Wednesday, March 23, 2016

H2O version 2.0.0-beta2 released, with a new "status" handler

Today I am happy to announce the release of H2O HTTP/2 server version 2.0.0-beta2.

The release comes with a new status handler that shows the HTTP requests in flight. Now you can monitor what's going on inside H2O!

Some notable features are:
  • both HTTP/1 and HTTP/2 requests are shown
  • HTTP/2 priorities are shown
  • the screen can be updated automatically by clicking the Refresh checkbox

Under the hood, the status is served via a JSON API (lib/handler/status.c L169) and rendered by a static HTML document (share/h2o/status/index.html), so it is easy for anyone to extend the status page, or to retrieve and use the status from another program.

The documentation of the status handler can be found here.

Thursday, March 17, 2016

File-level mapping introduced in H2O version 2.0

As the developer of H2O, one of the complaints I hear most often is the inability to define a mapping for a specific path (rather than a directory). Finally, we have a fix for the issue, and that is why the next release will be given the number 2.0.

Starting from H2O version 2.0.0-beta1, it is possible to write a configuration like the following. The example maps all requests to a FastCGI server, with the exception of /robots.txt and /favicon.ico, which are served statically.
    paths:
      # everything not matched by a more specific path below goes to the FastCGI server
      "/":
        fastcgi.connect:
          port: /tmp/fcgi.sock
          type: unix
      # file-level mappings: a single file served for a single path
      "/robots.txt":
        file.file: /path/to/robots.txt
      "/favicon.ico":
        file.file: /path/to/favicon.png
Pretty straightforward, isn't it?

For details, please refer to the updated documentation of paths directive, or refer to the discussion in the pull request.

Tuesday, March 15, 2016

H2O HTTP/2 server goes 2.0 adding support for Brotli

Today, I am happy to announce the release of H2O version 2.0.0-beta1, the first release of the 2.0 series. In the release, we have added support for Brotli in two ways.

For those who do not know, Brotli is a new compression method developed by Google. It is said to compress files ~20% smaller than gzip, which means less bandwidth consumed and faster rendering on the client side. Mozilla has already added support for Brotli in Firefox 44, and Chrome is gradually turning the knob on as well.

Starting with H2O version 2.0.0-beta1, when the file.send-compressed directive is set to ON, the server sends the file with a .br or .gz suffix in place of the file being requested, should such a file exist. For example, if index.html is requested with an Accept-Encoding: br request header and the corresponding file with the .br suffix exists, the server sends the contents of that file as the response, with the Content-Encoding: br response header set. If the client is capable of decompressing both algorithms and both the .br and the .gz file exist, the .br file is selected as the response.
# send pre-compressed files (.br or .gz)
file.send-compressed: ON
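Since file.send-compressed only serves pre-compressed siblings that already exist on disk, something has to produce them. The script below is an added example, not code from H2O or from this post: it walks a document root and writes the .gz (and, when the brotli command-line tool is installed, the .br) variant next to each text-like asset, dropping any variant that is not actually smaller than the original. The sample document root it builds is constructed for the demonstration; the file-type list and the gzip/brotli quality settings are assumptions.

```shell
#!/bin/sh
# Added example (not part of H2O or the post): produce the .gz and .br
# siblings that file.send-compressed serves. Assumes the gzip CLI; the
# brotli CLI is used only when installed, so hosts without it still get
# the gzip variant. The sample docroot contents below are constructed.
set -eu

# Keep a compressed variant only if it is smaller than the original;
# otherwise delete it so the server falls back to the plain file.
keep_if_smaller() {
  size=$(wc -c < "$1" | tr -d ' ')
  if [ "$size" -ge "$2" ]; then
    rm -f "$1"
  fi
}

# Write FILE.gz (and FILE.br when brotli is available) next to FILE.
# "gzip -n" omits the name/timestamp from the header so rebuilds are reproducible.
precompress_file() {
  orig=$(wc -c < "$1" | tr -d ' ')
  gzip -9 -n -c "$1" > "$1.gz"
  keep_if_smaller "$1.gz" "$orig"
  if command -v brotli >/dev/null 2>&1; then
    brotli -q 11 -c "$1" > "$1.br"
    keep_if_smaller "$1.br" "$orig"
  fi
}

# Precompress text-like assets under DIR. Formats that are already
# compressed (png, jpg, woff2, ...) gain nothing and are left alone.
precompress_dir() {
  find "$1" -type f \( -name '*.html' -o -name '*.css' -o -name '*.js' \
      -o -name '*.svg' -o -name '*.json' -o -name '*.txt' \) |
  while IFS= read -r f; do
    precompress_file "$f"
  done
}

# Constructed sample docroot: one highly compressible page, one file too
# small to benefit from compression, and one image that must be skipped.
DOCROOT=$(mktemp -d)
i=0
while [ "$i" -lt 500 ]; do
  echo "<li>item $i</li>"
  i=$((i + 1))
done > "$DOCROOT/index.html"
printf 'hi\n' > "$DOCROOT/tiny.txt"
printf '\211PNG\r\n' > "$DOCROOT/logo.png"

precompress_dir "$DOCROOT"
ls -l "$DOCROOT"
```

Run it against the real document root instead of the constructed one and H2O will pick up index.html.gz (or index.html.br) automatically; tiny.txt gets no sibling because the gzip container alone outweighs the three-byte payload, which is exactly the case where sending the plain file is the better choice.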

The other directive, compress, controls on-the-fly compression. When turned on, it compresses the response as it is being sent to the client, using either brotli or gzip depending on the configuration and browser support. This can be used for compressing output from PHP and other dynamically generated content.
# perform on-the-fly compression (brotli or gzip)
compress: [ brotli, gzip ]
Server administrators may also be interested in fine-tuning the quality of the compression methods. The following configuration sets the compression quality of brotli to 4 and of gzip to 6, a setting suggested by Understanding Brotli's Potential - The Akamai Blog. Compression speed becomes about half that of the default (1 for both gzip and brotli), but the compressed content is expected to be ~15% smaller for both methods.
# perform more effective (but CPU-intensive) compression
compress:
  brotli: 4
  gzip:   6

In my upcoming blogposts I will cover other changes in the 2.0 release of H2O. Stay tuned!

Friday, March 11, 2016

H2O version 1.7.1 released

Today we have shipped version 1.7.1 of the H2O HTTP/2 server.

It includes several bug fixes and stability improvements from 1.7.0. Users of existing versions are recommended to upgrade to 1.7.1.

Please refer to the Changelog of 1.7.1 for details.

Wednesday, February 10, 2016

Operating a private CA with Name Constraints

Web browsers increasingly enable new features only over HTTPS, so I want to use HTTPS in development environments too. But buying a server certificate for a development environment is a hassle. Let's Encrypt is tedious to operate, issuing certificates for servers that are reachable only from inside the company is difficult, and so on... and that is where a private CA using Name Constraints comes in.

What Name Constraints are is as I wrote earlier in Proper operation of a home-grown CA and Name Constraints.

This article describes the procedure for operating a CA that uses Name Constraints.

1. Creating the CA key and certificate

1.1. Create the CA's private key
% openssl genrsa -out ca.key 2048

1.2. Add a section to openssl.cnf that specifies the attributes to be set in the CA certificate

1.3. Create the CA certificate
% openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -extensions private_ca

2. Create the directory for certificate management
% mkdir -p demoCA/newcerts
% touch demoCA/index.txt
% echo 00 > demoCA/serial

3. Receive a certificate signing request and issue the certificate
% openssl ca -keyfile ca.key -cert ca.crt \
  -extensions usr_cert -policy policy_anything -days 365 \
  -md sha256 -in -out
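To show the whole procedure working together, here is an added example that is not the author's own files: a script that runs steps 1 through 3 in a scratch directory and then checks that the constraint actually bites, by issuing one certificate inside the permitted subtree and one outside it and running openssl verify against both. The openssl.cnf contents (in particular the private_ca section, which the post does not reproduce), the permitted domain .internal.example.test, the hostnames and all file names are assumptions; the CSR is created with -addext, which needs OpenSSL 1.1.1 or later, and copy_extensions is used so the subjectAltName from the CSR ends up in the certificate.

```shell
#!/bin/sh
# Added example (not the blog author's files): the Name Constraints CA
# procedure run end to end in a scratch directory, followed by a check
# that the constraint is enforced at validation time. The openssl.cnf
# contents, the permitted domain and all file names are assumptions.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Step 1.2: the openssl.cnf sections. "private_ca" is used for the CA
# certificate and carries a critical Name Constraints extension, so this
# CA can only vouch for hosts under .internal.example.test even if its
# key leaks. "usr_cert" is used for issued server certificates.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Private Dev CA

[ private_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
nameConstraints        = critical, permitted;DNS:.internal.example.test

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./demoCA
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
default_md      = sha256
policy          = policy_anything
copy_extensions = copy
unique_subject  = no

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
EOF

# Steps 1.1 and 1.3: CA private key and self-signed CA certificate.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -config openssl.cnf -extensions private_ca

# Step 2: the database directory that "openssl ca" expects.
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo 01 > demoCA/serial

# Step 3: issue a server certificate for hostname $1. The hostname goes
# into the CSR as a subjectAltName and is copied into the certificate.
issue_cert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -config openssl.cnf \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" -out "$1.csr"
  openssl ca -batch -config openssl.cnf -keyfile ca.key -cert ca.crt \
    -extensions usr_cert -policy policy_anything -days 365 \
    -md sha256 -notext -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

# Returns 0 only when $1.crt chains to ca.crt AND satisfies its Name Constraints.
verify_cert() {
  openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
}

issue_cert dev.internal.example.test   # inside the permitted subtree
issue_cert www.example.com             # outside it: signing succeeds, validation must not

for host in dev.internal.example.test www.example.com; do
  if verify_cert "$host"; then
    echo "$host: accepted"
  else
    echo "$host: rejected (Name Constraints violation)"
  fi
done
```

Note that openssl ca signs the out-of-scope certificate without complaint: Name Constraints are enforced by the relying party's path validation, not by the issuing tool, which is why the final verify step belongs in any deployment checklist for such a CA.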



Friday, February 5, 2016

H2O HTTP/2 server 1.7.0 released; added a new benchmark

Today, I am happy to announce the release of H2O HTTP/2 server, version 1.7.0.

Major additions in this update are:
  • asynchronous HTTP client for mruby handler
  • Support for CGI and Basic Authentication
  • Support for wild-card hostnames

You can find a more detailed description of the additions in my previous blogpost: H2O version 1.7.0-beta1 released with enhanced mruby scripting, CGI, and much more. Along with the new features, we have also enabled the use of Neverbleed by default, to reduce the risk of private key disclosure in case of a vulnerability.

We have also updated the numbers of the requests-per-second benchmark.

I have seen many people hesitating to move to HTTPS or HTTP/2 for fear of performance issues. But what is apparent from this benchmark is that the performance of HTTP/2 with TLS is actually on par with HTTP/1 without TLS (in the case of nginx) or much faster (in the case of H2O).

Details of the benchmark (along with other benchmarks) can be found at

Wednesday, January 13, 2016

H2O 1.6.2 released fixing a response splitting vulnerability in redirect handler

I have just released H2O version 1.6.2 that includes a fix for a response splitting vulnerability found in prior releases.

Users using the redirect directive are affected; they are advised to update immediately.

Edit: version 1.7.0-beta3 has also been released fixing the same issue in the earlier releases of 1.7.0 beta series.

Related Links: