From: Jim Jagielski
Date: Mon, 8 Jun 2026 18:54:53 +0000 (+0000)
Subject: As we think about trunk and 2.4.x, let's better document/list/assess the
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=e4ed7e2cea705f32a65d039a16c397c49fec0251;p=thirdparty%2Fapache%2Fhttpd.git

As we think about trunk and 2.4.x, let's better document/list/assess the
diffs between these 2 branches, using LLMs as an aid in this analysis

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935151 13f79535-47bb-0310-9956-ffa450edef68
--- diff --git a/docs/manual/new_features_2_6.xml b/docs/manual/new_features_2_6.xml index d11c6251bc..808e2f034b 100644 --- a/docs/manual/new_features_2_6.xml +++ b/docs/manual/new_features_2_6.xml @@ -45,7 +45,30 @@
The Listen directive now supports an optional options=... argument, allowing per-listener socket options to be - configured.
+ configured, including the multipathtcp option to + enable Multipath TCP where supported by the platform. + +
Asynchronous filtering and write completion
+
The new AsyncFilter + directive declares which filter types support asynchronous + handling, and support for asynchronous write completion has been + extended throughout the core. This underpins the asynchronous + proxying and WebSocket handling described below.
+ +
HTTP/1.1 strictness controls
+
New core directives give finer control over HTTP/1.1 + conformance: HttpExpectStrict + controls whether a 417 is returned when a client + omits a 100-Continue expectation, and + HttpContentLengthHeadZero + controls Content-Length handling for + HEAD requests.
+ +
Per-context log level overrides
+
The new LogLevelOverride + directive allows the log level to be overridden for individual + client IP addresses, easing targeted debugging on a live + server.
systemd socket activation
httpd can now be configured to start via @@ -71,13 +94,39 @@
New Modules
- +
mod_auth_bearer, mod_autht_core, + mod_autht_jwt
+
A new authentication-token (autht) provider framework + has been added alongside the existing authn/authz provider stacks. + mod_auth_bearer implements + 6750 Bearer token authentication as a + front-end (analogous to mod_auth_basic), + mod_autht_core hosts the autht provider registry, + and mod_autht_jwt provides JSON Web Token + signing and verification.
+ +
mod_crypto
+
This new module can encrypt and decrypt request and response + bodies via input and output filters, using the APR crypto + drivers.
mod_journald, mod_syslog
These new modules provide support for logging to syslog or journald.
+
mod_log_json
+
This new module provides structured access logging in JSON + format.
+ +
mod_proxy_beacon
+
This new module lets back-end reverse-proxy servers announce + themselves over a UDP datagram channel so that they are + automatically added to their front-end proxy balancer.
+ +
mod_allowhandlers
+
This new module restricts which handlers may run in a given + context, providing an additional layer of access control.
+
@@ -93,14 +142,50 @@
  • The SSLKEYLOGFILE environment variable can now be set to log private key material for off-line decryption of SSL/TLS protocol dumps using third-party tools.
  • +
  • The new SSLPolicy + directive allows a named bundle of SSL settings to be defined + once and applied to multiple virtual hosts.
  • +
    mod_proxy, mod_proxy_wstunnel
    +
    Proxying can now run asynchronously under the event MPM, + freeing worker threads while waiting on slow back-ends. This + includes asynchronous handling of Upgraded + protocols and WebSockets, tuned by the new + ProxyAsyncDelay, + ProxyAsyncIdleTimeout, + ProxyWebsocketAsyncDelay and + ProxyWebsocketIdleTimeout directives.
    + +
    mod_http2
    +
    HTTP/2 gains support for bootstrapping WebSockets as described + in 8441 (enabled with the new H2WebSockets + directive), the new H2EarlyHint directive for adding + headers carried in a 103 Early Hints response, and + accurate accounting of bytes sent for the %O log + format.
    + +
    mod_dav
    +
    WebDAV gains directory quota support + (DAVquota), Microsoft + WebDAV protocol extensions + (DAVMSext), the + DAVHonorMtimeHeader and DAVLockDBType + directives, and improved strong-ETag compliance.
    + +
    Other module enhancements
    +
    mod_autoindex adds + IndexForbiddenReturn404; + mod_mime adds MimeOptions; and + mod_session_cookie adds + SessionCookieMaxAge.
    +
    mod_cgid
    If configured with --enable-cgid-fdpassing, the CGI daemon will set up stderr handling in the same way as mod_cgi.
    - + @@ -114,18 +199,43 @@ -
    - Documentation -
    -
    Fill me in
    -
    The mod_example documentation fill me in.
    - -
    -
    -
    Module Developer Changes
    +
    Core / HTTP module separation
    + +
    A large amount of code has been moved out of the + http module into the core server — including the + default handler, the default input and output filters, and the + core configuration directives — so that the server can run + with or without the HTTP module loaded. As part of this work + ap_set_etag() moved from the http module + into the core.
    + +
    New metadata bucket types and HTTP filter split
    + +
    New REQUEST, RESPONSE and + HEADERS metadata bucket types have been added to the + API, along with a new method for setting the standard + Date and Server response headers and + helpers for formatting parts of HTTP/1.x (headers, end chunks) for + reuse outside the core, e.g. in mod_proxy. The + HTTP_IN filter has been split into a generic-HTTP + filter and an HTTP/1.x-specific HTTP1_BODY_IN filter, + and a new body_indeterminate flag on + request_rec indicates that a request body may be + present and must be read or discarded.
    + +
    Strong ETag support and request binary notes
    + +
    A concept of "binary notes" has been added to + request_rec, allowing packed bit flags to be set on a + request. The first such note, AP_REQUEST_STRONG_ETAG, + lets modules force a strong ETag to comply with RFC requirements + such as those mandated by various WebDAV extensions. New functions + ap_make_etag_ex() and ap_set_etag_fd() + give full control over ETag generation.
    +
    New type ap_method_mask_t.
    The ap_method_mask_t type has been added and is @@ -140,6 +250,12 @@ returns a const char * string value. The pool argument must now be non-NULL.
    +
    Removed APIs
    + +
    Corresponding with the removal of the Content-MD5 + header, the ap_md5digest() and + ap_md5contextTo64() functions have been removed.
    +

    The developer documentation contains a detailed list of API changes.
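Review bot: in the @@ -45,7 +45,30 @@ hunk of new_features_2_6.xml, the HttpExpectStrict sentence ("controls whether a 417 is returned when a client omits a 100-Continue expectation") does not say which request triggers the 417, a request carrying no Expect header at all or one whose Expect value is something other than 100-continue, nor what the default is. The same applies to HttpContentLengthHeadZero, where "controls Content-Length handling for HEAD requests" should say which behaviour each setting selects (omit the header, or send Content-Length: 0). Both directives change observable HTTP/1.1 conformance and interact with intermediaries, so a one-line statement of the trigger condition and the default for each would let operators see whether an upgrade changes wire behaviour.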
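Review bot: the mod_proxy_beacon entry in the @@ -71,13 +94,39 @@ hunk describes back-ends announcing themselves over UDP and being "automatically added to their front-end proxy balancer" without saying how a front-end decides which announcements to trust; a datagram that adds a balancer member is the first thing a reader will ask about, so the entry should name the mechanism (shared secret, source-address restriction, or whatever the ProxyBeacon* directives provide) or at least say that the module documentation covers it. In the same hunk, "implements 6750 Bearer token authentication" renders as a bare number; if the markup does not itself emit "RFC", add it, and the mod_autht_jwt sentence would benefit from one clause saying whether "signing and verification" means the module also issues tokens, since that decides whether a signing key has to live on the web tier.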
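Review bot: the mod_dav paragraph in the @@ -93,14 +142,50 @@ hunk lists DAVLockDBType among the 2.6 additions, but the httpd-trunk.md added in this same commit says in its Part 1 table that DAVLockDB/DAVLockDBType live in modules/dav/fs/ "on both branches"; one of the two is wrong, and the new-features page should only list directives genuinely absent from 2.4.x (the 2.4.x CHANGES file settles it quickly). Separately, the mod_proxy paragraph introduces ProxyAsyncIdleTimeout and ProxyWebsocketIdleTimeout without their defaults or their relationship to the existing ProxyTimeout/Timeout; since these bound how long an idle back-end or WebSocket can hold a connection under the event MPM, the entry should say whether the async path is opt-in and what applies when the new directives are unset.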
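Review bot: in the @@ -114,18 +199,43 @@ hunk, the body_indeterminate sentence ("indicates that a request body may be present and must be read or discarded") should say what happens when a handler does neither, because an unread body left on a persistent connection is how responses get paired with the wrong request; state whether the core discards it (as ap_discard_request_body() does for HTTP/1.x) or closes the connection, since module authors porting to the split HTTP_IN/HTTP1_BODY_IN filters will rely on that. The same paragraph mentions "a new method for setting the standard Date and Server response headers" and "helpers for formatting parts of HTTP/1.x" without naming the functions, while the ETag paragraph in this hunk does name ap_make_etag_ex() and ap_set_etag_fd(); naming them (or pointing at the developer API change list) makes the entry actionable.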
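Review bot: the new Removed APIs section in the @@ -140,6 +250,12 @@ hunk covers only ap_md5digest()/ap_md5contextTo64(), but the httpd-trunk.md added in this commit identifies three user-visible removals: the ContentDigest directive together with the Content-MD5 header, the unimplemented AuthDigestNonceFormat directive, and mod_dav_lock with DAVGenericLockDB. The ContentDigest and AuthDigestNonceFormat removals belong on this page too, since a 2.4.x configuration naming either is rejected as an unknown directive at startup on trunk, and the mod_dav_lock removal should point users at DAVLockDB in mod_dav_fs as the replacement.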

    diff --git a/httpd-trunk.md b/httpd-trunk.md new file mode 100644 index 0000000000..9a1bfe9c37 --- /dev/null +++ b/httpd-trunk.md 
@@ -0,0 +1,167 @@ +# Apache httpd — `trunk` (2.5.x/2.6) vs `2.4.x`: Functional Difference Analysis + +**Date:** 2026-06-08 +**Repository:** `apache/httpd` git mirror (local clone) +**Branches compared:** `trunk` (`2.5.1-dev`, MMN `20211221:31`) vs `2.4.x` (`2.4.68-dev`, MMN `20120211:142`) +**Merge base:** r-level divergence at commit `5405226ae2` (2011-11-10). Since divergence: +~12,560 commits trunk-only, ~11,446 commits 2.4.x-only. The vast majority of 2.4.x work is +back-ported trunk work; this document isolates what is genuinely *new in trunk only*. + +> Note: trunk is the development line that will become **2.6 / 2.5.x**. The bundled APR (1.7.x in +> `srclib/`) is the other big structural difference but is a build-time matter, not a runtime +> feature, so it is noted only where it gates a feature. + +--- + +## Methodology + +Differences were derived mechanically from the two branches, not from CHANGES prose (CHANGES is an +unreliable signal because most entries are later back-ported): + +1. **Module/file set diff** — `git ls-tree` of `modules/`, `server/`, `include/` across both branches. +2. **Directive diff** — every `AP_INIT_*` directive name extracted from all `.c` files in each branch + and compared (`trunk` 709 directives vs `2.4.x` 637). +3. **Reverse check** — directives/modules present in **2.4.x but absent in trunk** were individually + investigated to prove they are intentional removals, not regressions. +4. **Maturity dating** — last-commit date per trunk-only module as a back-port-readiness signal. + +--- + +## Part 1 — Confirmation: nothing in 2.4.x is missing from trunk + +The directive reverse-diff surfaced exactly **three** names present in 2.4.x but not trunk. 
All three +are **deliberate removals or obsolete code in trunk**, not regressions or missing capabilities: + +| 2.4.x-only item | Verdict | Evidence | +|-----------------|---------|----------| +| `ContentDigest` directive (+ `Content-MD5` header, `ap_md5digest()`, `ap_md5contextTo64()`) | **Intentionally removed** in trunk | trunk commit `6bf5bd6cb2`: *"core: Remove support for the Content-MD5 header, removed in RFC 7231 … and ContentDigest directive."* | +| `AuthDigestNonceFormat` (`mod_auth_digest`) | **Intentionally removed** in trunk | trunk commit `29b83f42e6`: *"Remove undocumented and unimplemented AuthDigestNonceFormat directive."* In 2.4.x it is a stub that returns `"AuthDigestNonceFormat is not implemented"`. | +| `DAVGenericLockDB` / `mod_dav_lock` module (`modules/dav/lock/`) | **Module removed** in trunk | trunk commit `f9ea103580`: *"Remove mod_dav_lock, which was useful only to provide drop-in locking for mod_dav_svn from Subversion older than 1.2.0."* Generic FS locking lives in `modules/dav/fs/` (`DAVLockDB`/`DAVLockDBType`) on both branches. | + +**Conclusion:** There is **no feature, module, directive, or capability in 2.4.x that is absent from +trunk** except by design. Trunk is a strict functional superset of 2.4.x modulo these three +deliberate deprecations. ✅ + +--- + +## Part 2 — New in trunk, NOT in 2.4.x + +### 2A. New modules (source files present only in trunk) + +| Module | Area | Purpose | Last touched | Back-port suitability | +|--------|------|---------|--------------|------------------------| +| `mod_proxy_beacon` | proxy | UDP datagram channel: backend reverse-proxy servers announce themselves and are auto-added to a front-end balancer (`ProxyBeacon*` directives). | 2026-06 | **Candidate** (actively developed; self-contained, new directives only — low ABI risk). The author is the local committer. 
| +| `mod_autht_jwt` + `mod_autht_core` | aaa | New **"authentication token" (autht) provider framework** — JWT signing/verification (`AuthtJwt*`) sitting alongside the existing authn/authz provider stacks. | 2024-03 | **Candidate, with care** — introduces a new provider category; needs the autht hook infrastructure. Pairs with `mod_auth_bearer`. | +| `mod_auth_bearer` | aaa | RFC 6750 **Bearer token** auth front-end (`AuthBearer*`), analogous to `mod_auth_basic`/`_form`. | 2023-12 | **Candidate, with care** — depends on the autht framework above. | +| `mod_crypto` | filters | Encrypt/decrypt request & response bodies as input/output filters (`Crypto*` directives). | 2024-07 | **Candidate** — self-contained filter; needs APR crypto driver (build-gated). | +| `mod_log_json` | loggers | Structured JSON access logging. | 2021-03 | **Candidate** — self-contained logger. | +| `mod_journald` | loggers | Log to systemd `journald`. | 2020-04 | **Candidate** (Linux-only; already advertised in the 2.6 new-features doc). | +| `mod_syslog` | loggers | Log to syslog as a provider. | 2017-02 | **Candidate** (already advertised in the 2.6 new-features doc). | +| `mod_allowhandlers` | aaa | Restrict which handlers may run in a context (`AllowHandlers`). | 2012-11 | **Candidate** — small, stable, self-contained. | +| `mod_policy` (`modules/test/`) | test | Enforce outgoing-request policies / cache-correctness (`Policy*` directives). | 2026-06 | **Hold** — lives under `modules/test/`; experimental. | +| `mod_noloris` (`modules/experimental/`) | experimental | Slowloris mitigation (`MaxClientConnections`, `TrustedProxy`, `ClientRecheckTime`). | 2018-08 | **Hold** — experimental tree; not maintained recently. | +| `mod_ssl_ct` + `ssl_ct_*` | ssl | Certificate Transparency (RFC 6962) — SCT handling (`CT*` directives). | 2024-04 | **Hold / do-not-backport** — rejects OpenSSL 3.x (must be `--disable`d on modern builds); largely superseded by CA-side CT. 
| +| `mod_serf` | proxy | Proxy backend built on the Apache Serf library (`SerfCluster`, `SerfPass`). | 2020-04 | **Hold** — niche; external libserf dependency. | +| `mod_firehose` (`modules/debugging/`) | debugging | Capture full connection/request I/O streams to fifos for debugging (`Firehose*`). | 2016-01 | **Optional** — debugging aid; stable but rarely needed. | +| `mod_lbmethod_rr` (`modules/proxy/examples/`) | proxy | Round-robin LB method **example**. | 2017-07 | **Do-not-backport** — sample code. | +| `dav/fs/quota.c` (`DAVquota`) + `dav/main/ms_wdv.c` (`DAVMSext`) | dav | WebDAV quota support and Microsoft WebDAV extensions / `DAVHonorMtimeHeader`. | 2026-02 / 2026-04 | **Candidate** — actively developed; adds DAV directives. | + +### 2B. New MPMs (trunk-only) + +| MPM | Status | Notes | +|-----|--------|-------| +| `mpm_motorz` (`server/mpm/motorz/`) | **Actively reworked** (2026-06) | Single-process async event MPM; recently given multi-poller scale-out (`PollersPerChild`) and async keep-alive / HTTP/2 hand-off. **Good** for backport. | +| `mpm_simple` (`server/mpm/simple/`) | Experimental | `SimpleProcCount`, `SimpleThreadCount`. **Do-not-backport** — long-dormant proof-of-concept. | + +### 2C. Core architectural changes (trunk-only, structural — NOT simple backports) + +These are deep refactors that change the engine. They are the reason trunk's MMN major number is +different and are generally **not cherry-pick candidates** — they would have to be ported as a +coordinated effort and would break module ABI. + +1. **Core / HTTP module split.** Large bodies of code were moved out of `modules/http/` into the + core server so the server can run "closer to working without the HTTP module" (commit + `3eeeb76fb4` and follow-ups). The default handler, default input/output filters, and all core + config directives now live in core. + - `ap_set_etag()` moved from `mod_http` to core → **new `server/util_etag.c`** (2.4.x still has + `modules/http/http_etag.c`). 
+2. **Generic HTTP vs HTTP/1.x filter split** (commit `4442201e61`): + - New metadata **bucket types `REQUEST`, `RESPONSE`, `HEADERS`** in the API → new + **`server/headers_bucket.c`**. + - `HTTP_IN` filter split into a generic-HTTP filter and an HTTP/1.x-specific `HTTP1_BODY_IN`. + - Chunked-input simulation removed from `mod_http2`. + - New `body_indeterminate` flag on `request_rec`; new helper methods for formatting HTTP/1.x + headers/chunks reusable by `mod_proxy`; new method for setting standard `Date`/`Server` + response headers. +3. **`ap_method_mask_t`** — method bitmasks widened to a dedicated type (was a fixed-width int), + touching `ap_method_list_t`, `AP_METHOD_BIT`, `request_rec.allowed`, `cmd_parms.limited`. **ABI + break** — cannot be back-ported without an MMN bump 2.4.x will not take. +4. **`mod_ssl.h` optional-function API change** — `ssl_var_lookup` now takes `const char *name` and + returns `const char *`, and requires a non-NULL pool. **ABI/source break for consumers.** +5. **New request_rec "binary notes"** (`AP_REQUEST_STRONG_ETAG`) — lets modules force a strong ETag + (needed for WebDAV RFC compliance); `ap_make_etag_ex()` / `ap_set_etag_fd()` added. + +### 2D. New directives in trunk (selected, grouped by subsystem) + +Full set: 72 directive names exist in trunk but not 2.4.x. The non-experimental, user-facing ones +most worth tracking for backport: + +**Core (`server/core.c`)** +- `AsyncFilter` — declare which filter types support asynchronous handling. +- `LogLevelOverride` — per-client-IP loglevel override. +- `HttpExpectStrict` — return 417 if client omits 100-Continue. +- `HttpContentLengthHeadZero` — HEAD `Content-Length` compatibility control. +- `DefaultStateDir` — common directory for persistent state (already in the 2.6 doc). 
+ +**Async proxy / websockets (`mod_proxy`, `mod_proxy_wstunnel`)** +- `ProxyAsyncDelay`, `ProxyAsyncIdleTimeout`, `ProxyWebsocketAsyncDelay`, `ProxyWebsocketIdleTimeout` + — asynchronous write-completion / Upgrade(d)-protocol handling under async MPMs. + +**mod_ssl** — `SSLPolicy` (apply a named bundle of SSL settings; `SSLPolicy*` family). + +**Other modules** +- `mod_mime`: `MimeOptions`. +- `mod_mime_magic`: `MimeMagicDecompression` (explicitly NOT RFC-compliant; off by default). +- `mod_autoindex`: `IndexForbiddenReturn404`. +- `mod_session_cookie`: `SessionCookieMaxAge`. +- `mod_dav_fs`: `DAVLockDBType`, `DAVHonorMtimeHeader`; `mod_dav` MS ext: `DAVMSext`, `DAVquota`. +- `mod_cache`: `Warning` handling. + +### 2E. Other trunk-only core/build features (already on the live 2.6 page) + +- `Listen options=...` per-listener socket options (incl. `multipathtcp`, PR 69292). +- **systemd socket activation** (build-time enable, run-time toggle via `mod_systemd`). +- **IPv6 zone/scope** support in `Listen`/`VirtualHost` (requires APR ≥ 1.7.0 — gated by trunk's + bundled APR). +- `mod_cgid`: `--enable-cgid-fdpassing` stderr handling parity with `mod_cgi`. +- `htpasswd`: SHA-256/SHA-512 `crypt()` hashes. +- New Python support scripts: `apxs-ng`, `dbmmanage-ng`, `log_server_status-ng`, `logresolve.py`, + `phf_abuse_log-ng.cgi`, `split-logfile-ng`. 
+ +--- + +## Part 3 — Back-port / cherry-pick recommendation summary + +**Tier 1 — good cherry-pick candidates (self-contained, new directives/modules only, low ABI risk):** +- `mod_log_json`, `mod_syslog`, `mod_journald` (loggers — additive) +- `mod_allowhandlers` (small, stable) +- `mod_crypto` (filter; build-gated on APR crypto) +- `mod_proxy_beacon` (actively developed; new directives only) +- Discrete core directives that don't depend on the engine refactor: `LogLevelOverride`, + `HttpExpectStrict`, `HttpContentLengthHeadZero`, `IndexForbiddenReturn404`, `SessionCookieMaxAge`, + `MimeOptions`, `MimeMagicDecompression`, `SSLPolicy`, DAV `DAVLockDBType`/`DAVHonorMtimeHeader`. + +**Tier 2 — feasible but bundled (need a small framework or careful dependency ordering):** +- `mod_autht_core` + `mod_autht_jwt` + `mod_auth_bearer` (the new "autht" provider category — port + as a set). +- Async proxy / websocket directives (`ProxyAsync*`, `ProxyWebsocket*`) — depend on async + write-completion plumbing; verify the underlying core support exists in 2.4.x first. +- `mod_dav` quota / MS extensions (`DAVquota`, `DAVMSext`). + +**Tier 3 — do NOT back-port (experimental, obsolete, ABI-breaking, or sample code):** +- The engine refactors in §2C (core/http split, generic-HTTP filter split, `ap_method_mask_t`, + bucket REQUEST/RESPONSE/HEADERS types, `ssl_var_lookup` signature change) — these are the *defining* + 2.6 ABI changes and intentionally cannot go to a stable line. +- Experimental MPMs `motorz`, `simple`. +- `mod_noloris`, `mod_policy` (experimental/test trees), `mod_ssl_ct` (OpenSSL-3-incompatible), + `mod_serf`, `mod_lbmethod_rr` (example).