Wednesday, April 5, 2017

H2O version 2.2.0 released

Today I am happy to announce the release of H2O HTTP/2 server version 2.2.0.

The release includes over ten new features (shown below) as well as bug fixes.

  • [core] add crash-handler.wait-pipe-close parameter #1092
  • [core] introduce an option to bypass the server header sent from upstream #1226
  • [access-log] add %{remote}p for logging the remote port #1166
  • [access-log] JSON logging #1208
  • [access-log] add specifier for logging per-request environment variables #1221
  • [access-log] add support for <, > modifiers for logging either the original or the final response #1238
  • [file] add directive for serving gzipped files, decompressing them on-the-fly #1140
  • [http2] recognize x-http2-push-only attribute on link header #1169
  • [http2] add optional timeout for closing connections upon graceful shutdown #1108
  • [proxy] add directives for tweaking headers sent to upstream #1126
  • [proxy] add directive for controlling the via request header #1225
  • [ssl] add directive for logging session ID #1164

Some notable changes are covered in separate blog posts: "H2O version 2.2 beta released with TLS 1.3 support and other improvements" and "JSON logging support is added to H2O HTTP/2 server version 2.2.0-beta3".

The full list of changes can be found here.

The release also comes with the up-to-date version of mruby. Recently, a series of security defects have been reported for the language runtime. Our understanding is that many of the vulnerabilities rely on an attacker writing the script (a model that does not apply to how mruby is used in H2O). However, you can turn off mruby support by providing -DWITH_MRUBY=OFF as an argument to CMake, or update mruby to the latest version simply by replacing the contents of deps/mruby with that of