H2O - the optimized HTTP/1, HTTP/2, HTTP/3 server

H2O - an optimized HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3 (experimental)


Copyright (c) 2014-2019 DeNA Co., Ltd., Kazuho Oku, Tatsuhiko Kubo, Domingo Alvarez Duarte, Nick Desaulniers, Marc Hörsken, Masahiro Nagano, Jeff Marrison, Daisuke Maki, Laurentiu Nicola, Justin Zhu, Tatsuhiro Tsujikawa, Ryosuke Matsumoto, Masaki TAGAWA, Masayoshi Takahashi, Chul-Woong Yang, Shota Fukumori, Satoh Hiroh, Fastly, Inc., David Carlier, Frederik Deweerdt, Jonathan Foote, Yannick Koechlin, Harrison Bowden, Kazantsev Mikhail

H2O is a new generation HTTP server. Not only is it very fast, it also provides much quicker response to end-users when compared to older generations of HTTP servers.

Written in C and licensed under the MIT License, it can also be used as a library.

For more information, please refer to the documentation at h2o.examp1e.net.

Reporting Security Issues

Please report vulnerabilities to [email protected]. See SECURITY.md for more information.

Comments
  • Change SSL config to more secure defaults:


    • Minimum TLSv1.2
    • Cipher suite default: ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
    • Switch to server preference for cipher choice

    ssllabs.com https://www.ssllabs.com/ssltest/analyze.html?d=yay.im

    This is rejecting a number of (admittedly very old) clients so we might want to loosen the defaults a bit?

  • Add some validation for headers in characters


    We add strict validation for the headers that are present in the header name and the header field. We have a special case for pseudo headers, since there's a limited list of those that are allowed.

  • h2o ad-hoc tracer


    Hello

    Here's a first proof-of-concept regarding an ad-hoc tracer for h2o based off dtrace probes. The aim was to be cost free when not attached, and still performant under load.

    I implemented a small test client for it in python using EBPF/BCC, but any language can be used really. The script is here, and would require BCC. I pasted a sample output below.

    The PR implements a communication socket to the tracing program. It allows stopping any tracing processing if the tracer program disconnects or crashes, and also allows some lightweight communication to filter out some events from being processed. This socket port is settable using the config below.

    Cheers !

    listen:
        port: 4321
        tracing: ON
    
    % sudo ./picotracer.py `pgrep h2o`
    >> 1553636178731756      36    SSLNew            TLSv1.3 AES256-GCM 0x7ff626ffcac0
    >> 1553636178731756      36    NewConnH2         10.0.2.15:9090 10.0.2.15:34200
    >> 1553636178731756      36    RxHeader          user-agent curl/7.64.0
    >> 1553636178731756      36    RxHeader          accept */*
    >> 1553636178731756      36    NewReq            HTTP/2 GET /assets/2.ts
    >> 1553636178731756      36    Proxy             [unix:/tmp/h2o.sock]
    >> 1553636178731756      36    ProxyTxHdr        user-agent curl/7.64.0
    >> 1553636178731756      36    ProxyTxHdr        accept */*
    >> 1553636178731756      36    ProxyNewReq       HTTP/1.1 GET /assets/2.ts
    >> 1553636178731756      36    ProxyRxHdr        date Tue, 26 Mar 2019 21:36:18 GMT
    >> 1553636178731756      36    ProxyRxHdr        content-type video/mp2t
    >> 1553636178731756      36    ProxyRxHdr        last-modified Mon, 06 Aug 2018 09:07:10 GMT
    >> 1553636178731756      36    ProxyRxHdr        etag "5b680fbe-1a8780"
    >> 1553636178731756      36    ProxyRxHdr        accept-ranges bytes
    >> 1553636178731756      36    ProxyNewRes       HTTP/1.1 200 len: 1738624
    >> 1553636178731756      36    TxHeader          date Tue, 26 Mar 2019 21:36:18 GMT
    >> 1553636178731756      36    TxHeader          content-type video/mp2t
    >> 1553636178731756      36    TxHeader          last-modified Mon, 06 Aug 2018 09:07:10 GMT
    >> 1553636178731756      36    TxHeader          etag "5b680fbe-1a8780"
    >> 1553636178731756      36    TxHeader          accept-ranges bytes
    >> 1553636178731756      36    NewRes            HTTP/2 200 len: 1738624
    
  • Broken http/1.1 chunked body is silently relayed


    When a transfer-encoding:chunked transfer is interrupted in the backend by a connection close, H2O currently just closes the frontend stream. This makes it not possible for the client to know that it's receiving truncated data, whereas it would be possible over plain HTTP/1.1, since the last chunk would be missing - Chrome and curl both report errors on truncated HTTP/1.1 chunked transfers, FF and Safari do not, as far as I can tell -. This adds a test that checks that a broken transfer-encoding:chunked transfer is translated into a RST_STREAM over H2.

  • (h2o), uid 80: exited on signal 6


    Just a question: I sometimes get a lot of these in the kernel log messages on FreeBSD and HardenedBSD systems running h2o.

    pid 56341 (h2o), uid 80: exited on signal 6
    

    Is this to be expected? Why does it exit so often?

    Note, there is nothing to be found in the h2o error log and neither in the php-fpm.log.

  • help: mruby handler & FreeBSD


    I'm trying to wrap my head around these mruby handlers used by h2o. I'm on h2o 1.7.0 from FreeBSD ports. This is what I'm trying right now, found at https://github.com/h2o/h2o/pull/405#issuecomment-136281330

    hosts:
      default:
        paths:
          "/":
            mruby.handler: |
              H2O.return 403, "Access Forbidden", "I will never show you this!"
    

    When I try to start h2o, I get:

    Starting h2o.
    [/usr/local/etc/h2o/h2o.conf:58] unknown command: mruby.handler
    /usr/local/etc/rc.d/h2o: WARNING: failed to start h2o
    

    What am I doing wrong?

  • support basic-authentication using .htpasswd


    Tasks:

    • [ ] bundle mruby-string-crypt
    • [ ] adjust http://lowreal.net/2015/11/17/1 to read the password file, and bundle it

    Format of htpasswd file is specified in https://httpd.apache.org/docs/2.2/misc/password_encryptions.html.

    relates to #203

  • Quic protocol support


    Any plans for supporting QUIC?

    It seems that currently QUIC doesn't have a lot of changes over the HTTP2 (same HPACK, same semantics) layer; instead its main focus is to improve upon TCP, by replacing it with UDP. I wonder if you've thought about it? I'm searching for a high performance QUIC/HTTP2 webserver.

    I guess, ideally, it would be only a matter of swapping the TCP under the current HTTP implementation, with QUIC's UDP replacement. But I guess it isn't that easy? Isn't it?

    How would you do it if you were to work on it?

    Thanks.

  • No error status code received while stress testing h2o


    Hello,

    I am trying to stress test h2o using h2load. Whenever a large number of requests fail, h2load doesn't report any error status codes. I suppose it is not getting the response code from h2o.

     h2load -n200000 -c1 -m100 -i ~/h2o-1.5.0-beta2/SCRIPTS/all_urls.txt
    
    
    starting benchmark...
    spawning thread #0: 1 total client(s). 200000 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Server Temp Key: ECDH P-256 256 bits
    Application protocol: h2
    progress: 10% done
    
    finished in 4.65s, 5956.86 req/s, 30.54MB/s
    requests: 200000 total, 27826 started, 200000 done, 27726 succeeded, 172274 failed, 172274 errored, 0 timeout
    status codes: 27726 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 149060220 bytes total, 1443027 bytes headers (space savings 71.53%), 147058038 bytes data
                         min         max         mean         sd        +/- sd
    time for request:     3.92ms    106.90ms     14.17ms     10.23ms    86.44%
    time for connect:     5.10ms      5.10ms      5.10ms         0us   100.00%
    time to 1st byte:    14.04ms     14.04ms     14.04ms         0us   100.00%
    req/s           :    5958.32     5958.32     5958.32        0.00   100.00%
    

    As you can see, a great many requests have failed but no error status code has been reported. Also, I'd like to ask: is it fine that such a large number of requests are failing?

  • Add channel class and task method for parallel processing in mruby


    This PR is for https://github.com/h2o/h2o/issues/1329

    TODO:

    • [x] add queue for when ch.push is called before ch.shift
    • [x] add tests
    • [x] use script to create embedded code
  • [http2] Server-driven priorities


    This PR adds an initial absolute priority header support based on draft-kazuho-httpbis-priority-04.

    This PR is an initial prototype and has several assumptions:

    • Back-end (e.g. file handler, reverse proxy origin) adds the priority header.
    • Request priorities from a client are modified based on back-end priority headers.
    • As for client-generated priorities, only assumes Chromium-style dependency tree (linear, weight-sorted list)
    • Only urgency parameter is interpreted. incremental parameter is ignored at the moment.
  • to avoid compiler warnings, use c99 flexible array member notation

    We have been using -std=c99 for some time though we have refrained from using all features of C99. It would be reasonable to assume that all compilers support FAM.

    We might start seeing compile errors with C++ projects using libh2o, because yoml.h included by h2o.h is now using FAM. If that turns out to be an issue, then we can fix it.

  • Uploads hang (~16 Mo or ~22s), no data transmitted to "proxy.reverse.url"

    Hello!

    The issue is 100% reproducible on my setup so if you need more info, please tell me.

    When uploading a file (to WordPress or PhpMyAdmin), h2o stops reading data after ~15/16 MB or after ~22s.

    ssldump can't decrypt public traffic because RSA is not used. tcpdump shows that no data is transferred to Apache (proxy.reverse.url).

    h2o receives data from the browser, buffers it and then it stops.

    No errors (either HTTP or in log files), no TCP reset, no HTTP Headers sent to proxy (ie: POST), nothing: it just hangs.

    I have double-checked the Apache and PHP config files; everything seems fine, but it does not matter because no data is transmitted to Apache.

    Have a great day. :)

    ---

    Browser -> Internet -> H2O (public IP) -> proxy.reverse.url -> Apache (internal IP)

    h2o was compiled last night using commit 7e99771.

    • limit-request-body (undefined so 1 GB)
    • handshake-timeout: 10
    • temp-buffer-threshold: 100663296 (96 MB)
    • http1-request-timeout: 30
    • http2-idle-timeout: 30
    • http2-graceful-shutdown-timeout: 30
    • proxy.timeout.first_byte: 900000 (I know, this is insane...)
    • proxy.timeout.keepalive: 30000
    • proxy.reverse.url: "http://10.31.0.8:80/"
  • build error with musl alpine


    try with master branch. get this error:

    h2o/lib/common/memory.c:615:12: warning: incompatible integer to pointer conversion returning 'int' from a function with result type 'char *' [-Wint-conversion]
        return strerror_r(err, buf, len);
               ^~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from h2o/lib/common/redis.c:23:
    In file included from h2o/include/h2o/redis.h:25:
    In file included fromh2o/include/h2o/socket.h:32:
    /usr/include/linux/errqueue.h:57:20: error: array has incomplete element type 'struct timespec'
            struct timespec ts[3];
                              ^
    /usr/include/sys/socket.h:68:8: note: forward declaration of 'struct timespec'
    struct timespec;
    
    

    Adding a cmake option to allow building without hiredis or libyrmcds would be great; when used as a library, hiredis/yrmcds is not used in many cases.

  • Trying to setup PHP on H2O, but it's not working


    Hey guys,

    I'm following the instructions on your website about how to get this done, I have h2o on an Ubuntu Server 22.04, php is installed as fpm, this is how I configured h2o:

    server-name: "h2o (Debian)"
    user: www-data
    access-log: "|rotatelogs -l -f -L /var/log/h2o/access.log -p /usr/share/h2o/compress_logs /var/log/h2o/access.log.%Y-%m-%d 86400"
    error-log: "|rotatelogs -l -f -L /var/log/h2o/error.log -p /usr/share/h2o/compress_logs /var/log/h2o/error.log.%Y-%m-%d 86400"
    pid-file: /run/h2o.pid

    listen:
      port: 80

    hosts:
      default:
        paths:
          /:
            file.dir: /var/www/html
            fastcgi.connect:
              port: /var/run/php/php8.1-fpm.sock
              type: unix
          /server-status:
            status: ON

    But it didn't work, then I added this:

    file.custom-handler:
      extension: .php
      fastcgi.spawn: "PHP_FCGI_CHILDREN=10 exec /usr/bin/php"

    But still nothing.

    I have never worked with h2o before, so I know I'm missing something, just don't know what, any ideas what I might be missing?

  • doc: Fix tls minimum protocol version


    Fixes #3026

    It seems that we can set min_version: TLSv1.3, which can be found in src/main.c below. https://github.com/h2o/h2o/blob/36a23af525d2b4a2249d7a36191b6de74c71c6be/src/main.c#L1185-L1204

    The official docs say we can restrict only up to TLSv1.2. That seems to differ from the actual behavior; I don't know why it is incorrect. We would prefer to fix this doc.

    https://h2o.examp1e.net/configure/base_directives.html#listen

    minimum-version:
    minimum protocol version, should be one of: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2. Default is TLSv1
    
    
A collection of C++ HTTP libraries including an easy to use HTTP server.

Proxygen: Facebook's C++ HTTP Libraries This project comprises the core C++ HTTP abstractions used at Facebook. Internally, it is used as the basis fo

Oct 2, 2022
Pushpin is a reverse proxy server written in C++ that makes it easy to implement WebSocket, HTTP streaming, and HTTP long-polling services.

Pushpin is a reverse proxy server written in C++ that makes it easy to implement WebSocket, HTTP streaming, and HTTP long-polling services. The project is unique among realtime push solutions in that it is designed to address the needs of API creators. Pushpin is transparent to clients and integrates easily into an API stack.

Sep 28, 2022
Gromox - Groupware server backend with MAPI/HTTP, RPC/HTTP, IMAP, POP3 and PHP-MAPI support for grommunio

Gromox is the central groupware server component of grommunio. It is capable of serving as a replacement for Microsoft Exchange and compatibles. Conne

Sep 23, 2022
LAppS - Lua Application Server for micro-services with default communication over WebSockets. The fastest and most vertically scalable WebSockets server implementation ever. Low latency C++ <-> Lua stack roundtrip.

LAppS - Lua Application Server This is an attempt to provide very easy to use Lua Application Server working over WebSockets protocol (RFC 6455). LApp

Apr 25, 2022
Windows named pipe server that forwards connections to given TCP server

PipeTcp An asynchronous Windows named pipe server that forwards connections to given TCP server. Pre-built binaries can be found in Releases. Invocati

May 23, 2022
A small data-oriented and SIMD-optimized 3D rigid body physics library.

nudge Nudge is a small data-oriented and SIMD-optimized 3D rigid body physics library. For more information, see: http://rasmusbarr.github.io/blog/dod

Sep 12, 2022
An optimized Webcash mining daemon.

Webminer An experimental vector-accelerated CPU miner for the Webcash electronic payment network. Webminer is tested and known to work on recent versi

Aug 21, 2022
Cross-platform, efficient, customizable, and robust asynchronous HTTP/WebSocket server C++14 library with the right balance between performance and ease of use

What Is RESTinio? RESTinio is a header-only C++14 library that gives you an embedded HTTP/Websocket server. It is based on standalone version of ASIO

Sep 24, 2022
A C++ header-only HTTP/HTTPS server and client library

cpp-httplib A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to setup. Just include the httplib.h file in your c

Sep 26, 2022
Ultra fast and low latency asynchronous socket server & client C++ library with support TCP, SSL, UDP, HTTP, HTTPS, WebSocket protocols and 10K connections problem solution

CppServer Ultra fast and low latency asynchronous socket server & client C++ library with support TCP, SSL, UDP, HTTP, HTTPS, WebSocket protocols and

Sep 28, 2022
C++ library for creating an embedded Rest HTTP server (and more)

The libhttpserver reference manual Tl;dr libhttpserver is a C++ library for building high performance RESTful web servers. libhttpserver is built upon

Sep 27, 2022
Mongoose Embedded Web Server Library - a multi-protocol embedded networking library with TCP/UDP, HTTP, WebSocket, MQTT built-in protocols, async DNS resolver, and non-blocking API.

Mongoose - Embedded Web Server / Embedded Networking Library Mongoose is a networking library for C/C++. It implements event-driven non-blocking APIs

Sep 28, 2022
cherry: A Minimal HTTP Server

cherry: A Minimal HTTP Server Inspired by the Capriccio project and the Zaver HTTP server, cherry started out as an experimental project trying to inc

Feb 21, 2022
http server code by c

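Lamphttp HTTP service. Lamphttp is an HTTP server implemented in C. There are already a great many HTTP servers available, such as the famous Nginx, so what is the point of Lamphttp? Lamphttp exists mainly to understand the implementation of the layer between TCP/IP and HTTP; put plainly, it is meant for learning. Although Lam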

Jul 30, 2022
Phorklift is an HTTP server and proxy daemon, with clear, powerful and dynamic configuration.

Phorklift is an HTTP server and proxy daemon, with clear, powerful and dynamic configuration.

Mar 1, 2022
kleinsHTTP: A stupid stupidly simple http server.

kleinsHTTP: A stupid stupidly simple http server. About I wanted to create an api server using C++ as it is my favorite language however i was unable

Jun 24, 2022
prometheus exporter using workflow HTTP server

wfprometheus This is a light prometheus exporter using workflow HTTP server. This project is currently in the development stage, and the first version

Oct 23, 2021
websocket and http client and server library, coming with ws, a command line swiss army knife utility

Hello world IXWebSocket is a C++ library for WebSocket client and server development. It has minimal dependencies (no boost), is very simple to use an

Sep 18, 2022
Tiny HTTP Server on C, using only standard libraries

hell_o Linux only. Tiny HTTP Server on C, using only standard libraries. It is unfinished yet, going to add working interface and rewrite handler late

Feb 1, 2022