Overview of new features in Apache HTTP Server 2.4
This document describes some of the major changes between the 2.2 and 2.4 versions of the Apache HTTP Server. For new features since version 2.0, see the 2.2 new features document.
- Run-time Loadable MPMs
- Multiple MPMs can now be built
as loadable modules at compile time.
The MPM of choice can be configured at run time via
- Event MPM
- The Event MPM is no longer experimental but is now fully supported.
- Asynchronous support
- Better support for asynchronous read/write for supporting MPMs and platforms.
- Per-module and per-directory LogLevel configuration
LogLevelcan now be configured per module and per directory. New levels
trace8have been added above the
- Per-request configuration sections
<Else>sections can be used to set the configuration based on per-request criteria.
- General-purpose expression parser
- A new expression parser allows to specify
complex conditions using a common syntax
in directives like
<If>, and others.
- KeepAliveTimeout in milliseconds
- It is now possible to specify
- NameVirtualHost directive
- No longer needed and is now deprecated.
- Override Configuration
- The new
AllowOverrideListdirective allows more fine grained control which directives are allowed in
- Config file variables
- It is now possible to
Definevariables in the configuration, allowing a clearer representation if the same value is used at many places in the configuration.
- Reduced memory usage
- Despite many new features, 2.4.x tends to use less memory than 2.2.x.
- FastCGI Protocol backend for
- SCGI Protocol backend for
- Provides dynamically configured mass reverse proxies for
- Replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxies or a load balancer via the request headers.
mod_proxy_balancerto base loadbalancing decisions on the number of active connections on the backend servers.
- Formerly a third-party module, this supports fixing of HTML links in a reverse proxy situation, where the backend generates URLs that are not valid for the proxy's clients.
- An advanced replacement of
mod_substitute, allows to edit the response body with the full power of sed.
- Enables form-based authentication.
- Enables the use of session state for clients, using cookie or database storage.
- New module to restrict certain HTTP methods without interfering with authentication or authorization.
- Embeds the Lua language into httpd, for configuration and small business logic functions. (Experimental)
- Allows the addition of customizable debug logging at different phases of the request processing.
- Provides for buffering the input and output filter stacks
- Convert response body into an RFC2397 data URL
- Provides Bandwidth Rate Limiting for Clients
- Provides Filters to handle and make available HTTP request bodies
- Provides Reflection of a request body as a response via the output filter stack.
- Provides a Slot-based shared memory provider (ala the scoreboard).
- Formerly a third-party module, this supports internationalisation in libxml2-based (markup-aware) filter modules.
mod_macro(available since 2.4.5)
- Provide macros within configuration files.
mod_proxy_wstunnel(available since 2.4.5)
- Support web-socket tunnels.
mod_authnz_fcgi(available since 2.4.10)
- Enable FastCGI authorizer applications to authenticate and/or authorize clients.
mod_http2(available since 2.4.17)
- Support for the HTTP/2 transport layer.
mod_proxy_hcheck(available since 2.4.21)
- Support independent dynamic health checks for remote proxiy backend servers.
mod_sslcan now be configured to use an OCSP server to check the validation status of a client certificate. The default responder is configurable, along with the decision on whether to prefer the responder designated in the client certificate itself.
mod_sslnow also supports OCSP stapling, where the server pro-actively obtains an OCSP verification of its certificate and transmits that to the client during the handshake.
mod_sslcan now be configured to share SSL Session data between servers through memcached
- EC keys are now supported in addition to RSA and DSA.
- Support for TLS-SRP (available in 2.4.4 and later).
ProxyPassdirective is now most optimally configured within a
LocationMatchblock, and offers a significant performance advantage over the traditional two-parameter syntax when present in large numbers.
- The source address used for proxy requests is now configurable.
- Support for Unix domain sockets to the backend (available in 2.4.7 and later).
- More runtime configuration changes for BalancerMembers via balancer-manager
- Additional BalancerMembers can be added at runtime via balancer-manager
- Runtime configuration of a subset of Balancer parameters
- BalancerMembers can be set to 'Drain' so that they only respond to existing sticky sessions, allowing them to be taken gracefully offline.
- Balancer settings can be persistent after restarts.
mod_cacheCACHE filter can be optionally inserted at a given point in the filter chain to provide fine control over caching.
mod_cachecan now cache HEAD requests.
- Where possible,
mod_cachedirectives can now be set per directory, instead of per server.
- The base URL of cached URLs can be customised, so that a cluster of caches can share the same endpoint URL prefix.
mod_cacheis now capable of serving stale cached data when a backend is unavailable (error 5xx).
mod_cachecan now insert HIT/MISS/REVALIDATE into an X-Cache header.
- Support for the 'onerror' attribute within an 'include' element, allowing an error document to be served on error instead of the default error string.
- Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped. Environment Variables in Apache has some pointers on how to work around broken legacy clients which require such headers. (This affects all modules which use these environment variables.)
mod_authz_coreAuthorization Logic Containers
- Advanced authorization logic may now be specified using the
Requiredirective and the related container directives, such as
[QSD](Query String Discard) and
RewriteRuleto simplify common rewriting scenarios.
- Adds the possibility to use complex boolean expressions in
- Allows the use of SQL queries as
mod_authnz_ldapadds support for nested groups.
LDAPTimeout, and other improvements in the handling of timeouts. This is especially useful for setups where a stateful firewall drops idle connections to the LDAP server.
LDAPLibraryDebugto log debug information provided by the used LDAP toolkit.
mod_infocan now dump the pre-parsed configuration to stdout during server startup.
- New generic mechanism to fake basic authentication (available in 2.4.5 and later).
- New FastCGI daemon starter utility
- Current cached URLs can now be listed, with optional metadata included.
- Allow explicit deletion of individual cached URLs from the cache.
- File sizes can now be rounded up to the given block size, making the size limits map more closely to the real size on disk.
- Cache size can now be limited by the number of inodes, instead of or in addition to being limited by the size of the files on disk.
- May now create a link to the current log file.
- May now invoke a custom post-rotate script.
- Support for the bcrypt algorithm (available in 2.4.4 and later).
mod_rewritedocumentation has been rearranged and almost completely rewritten, with a focus on examples and common usage, as well as on showing you when other solutions are more appropriate. The Rewrite Guide is now a top-level section with much more detail and better organization.
mod_ssldocumentation has been greatly enhanced, with more examples at the getting started level, in addition to the previous focus on technical details.
- Caching Guide
- The Caching Guide has been rewritten
to properly distinguish between the RFC2616 HTTP/1.1 caching
features provided by
mod_cache, and the generic key/value caching provided by the socache interface, as well as to cover specialised caching provided by mechanisms such as
- Check Configuration Hook Added
- A new hook,
check_config, has been added which runs between the
open_logshooks. It also runs before the
test_confighook when the
-toption is passed to
check_confighook allows modules to review interdependent configuration directive values and adjust them while messages can still be logged to the console. The user can thus be alerted to misconfiguration problems before the core
open_logshook function redirects console output to the error log.
- Expression Parser Added
- We now have a general-purpose expression parser, whose API is
exposed in ap_expr.h. This is adapted from the
expression parser previously implemented in
- Authorization Logic Containers
- Authorization modules now register as a provider, via
ap_register_auth_provider(), to support advanced authorization logic,
- Small-Object Caching Interface
- The ap_socache.h header exposes a provider-based
interface for caching small data objects, based on the previous
implementation of the
mod_sslsession cache. Providers using a shared-memory cyclic buffer, disk-based dbm files, and a memcache distributed cache are currently supported.
- Cache Status Hook Added
mod_cachemodule now includes a new
cache_statushook, which is called when the caching decision becomes known. A default implementation is provided which adds an optional
X-Cache-Detailheader to the response.
The developer documentation contains a detailed list of API changes.