The release includes over ten new features (show below) as well as bug fixes.
- [core] add
crash-handler.wait-pipe-closeparameter #1092 - [core] introduce an option to bypass the
serverheader sent from upstream #1226 - [access-log] add
%{remote}pfor logging the remote port #1166 - [access-log] JSON logging #1208
- [access-log] add specifier for logging per-request environment variables #1221
- [access-log] add support for
<,>modifiers for logging either the original or the final response #1238 - [file] add directive for serving gzipped files, decompressing them on-the-fly #1140
- [http2] recognize
x-http2-push-onlyattribute onlinkheader #1169 - [http2] add optional timeout for closing connections upon graceful shutdown #1108
- [proxy] add directives for tweaking headers sent to upstream #1126
- [proxy] add directive for controlling the
viarequest header #1225 - [ssl] add directive for logging session ID #1164
Some notable changes are covered in separate blogposts: H2O version 2.2 beta released with TLS 1.3 support and other improvements, JSON logging support is added to H2O HTTP/2 server version 2.2.0-beta3.
Full list of changes can be found here.
The release also comes with the up-to-date version of mruby. Recently, a series of security defects have been reported for the language runtime. Our understanding is that many of the vulnerabilities rely on an attacker writing the script (a model that does not apply to how mruby is used in H2O). However, you can turn off mruby support by providing
-DWITH_MRUBY=OFF as an argument to CMake, or update mruby to the latest version simply by replacing the contents of deps/mruby with that of github.com/mruby/mruby.
