| -*- coding: utf-8 -*- |
| Changes with Apache 2.5.1 |
| |
| *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS |
| protection. PR63688. [Armin Abfalterer <a.abfalterer gmail.com>] |
| |
| *) mod_authn_socache: Increase the maximum length of strings that can be cached by |
| the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>] |
| |
| *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration |
| for a domain managed by mod_md caused a startup error. This happened when mod_md installed |
| its fallback certificate, before it got the first real certificate from Lets Encrypt. |
| [Stefan Eissing] |
| |
| *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via |
| RegexDefaultOptions -DOTALL [Yann Ylavic] |
| |
| *) core: Remove request details from built-in error documents [Eric Covener] |
| |
| *) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on |
| merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann] |
| |
| *) mod_http2: fixed a bug that prevented proper stream cleanup when connection |
| throttling was in place. Stream resets by clients on streams initiated by them |
| are counted as possible trigger for throttling. [Stefan Eissing] |
| |
| *) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing |
| more to write with streams ongoing (flow control block). The timeout waiting |
| for the client to send WINODW_UPDATE was incorrectly KeepAliveTimeout and not |
| Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing] |
| |
| *) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for |
| adding certificates and keys to a virtual host. An additional hook allows |
| answering special TLS connections as used in ACME challenges. |
| Adding 2 new hooks for init/get of OCSP stapling status information when |
| other modules want to provide those. Falls back to own implementation with |
| same behaviour as before. |
| [Stefan Eissing] |
| |
| *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+. |
| [Graham Leggett] |
| |
| *) mod_proxy_http2: adding support for handling trailers in both directions. PR 63502. |
| [Stefan Eissing] |
| |
| *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39. |
| PR 63325. [Yann Ylavic] |
| |
| *) mod_ldap: Avoid potential crashes in util_ldap_cache_module_kill() or other |
| LDAP related functions during graceful restart of a busy server. PR63305. |
| [Martin FĂșsek <mfusek newps.cz>] |
| |
| *) mod_cache: Fix parsing of quoted Cache-Control token arguments. |
| PR 63288. [Yann Ylavic] |
| |
| *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in |
| spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing] |
| |
| *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. |
| [Michael Kaufmann <mail michael-kaufmann.ch>] |
| |
| *) Merge consecutive slashes in URL's. Opt-out with `MergeSlashes OFF`. |
| [Eric Covener] |
| |
| *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend |
| connection is recycled/reused to avoid a possible crash with some SSLProxy |
| configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic] |
| |
| *) mod_mime: Add `MimeOptions` directive to allow Content-Type or all metadata |
| detection to use only the last (right-most) file extension or to be |
| disabled per-dir. [Eric Covener] |
| |
| *) MPMs unix: bind the bucket number of each child to its slot number, for a |
| more efficient per bucket maintenance. [Yann Ylavic] |
| |
| *) http: Fix possible empty response with mod_ratelimit for HEAD requests. |
| PR 63192. [Yann Ylavic] |
| |
| *) mod_cache_socache: Avoid reallocations and be safe with outgoing data |
| lifetime. [Yann Ylavic] |
| |
| *) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts. |
| PR 61310. [Yann Ylavic] |
| |
| *) mod_auth_digest: Fix a race condition. Authentication with valid credentials could be |
| refused in case of concurrent accesses from different users. |
| PR 63124 [Simon Kappel <simon.kappel axis.com>] |
| |
| *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by |
| configuration (SSLFIPS on) and not active by default in OpenSSL. |
| PR 63136. [Yann Ylavic] |
| |
| *) mod_ssl: give mod_md the chance to override certificate after ALPN protocol |
| negotiation. [Stefan Eissing] |
| |
| *) mod_proxy_wstunnel: Fix websocket proxy over UDS. |
| PR 62932 <pavel dcmsys.com> |
| |
| *) mod_negociation: LanguagePriority should be case-insensitive in order to |
| match AddLanguage behavior. PR 39730 [Christophe Jaillet] |
| |
| *) mod_session: Always decode session attributes early. [Hank Ibell] |
| |
| *) core: Incorrect values for environment variables are substituted when |
| multiple environment variables are specified in a directive. [Hank Ibell] |
| |
| *) core: Split out the ability to parse wildcard files and directories |
| from the Include/IncludeOptional directives into a generic set of |
| functions ap_dir_nofnmatch() and ap_dir_fnmatch(). [Graham Leggett] |
| |
| *) mod_ssl: Fix mod_authz provider for "require ssl" directive to check correctly |
| on HTTP/2 connections. Fixes PR 62654. [Stefan Eissing] |
| |
| *) mod_ssl: clear *SSL errors before loading certificates and checking |
| afterwards. Otherwise errors are reported when other SSL using modules |
| are in play. Fixes PR 62880. [Michael Kaufmann] |
| |
| *) core: Ensure that aborted connections are logged as such. PR 62823 |
| [Arnaud Grandville <contact@grandville.net>] |
| |
| *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when |
| there are still idle threads available. When there are less idle threads than |
| MinSpareThreads, issue new one-time message AH10159. Matches worker MPM. |
| [Eric Covener] |
| |
| *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the |
| body of the response. [Jim Jagielski] |
| |
| *) mod_session_cookie: avoid duplicate Set-Cookie header in the response. |
| [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano] |
| |
| *) mod_dav_fs: Set a default DAVLockDB within the state directory. |
| [Joe Orton] |
| |
| *) core: Add DefaultStateDir and layout-specific state directory |
| created at "make install". [Joe Orton] |
| |
| *) ab: Add client certificate support. [Graham Leggett] |
| |
| *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499 |
| [Dominik Stillhard <dominik.stillhard united-security-providers.ch>] |
| |
| *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and |
| before signals handling to avoid lifetime issues on restart or shutdown. |
| PR 62658. [Yann Ylavic] |
| |
| *) core: Add StrictHostCheck to allow ucnonfigured hostnames to be |
| rejected. [Eric Covener] |
| |
| *) mod_status: Cumulate CPU time of exited child processes in the |
| "cu" and "cs" values. Add CPU time of the parent process to the |
| "c" and "s" values. |
| [Rainer Jung] |
| |
| *) mod_status: Add cumulated response duration time in milliseconds. |
| [Rainer Jung] |
| |
| *) mod_status: Complete the data shown for async MPMs in "auto" mode. |
| Added number of processes, number of stopping processes and number |
| of busy and idle workers. [Rainer Jung] |
| |
| *) mod_proxy: Improve the balancer member data shown in mod_status when |
| "ProxyStatus" is "On": add "busy" count and show byte counts in auto |
| mode always in units of kilobytes. [Rainer Jung] |
| |
| *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative |
| redirects, subsequent ProxyPassReverse statements, whether they are |
| relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>] |
| |
| *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression |
| introduced in 2.4.34. PR 62568. [Yann Ylavic] |
| |
| *) mod_proxy_http: forward 100-continue, and minimize race conditions when |
| reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere] |
| |
| *) mod_proxy: Remove load order and link dependency between mod_lbmethod_* |
| modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe] |
| |
| *) mod_md: more robust handling of http-01 challenges and hands-off when module |
| should not be involved, e.g. challenge setup by another ACME client. [Stefan Eissing] |
| |
| *) ru, zh-cn and zh-tw translations of errordocs have been added. |
| Contributed by Alexander Gaganashvili and CodeingBoy |
| |
| *) mod_userdir: If several directories are given in a UserDir directive, only files |
| in the first existing one are checked. If the file is not found there, the |
| other possible directories are not checked. The doc clearly states that they |
| will be checked one by one, until a match is found or an external redirect is |
| performed. PR 59636. |
| [Christophe Jaillet] |
| |
| *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when |
| this type of map is present in the configuration. PR62311. |
| [Hank Ibell <hwibell gmail.com>] |
| |
| *) mod_ldap: Abort on LDAP locking errors. [Eric Covener] |
| |
| *) mod_ssl: Support loading certificates and private keys from the |
| PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>, |
| Joe Orton] |
| |
| *) http: LimitRequestBody applies to proxied requests. [Yann Ylavic] |
| |
| *) mod_logio: Add LogIOTrackTTFU and %^FU logformat to log the time |
| difference between request start and last request body byte read (finished upload). |
| [Rainer Jung] |
| |
| *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre4, other libs may |
| need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the |
| protocol the ciphers are for. |
| Directive "SSLVerifyClient" now triggers certificate retrieval from the client (this |
| is not fully tested - but fails in similar fashion as in TLSv1.2 in my setups). |
| Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols, |
| as this would need to trigger the master connection thread - which we do not support |
| right now. |
| Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite" |
| does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and |
| TLSv1.2 or lower ciphers are not relevant, as cipher suites are completely separate. |
| This means there is a bit if a world split when simultaneously having TLSv1.2 and TLSv1.3 |
| connections to the same server. |
| [Yann Ylavic, Stefan Eissing] |
| |
| *) mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236. |
| [Bernard Spil <brnrd@freebsd.org>] |
| |
| *) mod_cgi: Add CGIScriptTimeout to make mod_cgi's timeout per-directory and |
| independent of the core Timeout directive. PR 62229. |
| [Hank Ibell <hwibell gmail.com>] |
| |
| *) mod_ssl: heavily simplified SSLPolicy. No more user defines, no propxy policies, |
| just the basic "modern", "intermediate" and "old" as specified by Mozilla security. |
| [Stefan Eissing] |
| |
| *) mod_md: fixes error in renew window calculation that may lead to mod_md running |
| watchdog in a tight loop until actual renewal becomes necessary. [Stefan Eissing] |
| |
| *) mod_md: /.well-known/acme-challenge requests that cannot be answered for hostnames |
| outside the configured MDs are free to be answered by other handlers. This allows |
| co-existance between mod_md and other ACME clients on the same server (implements PR62189). |
| [Stefan Eissing, Arkadiusz Miskiewicz <arekm@maven.pl>] |
| |
| *) core: Create a conn_config_t structure to hold an extendable core config rather |
| than consuming the whole pointer with the connection socket. [Graham Leggett] |
| |
| *) core: adding AP_DECLARE for ap_parse_vhost_addrs() and minor bumb mmn. Resolves |
| building mod_ssl on Windows. [Stefan Eissing, Gregg Smith] |
| |
| *) core: adding defines to allow interworking with honggfuzz without |
| further patches. [Stefan Eissing, Robert Swiecki] |
| |
| *) mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could |
| inadvertently modify the Content-Type _response_ header. Applies to |
| Content-Type only and likely to only affect static file responses. |
| [Eric Covener] |
| |
| *) mod_cgi: Improve AH01215 messages to make it more clear that the message is |
| the CGI scripts stderr output. PR 61980. [Hank Ibell <hwibell gmail.com>] |
| |
| *) mod_headers: Allow 'Header unset Content-Type' to remove the Content-Type |
| header. PR 61983. [Hank Ibell <hwibell gmail.com>] |
| |
| *) mod_md v1.1.8: new configuration directive "MDBaseServer on|off" to allow/inhibit |
| management of the base server domains outside VirtualHosts. By default, this is "off", |
| e.g. mod_md will not manage certificates or perform https: redirections on the |
| base server. [Stefan Eissing] |
| |
| *) core: Add "AcceptErrorsNonFatal" to allow ECONNREFUSED, ECONNABORTED, and |
| ECONNRESET during the client accept() to not trigger graceful shutdown of |
| the child process. [Eric Covener] |
| |
| *) mod_md v1.1.7: |
| - MDMustStaple was unable to create the necessary OpenSSL OBJ identifier on some platforms, |
| possibly because this fails if the OID is already configured in ```openssl.cnf```, see |
| [here](https://github.com/openssl/openssl/issues/2795). |
| - Two memory leaks in cert issuer and alt-names lookup eliminated by Yann Ylavic. |
| - Changing MDMustStaple triggers certificate renewal. |
| - More verbosity when *not* handing out certificates, e.g. mod_ssl asks, but mod_md has no |
| idea what it is talking about. Some people report misbehaviour here. |
| - Re-enabled support for md_get_credentials() function that was used in older mod_ssl |
| patch, so that people with old patched servers get a chance to upgrade. |
| [Stefan Eissing, Yann Ylavic] |
| |
| *) mod_susbtitute: Allow expressions in the subtitution, prefixed with expr= |
| [Eric Covener] |
| |
| *) mod_md: fixed mem pool usage for auto-added server names. Added |
| error logging of exact ACME response when challenges failed. |
| [Stefan Eissing] |
| |
| *) mod_md: reverses most of v1.0.5 optimization of post_config init, so that |
| mod_ssl can ask for certiticates without crashing. [Stefan Eissing] |
| |
| *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules. |
| PR 61857. [Yann Ylavic] |
| |
| *) mod_proxy_html: fix handling of <meta http-equiv> elements. |
| PR 58121. [Nick Kew] |
| |
| *) mod_md: fixed backward compatibility to old <ManagedDomain configuration. |
| Add higher level WARNING log when initial request to ACME server fails, mentioning |
| some advice. [Stefan Eissing] |
| |
| *) mod_md: name change in configuration directives. The old names are still working |
| in this version, so you can safely upgrade. They will give warnings in the log and |
| will disappear in the immediate future. ManagedDomain is now MDomain, |
| <ManagedDomain> is now <MDomainSet>. [Stefan Eissing] |
| |
| *) mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour |
| for new server config merge flag. Denying global, only once used directives |
| inside a SSLPolicyDefine. [Stefan Eissing] |
| |
| *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces |
| should be accepted after the authorization scheme. \t are also tolerated. |
| [Christophe Jaillet] |
| |
| *) core: Support zone/scope in IPv6 link-local addresses in Listen and |
| VirtualHost directives (requires APR 1.7.x or later). PR 59396. [Joe Orton] |
| |
| *) mod_md: v1.0.5, restricting post_config dry run to be more silent and performing |
| only necessary work for mod_ssl to be also happy with the configuration. |
| [Stefan Eissing] |
| |
| *) mod_md: v1.0.4, removed the 'a2md' utility command from build. Only used in github |
| testing. Avoid problems with our build system that had problems after the latest |
| changes to make a clean initial build. Remove the windows a2md.dsp therefore also. |
| [Stefan Eissing] |
| |
| *) mod_ssl: Fail with 403 if the username for FakeBasicAuth mode |
| includes a colon character. PR 52644. [Joe Orton] |
| |
| *) mod_md: v1.0.3, fixed various bugs in persisting job properties, so that status is |
| persisted accross child process changes and staging is reset on reloads. Changed |
| MDCertificateAgreement url checks. As long as the CA reports that the account has |
| an agreement, no further checking is done. Existing accounts need no changes when |
| a new agreement comes out. [Stefan Eissing] |
| |
| *) mod_watchdog: Correct some log messages. [Rainer Jung] |
| |
| *) mod_noloris: complete build setup. [Rainer Jung] |
| |
| *) mod_md: fix static compilation. [Rainer Jung] |
| |
| *) mod_md: fix compilation of helper binary a2md. [Rainer Jung] |
| |
| *) core: fix pcre feature detection in configure when using pcre2. [Rainer Jung] |
| |
| Changes with Apache 2.5.0-alpha |
| |
| *) mod_md: v1.0.1, ServerName/Alias names from pure-http: virtual hosts are no longer |
| auto-added to a Managed Domain. Error counts of jobs are presisted. When the server |
| restarts (gracefully) any errored staging areas are purged to reset the signup/renewal |
| process. [Stefan Eissing] |
| |
| *) mod_md: v1.0.0, new config directive 'MDNotifyCmd' to hook in a program when Managed |
| Domains have obtained/renewed their certificates successfully. [Stefan Eissing] |
| |
| *) mod_md: v0.9.9, fix for applying challenge type based on available ports. [Stefan Eissing] |
| |
| *) mod_md: v0.9.7 |
| - Use of the new module flag |
| - Removed obsolete function from interface to mod_ssl. |
| - Fallback certificates has version set and no longer claims to be a CA. (re issue #32) |
| - MDRequireHttps now happens before any Redirect. |
| [Stefan Eissing] |
| |
| *) mod_ssl: unshare SSLSrvConfigRec instances between base server and virtual hosts. This avoids |
| overwrites of later initializattions (vhost_id), selective disables by "SSLEngine addr-list" |
| and certificate/key pickup from mod_md. [Stefan Eissing] |
| |
| *) mod_md: v0.9.6: a "MDRequireHttps permament" configured domain automatically sends out |
| HSTS (rfc 6797) headers in https: responses. [Stefan Eissing] |
| |
| *) mod_ssl: adding ssl_policies.h[.in] for policy cipher/protocol definitions. Use |
| update_policies.py to update manually from Mozilla JSON definitions at |
| https://statics.tls.security.mozilla.org/server-side-tls-conf.json |
| [Stefan Eissing] |
| |
| *) mod_md: v0.9.5: |
| - New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if |
| new certificates are requested with the OCSP Must Staple extension. |
| - Known limitation: when the server is configured to ditch and restart child processes, for example |
| after a certain number of connections/requests, the mod_md watchdog instance might migrate |
| to a new child process. Since not all its state is persisted, some messsages might appear a |
| second time in the logs. |
| - Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-' |
| is used - which negates that a https: port exists. Also, a warning is logged if no |
| VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in |
| its address list. |
| - New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently |
| or temporarily. |
| - Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also |
| a changed mod_ssl patch (v5) to take effect. |
| - compatibility with libressl |
| [Stefan Eissing] |
| |
| *) mod_md: v0.9.2: new directive 'MDHttpProxy' to define a proxy for outgoing connection, |
| some minor bugfixes, twiddle the build system to avoid non-pic code generation. |
| [Stefan Eissing] |
| |
| *) mod_md: v0.9.1: |
| - various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If |
| someone already used percent configurations, it is advised to change these to a new value, |
| reload and change back to the wanted ones. |
| - various fixes in handling of MDPrivateKeys when specifying 2048 bits (the default) explicitly. |
| - mod_md version removed from top level md_store.json file. The store has its own format version |
| to facilitate upgrades. |
| [Stefan Eissing] |
| |
| *) mod_md: v0.9.0: |
| Certificate provisioning from Let's Encrypt (and other ACME CAs) for mod_ssl virtual hosts. |
| [Stefan Eissing] |
| |
| *) mod_ssl: add SSLPolicy (define/use) and SSLProxyPolicy directives plus documentation. Add |
| core definitions for policies 'modern', 'intermediate' and 'old', as defined by Mozilla |
| in <https://wiki.mozilla.org/Security/Server_Side_TLS>. [Stefan Eissing] |
| |
| *) mod_md: new module for managing domains across VirtualHosts with ACME protocol |
| implementation for automated certificate signup and renewal. Default CA is |
| the test area of Let's Encrypt right now, so certificates root will not be valid. |
| Will be switched to the real service endpoint rather soon. If you need it now, |
| configure 'MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory'. |
| [Stefan Eissing] |
| |
| *) mod_rewrite: Add 'RewriteOptions LongURLOptimization' to free memory |
| from each set of unmatched rewrite conditions. |
| [Eric Covener] |
| |
| *) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>, |
| and <IfModule> to be quoted. This is primarily for the benefit of |
| <IfFile>. [Eric Covener] |
| |
| *) Introduce request taint checking framework to prevent privilege |
| hijacking through .htaccess. [Nick Kew] |
| |
| *) Add <IfDirective> and <IfSection> directives. [Joe Orton] |
| |
| *) When using mod_status with the Event MPM, report the number of requests |
| associated with an active connection in the "ACC" field. Previously |
| zero was always reported with this MPM. PR60647. [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Reliably run before mod_proxy_http. |
| [Eric Covener] |
| |
| *) http: Allow unknown response status' lines returned in the form of |
| "HTTP/x.x xxx Status xxx". [Yann Ylavic] |
| |
| *) core: Add <IfFile> configuration section to allow any file on disk to be |
| used as a conditional. [Edward Lu, Eric Covener] |
| |
| *) mod_crypto: Add the all purpose crypto filters with support for HLS. |
| [Graham Leggett] |
| |
| *) core: Drop an invalid Last-Modified header value coming |
| from a FCGI/CGI script instead of replacing it with Unix epoch. |
| Warn the users about Last-Modified header value replacements |
| and violations of the RFC. |
| [Yann Ylavic, Luca Toscano, William Rowe, Jacob Champion] |
| |
| *) mod_dav: Allow other modules to become providers and add ACLs |
| to the DAV response. |
| [Jari Urpalainen <jari.urpalainen nokia.com>, Graham Leggett] |
| |
| *) mod_dav: Add dav_begin_multistatus, dav_send_one_response, |
| dav_finish_multistatus, dav_send_multistatus, dav_handle_err, |
| dav_failed_proppatch, dav_success_proppatch to mod_dav.h. |
| [Jari Urpalainen <jari.urpalainen nokia.com>, Graham Leggett] |
| |
| *) core: explicitly exclude 'h2' from protocols announced via an Upgrade: |
| header as commanded by http-wg. [Stefan Eissing] |
| |
| *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy |
| AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>] |
| |
| *) mpm: Generalise the ap_mpm_register_socket functions to accept pipes |
| or sockets. [Graham Leggett] |
| |
| *) core: Extend support for setting aside data from the network input filter |
| to any connection or request input filter. [Graham Leggett] |
| |
| *) core: Split ap_create_request() from ap_read_request(). [Graham Leggett] |
| |
| *) mod_auth_digest: Fix compatibility with expression-based Authname. PR59039. |
| [Eric Covener] |
| |
| *) mpm: Add a complete_connection hook that confirms whether an MPM is allowed |
| to leave the WRITE_COMPLETION phase. Move filter code out of the MPMs. |
| [Graham Leggett] |
| |
| *) mod_cache: Consider Cache-Control: s-maxage in expiration |
| calculations. [Eric Covener] |
| |
| *) mod_cache: Allow caching of responses with an Expires header |
| in the past that also has Cache-Control: max-age or s-maxage. |
| PR55156. [Eric Covener] |
| |
| *) mod_session: Introduce SessionExpiryUpdateInterval which allows to |
| configure the session/cookie expiry's update interval. PR 57300. |
| [Paul Spangler <paul.spangler ni.com>] |
| |
| *) core: Extend support for asynchronous write completion from the |
| network filter to any connection or request filter. [Graham Leggett] |
| |
| *) mod_auth_digest: remove AuthDigestEnableQueryStringHack which is no |
| more documented since dec 2012 (r1415960). [Christophe Jaillet] |
| |
| *) mod_charset_lite: On EBCDIC platforms, make sure mod_charset_lite runs |
| after other resource-level filters. [Eric Covener] |
| |
| *) http: Don't remove the Content-Length of zero from a HEAD response if |
| it comes from an origin server, module or script. [Yann Ylavic] |
| |
| *) http: Add support for RFC2324/RFC7168. [Graham Leggett] |
| |
| *) mod_authn_core: Add expression support to AuthName and AuthType. |
| [Graham Leggett] |
| |
| *) suexec: Filter out the HTTP_PROXY environment variable because it is |
| treated as alias for http_proxy by some programs. [Stefan Fritsch] |
| |
| *) mod_proxy_http: Don't establish or reuse a backend connection before pre- |
| fetching the request body, so to minimize the delay between it is supposed |
| to be alive and the first bytes sent: this is a best effort to prevent the |
| backend from closing because of idle or keepalive timeout in the meantime. |
| Also, handle a new "proxy-flushall" environment variable which allows to |
| flush any forwarded body data immediately. PR 56541+37920. [Yann Ylavic] |
| |
| *) core: Define and UnDefine are no longer permitted in |
| directory context. Previously they would always be evaulated |
| as the configuration was read without regard for the directory |
| context. [Eric Covener] |
| |
| *) config: For directives that do not expect any arguments, enforce |
| that none are specified in the configuration file. |
| [Joachim Zobel <jzobel heute-morgen.de>, Eric Covener] |
| |
| *) mod_rewrite: Improve 'bad flag delimeters' startup error by showing |
| how the input was tokenized. PR 56528. [Edward Lu <Chaosed0 gmail.com>] |
| |
| *) mod_proxy: Don't put non balancer-member workers in error state by |
| default for connection or 500/503 errors, and honor status=+I for |
| any error. PR 48388. [Yann Ylavic] |
| |
| *) ap_expr: Add filemod function for checking file modification dates |
| [Daniel Gruno] |
| |
| *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since |
| r1608202. [Eric Covener] |
| |
| *) apreq: Content-Length header should be always interpreted as a decimal. |
| Leading 0 could be erroneously considered as an octal value. PR 56598. |
| [Chris Card <ctcard hotmail com>] |
| |
| *) mod_proxy: Now allow for 191 character worker names, with non-fatal |
| errors if name is truncated. PR53218. [Jim Jagielski] |
| |
| *) mod_ssl: Add optional function "ssl_get_tls_cb" to allow support |
| for channel bindings. [Simo Sorce <simo redhat.com>] |
| |
| *) mod_proxy_wstunnel: Concurrent websockets messages could be |
| lost or delayed with ProxyWebsocketAsync enabled. |
| [Edward Lu <Chaosed0 gmail.com>] |
| |
| *) core, mod_info: Add compiled and loaded PCRE versions to version |
| number display. [Rainer Jung] |
| |
| *) mod_authnz_ldap: Return LDAP connections to the pool before the handler |
| is run, instead of waiting until the end of the request. [Eric Covener] |
| |
| *) mod_proxy_html: support automatic detection of doctype and processing |
| of FPIs. PR56285 [Micha Lenk <micha lenk info>, Nick Kew] |
| |
| *) core: Add ap_mpm_resume_suspended() API to allow a suspended connection |
| to resume. PR56333 |
| [Artem <artemciy gmail.com>, Edward Lu <Chaosed0 gmail.com>] |
| |
| *) core: Add ap_mpm_register_socket_callback_timeout() API. [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Honor ProxyWebsocketIdleTimeout in asynchronous |
| processing mode. [Eric Covener] |
| |
| *) mod_authnz_ldap: Fail explicitly when the filter is too long. Remove |
| unnecessary apr_pstrdup() and strlen(). [Graham Leggett] |
| |
| *) Add the ldap-search option to mod_authnz_ldap, allowing authorization |
| to be based on arbitrary expressions that do not include the username. |
| [Graham Leggett] |
| |
| *) Add the ldap function to the expression API, allowing LDAP filters and |
| distinguished names based on expressions to be escaped correctly to |
| guard against LDAP injection. [Graham Leggett] |
| |
| *) Add module mod_ssl_ct, which provides an implementation of Certificate |
| Transparency (RFC 6962) for httpd. [Jeff Trawick] |
| |
| *) mod_proxy_wstunnel: Avoid sending error responses down an upgraded |
| websockets connection as it is being close down. [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Allow the administrator to cap the amount |
| of time a synchronous websockets connection stays idle with |
| ProxyWebsocketIdleTimeout. [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Change to opt-in for asynchronous support, adding |
| directives ProxyWebsocketAsync and ProxyWebsocketAsyncDelay. |
| [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Stop leaking websockets backend connections under |
| event MPM (trunk-only). [Eric Covener] |
| |
| *) mod_proxy_http: Add detach_backend hook (potentially usable |
| in other proxy scheme handlers). [Jeff Trawick] |
| |
| *) mod_deflate: Add DeflateAlterETag to control how the ETag |
| is modified. The 'NoChange' parameter mimics 2.2.x behavior. |
| PR 45023, PR 39727. [Eric Covener] |
| |
| *) mod_dir: Default to 2.2-like behavior and skip execution when method is |
| neither GET nor POST, such as for DAV requests. PR 54914. [Chris Darroch] |
| |
| *) mod_rewrite: Rename the handler that does per-directory internal |
| redirects to "rewrite-redirect-handler" from "redirect-handler" so |
| it is less ambiguous and less likely to be reused. [Eric Covener] |
| |
| *) mod_rewrite: Protect against looping with the [N] flag by enforcing a |
| default limit of 10000 iterations, and allowing each rule to change its |
| limit. [Eric Covener] |
| |
| *) mod_ssl: Fix config merging of SSLOCSPEnable and SSLOCSPOverrideResponder. |
| [Jeff Trawick] |
| |
| *) Add HttpContentLengthHeadZero and HttpExpectStrict directives. |
| [Yehuda Sadeh <yehuda inktank com>, Justin Erenkrantz] |
| |
| *) mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all |
| configured SSL CA certificates to stdout the same way as DUMP_CERTS does. |
| [Jan Kaluza] |
| |
| *) mod_ssl: Don't flush when an EOS is received. Prepares mod_ssl |
| to support write completion. [Graham Leggett] |
| |
| *) core: Add parse_errorlog_arg callback to ap_errorlog_provider |
| to allow providers to check the ErrorLog argument. [Jan Kaluza] |
| |
| *) mod_cgid: Use the servers Timeout for each read from a CGI script, |
| allow override with new CGIDRequestTimeout directive. PR43494 |
| [Eric Covener, Toshikuni Fukaya <toshikuni-fukaya cybozu co jp>] |
| |
| *) core: ensure any abnormal exit is reported to stderr if it's a tty. |
| PR 55670 [Nick Kew] |
| |
| *) mod_lua: Let the Inter-VM get/set functions work with a global |
| shared memory pool instead of a per-process pool. [Daniel Gruno] |
| |
| *) ldap: Support ldaps when using the Microsoft LDAP SDK. |
| PR 54626. [Jean-Frederic Clere] |
| |
| *) mod_authnz_ldap: Change default value of AuthLDAPMaxSubGroupDepth to 0 |
| to avoid performance problems when subgroups aren't in use. [Eric Covener] |
| |
| *) mod_syslog: New module implementing syslog ap_error_log provider. |
| Previously, this code was part of core, now it's in separate module. |
| [Jan Kaluza] |
| |
| *) core: Add ap_errorlog_provider to make ErrorLog logging modular. Move |
| syslog support from core to new mod_syslog. [Jan Kaluza] |
| |
| *) mod_status, mod_echo: Fix the display of client addresses. |
| They were truncated to 31 characters which is not enough for IPv6 addresses. |
| This is done by deprecating the use of the 'client' field and using |
| the new 'client64' field in worker_score. |
| PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski] |
| |
| *) core: merge AllowEncodedSlashes from the base configuration into |
| virtual hosts. [Eric Covener] |
| |
| *) AIX: Install DSO's with "cp" instead of "install" in instdso.sh |
| [Eric Covener] |
| |
| *) mod_ldap: Don't keep retrying if a new LDAP connection times out. |
| [Eric Covener] |
| |
| *) mod_deflate: permit compilation of mod_deflate against a zlib that has |
| been configured with -D Z_PREFIX, which redefines the token "deflate". |
| [Eric Covener] |
| |
| *) mod_auth_digest: Use the secret when generating nonces in all cases and |
| not only when AuthName is used in .htaccess files (this change may cause |
| problems if used with round robin load balancers). Don't regenerate the |
| secret on graceful restarts. PR 54637 [Stefan Fritsch] |
| |
| *) core: Stop the HTTP_IN filter from attempting to write error buckets |
| to the output filters, which is bogus in the proxy case. Create a |
| clean mapping from APR codes to HTTP status codes, and use it where |
| needed. [Graham Leggett] |
| |
| *) mod_proxy: Ensure network errors detected by the proxy are returned as |
| 504 Gateway Timout as opposed to 502 Bad Gateway, in order to be |
| compliant with RFC2616 14.9.4 Cache Revalidation and Reload Controls. |
| |
| *) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981 |
| [Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez |
| <alejandro.alvarez.ayllon cern.ch>] |
| |
| *) mod_ldap: LDAP connections used for authentication were not respecting |
| LDAPConnectionPoolTimeout. PR 54587 |
| |
| *) core: Add option to add valgrind support. Use it to reduce false positive |
| warnings in mod_ssl. [Stefan Fritsch] |
| |
| *) mod_authn_file, mod_authn_dbd, mod_authn_dbm, mod_authn_socache: |
| Cache the result of the most recent password hash verification for every |
| keep-alive connection. This saves some expensive calculations. |
| [Stefan Fritsch] |
| |
| *) http: Remove support for Request-Range header sent by Navigator 2-3 and |
| MSIE 3. [Stefan Fritsch] |
| |
| *) core, http: Extend HttpProtocol with an option to enforce stricter HTTP |
| conformance or to only log the found problems. [Stefan Fritsch] |
| |
| *) EventOpt MPM |
| |
| *) core: Add LogLevelOverride directive that allows to override the |
| loglevel for clients from certain IPs. This also works for things |
| like the SSL handshake where <If> LogLevel ... </If> is evaluated |
| too late. [Stefan Fritsch] |
| |
| *) core: Add new directive Warning to issue warnings from a configuration |
| file. Both Warning and Error now generate a timestamped log message. |
| [Fabien Coelho] |
| |
| *) ap_expr: Add SERVER_PROTOCOL_VERSION, ..._MAJOR, and ..._MINOR |
| variables. [Stefan Fritsch] |
| |
| *) core: New directive HttpProtocol which allows to disable HTTP/0.9 |
| support. [Stefan Fritsch] |
| |
| *) mod_allowhandlers: New module to forbid specific handlers for specific |
| directories. [Stefan Fritsch] |
| |
| *) mod_systemd: New module, for integration with systemd on Linux. |
| [Jan Kaluza <jkaluza redhat.com>] |
| |
| *) WinNT MPM: Store pid and generation for each thread in scoreboard |
| to allow tracking of threads from exiting children via mod_status |
| or other such mechanisms. [Jeff Trawick] |
| |
| *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR: |
| - APIs: ap_log_pid(), ap_remove_pid, ap_read_pid() |
| - mod_cache: thundering herd lock directory |
| - mod_lbmethod_heartbeat, mod_heartmonitor: heartbeat storage file |
| - mod_ldap: shared memory cache |
| - mod_socache_shmcb, mod_socache_dbm: shared memory or dbm for cache |
| [Jeff Trawick] |
| |
| *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210. |
| [Matthew Steele <mdsteele google.com>] |
| |
| *) cross-compile: allow to provide CC_FOR_BUILD so that gen_test_char will |
| be compiled by the build compiler instead of the host compiler. |
| Also set CC_FOR_BUILD to 'cc' when cross-compilation is detected. |
| PR 51257. [Guenter Knauf] |
| |
| *) core: In maintainer mode, replace apr_palloc with a version that |
| initializes the allocated memory with non-zero values, except if |
| AP_DEBUG_NO_ALLOC_POISON is defined. [Stefan Fritsch] |
| |
| *) mod_policy: Add a new testing module to help server administrators |
| enforce a configurable level of protocol compliance on their |
| servers and application servers behind theirs. [Graham Leggett] |
| |
| *) mod_firehose: Add a new debugging module able to record traffic |
| passing through the server in such a way that connections and/or |
| requests be reconstructed and replayed. [Graham Leggett] |
| |
| *) mod_noloris |
| |
| *) APREQ |
| |
| *) Simple MPM |
| |
| *) mod_serf |
| |
| [Apache 2.5.0-dev includes those bug fixes and changes with the |
| Apache 2.4.xx tree as documented below, except as noted.] |
| |
| Changes with Apache 2.4.x and later: |
| |
| *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup |
| |
| Changes with Apache 2.2.x and later: |
| |
| *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup |
| |
| Changes with Apache 2.0.x and later: |
| |
| *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup |