Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 2.3.11 Changelog
  • mod_win32: Added shebang check for '! so that .vbs scripts work as CGI. Win32's cscript interpreter can only use a single quote as comment char. [Guenter Knauf]
  • mod_proxy: balancer-manager now uses POST instead of GET. [Jim Jagielski]
  • core: new util function: ap_parse_form_data(). Previously, this capability was tucked away in mod_request. [Jim Jagielski]
  • core: new hook: ap_run_pre_read_request. [Jim Jagielski]
  • modules: Fix many modules that were not correctly initializing if they were not active during server startup but got enabled later during a graceful restart. [Stefan Fritsch]
  • core: Create new ap_state_query function that allows modules to determine if the current configuration run is the initial one at server startup, and if the server is started for testing/config dumping only. [Stefan Fritsch]
  • mod_proxy: Runtime configuration of many parameters for existing balancers via the balancer-manager. [Jim Jagielski]
  • mod_proxy: Runtime addition of new workers (BalancerMember) for existing balancers via the balancer-manager. [Jim Jagielski]
  • mod_cache: When a bad Expires date is present, we need to behave as if the Expires is in the past, not as if the Expires is missing. PR 16521. [Co-Advisor ]
  • mod_cache: We must ignore quoted-string values that appear in a Cache-Control header. PR 50199. [Graham Leggett]
  • mod_dav: Revert change to send 501 error if unknown Content-* header is received for a PUT request. PR 42978. [Stefan Fritsch]
  • mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must take precedence if present. PR 35247. [Graham Leggett]
  • mod_ssl: Fix a possible startup failure if multiple SSL vhosts are configured with the same ServerName and private key file. [Masahiro Matsuya , Joe Orton]
  • mod_socache_dc: Make module compile by fixing some typos. PR 50735 [Mark Montague ]
  • prefork: Update MPM state in children during a graceful stop or restart. PR 41743. [Andrew Punch ]
  • mod_mime: Ignore leading dots when looking for mime extensions. PR 50434 [Stefan Fritsch]
  • core: Add support to set variables with the 'Define' directive. The variables that can then be used in the config using the ${VAR} syntax known from envvar interpolation. [Stefan Fritsch]
  • mod_proxy_http: make adding of X-Forwarded-* headers configurable. ProxyAddHeaders defaults to On. [Vincent Deffontaines]
  • mod_slotmem_shm: Increase memory alignment for slotmem data. [Rainer Jung]
  • mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout, SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew. [Kaspar Brand ]
  • mod_ssl: Revamp output buffering to reduce network overhead for output fragmented into many buckets, such as chunked HTTP responses. [Joe Orton]
  • core: Apply sections to all requests, not only to file base requests. Allow to use inside , , and sections. The merging of sections now happens after the merging of sections, even if an section is embedded inside a or section. [Stefan Fritsch]
  • mod_proxy: Refactor usage of shared data by dropping the scoreboard and using slotmem. Create foundation for dynamic growth/changes of members within a balancer. Remove BalancerNonce in favor of a per-balancer 'nonce' parameter. [Jim Jagielski]
  • mod_status: Don't show slots which are disabled by MaxClients as open. PR 47022 [Jordi Prats , Stefan Fritsch]
  • mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and AP_MPMQ_MAX_THREADS.
  • mod_authz_core: Fix bug in merging logic if user-based and non-user-based authorization directives were mixed. [Stefan Fritsch]
  • mod_authn_socache: change directive name from AuthnCacheProvider to AuthnCacheProvideFor. The term "provider" is overloaded in this module, and we should avoid confusion between the provider of a backend (AuthnCacheSOCache) and the authn provider(s) for which this module provides cacheing (AuthnCacheProvideFor). [Nick Kew]
  • mod_proxy_http: Allocate the fake backend request from a child pool of the backend connection, instead of misusing the pool of the frontend request. Fixes a thread safety issue where buckets set aside in the backend connection leak into other threads, and then disappear when the frontend request is cleaned up, in turn causing corrupted buckets to make other threads spin. [Graham Leggett]
  • mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and escape other special characters with backslashes. The old format can still be used with the LegacyDNStringFormat argument to SSLOptions.
  • core, mod_rewrite: Make the REQUEST_SCHEME variable available to scripts and mod_rewrite. [Stefan Fritsch]
  • mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in RewriteCond. [Stefan Fritsch]
  • mod_rewrite: Allow to unset environment variables using E=!VAR. PR 49512. [Mark Drayton , Stefan Fritsch]
  • mod_headers: Restore the 2.3.8 and earlier default for the first argument of the Header directive ("onsuccess"). [Eric Covener]
  • core: Disallow the mixing of relative and absolute Options PR 33708. [Sönke Tesch ]
  • core: When exporting request headers to HTTP_* environment variables, drop variables whose names contain invalid characters. Describe in the docs how to restore the old behaviour. [Malte S. Stretz ]
  • core: When selecting an IP-based virtual host, favor an exact match for the port over a wildcard (or omitted) port instead of favoring the one that came first in the configuration file. [Eric Covener]
  • core: Overlapping virtual host address/port combinations now implicitly enable name-based virtual hosting for that address. The NameVirtualHost directive has no effect, and _default_ is interpreted the same as "*". [Eric Covener]
  • core: In the absence of any Options directives, the default is now "FollowSymlinks" instead of "All". [Igor Galić]
  • rotatelogs: Add -e option to write logs through to stdout for optional further processing. [Graham Leggett]
  • mod_ssl: Correctly read full lines in input filter when the line is incomplete during first read. PR 50481. [Ruediger Pluem]
  • mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization fails for an authenticated user. PR 40721. [Stefan Fritsch]