throttle] add new handler for throttling the response bandwidth #917 (Justin Zhu)
    • [libh2o] provide h2o_rand that calls the appropriate random function depending on the OS #927 (David CARLIER)
    • [libh2o] do not require use of picohttpparser.h when using the HTTP/1 client #946 (Kazuho Oku)
    • [libh2o] install library files to the correct location #1116 (Frederik Deweerdt)
    • [misc] provide crash-handler directive to customize crash logging #935 (Frederik Deweerdt)
    • [misc] guess the default location of h2o.conf #969 (David Carlier)
    • [misc] allow to disable libuv even when it is found #995 (Frederik Deweerdt)
    • [misc] add font/woff2 to the default mime-type mapping #1066 (Andy Davies)
    • [misc] mark JavaScript and JSON files as compressible by default #1067 (Kazuho Oku)
  • v2.0.6(Jan 5, 2017)

    This is a bug-fix release for 2.0 series, with the following changes:

    • [compress] fix the compression quality being ignored #1154 (Yannick Koechlin)
    • [mruby] stop GIT access during build #1149 (parly)
  • v2.1.0-beta4(Dec 21, 2016)

    This is a beta release for 2.1 series, including the following new features, bug fixes, and a security fix. Users of 2.1.0-beta series are encouraged to update to the latest version.

    • [security fix] fix use-after-free vulnerability CVE-2016-7835 #1144 (Frederik Deweerdt, Kazuho Oku)
    • [core] fix busy loop after receiving SIGTERM (linux) #1100 (Kazuho Oku, Frederik Deweerdt)
    • [core] don't try to register kevent changes more than once (*BSD, OS X) #1113 (Ichito Nagata)
    • [compress] set vary: accept-encoding upon negotiation failure of the compression method #1083 (Frederik Deweerdt)
    • [fastcgi] fix connection failure when fastcgi.spawn is used with a uid #1119 (Kazuho Oku)
    • [file] more pre-defined MIME types #1103 (Joe Duarte)
    • [file] add missing </ul> #1106 (Kazuho Oku)
    • [http2] fix a bug that left connections open #1090 (Kazuho Oku)
    • [http2] ignore PRIORITY frames that reference closed pushed streams #1105 (Frederik Deweerdt)
    • [http2] add Secure attribute to the casper cookie #1134 (Kazuho Oku)
    • [http2] permit use of HEADERS with a smaller stream ID than a preceding PRIORITY #1136 (Frederik Deweerdt, Kazuho Oku)
    • [mruby] update mruby to HEAD #1135 (Kazuho Oku)
    • [proxy] set content-length: 0 when receiving a zero-byte POST or PUT #1080 (Frederik Deweerdt)
    • [proxy] turn on/off on-the-fly compression based on the x-compress-hint header #1085 (Frederik Deweerdt)
    • [ssl] update libressl to 2.4.4 #1127 (Kazuho Oku)
    • [ssl] erase OCSP stapling data when the stapling updater returns a permanent failure #1117 (Kazuho Oku)
    • [libh2o] install library files to the correct location #1116 (Frederik Deweerdt)
  • v2.0.5(Dec 21, 2016)

    This is a bug-fix release for 2.0 series including a security fix. Users of H2O prior to version 2.0.4 are encouraged to update to 2.0.5 immediately.

    • [security fix] fix use-after-free vulnerability CVE-2016-7835 #1144 (Frederik Deweerdt, Kazuho Oku)
    • [core] fix busy loop after receiving SIGTERM (linux) #1100 (Kazuho Oku, Frederik Deweerdt)
    • [core] don't try to register kevent changes more than once (*BSD, OS X) #1113 (Ichito Nagata)
    • [compress] set vary: accept-encoding upon negotiation failure of the compression method #1083 (Frederik Deweerdt)
    • [file] add missing </ul> #1106 (Kazuho Oku)
    • [http2] fix a bug that left connections open #1090 (Kazuho Oku)
    • [http2] ignore PRIORITY frames that reference closed pushed streams #1105 (Frederik Deweerdt)
    • [http2] add Secure attribute to the casper cookie #1134 (Kazuho Oku)
    • [http2] permit use of HEADERS with a smaller stream ID than a preceding PRIORITY #1136 (Frederik Deweerdt, Kazuho Oku)
    • [mruby] update mruby to HEAD #1135 (Kazuho Oku)
    • [proxy] set content-length: 0 when receiving a zero-byte POST or PUT #1080 (Frederik Deweerdt)
    • [ssl] update libressl to 2.4.4 #1127 (Kazuho Oku)
    • [ssl] erase OCSP stapling data when the stapling updater returns a permanent failure #1117 (Kazuho Oku)
  • v2.1.0-beta3(Sep 14, 2016)

    This is a beta release for 2.1 series, including the following new features, bug fixes, and a security fix. Users of 2.1.0-beta series are encouraged to update to the latest version.

    • [security fix][core] fix DoS attack vector CVE-2016-4864 #1077 (Frederik Deweerdt, Kazuho Oku)
    • [core] enable TCP latency optimization by default #873 #1076 (Kazuho Oku)
    • [core] fix broken support for TCP Fast Open in OS X #1065 (Ichito Nagata)
    • [access-log] provide directive to emit request-level errors #1075 (Kazuho Oku)
    • [proxy] cache TLS session used for upstream connections #1053 (Ichito Nagata)
    • [proxy] escape NUL when rebuilding a URL #985 (Frederik Deweerdt)
    • [misc] add font/woff2 to the default mime-type mapping #1066 (Andy Davies)
    • [misc] mark JavaScript and JSON files as compressible by default #1067 (Kazuho Oku)
    • [libh2o] fix crash on connect timeout #960 (disigma)
  • v2.0.4(Sep 14, 2016)

    This is a bug-fix release for 2.0 series, including a bug fix and a security fix. Users of H2O prior to version 2.0.3 are encouraged to update to 2.0.4 immediately.

    • [security fix][core] fix DoS attack vector CVE-2016-4864 #1077 (Frederik Deweerdt, Kazuho Oku)
    • [libh2o] fix crash on connect timeout #960 (disigma)
  • v2.1.0-beta2(Sep 8, 2016)

    This is a beta release for 2.1 series, including the following new features and bug fixes.

    • [core] accept sequence of mappings for path-level configuration #1042 (Ichito Nagata)
    • [core] provide tag to include other YAML files from the configuration file #1022 (Ichito Nagata)
    • [fastcgi] setenv should displace HTTP headers #996 (Kazuho Oku)
    • [file] don't use readdir_r on Linux, Solaris #1046 #1052 (Frederik Deweerdt, Kazuho Oku)
    • [http1][http2] validate characters used in the headers #974 #1044 (Frederik Deweerdt, Kazuho Oku)
    • [http1][http2] notify error downstream when an error occurred while generating a response #1031 (Frederik Deweerdt)
    • [http2] add support for cache-digest header #967 #988 (Kazuho Oku)
    • [http2] add support for H2 debug state #1019 (Ichito Nagata)
    • [http2] fix buffer overrun #972 (Frederik Deweerdt)
    • [http2] drop host header in HTTP/2 layer #973 #998 (Frederik Deweerdt, Kazuho Oku)
    • [http2] fix assertion failure: `sock->super._cb.write != ((void *)0)' failed #873 #966 #976 (Kazuho Oku)
    • [http2] don't use etag for calculating casper cookie #986 (Kazuho Oku)
    • [http2] fix negative error code sent when cancelling a pushed stream #1039 (Frederik Deweerdt)
    • [http2] fix a bug that may cause a stream to stall #1040 (Frederik Deweerdt)
    • [http2] fix a bug that reset the stream when receiving HEADERS after PRIORITY #1043 (Frederik Deweerdt)
    • [mruby] add dos_detector mruby handler #1013 (Ichito Nagata)
    • [mruby] add DSL for access control lists (acl) #1016 (Ichito Nagata)
    • [mruby] add library for address-block-based access control #1038 (Ichito Nagata)
    • [mruby] share mruby state and constants between handlers #1032 (Ichito Nagata)
    • [mruby] fix mruby handler becoming unusable after failed connection in http_request on FreeBSD #1062 (Kazuho Oku)
    • [proxy] add an option to prevent emitting x-forwarded-* headers #999 (Frederik Deweerdt)
    • [proxy] add an option to connect to upstream using PROXY protocol #930 (Kazuho Oku)
    • [proxy] don't escape : in URI path #977 (Frederik Deweerdt)
    • [proxy] preserve received URLs as much as possible #985 (Frederik Deweerdt)
    • [ssl] set add_lock callback to prevent unnecessary lock-add-unlock #983 (Roberto Guimaraes)
    • [ssl] add support for OpenSSL 1.1.0 #1064 (Kazuho Oku)
    • [status] report additional stats when jemalloc is used #1017 (Frederik Deweerdt)
    • [misc] guess the default location of h2o.conf #969 (David Carlier)
    • [misc] fix build error when libuv is not found #1008 (nextgenthemes)
    • [misc] fix assertion failure when YAML alias and merge is used in certain way #1011 (Kazuho Oku)
    • [misc] allow to disable libuv even when it is found #995 (Frederik Deweerdt)
  • v2.0.3(Sep 8, 2016)

    This is a bug-fix release of 2.0 series, fixing the following issues found in 2.0.2.

    • [file] don't use readdir_r on Linux, Solaris #1046 #1052 (Frederik Deweerdt, Kazuho Oku)
    • [http2] fix negative error code sent when cancelling a pushed stream #1039 (Frederik Deweerdt)
    • [http2] fix a bug that may cause a stream to stall #1040 (Frederik Deweerdt)
    • [http2] fix a bug that reset the stream when receiving HEADERS after PRIORITY #1043 (Frederik Deweerdt)
    • [mruby] fix mruby handler becoming unusable after failed connection in http_request on FreeBSD #1062 (Kazuho Oku)
  • v2.0.2(Aug 2, 2016)

    This is a bug-fix release of 2.0 series, fixing the following issues found in 2.0.1.

    • [fastcgi] setenv should displace HTTP headers #996 (Kazuho Oku)
    • [http2] fix buffer overrun #972 (Frederik Deweerdt)
    • [misc] fix build error when libuv is not found #1008 (nextgenthemes)
    • [misc] fix assertion failure when YAML alias and merge is used in certain way #1011 (Kazuho Oku)
  • v2.1.0-beta1(Jun 24, 2016)

    This is a beta release for 2.1 series, including the following new features.

    • [http2][proxy] recognize link rel=preload headers in interim response as a trigger to push resources #916 (Kazuho Oku)
    • [http2] add http2-push-preload directive to turn off H2 push being initiated by link rel=preload header #929 (Kazuho Oku)
    • [http2][experimental] add feedback-based latency optimization mode #873 (Kazuho Oku)
    • [status] collect and report HTTP statistics #893 (Frederik Deweerdt)
    • [throttle] add new handler for throttling the response bandwidth #917 (Justin Zhu)
    • [misc] provide crash-handler directive to customize crash logging #935 (Frederik Deweerdt)
    • [libh2o] provide h2o_rand that calls the appropriate random function depending on the OS #927 (David CARLIER)
    • [libh2o] do not require use of picohttpparser.h when using the HTTP/1 client #946 (Kazuho Oku)
  • v2.0.1(Jun 24, 2016)

    This is a bug-fix release of 2.0 series, fixing the following issues found in 2.0.0.

    • [fastcgi] fix internal server error when PHP returns a huge header #958 (Kazuho Oku)
    • [http2] recognize link header containing multiple links #950 (Frederik Deweerdt)
    • [libh2o] fix resource leaks upon startup failure #936 (David CARLIER)
    • [libh2o] do not require linking to libbrotli externally #941 (Kazuho Oku)
  • v2.0.0(Jun 1, 2016)

    This is a major update release, with the following changes (including new features and bug fixes) from 1.7.3.

    • [core][breaking change] do not automatically append / to path-level configuration #820 (Kazuho Oku)
    • [core] support << in configuration file #786 (Kazuho Oku)
    • [core] configurable server: header #877 (Frederik Deweerdt)
    • [core] add directive for customizing the path of temporary buffer files #911 (Kazuho Oku)
    • [core] fix crash when receiving SIGTERM during start-up #878 (Frederik Deweerdt)
    • [core] spawn the configured number of DNS client threads #880 (Sean McArthur)
    • [access-log] add directive for logging protocol-specific values #801 (Kazuho Oku)
    • [access-log][fastcgi][mruby] per-request environment variables #868 (Kazuho Oku)
    • [access-log] fix memory leak during start-up #864 (Frederik Deweerdt)
    • [compress] on-the-fly compression using brotli, as well as directives to tune the compression parameters #802, #924 (Kazuho Oku, Frederik Deweerdt)
    • [compress][expires] refrain from setting redundant cache-control tokens #846 (Kazuho Oku)
    • [file] file.file directive for mapping specific file #822 (Kazuho Oku)
    • [file] send-compress directive (renamed from send-gzip) to support pre-compressed files using brotli #802 (Kazuho Oku)
    • [file] cache open failures #836 (Kazuho Oku)
    • [http2] support for nopush attribute in the link rel=preload header #863 (Satoh Hiroh)
    • [http2] support for push after delegation #866 (Kazuho Oku)
    • [http2] ignore push indications made by a pushed response #897 (Kazuho Oku)
    • [http2] accept capacity-bits attribute of the http2-casper configuration directive #882 (Satoh Hiroh)
    • [http2] avoid memcpy during HPACK huffman encoding #749 (Kazuho Oku)
    • [http2] fix potential stall when http2-max-concurrent-requests-per-connection is set to a small number #912 (Kazuho Oku)
    • [http2] refuse to push a single resource more than once #903 (Kazuho Oku)
    • [http2] fix assertion failure when receiving more data than expected during upgrade #922 (Frederik Deweerdt)
    • [mruby] add $H2O_ROOT/share/h2o/mruby to the default load path #851 (Kazuho Oku)
    • [proxy] add support for HTTPS #875 (Kazuho Oku)
    • [proxy] add a configuration option to pass through x-forwarded-proto request header #883 (Kazuho Oku)
    • [proxy] log error when upstream connection is unexpectedly closed #895 (Frederik Deweerdt)
    • [ssl] update libressl to 2.2.7 #898 (Kazuho Oku)
    • [ssl] support ECDH curves other than P-256 #841 (Kazuho Oku)
    • [ssl] add support for text-based memcache protocol #854 (Kazuho Oku)
    • [ssl] fix memory leak when using TLS resumption with the memcached backend #856 (Kazuho Oku)
    • [ssl] fix "undefined subroutine" error in the OCSP updater #872 (Masayuki Matsuki)
    • [ssl] cap the number of OCSP updaters running concurrently #891 (Kazuho Oku)
    • [ssl] fix use-after-free when using session resumption with memcached backend #923 (Frederik Deweerdt)
    • [libh2o] add API for obtaining the socket descriptor #886 (Frederik Deweerdt)
    • [libh2o] add API to selectively disable automated I/O on reads and writes #890 (Frederik Deweerdt)
    • [libh2o] bugfix: h2o_mem_swap swaps only the first 256 bytes #924 (Frederik Deweerdt)
    • [status] introduce the status handler #848 (Kazuho Oku)
    • [misc] install examples #850 (James Rouzier)
  • v2.0.0-beta5(May 26, 2016)

    This is a new beta release for 2.0 series, including bug fixes and a security fix. Users of version 2.0.0-beta4 or earlier are encouraged to update to the latest version.

    • [security fix][http2] fix use-after-free on premature connection close (CVE-2016-4817) #920 (Frederik Deweerdt)
    • [core] fix SIGBUS when temporary disk space is full #910 (Kazuho Oku)
    • [core] add directive for customizing the path of temporary buffer files #911 (Kazuho Oku)
    • [http2] fix potential stall when http2-max-concurrent-requests-per-connection is set to a small number #912 (Kazuho Oku)
    • [http2] refuse to push a single resource more than once #903 (Kazuho Oku)
    • [mruby] do not drop link header #913 (Kazuho Oku)
    • [mruby] fix memory leak during initialization #906 (Frederik Deweerdt)
    • [mruby] fix race condition in mruby regex handler #908 (Kazuho Oku)
    • [libh2o] fix crash in h2o_url_stringify #918 (Kazuho Oku)
  • v1.7.3(May 26, 2016)

    This is a new release for 1.7 series, including bug fixes and a security fix. Users of version 1.7.2 or earlier are encouraged to update to the latest version.

    • [security fix][http2] fix use-after-free on premature connection close (CVE-2016-4817) #920 (Frederik Deweerdt)
    • [core] fix SIGBUS when temporary disk space is full #910 (Kazuho Oku)
    • [mruby] do not drop link header #913 (Kazuho Oku)
    • [mruby] fix memory leak during initialization #906 (Frederik Deweerdt)
    • [mruby] fix race condition in mruby regex handler #908 (Kazuho Oku)
    • [libh2o] fix crash in h2o_url_stringify #918 (Kazuho Oku)
  • v2.0.0-beta4(May 9, 2016)

    This is a beta release of the 2.0 series, fixing the following issue found in 2.0.0-beta3.

    • [ssl] fix build issue on CentOS 7 (and others that have tolower defined as a macro) #901 (Kazuho Oku)
  • v2.0.0-beta3(May 9, 2016)

    This is a beta release of the 2.0 series, with the following changes, including feature additions and bug fixes. The release also updates the bundled LibreSSL to 2.2.7, which includes a fix for CVE-2016-2107.

    • [core] configurable server: header #877 (Frederik Deweerdt)
    • [core] fix crash when receiving SIGTERM during start-up #878 (Frederik Deweerdt)
    • [core] spawn the configured number of DNS client threads #880 (Sean McArthur)
    • [access-log][fastcgi][mruby] per-request environment variables #868 (Kazuho Oku)
    • [access-log] fix memory leak during start-up #864 (Frederik Deweerdt)
    • [http2] support for nopush attribute in the link rel=preload header #863 (Satoh Hiroh)
    • [http2] support for push after delegation #866 (Kazuho Oku)
    • [http2] accept capacity-bits attribute of the http2-casper configuration directive #882 (Satoh Hiroh)
    • [http2] ignore push indications made by a pushed response #897 (Kazuho Oku)
    • [proxy] add support for HTTPS #875 (Kazuho Oku)
    • [proxy] add a configuration option to pass through x-forwarded-proto request header #883 (Kazuho Oku)
    • [proxy] log error when upstream connection is unexpectedly closed #895 (Frederik Deweerdt)
    • [ssl] update libressl to 2.2.7 #898 (Kazuho Oku)
    • [ssl] add support for text-based memcache protocol #854 (Kazuho Oku)
    • [ssl] fix memory leak when using TLS resumption with the memcached backend #856 (Kazuho Oku)
    • [ssl] fix "undefined subroutine" error in the OCSP updater #872 (Masayuki Matsuki)
    • [ssl] cap the number of OCSP updaters running concurrently #891 (Kazuho Oku)
    • [libh2o] add API for obtaining the socket descriptor #886 (Frederik Deweerdt)
    • [libh2o] add API to selectively disable automated I/O on reads and writes #890 (Frederik Deweerdt)
  • v1.7.2(May 9, 2016)

    This is a bug-fix release of 1.7 series, fixing the following issues found in 1.7.1. The release also updates the bundled LibreSSL to 2.2.7, which includes a fix for CVE-2016-2107.

    • [core] fix crash when receiving SIGTERM during start-up #878 (Frederik Deweerdt)
    • [core] spawn the configured number of DNS client threads #880 (Sean McArthur)
    • [http2] accept capacity-bits attribute of the http2-casper configuration directive #882 (Satoh Hiroh)
    • [ssl] update libressl to 2.2.7 #898 (Kazuho Oku)
    • [ssl] fix memory leak when using TLS resumption with the memcached backend #856 (Kazuho Oku)
    • [ssl] fix "undefined subroutine" error in the OCSP updater #872 (Masayuki Matsuki)
  • v2.0.0-beta2(Mar 23, 2016)

    This is a beta release of the 2.0 series, with the following changes, including feature additions and bug fixes.

    • [compress] fix potential SEGV when encoding brotli #849 (Kazuho Oku)
    • [compress][expires] refrain from setting redundant cache-control tokens #846 (Kazuho Oku)
    • [mruby] add $H2O_ROOT/share/h2o/mruby to the default load path #851 (Kazuho Oku)
    • [status] introduce the status handler #848 (Kazuho Oku)
    • [misc] install examples #850 (James Rouzier)