The release includes over ten new features (show below) as well as bug fixes.
- [core] add
crash-handler.wait-pipe-close
parameter #1092 - [core] introduce an option to bypass the
server
header sent from upstream #1226 - [access-log] add
%{remote}p
for logging the remote port #1166 - [access-log] JSON logging #1208
- [access-log] add specifier for logging per-request environment variables #1221
- [access-log] add support for
<
,>
modifiers for logging either the original or the final response #1238 - [file] add directive for serving gzipped files, decompressing them on-the-fly #1140
- [http2] recognize
x-http2-push-only
attribute onlink
header #1169 - [http2] add optional timeout for closing connections upon graceful shutdown #1108
- [proxy] add directives for tweaking headers sent to upstream #1126
- [proxy] add directive for controlling the
via
request header #1225 - [ssl] add directive for logging session ID #1164
Some notable changes are covered in separate blogposts: H2O version 2.2 beta released with TLS 1.3 support and other improvements, JSON logging support is added to H2O HTTP/2 server version 2.2.0-beta3.
Full list of changes can be found here.
The release also comes with the up-to-date version of mruby. Recently, a series of security defects have been reported for the language runtime. Our understanding is that many of the vulnerabilities rely on an attacker writing the script (a model that does not apply to how mruby is used in H2O). However, you can turn off mruby support by providing
-DWITH_MRUBY=OFF
as an argument to CMake, or update mruby to the latest version simply by replacing the contents of deps/mruby
with that of github.com/mruby/mruby.