nghttp2.org

HTTP/2 C library and tools

Nghttp2 v1.1.1

We released nghttp2 v1.1.1.

We should have written this blog after v1.1.0 was released, but we found some memory leaks in nghttpx, and while tracing this, we have found another issue. Although these issues have existed well before v1.1.0, we decided to fix these issues, and make an another release.

As a result, v1.1.0 became very short term release, but it contains many changes, so we describe changes since v1.0.5 here.

First thing first, the bug fixes in libnghttp2 library. We found bug which causes receive window exhaustion if automatic flow control feature is disabled, and peer sends illegal HTTP message body.

Gabi Davar kindly offered a patch to enhance msvc build and python setup script.

Klaus Ziegler sent us a patch to compile nghttp2 with IRIX gcc-4.7.

nghttp now gets --max-concurrent-streams option to control the concurrency. Regarding nghttp, acesso sent us a patch to add comment on HAR on pushed objects.

We fixed memory leaks and stability issues in nghttpx.

nghttpx now supports backend routing based on request host and path by extending -b option. The detailed syntax is explained in nghttpx man page. The routing pattern is very similar to ServeMux in net/http package from Go programming language. For example, if we want to route request to “/httpbin/” to 127.0.0.1 port 8000, and rest of the requests to 127.0.0.1 port 8081, we can write configuration file like so:

1
2
backend=127.0.0.1,8000;/httpbin/
backend=127.0.0.1,8081

The second rule above is equivalent to 127.0.0.1,8001;/, which matches all request paths. This is called catch-all pattern, and nghttpx requires this catch-all pattern.

You can use also request host to route request:

1
2
backend=127.0.0.1,8000;example.org/
backend=127.0.0.1,8080;blog.example.org/

All requests whose host header field (:authority header field for HTTP/2) are routed to 127.0.0.1 port 8000, and all requests for blog.example.org are routed to 127.0.0.1 port 8080.

This host-path based routing is available for both HTTP/1 and HTTP/2 backend (in other words, it is enabled in default mode, --http2-bridge and --client). It is disabled if -s or -p is given.

nghttpx also gets --include option to include configurations from another file. This is useful to share configurations between different nghttpx instances. The accesslog format variable now can be enclosed with curly braces for disambiguation (e.g., ${remote_addr}). SSL/TLS related log variables, such as TLS protocol version, ciphers, etc, have been also added.

h2load gets --cipher option to specify specific cipher suites to use.

Nghttp2 v1.0.5

We released nghttp2 v1.0.5.

This release fixes the bug in nghttpx that causes crash if --http2-bridge is used, and both frontend and backend enable TLS, and OCSP stapling is enabled. It also fixes the another bug in priority handling.

Nghttp2 v1.0.4

We released nghttp2 v1.0.4.

This release fixes assertion failure in stream_update_dep_on_detach_item function, as reported in GH-264.

Nghttp2 v1.0.3

We released nghttp2 v1.0.3.

This release fixes the bug that PRIORITY frame including dependency to itself for idle stream resulted in fatal error from nghttp2_session_mem_recv or nghttp2_session_recv in server-side session. Now it is treated gracefully, and GOAWAY of type PROTOCOL_ERROR is issued.

We optimized priority tree handling to Firefox style dependency tree, and it dramatically speeds up the processing. The worst case, linearly linked dependency tree, is also much improved.

Now LibreSSL can be used to build nghttp2 applications. ocsp-fetch-response script also supports LibreSSL too.

We fixed the bug in nghttpx that x-forwarded-proto header field did not reflect the frontend scheme if used with HTTP/2 backend.

Nghttp2 v1.0.2

We released nghttp2 v1.0.2.

This release fixes the bug which causes connection window exhaustion if automatic flow-control is disabled (nghttp2_option_set_no_auto_window_update()) and certain race condition is met. When this happened, remote peer could not send any more DATA because there was no connection window left.

For Windows build, we now define NGHTTP2_EXTERN to __declspec(dllimport) when using nghttp2 library.

We translated fetch-ocsp-response script into Python, and it is now under script directory.

We got several patches to enhance Python API from Fabian Wiesel.

We fixed the bug in libevent-client that included broken :path in request if request URI did not contain path part.

For nghttpx, we added --add-request-header option to add arbitrary header fields to backend server. We also enabled generic HTTP Upgrade in HTTP/1.1 frontend (HTTP/2 disallows this, so it is not available). This means nghttpx now can proxy WebSocket connection between client and backend server.

Nghttp2 v1.0.1

We released nghttp2 v1.0.1.

This release fixes compilation error with MSVC eailer than 2013.

Previously, we used golang spdy package from golang.org/x/net/spdy for integration tests, but now it is removed from their repository. We pushed its copy to our github account and make integration tests work again. We will drop SPDY support when Chrome drops SPDY, until then we use that repository.

Previously, nghttpx did not allow HTTP Upgrade from POST request, or even it just erroneously terminated connection, due to the bug in http-parser. Now http-parser has been updated, and we fixed our code to allow HTTP Upgrade from POST request, if response header has not been sent to the client.

We fixed another nghttpx bug. Previously, nghttpx sent PUSH_PROMISE after associated response HEADERS. Now it is corrected, and PUSH_PROMISE is sent before associated response HEADERS.

Previously, nghttpd did not close connection after settings timeout and GOAWAY was sent. Now it is corrected, and nghttpd closes connection after GOAWAY is sent in this particular situation.

Previously, h2load erroneously dropped connection, saying there is no viable protocol negotiated, if it is built with ALPN support (OpenSSL >= 1.0.2), and server supports NPN-only, and it sends NPN protocol list correctly. Now it is corrected, and h2load works with NPN-only servers.

Nghttp2 v1.0.0

We finally released nghttp2 v1.0.0! Hooray!

This release is based on v0.7.15, and does not introduce any feature, but changed existing API in backward incompatible way. We hope these changes will improve usability of our API. Please read this article to upgrade from older release.

Now that HTTP/2 and HPACK RFCs are published, v1.0.0 uses h2 and h2c as primary protocol identifiers. For TLS connections, all bundled applications still accept h2-14 and h2-16. h2-14 and h2-16 will be removed in the future release. On the other hand, HTTP Upgrade now only accepts h2c only, and h2c-14 is not acceptable anymore.

Nghttp2 v0.7.15

We released nghttp2 v0.7.15.

This release fixes access violation in libnghttp2. This bug was found and patched by Etienne Cimon. We also fixed the bug that inflatehd crashed with malformed input.

We received another crash report for nghttpx. After investigation, we found the offending commit, 585af938287d329333d9c755698fb25aa6471dab. Reverting that commit has fixed the crash. This bug has existed since v0.7.6 release.

While working with libcurl development to implement multiplexed uploading, we added --echo-upload option to nghttpd. This feature, if enabled, sends back request body to the client if request method is POST or PUT. This will help debugging uploading feature for client side development.

Unless there is critical bug, this is the last release for 0.7 series. The development continues to 1.x series!

Nghttp2 v0.7.14

We released nghttp2 v0.7.14.

This release fixes global-buffer-overflow bug in HPACK compression code introduced in nghttp2 v0.7.12. We strongly recommend to upgrade the old installation to this latest release.

Previously, the example code in nghttp2_select_next_protocol documentation had a wrong code which could lead to segmentation fault, due to incorrect return value if no protocol was selected. Now it is corrected.

Previously, when header decompression failed for incoming PUSH_PROMISE, RST_STREAM was sent to the associated stream, instead of the promised stream. Now it is corrected, and RST_STREAM is sent to the promised stream.

Zhuoyun Wei kindly offered systemd and upstart configuration file for nghttpx proxy. Zhuoyun Wei also offered a patch to improve logrotate configuration file for nghttpx.

We updated sphinx_rtd_theme to the latest, which includes even nicer UI.

h2load now shows 2 new metrics: time to connect and TTFB (time to first byte). Thank you to ericcarlschwartz for bringing this awesome feature.

nghttpd now has -m option to specify its SETTINGS_MAX_CONCURRENT_STREAMS limit.

nghttpx now logs absolute URI in access log if it is configured as HTTP/2 or client proxy. It also gets --header-field-buffer and --max-header-fields options to specify maximum header field buffer size it can be received. Previously, it was hardcoded as 32KiB.

We fixed the bug in nghttp that it aborted with assertion error if very large value was given to -t option.

Nghttp2 v0.7.13

We released nghttp2 v0.7.13.

This release fixes the bug that promised stream was reset if NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE was returned from nghttp2_on_header_callback for PUSH_PROMISE. Instead, associated stream was reset.

nghttp2_on_begin_headers_callback now accepts NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE as return code just like nghttp2_on_header_callback.

h2load now effectively disables flow control by setting large window size. Previously h2load used default flow control window as described in HTTP/2 and SPDY specification. The window size is 64KiB, which is a bit small, and cannot utilize full server performance when response size is not too small. Basically, we do this kind of benchmarking test to measure server’s throughput, and optimal performance. Smaller window certainly degrades performance even in local testing because server is so fast that it has to wait for WINDOW_UPDATE from h2load. To make default behaviour suitable for peak performance test, we decided to disable flow control in h2load by setting large enough window size. Most users used h2load without -w or -W options, so they were implicitly throttled by flow control and the result was affected by that negatively. Now flow control is disabled by default, the result may improve depending on the implementations.

libnghttp2_asio server’s listen_and_serve function now takes asynchronous parameter, and if it is true, the function returns immediately and caller can gracefully shutdown server. This patch was contributed from Xiaoguang Sun.