We have upgraded IBM HTTP Server on i 7.2 & 7.3 from Apache 2.4.12 to Apache 2.4.20 to include the new enhancements and features of Apache 2.4. This is not a major version change for HTTP Server on i 7.2 & 7.3 so:

1) No configuration related changes that require user to modify existing httpd.conf after moving to Apache 2.4.20.

2) HTTP Server module APIs are updated in Apache 2.4.20 but that does not affect user plug-in modules (IBM and 3rd party) which means existing plug-in modules are not required to be recompiled when moving to Apache 2.4.20.

3) No updates to IBM i provided HTTP Server APIs

         Configuration APIs - QHTTPSVR/H (QZHBCONF)

         CGI APIs - QSYSINC/H (QZHBCGI)

Module Enhancements

Apache 2.4.20 has some updates and enhancements to existing Apache 2.4 modules. Below are some major enhancements in our HTTP server for IBM i 7.2 & 7.3.  

Core module

(1) Add expression support to ErrorDocument. 

(2) If explicitly configured, use the KeepAliveTimeout value of the virtual host which handled the latest request on the connection, or by default the one of the first virtual host bound to the same IP:port.

(3) Add CGIPassAuth directive to control whether HTTP authorization headers are passed to scripts as CGI variables.

(4) Avoid a possible truncation of the faulty header included in the HTML response when LimitRequestFieldSize is reached.

(5) Add QualifyRedirectURL directive to control whether the REDIRECT_URL environent variable is fully qualified.

(6) Add expression support to SetHandler.

mod_authz_host

Add a new "forward-dns" authorization type, not relying on reverse DNS lookups.

mod_cache

Accept HT (Horizontal Tab) when parsing cache related header fields as described in RFC7230.

mod_dir

Allow FallbackResource to work when a directory is requested and there is no autoindex nor DirectoryIndex.

mod_logio

Add LogIOTrackTTFB directive and %^FB logformat to log the time taken to start writing response headers.

mod_log_config

(1) Add "%{UNIT}T" format to output request duration in seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").

(2) Add GlobalLog directive  to allow a globally defined log to be inherited by virtual hosts that define a CustomLog.

mod_proxy

Don't put the worker in error state for 500 or 503 errors returned by the backend unless failonstatus is configured to.

mod_rewrite

(1) Improve relative substitutions in per-directory/htaccess context for directories found by mod_userdir and mod_alias. These no longer require RewriteBase to be specified.

(2) Allow cookies set by mod_rewrite to contain ':' by accepting ';' as an alternate separator.

(3) Add QSL|qslast flag to allow rewrites to files with literal question marks in their names.

mod_include

Add variable DOCUMENT_ARGS, with the arguments to the request for the SSI document. 

DOCUMENT_ARGS

This variable contains the query string of the active SSI document, or the empty string if a query string is not included. For subrequests invoked through the include SSI directive, QUERY_STRING will represent the query string of the subrequest and DOCUMENT_ARGS will represent the query string of the SSI document. 

mod_ibm_ssl (IBM i 7.3 and later)

Add SSLFallbackProtection directive to  enable/disable TLS_FALLBACK_SCSV as currently defined by RFC7507(https://tools.ietf.org/html/rfc7507).

ON (default)

TLS_FALLBACK_SCSV is permitted.

OFF

TLS_FALLBACK_SCSV is NOT permitted.

New modules 

No new modules are added to HTTP server for i.

Note: there is a new module mod_http2 which provides HTTP/2 (RFC 7540) support was added to the Apache HTTP Server since 2.4.16. This module is still experimental. Its behaviors, directives, and defaults are subject to more change from release to release relative to other standard modules. This module is not supported in HTTP server for i because it is experimental module. We will support it in future when it becomes a standard stable module.

PTF support for Apache 2.4.20

i 7.2: IBM HTTP Server for i Group SF99713 - level 18

i 7.3: IBM HTTP Server for i Group SF99722 - level 5  

References

http://httpd.apache.org/docs/2.4/new_features_2_4.html

http://httpd.apache.org/security/vulnerabilities_24.html

https://tools.ietf.org/html/rfc7507

https://tools.ietf.org/html/rfc7540