Date: Sat, 16 Dec 2017 00:40:59 +0000 (UTC) From: Dave Cottlehuber <dch@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r456453 - in head/www/h2o: . files Message-ID: <201712160040.vBG0exY8078325@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dch Date: Sat Dec 16 00:40:59 2017 New Revision: 456453 URL: https://svnweb.freebsd.org/changeset/ports/456453 Log: www/h2o: update to 2.2.4 Approved by: jrm (mentor) Sponsored by: https://iwantmyname.com/ Differential Revision: https://reviews.freebsd.org/D13077 Added: head/www/h2o/files/h2o.conf.sample.in (contents, props changed) Deleted: head/www/h2o/files/h2o.conf.sample head/www/h2o/files/patch-CMakeLists.txt Modified: head/www/h2o/Makefile head/www/h2o/distinfo head/www/h2o/pkg-descr head/www/h2o/pkg-plist Modified: head/www/h2o/Makefile ============================================================================== --- head/www/h2o/Makefile Fri Dec 15 23:54:09 2017 (r456452) +++ head/www/h2o/Makefile Sat Dec 16 00:40:59 2017 (r456453) @@ -1,20 +1,21 @@ -# Created by: Dave Cottlehuber <dch@skunkwerks.at> +# Created by: Dave Cottlehuber <dch@FreeBSD.org> # $FreeBSD$ PORTNAME= h2o DISTVERSIONPREFIX= v -DISTVERSION= 2.2.3 +DISTVERSION= 2.2.4 CATEGORIES= www -MAINTAINER= dch@skunkwerks.at +MAINTAINER= dch@FreeBSD.org COMMENT= Optimized HTTP/2 server including support for TLS 1.3 and HTTP/1.x -LICENSE= MIT +LICENSE= MIT BSD2CLAUSE +LICENSE_COMB= multi BROKEN_armv6= fails to compile: asm_arm.inc:139:36: '.syntax divided' arm assembly not supported BROKEN_armv7= fails to compile: asm_arm.inc:139:36: '.syntax divided' arm assembly not supported -USES= cmake:noninja compiler:c11 cpe perl5 shebangfix ssl +USES= cmake:noninja compiler:c11 cpe perl5 shebangfix ssl pkgconfig CPE_VENDOR= h2o_project USE_GITHUB= yes USE_PERL5= run @@ -23,7 +24,7 @@ SHEBANG_FILES= share/h2o/start_server PORTDOCS= README.md -SUB_FILES= ${PORTNAME} +SUB_FILES= ${PORTNAME} ${PORTNAME}.conf.sample SUB_LIST+= H2O_USER=${H2O_USER} \ H2O_GROUP=${H2O_GROUP} \ H2O_LOGDIR=${H2O_LOGDIR} @@ -55,15 +56,17 @@ MRUBY_VARS= RUBY_NO_RUN_DEPENDS=yes post-patch: @${REINPLACE_CMD} -e 's|exec perl|exec ${LOCALBASE}/bin/perl|' \ ${WRKSRC}/share/h2o/annotate-backtrace-symbols \ + ${WRKSRC}/share/h2o/fastcgi-cgi \ ${WRKSRC}/share/h2o/fetch-ocsp-response \ ${WRKSRC}/share/h2o/kill-on-close \ + ${WRKSRC}/share/h2o/setuidgid \ ${WRKSRC}/share/h2o/start_server post-install: ${MKDIR} ${STAGEDIR}${ETCDIR} \ ${STAGEDIR}${H2O_LOGDIR} ${INSTALL_DATA} \ - ${FILESDIR}/${PORTNAME}.conf.sample \ + ${WRKDIR}/${PORTNAME}.conf.sample \ ${STAGEDIR}${ETCDIR}/${PORTNAME}.conf.sample post-install-DOCS-on: Modified: head/www/h2o/distinfo ============================================================================== --- head/www/h2o/distinfo Fri Dec 15 23:54:09 2017 (r456452) +++ head/www/h2o/distinfo Sat Dec 16 00:40:59 2017 (r456453) @@ -1,3 +1,3 @@ -TIMESTAMP = 1508527966 -SHA256 (h2o-h2o-v2.2.3_GH0.tar.gz) = d40401ca714d00ca5204e8d22148dbaa9cae3407e3b4b6b62bd208543901ea51 -SIZE (h2o-h2o-v2.2.3_GH0.tar.gz) = 16207150 +TIMESTAMP = 1513347798 +SHA256 (h2o-h2o-v2.2.4_GH0.tar.gz) = ebacf3b15f40958c950e18e79ad5a647f61e989c6dbfdeea858ce943ef5e3cd8 +SIZE (h2o-h2o-v2.2.4_GH0.tar.gz) = 16212596 Added: head/www/h2o/files/h2o.conf.sample.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/h2o/files/h2o.conf.sample.in Sat Dec 16 00:40:59 2017 (r456453) @@ -0,0 +1,104 @@ +# this sample config gives you a feel for how h2o can be used +# and a high-security configuration for TLS and HTTP headers +# see https://h2o.examp1e.net/ for detailed documentation +# and h2o --help for command-line options and settings +user: www +pid-file: /var/run/h2o.pid +# log normal access to file +access-log: /var/log/h2o/access.log +# send errors to syslog +error-log: "| logger -i -p daemon.err -t h2o" + +# as of 2017-12-01 the following TLS config and headers, with +# DNS CAA records and custom diffie-hellmann parameters via +# `openssl dhparam -out %%PREFIX%%/etc/ssl/dhparam.pem 4096` +# will get you: + +# A+ on https://www.ssllabs.com/ssltest/ +listen: 80 +listen: + port: 443 + ssl: + # using at least TLS1.2 restricts many older devices + minimum-version: TLSv1.1 + dh-file: %%PREFIX%%/etc/ssl/dhparam.pem + # generate your own certificates with security/acme-client + certificate-file: %%PREFIX%%/etc/ssl/acme/example.org/fullchain.pem + key-file: %%PREFIX%%/etc/ssl/acme/private/example.org/privkey.pem + cipher-preference: server + cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + +# A+ on https://securityheaders.io/ +header.add: "x-frame-options: deny" +header.add: "X-XSS-Protection: 1; mode=block" +header.add: "X-Content-Type-Options: nosniff" +header.add: "X-UA-Compatible: IE=Edge" +header.add: "Referrer-Policy: strict-origin" +header.add: "Cache-Control: no-transform" +header.add: "Content-Security-Policy: default-src https:" +# 6 months HSTS pinning +header.add: "Strict-Transport-Security: max-age=16000000" + +# no patience for slow users +http1-request-timeout: 10 +http2-idle-timeout: 10 +# limit POST bodies +limit-request-body: 10485760 # 10MiB +max-connections: 1024 + +file.mime.addtypes: + image/svg+xml: .svg + text/plain: .log + text/css: .css + application/atom+xml: .xml + application/zip: .zip + application/json: .json + "text/html; charset=utf-8": .html + +# per-host configurations +hosts: + # a basic fileserver + www.example.org: + # enable Apache-style directory listings + file.dirlisting: on + file.send-gzip: on + paths: + "/": + file.dir: "/var/www/www.example.org" + # a simple permanent URL redirect + "/blog": + redirect: + status: 301 + url: https://blog.example.org/ + # a password-restricted url + "/server-status": + mruby.handler: | + require "htpasswd.rb" + Htpasswd.new("%%ETCDIR%%/private/htpasswd", "example.org") + status: ON + # redireect Lets Encrypt ACME protocol to a specific challenge directory + "/.well-known/acme-challenge": + file.dir: "/var/www/acme" + # virtual directory layout to support serving FreeBSD packages built by poudriere + pkg.example.org: + paths: + "/poudriere": + file.dir: "%%PREFIX%%/poudriere/data/logs/bulk" + "/FreeBSD:10:amd64": + file.dir: "%%PREFIX%%/poudriere/data/packages/10_amd64-default/" + "/FreeBSD:11:amd64": + file.dir: "%%PREFIX%%/poudriere/data/packages/11_amd64-default/" + # a simple ruby-powered embedded JSON API + api.example.net: + paths: + "/ok.json": + mruby.handler: | + Proc.new do |env| + [200, {'content-type' => 'application/json'}, ['{"status":"ok"}']] + end + # a websockets-aware reverse proxy + ws.example.net: + paths: + "/": + proxy.websocket: ON + proxy.reverse.url: "http://localhost:1080/" Modified: head/www/h2o/pkg-descr ============================================================================== --- head/www/h2o/pkg-descr Fri Dec 15 23:54:09 2017 (r456452) +++ head/www/h2o/pkg-descr Sat Dec 16 00:40:59 2017 (r456453) @@ -1,16 +1,16 @@ H2O is a very fast HTTP server written in C. It can also be used as a library. + It supports: - HTTP/1.0, HTTP/1.1 -- [HTTP/2](http://http2.github.io/) -- draft 16 (and draft 14 to support older clients) +- HTTP/2 - persistent connections - chunked encoding - negotiation methods: NPN, ALPN, Upgrade, direct - dependency and weight-based prioritization - server push - TLS up to 1.3 -- uses [OpenSSL](https://www.openssl.org/) +- support OpenSSL and LibreSSL - forward secrecy - AEAD ciphers - OCSP stapling (automatically enabled) @@ -18,6 +18,7 @@ It supports: - conditional GET using last-modified / etag - mime-type configuration - reverse proxy -- persistent upstream connection +- websocket support +- embedded mruby interpreter for high speed custom functions WWW: https://github.com/h2o/h2o Modified: head/www/h2o/pkg-plist ============================================================================== --- head/www/h2o/pkg-plist Fri Dec 15 23:54:09 2017 (r456452) +++ head/www/h2o/pkg-plist Sat Dec 16 00:40:59 2017 (r456453) @@ -1,8 +1,8 @@ bin/h2o -share/h2o/annotate-backtrace-symbols -share/h2o/fetch-ocsp-response -share/h2o/kill-on-close -share/h2o/start_server +%%DATADIR%%/annotate-backtrace-symbols +%%DATADIR%%/fetch-ocsp-response +%%DATADIR%%/kill-on-close +%%DATADIR%%/start_server %%DATADIR%%/ca-bundle.crt %%DATADIR%%/fastcgi-cgi %%DATADIR%%/setuidgid
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201712160040.vBG0exY8078325>