Apache HTTPD 2.4.55

Changes with Apache 2.4.55

*) mod_dav: Open the lock database read-only when possible. PR 36636 [Wilson Felipe wfelipe gmail.com, manu]

*) mod_proxy_http2: apply the standard httpd content type handling to responses from the backend, as other proxy modules do. Fixes PR 66391. Thanks to Jérôme Billiras for providing the patch. [Stefan Eissing]

*) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981 [Basant Kumar Kukreja basant.kukreja sun.com, Alejandro Alvarez alejandro.alvarez.ayllon cern.ch]

*) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]

*) mod_http2: version 2.0.10 of the module, synchronizing changes with the gitgub version. This is a partial rewrite of how connections and streams are handled.
- an APR pollset and pipes (where supported) are used to monitor the main connection and react to IO for request/response handling. This replaces the stuttered timed waits of earlier versions.
- H2SerializeHeaders directive still exists, but has no longer an effect. - Clients that seemingly misbehave still get less resources allocated, but ongoing requests are no longer disrupted.
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests were overwritten instead of preserved. [PR by @daum3ns]
- A regression in v1.15.24 was fixed that could lead to httpd child processes not being terminated on a graceful reload or when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall. See #212.
- Improved information displayed in 'server-status' for H2 connections when Extended Status is enabled. Now one can see the last request that IO operations happened on and transferred IO stats are updated as well.
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection send a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client failing the request. See PR65731 at https://bz.apache.org/bugzilla/show_bug.cgi?id=65731. The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is being announced.
- :scheme pseudo-header values, not matching the connection scheme, are forwarded via absolute uris to the http protocol processing to preserve semantics of the request. Checks on combinations of pseudo-headers values/absence have been added as described in RFC 7540. Fixes #230.
- A bug that prevented trailers (e.g. HEADER frame at the end) to be generated in certain cases was fixed. See #233 where it prevented gRPC responses to be properly generated.
- Request and response header values are automatically stripped of leading and trialing space/tab characters. This is equivalent behaviour to what Apache httpd's http/1.1 parser does. The checks for this in nghttp2 v1.50.0+ are disabled.
- Extensive testing in production done by Alessandro Bianchi (@alexskynet) on the v2.0.x versions for stability. Many thanks!

*) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when request ':authority' is known. Improved test case that did not catch that the previous 'fix' was incorrect.

*) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]

*) mod_proxy: The AH03408 warning for a forcibly closed backend connection is now logged at INFO level. [Yann Ylavic]

*) mod_ssl: When dumping the configuration, the existence of certificate/key files is no longer tested. [Joe Orton]

*) mod_authn_core: Add expression support to AuthName and AuthType. [Graham Leggett]

*) mod_ssl: when a proxy connection had handled a request using SSL, an error was logged when "SSLProxyEngine" was only configured in the location/proxy section and not the overall server. The connection continued to work, the error log was in error. Fixed PR66190. [Stefan Eissing]

*) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302. [Alessandro Cavaliere alessandro.cavalier7 unibo.it]

*) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300. [Alessandro Cavaliere alessandro.cavalier7 unibo.it]

*) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]

*) mod_md: a new directive `MDStoreLocks` can be used on cluster setups with a shared file system for `MDStoreDir` to order activation of renewed certificates when several cluster nodes are restarted at the same time. Store locks are not enabled by default. Restored curl_easy cleanup behaviour from v2.4.14 and refactored the use of curl_multi for OCSP requests to work with that. Fixes https://github.com/icing/mod_md/issues/293.

*) core: Avoid an overflow on large inputs in ap_is_matchexp. PR 66033 [Ruediger Pluem]

*) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based storage instead of slotmem. Needed after setting HeartbeatMaxServers default to the documented value 10 in 2.4.54. PR 66131. [Jérôme Billiras]

*) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery This is a game changer for performances if client use PROPFIND a lot, PR 66313. [Emmanuel Dreyfus]

Release 2.4.55 · apache/httpd