nghttp2.org

HTTP/2 C library and tools

Nghttp2 v1.7.0

We released nghttp2 v1.7.0.

This release makes error handling in libnghttp2 stricter to provide more diagnostics to applications. We also made many improvements to h2load and nghttpx in this release.

For libnghttp2, we now strictly validate the important header fields :authority, host, and :scheme by checking the characters used in them. Servers usually use these header fields for routing, and their values may appear in different header fields when forwarded. It is better to do basic error handling here so that we can reduce possible attack vectors.
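A character check of this kind, as an added example that is not taken from the nghttp2 source: the accepted characters follow the RFC 3986 scheme and authority grammar, which is an assumption because the release note does not list them, and the function names and sample values are constructed for illustration.

```c
/* Added example, not nghttp2 source. Character sets are taken from RFC 3986
   (an assumption: the release note does not list the accepted characters). */
#include <stdio.h>
#include <string.h>

static int is_alpha(unsigned char c) {
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

static int is_digit(unsigned char c) { return c >= '0' && c <= '9'; }

/* memchr with an explicit length, so a NUL byte in the value never matches
   the set's terminator (strchr would accept it). */
static int in_set(const char *set, size_t setlen, unsigned char c) {
  return memchr(set, c, setlen) != NULL;
}

/* scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
int check_scheme(const unsigned char *v, size_t len) {
  size_t i;
  if (len == 0 || !is_alpha(v[0])) return 0;
  for (i = 1; i < len; ++i)
    if (!is_alpha(v[i]) && !is_digit(v[i]) && !in_set("+-.", 3, v[i])) return 0;
  return 1;
}

/* :authority / host: unreserved, sub-delims, "%", ":", "@", "[", "]".
   Only the characters are checked; an empty value passes vacuously. */
int check_authority(const unsigned char *v, size_t len) {
  static const char extra[] = "-._~!$&'()*+,;=%:@[]";
  size_t i;
  for (i = 0; i < len; ++i)
    if (!is_alpha(v[i]) && !is_digit(v[i]) &&
        !in_set(extra, sizeof(extra) - 1, v[i])) return 0;
  return 1;
}

int main(void) {
  /* Constructed sample values, including one carrying CRLF and a space. */
  static const char *samples[] = {"example.org:8443", "[2001:db8::1]:443",
                                  "example.org/admin",
                                  "example.org\r\nx-extra: 1"};
  size_t i;
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i)
    printf("%d\n", check_authority((const unsigned char *)samples[i],
                                   strlen(samples[i])));
  return 0;
}
```

Rejecting CR, LF, space, "/" and NUL before the value is used for routing or copied into another header field keeps a malformed value from changing meaning when it is forwarded.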

Previously, the nghttp2_submit_headers and nghttp2_submit_request functions did not return an error when a self dependency was made. Now they return an error code when such an argument is passed.

Previously, when linking the OpenSSL library statically, the build failed because -ldl was not passed to the linker, so we had to add it using LIBS. Now it is automatically added to the linker options.

In the libnghttp2_asio library, nghttp2::asio_http2::server::http2::get_io_services() has been renamed to nghttp2::asio_http2::server::http2::io_services() to follow the naming convention. Previously, calling nghttp2::asio_http2::server::stop() did not stop the acceptor. Now it stops the acceptor too.

h2load now supports connecting to a server over a UNIX domain socket. Previously, the -m option of h2load defaulted to auto, which meant the number of URIs passed on the command line. Now the auto value is removed, and the default value is 1. This is because the -m option specifies the number of pipelined requests in HTTP/1, and disabling HTTP pipelining better reflects the practical usage of HTTP/1. To reduce memory consumption, the statistics calculation of h2load is now sampling based, instead of taking all requests/clients into account.

nghttpd now has a --no-content-length option to omit content-length in the response.

nghttpx now interleaves pushed streams with the associated stream if the pushed streams are JavaScript or CSS resources, which is determined by the content-type response header field. The initial value of the request/response buffer size (--backend-request-buffer and --backend-response-buffer options) is now increased to 128K. We have fixed the bug that the --listener-disable-timeout option was not used. Now nghttpx does not emit :authority if the request does not contain authority information. This happens when the :authority header field is missing in an HTTP/2 request, or when origin or asterisk form is used in an HTTP/1.1 request. nghttpx now supports the RFC 7239 Forwarded header field. By default, the Forwarded header field is not added. When it is instructed to add it, nghttpx emits obfuscated strings for the by and for parameters. Vernon Tang fixed the bug which caused a crash at start up when running on an IPv6-only host. Now nghttpx does not apply --max-header-fields and --header-field-buffer to response header fields, since they are meant to be applied to request header fields only. ayanamist fixed the bug that nghttpx wrongly lower-cased header field values supplied via the --add-request-header-field and --add-response-header-field options.