IBM Support

IBM HTTP Server for i upgrading to Apache 2.4.34 (IBM i 7.4 only)

News



Content


We have upgraded IBM HTTP Server on i 7.4 from Apache 2.4.20 to Apache 2.4.34 to include the new enhancements and features of Apache 2.4. This is not a major version change for HTTP Server on i 7.4, so:

1) No configuration-related changes require users to modify an existing httpd.conf after moving to Apache 2.4.34.

2) HTTP Server module APIs are updated in Apache 2.4.34, but this does not affect user plug-in modules (IBM and 3rd party), which means existing plug-in modules do not need to be recompiled when moving to Apache 2.4.34.

3) No updates to the HTTP Server APIs provided by IBM i:

    Configuration APIs - QHTTPSVR/H (QZHBCONF)

    CGI APIs - QSYSINC/H (QZHBCGI)

Module Enhancements

Apache 2.4.34 has some updates and enhancements to existing Apache 2.4 modules. Below are some major enhancements in our HTTP server for IBM i 7.4.  

Core module

  • (1) Add -DDUMP_INCLUDES configtest option to show the tree of Included configuration files.
  • (2) New CGIVar directive can configure REQUEST_URI to represent the current URI being processed instead of always the original request.
  • (3) Add %{REMOTE_PORT} to the expression parser.
  • (4) Evaluate nested If/ElseIf/Else configuration blocks.
  • (5) %{DOCUMENT_URI} used in nested SSI expressions should point to the URI originally requested by the user, not the nested document's URI. This restores the behavior of this variable to match the "legacy" SSI parser.
  • (6) Silently ignore a nonexistent file path when IncludeOptional is used.
  • (7) Preserve the original HTTP request method in the '%<m' LogFormat when a path-based ErrorDocument is used.
  • (8) Add <IfFile>, <IfDirective> and <IfSection> conditional section containers.  
     

mod_access_compat

Fail if a comment is found in an Allow or Deny directive.

mod_autoindex
Add IndexOptions UseOldDateFormat to allow the date format from Apache 2.2 in the Last Modified column.


mod_authz_host
Ignore comments after "Require host", logging a warning, or logging an error if the line is otherwise empty.


mod_env
When processing a 'SetEnv' directive, warn if the environment variable name includes a '='. It is likely a configuration error.

mod_filter
Fix AddOutputFilterByType with non-content-level filters.


mod_http2
Accurate reporting of h2 data input/output per request via mod_logio. Fixes an issue where output sizes were counted n times on reused connections.
See github issue: https://github.com/icing/mod_h2/issues/158
 

mod_proxy

  • (1) Allow the per-request environment variable "no-proxy" to be used as an alternative to ProxyPass /path !. This is primarily to set exceptions for ProxyPass specified in <Location> context. Use SetEnvIf, not SetEnv.
  • (2) loadfactor parameter can now be a decimal number (eg: 1.25).


mod_proxy_balancer
Add hot spare member type and corresponding flag (R). Hot spare members are used as drop-in replacements for unusable workers in the same load balancer set. This differs from hot standbys which are only used when all workers in a set are unusable.
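
The mod_proxy and mod_proxy_balancer items above, combined in one httpd.conf fragment. This is an added example, not configuration from IBM or the Apache project; the host names, the /app/ paths and the balancer name appcluster are constructed, and it assumes the proxy and balancer modules are already loaded.

```apache
# Constructed example: host names, paths and the balancer name are placeholders.
<Proxy "balancer://appcluster">
    # Decimal loadfactor: app1 is weighted 1.25 against app2's 1.
    BalancerMember "http://app1.example.internal:8080" loadfactor=1.25
    BalancerMember "http://app2.example.internal:8080" loadfactor=1

    # Hot spare (flag R): drop-in replacement as soon as one of the
    # members above becomes unusable.
    BalancerMember "http://spare.example.internal:8080" status=+R

    # Hot standby (flag H): used only when every worker in the set,
    # spares included, is unusable.
    BalancerMember "http://standby.example.internal:8080" status=+H
</Proxy>

<Location "/app/">
    ProxyPass "balancer://appcluster/app/"

    # Exception to the ProxyPass above: requests under /app/local/ are
    # handled by this server and never forwarded to the backends.
    # The variable must be set with SetEnvIf, not SetEnv.
    SetEnvIf Request_URI "^/app/local/" no-proxy
</Location>
```

Because the no-proxy exception decides which URLs stay on the front-end server, keep its pattern anchored (as with `^` here) so that it matches only the paths you intend to exclude.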


mod_proxy_http
Add new worker parameter 'responsefieldsize' to allow maximum HTTP response header size to be increased past 8192 bytes.


mod_proxy_wstunnel
Add "upgrade" parameter to allow upgrade to other protocols.


mod_remoteip
Add support for PROXY protocol (code donated by Cloudzilla). Add ability for PROXY protocol processing to be optional to donated code. See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
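
A sketch of enabling PROXY protocol processing on a dedicated listener, as an added example that is not configuration from IBM or the Apache project. The directive names are those of upstream Apache mod_remoteip, the addresses and port are constructed placeholders, and it assumes the IBM i port accepts the same directives and that mod_remoteip is loaded.

```apache
# Constructed example: 10.0.0.5 is this server's internal address,
# 10.0.0.20 a monitoring host that connects without a PROXY header.

# Dedicated listener that only the load balancer (and the monitoring
# host) should be able to reach. Restrict access at the network layer:
# the client address in the PROXY header is taken as the remote address,
# so any host that can connect here can state an arbitrary client IP.
Listen 10.0.0.5:8443

<VirtualHost 10.0.0.5:8443>
    # Every connection to this virtual host must start with a PROXY
    # header; connections without one are aborted.
    RemoteIPProxyProtocol On

    # Hosts allowed to connect without sending the header
    # (for example local checks and the monitoring host).
    RemoteIPProxyProtocolExceptions 127.0.0.1 10.0.0.20

    # %a logs the client address taken from the PROXY header, so access
    # logs and address-based access control see the original client.
    LogFormat "%a %l %u %t \"%r\" %>s %b" proxied
</VirtualHost>

# Listeners that clients reach directly stay without RemoteIPProxyProtocol,
# so their remote address is always the real TCP peer.
```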

mod_rewrite

  • (1)    Add 'BNP' (backreferences-no-plus) flag to RewriteRule to allow spaces in backreferences to be encoded as %20 instead of '+'.
  • (2)    Add the possibility to limit the escaping to specific characters in backreferences by listing them in the B flag.


mod_include
Add the <!--#comment ...> syntax in order to include comments in a SSI file. 

mod_ibm_ssl

(1)  Remove SSLv2 support.

(2)  Add TLSv1.3 support. 

(3)  TLSv1.3 supports ciphers:  TLS_AES_128_GCM_SHA256,  TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256.

(4)  TLSv1.3 and TLSv1.2 are enabled by default while SSLv3, TLSv1.0 and TLSv1.1 are disabled by default.

(5)  System TLS does not allow TLSv1.3 and SSLv3 to be enabled together.

(6)  SSLV3Timeout directive now defaults to 43200s (12 hours) to be consistent with the system TLS change.

(7)  SSLUpdate directive has been deprecated since it can only upgrade to TLSv1.0 and at this time no web browsers support RFC 2817.

(8)  0-RTT data for TLSv1.3 is not supported for security reasons (no forward secrecy and exposure to replay attacks).

New modules

Apache 2.4.34 includes some new modules with useful functions. Below is a basic introduction to the new modules supported in HTTP Server on IBM i 7.4. For more detailed information about these modules, refer to the IBM i 7.4 Knowledge Center and the Apache website.

mod_brotli
The module provides the BROTLI_COMPRESS output filter, which allows output from your server to be compressed using the brotli compression format before being sent to the client over the network. Brotli is an open source data compression library formally specified by an IETF draft. It can be used to compress HTTPS responses sent to a browser, in place of gzip or deflate. From the below article, it seems Brotli has some advantages over deflate. Add the directive below to your httpd.conf when you want to use this module:

LoadModule brotli_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

mod_proxy_hcheck
This module provides for dynamic health checking of balancer members (workers). This can be enabled on a worker-by-worker basis. The health check is done independently of the actual reverse proxy requests.
This module requires the service of mod_watchdog. See http://httpd.apache.org/docs/2.4/mod/mod_proxy_hcheck.html for examples.
 

PTF support for Apache 2.4.34

IBM i 7.4: IBM HTTP Server for i Group SF99662 - level 1  

References

http://httpd.apache.org/docs/2.4/new_features_2_4.html

http://httpd.apache.org/security/vulnerabilities_24.html

https://tools.ietf.org/html/rfc7507

https://tools.ietf.org/html/rfc7540


Document Information

Modified date:
22 July 2020

UID

ibm11170478