- bump PORTREVISON (fix changes config_vars.mk that is used to build third party modules)
PR: 215594
Submitted by: Marcelo Araujo
MFH: 2016Q4
Sponsored by: iXsystems
- backport r1719967
mod_ssl: fix build with openssl < 0.9.8m (missing semicolon).
This release also contains the patch for FreeBSD PR 204304
Make the fix for fully qualifying REDIRECT_URL from PR#57785 opt-in.
http://svn.apache.org/viewvc?view=revision&revision=1712268
Changes with Apache 2.4.18
*) mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection
if conn_rec itself holds no valid SSLConnRec*. Fixes PR58666.
[Stefan Eissing]
*) mod_http2: connection level window for flow control is set to protocol
maximum of 2GB-1, preventing window exhaustion when sending data on many
streams with higher cumulative window size.
Reducing write frequency unless push promises need to be flushed.
[Stefan Eissing]
*) mod_http2: required minimum version of libnghttp2 is 1.2.1
[Stefan Eissing]
*) mod_proxy_fdpass: Fix AH01153 error when using the default configuration.
In earlier version of httpd, you can explicitelly set the 'flusher' parameter
to 'flush' as a workaround. (i.e. flusher=flush)
Add documentation for the 'flusher' parameter when defining a proxy worker.
[Christophe Jaillet]
*) mod_ssl: For the "SSLStaplingReturnResponderErrors off" case, make sure
to only staple responses with certificate status "good". [Kaspar Brand]
*) mod_http2: new directive 'H2PushPriority' to allow priority specifications
on server pushed streams according to their content-type.
[Stefan Eissing]
*) mod_http2: fixes crash on connection abort for a busy connection.
fixes crash on a request that did not produce any response.
[Stefan Eissing]
*) mod_http2: trailers are sent after reponse body if set in request_rec
trailers_out before the end-of-request bucket is sent through the
output filters. [Stefan Eissing]
*) mod_http2: incoming trailers (headers after request body) are properly
forwarded to the processing engine. [Stefan Eissing]
*) mod_http2: new directive 'H2Push' to en-/disable HTTP/2 server
pushes a server/virtual host. Pushes are initiated by the presence
of 'Link:' headers with relation 'preload' on a response. [Stefan Eissing]
*) mod_http2: write performance of http2 improved for larger resources,
especially static files. [Stefan Eissing]
*) core: if the first HTTP/1.1 request on a connection goes to a server that
prefers different protocols, these protocols are announced in a Upgrade:
header on the response, mentioning the preferred protocols.
[Stefan Eissing]
*) mod_http2: new directives 'H2TLSWarmUpSize' and 'H2TLSCoolDownSecs'
to control TLS record sizes during connection lifetime.
[Stefan Eissing]
*) mod_http2: new directive 'H2ModernTLSOnly' to enforce security
requirements of RFC 7540 on TLS connections. [Stefan Eissing]
*) core: add ap_get_protocol_upgrades() to retrieve the list of protocols
that a client could possibly upgrade to. Use in first request on a
connection to announce protocol choices. [Stefan Eissing]
*) mod_http2: reworked deallocation on connection shutdown and worker
abort. Separate parent pool for all workers. worker threads are joined
on planned worker shutdown. [Yann Ylavic, Stefan Eissing]
*) mod_ssl: when receiving requests for other virtual hosts than the handshake
server, the SSL parameters are checked for equality. With equal
configuration, requests are passed for processing. Any change will trigger
the old behaviour of "421 Misdirected Request".
SSL now remembers the cipher suite that was used for the last handshake.
This is compared against for any vhost/directory cipher specification.
Detailed examination of renegotiation is only done when these do not
match.
Renegotiation is 403ed when a master connection is present. Exact reason
is given additionally in a request note. [Stefan Eissing]
*) core: Fix scoreboard crash (SIGBUS) on hardware requiring strict 64bit
alignment (SPARC64, PPC64). [Yann Ylavic]
*) mod_cache: Accept HT (Horizontal Tab) when parsing cache related header
fields as described in RFC7230. [Christophe Jaillet]
*) core/util_script: making REDIRECT_URL a full URL is now opt-in
via new 'QualifyRedirectURL' directive.
*) core: Limit to ten the number of tolerated empty lines between request,
and consume them before the pipelining check to avoid possible response
delay when reading the next request without flushing. [Yann Ylavic]
*) mod_ssl: Extend expression parser registration to support ssl variables
in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function
syntax "ssl(VARNAME)". [Rainer Jung]
PR: 204304
with head apache@
- change MPM backend from static to dynamic,
but keep mpm_prefork for compatiblity with e.g. php modules
- install dedicated MPM load file in case httpd was build with modular MPM
(modules.d/000_mpm_prefork_fallback.conf)
- disable SSLv3 and SSLv2 fallback in sample httpd-ssl-conf
- use @sample macro instead EXAMPLESDIR
- add some SSLCipherSuite examples for OpenSSL >= 1.0.x
- add libressl support [1]
- add pkg-install script (to handle new modular MPM build)
- build now most all modules, so users using packages don't have
to run a custom build for missing modules
- fix suexec mode
PR: 196139 [1]
MFH: 2015Q1
The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.
The 2.x branch of Apache Web Server includes several improvements like
threading, use of APR, native IPv6 and SSL support, and many more.
WWW: http://httpd.apache.org/
Note:
Since apache24 does not enable every module by default in httpd.conf the
list of modules to build was preselected to match build param
--enable-modules=most
MPM selection is now an OPTION also if the MPM is build statically or
dynamically. In the later case all modules are build/installed but only
the selected MPM has an entry in httpd.conf (see apache issue 53882)
Per default the MPM prefork (static) will be build, to get the best
compatibility.
Custom variants like itk/peruser are not supported at the moment.
Port based on my work prototype from the apache@ list and patch from
PR 174617
with hat apache@
PR: 174617
Submitted by: <swall@redcom.com>
