Overview of new features in Apache HTTP Server 2.6

Core Enhancements ¶

ContentDigest directive and Content-MD5 header

The ContentDigest directive and support for the the Content-MD5 header has been removed from the server, corresponding with the removal of this header from RFC 7231 Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content.

Listen directive options

The Listen directive now supports an optional options=... argument, allowing per-listener socket options to be configured, including the multipathtcp option to enable Multipath TCP where supported by the platform.

Asynchronous filtering and write completion

The new AsyncFilter directive declares which filter types support asynchronous handling, and support for asynchronous write completion has been extended throughout the core. This underpins the asynchronous proxying and WebSocket handling described below.

HTTP/1.1 strictness controls

New core directives give finer control over HTTP/1.1 conformance: HttpExpectStrict controls whether a 417 is returned when a client omits a 100-Continue expectation, and HttpContentLengthHeadZero controls Content-Length handling for HEAD requests.

Per-context log level overrides

The new LogLevelOverride directive allows the log level to be overridden for individual client IP addresses, easing targeted debugging on a live server.

systemd socket activation

httpd can now be configured to start via systemd socket activation.

New DefaultStateDir directive.

The DefaultStateDir directive has been added to specify a directory for storing persistent state.

Zone/scope support in IPv6 addresses

If built against APR 1.7.0 or later, zones (scopes) can be specified in an IPv6 link-local address used with the Listen or VirtualHost directive.

New Modules ¶

mod_auth_bearer, mod_autht_core, mod_autht_jwt

A new authentication-token (autht) provider framework has been added alongside the existing authn/authz provider stacks. mod_auth_bearer implements RFC 6750 Bearer token authentication as a front-end (analogous to mod_auth_basic), mod_autht_core hosts the autht provider registry, and mod_autht_jwt provides JSON Web Token signing and verification.

mod_crypto

This new module can encrypt and decrypt request and response bodies via input and output filters, using the APR crypto drivers.

mod_journald, mod_syslog

These new modules provide support for logging to syslog or journald.

mod_log_json

This new module provides structured access logging in JSON format.

mod_proxy_beacon

This new module lets back-end reverse-proxy servers announce themselves over a UDP datagram channel so that they are automatically added to their front-end proxy balancer.

mod_allowhandlers

This new module restricts which handlers may run in a given context, providing an additional layer of access control.

Module Enhancements ¶

mod_ssl

The following mod_ssl enhancements are included:

• SSLRandomSeed directive is now deprecated and is ignored if building against OpenSSL 1.1.1 or later.
• The SSLKEYLOGFILE environment variable can now be set to log private key material for off-line decryption of SSL/TLS protocol dumps using third-party tools.
• The new SSLPolicy directive allows a named bundle of SSL settings to be defined once and applied to multiple virtual hosts.

mod_proxy, mod_proxy_wstunnel

Proxying can now run asynchronously under the event MPM, freeing worker threads while waiting on slow back-ends. This includes asynchronous handling of Upgraded protocols and WebSockets, tuned by the new ProxyAsyncDelay, ProxyAsyncIdleTimeout, ProxyWebsocketAsyncDelay and ProxyWebsocketIdleTimeout directives.

mod_http2

HTTP/2 gains support for bootstrapping WebSockets as described in RFC 8441 (enabled with the new H2WebSockets directive), the new H2EarlyHint directive for adding headers carried in a 103 Early Hints response, and accurate accounting of bytes sent for the %O log format.

mod_dav

WebDAV gains directory quota support (DAVquota), Microsoft WebDAV protocol extensions (DAVMSext), the DAVHonorMtimeHeader and DAVLockDBType directives, and improved strong-ETag compliance.

Other module enhancements

mod_autoindex adds IndexForbiddenReturn404; mod_mime adds MimeOptions; and mod_session_cookie adds SessionCookieMaxAge.

mod_cgid

If configured with --enable-cgid-fdpassing, the CGI daemon will set up stderr handling in the same way as mod_cgi.

Program Enhancements ¶

htpasswd

The htpasswd utility can now generate SHA-256 or SHA-512 crypt() hashes where supported by the C library.

Module Developer Changes ¶

Core / HTTP module separation

A large amount of code has been moved out of the http module into the core server — including the default handler, the default input and output filters, and the core configuration directives — so that the server can run with or without the HTTP module loaded. As part of this work ap_set_etag() moved from the http module into the core.

New metadata bucket types and HTTP filter split

New REQUEST, RESPONSE and HEADERS metadata bucket types have been added to the API, along with a new method for setting the standard Date and Server response headers and helpers for formatting parts of HTTP/1.x (headers, end chunks) for reuse outside the core, e.g. in mod_proxy. The HTTP_IN filter has been split into a generic-HTTP filter and an HTTP/1.x-specific HTTP1_BODY_IN filter, and a new body_indeterminate flag on request_rec indicates that a request body may be present and must be read or discarded.

Strong ETag support and request binary notes

A concept of "binary notes" has been added to request_rec, allowing packed bit flags to be set on a request. The first such note, AP_REQUEST_STRONG_ETAG, lets modules force a strong ETag to comply with RFC requirements such as those mandated by various WebDAV extensions. New functions ap_make_etag_ex() and ap_set_etag_fd() give full control over ETag generation.

New type ap_method_mask_t.

The ap_method_mask_t type has been added and is now used for the method_mask field in ap_method_list_t, AP_METHOD_BIT, allowed field of request_rec, limited field of cmd_parms.

mod_ssl.h mod_ssl API changes.

The ssl_var_lookup optional function API now takes a const char *name argument and returns a const char * string value. The pool argument must now be non-NULL.

Removed APIs

Corresponding with the removal of the Content-MD5 header, the ap_md5digest() and ap_md5contextTo64() functions have been removed.

The developer documentation contains a detailed list of API changes.