www/h2o: update to 2.2.4

Approved by: jrm (mentor) Sponsored by: https://iwantmyname.com/ Differential Revision: https://reviews.freebsd.org/D13077
svn path=/head/; revision=456453
2024-12-15 03:14:23 +00:00 · 2017-12-16 00:40:59 +00:00 · 2017-12-16 00:40:59 +00:00 · 22c7962619 · 2021-03-31 03:12:20 +00:00
commit 22c7962619
parent e83bce8141
7 changed files with 126 additions and 62 deletions
--- a/www/h2o/Makefile
+++ b/www/h2o/Makefile
@ -1,20 +1,21 @@
-# Created by: Dave Cottlehuber <dch@skunkwerks.at>
+# Created by: Dave Cottlehuber <dch@FreeBSD.org>
 # $FreeBSD$

 PORTNAME=	h2o
 DISTVERSIONPREFIX=	v
-DISTVERSION=	2.2.3
+DISTVERSION=	2.2.4
 CATEGORIES=	www

-MAINTAINER=	dch@skunkwerks.at
+MAINTAINER=	dch@FreeBSD.org
 COMMENT=	Optimized HTTP/2 server including support for TLS 1.3 and HTTP/1.x

-LICENSE=	MIT
+LICENSE=	MIT BSD2CLAUSE
+LICENSE_COMB=	multi

 BROKEN_armv6=		fails to compile: asm_arm.inc:139:36: '.syntax divided' arm assembly not supported
 BROKEN_armv7=		fails to compile: asm_arm.inc:139:36: '.syntax divided' arm assembly not supported

-USES=		cmake:noninja compiler:c11 cpe perl5 shebangfix ssl
+USES=		cmake:noninja compiler:c11 cpe perl5 shebangfix ssl pkgconfig
 CPE_VENDOR=	h2o_project
 USE_GITHUB=	yes
 USE_PERL5=	run
@ -23,7 +24,7 @@ SHEBANG_FILES=	share/h2o/start_server

 PORTDOCS=	README.md

-SUB_FILES=	${PORTNAME}
+SUB_FILES=	${PORTNAME} ${PORTNAME}.conf.sample
 SUB_LIST+=	H2O_USER=${H2O_USER} \
 		H2O_GROUP=${H2O_GROUP} \
 		H2O_LOGDIR=${H2O_LOGDIR}
@ -55,15 +56,17 @@ MRUBY_VARS=		RUBY_NO_RUN_DEPENDS=yes
 post-patch:
 	@${REINPLACE_CMD} -e 's|exec perl|exec ${LOCALBASE}/bin/perl|' \
 		${WRKSRC}/share/h2o/annotate-backtrace-symbols \
+		${WRKSRC}/share/h2o/fastcgi-cgi \
 		${WRKSRC}/share/h2o/fetch-ocsp-response \
 		${WRKSRC}/share/h2o/kill-on-close \
+		${WRKSRC}/share/h2o/setuidgid \
 		${WRKSRC}/share/h2o/start_server

 post-install:
 	${MKDIR} ${STAGEDIR}${ETCDIR} \
 		${STAGEDIR}${H2O_LOGDIR}
 	${INSTALL_DATA} \
-		${FILESDIR}/${PORTNAME}.conf.sample \
+		${WRKDIR}/${PORTNAME}.conf.sample \
 		${STAGEDIR}${ETCDIR}/${PORTNAME}.conf.sample

 post-install-DOCS-on:
--- a/www/h2o/distinfo
+++ b/www/h2o/distinfo
@ -1,3 +1,3 @@
-TIMESTAMP = 1508527966
-SHA256 (h2o-h2o-v2.2.3_GH0.tar.gz) = d40401ca714d00ca5204e8d22148dbaa9cae3407e3b4b6b62bd208543901ea51
-SIZE (h2o-h2o-v2.2.3_GH0.tar.gz) = 16207150
+TIMESTAMP = 1513347798
+SHA256 (h2o-h2o-v2.2.4_GH0.tar.gz) = ebacf3b15f40958c950e18e79ad5a647f61e989c6dbfdeea858ce943ef5e3cd8
+SIZE (h2o-h2o-v2.2.4_GH0.tar.gz) = 16212596
--- a/www/h2o/files/h2o.conf.sample
+++ b/www/h2o/files/h2o.conf.sample
@ -1,32 +0,0 @@
-# vi: ft=yaml
-# see https://h2o.examp1e.net/ for detailed documentation
-# see h2o --help for command-line options and settings
-user: www
-pid-file: /var/run/h2o.pid
-access-log: /var/log/h2o/h2o-access.log
-error-log: /var/log/h2o/h2o-error.log
-listen: 80
-listen:
-    port: 443
-    ssl:
-        minimum-version: TLSv1.2
-        # generate your own certificates
-        certificate-file: /usr/local/etc/h2o/server.crt
-        key-file: /usr/local/etc/h2o/server.key
-# enable Apache-style directory listings
-# file.dirlisting: on
-# per-host configuration
-hosts:
-    my.example.org:
-        paths:
-            "/":
-                file.dir: "/usr/local/www/data/my.example.org"
-    pkg.example.org:
-        # virtual directory layout
-        paths:
-            "/poudriere":
-                file.dir: "/usr/local/poudriere/data/logs/bulk"
-            "/FreeBSD:10:amd64":
-                file.dir: "/usr/local/poudriere/data/packages/10_2_amd64-default/"
-            "/FreeBSD:11:amd64":
-                file.dir: "/usr/local/poudriere/data/packages/current_amd64-default/"
--- a/www/h2o/files/h2o.conf.sample.in
+++ b/www/h2o/files/h2o.conf.sample.in
@ -0,0 +1,104 @@
+# this sample config gives you a feel for how h2o can be used
+# and a high-security configuration for TLS and HTTP headers
+# see https://h2o.examp1e.net/ for detailed documentation
+# and h2o --help for command-line options and settings
+user: www
+pid-file: /var/run/h2o.pid
+# log normal access to file
+access-log: /var/log/h2o/access.log
+# send errors to syslog
+error-log:  "| logger -i -p daemon.err -t h2o"
+
+# as of 2017-12-01 the following TLS config and headers, with
+# DNS CAA records and custom diffie-hellmann parameters via
+# `openssl dhparam -out %%PREFIX%%/etc/ssl/dhparam.pem 4096`
+# will get you:
+
+# A+ on https://www.ssllabs.com/ssltest/
+listen: 80
+listen:
+  port: 443
+  ssl:
+    # using at least TLS1.2 restricts many older devices
+    minimum-version: TLSv1.1
+    dh-file: %%PREFIX%%/etc/ssl/dhparam.pem
+    # generate your own certificates with security/acme-client
+    certificate-file: %%PREFIX%%/etc/ssl/acme/example.org/fullchain.pem
+    key-file: %%PREFIX%%/etc/ssl/acme/private/example.org/privkey.pem
+    cipher-preference: server
+    cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+# A+ on https://securityheaders.io/
+header.add: "x-frame-options: deny"
+header.add: "X-XSS-Protection: 1; mode=block"
+header.add: "X-Content-Type-Options: nosniff"
+header.add: "X-UA-Compatible: IE=Edge"
+header.add: "Referrer-Policy: strict-origin"
+header.add: "Cache-Control: no-transform"
+header.add: "Content-Security-Policy: default-src https:"
+# 6 months HSTS pinning
+header.add: "Strict-Transport-Security: max-age=16000000"
+
+# no patience for slow users
+http1-request-timeout: 10
+http2-idle-timeout: 10
+# limit POST bodies
+limit-request-body: 10485760 # 10MiB
+max-connections: 1024
+
+file.mime.addtypes:
+  image/svg+xml: .svg
+  text/plain: .log
+  text/css: .css
+  application/atom+xml: .xml
+  application/zip: .zip
+  application/json: .json
+  "text/html; charset=utf-8": .html
+
+# per-host configurations
+hosts:
+  # a basic fileserver
+  www.example.org:
+    # enable Apache-style directory listings
+    file.dirlisting: on
+    file.send-gzip: on
+    paths:
+      "/":
+        file.dir: "/var/www/www.example.org"
+      # a simple permanent URL redirect
+      "/blog":
+        redirect:
+          status: 301
+          url: https://blog.example.org/
+      # a password-restricted url
+      "/server-status":
+        mruby.handler: |
+          require "htpasswd.rb"
+          Htpasswd.new("%%ETCDIR%%/private/htpasswd", "example.org")
+        status: ON
+      # redireect Lets Encrypt ACME protocol to a specific challenge directory
+      "/.well-known/acme-challenge":
+        file.dir: "/var/www/acme"
+  # virtual directory layout to support serving FreeBSD packages built by poudriere
+  pkg.example.org:
+    paths:
+      "/poudriere":
+        file.dir: "%%PREFIX%%/poudriere/data/logs/bulk"
+      "/FreeBSD:10:amd64":
+        file.dir: "%%PREFIX%%/poudriere/data/packages/10_amd64-default/"
+      "/FreeBSD:11:amd64":
+        file.dir: "%%PREFIX%%/poudriere/data/packages/11_amd64-default/"
+  # a simple ruby-powered embedded JSON API
+  api.example.net:
+    paths:
+      "/ok.json":
+        mruby.handler: |
+          Proc.new do |env|
+            [200, {'content-type' => 'application/json'}, ['{"status":"ok"}']]
+          end
+  # a websockets-aware reverse proxy
+  ws.example.net:
+    paths:
+      "/":
+        proxy.websocket: ON
+        proxy.reverse.url: "http://localhost:1080/"
--- a/www/h2o/files/patch-CMakeLists.txt
+++ b/www/h2o/files/patch-CMakeLists.txt
@ -1,12 +0,0 @@
--- CMakeLists.txt.orig	2017-01-17 23:43:27 UTC
-+++ CMakeLists.txt
-@@ -462,7 +462,8 @@ INSTALL(TARGETS h2o
-     LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
- 
- IF (NOT WITHOUT_LIBS)
-    INSTALL(DIRECTORY include/ DESTINATION ${CMAKE_INSTALL_INCLUDEDIR} FILES_MATCHING PATTERN "*.h")
-+    INSTALL(DIRECTORY include/ DESTINATION ${CMAKE_INSTALL_INCLUDEDIR} FILES_MATCHING PATTERN "*.h"
-+        EXCLUDE PATTERN "h2o" EXCLUDE PATTERN "h2o/socket")
-     IF (LIBUV_FOUND)
-         INSTALL(FILES "${CMAKE_BINARY_DIR}/libh2o.pc" DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
-     ENDIF ()
--- a/www/h2o/pkg-descr
+++ b/www/h2o/pkg-descr
@ -1,16 +1,16 @@
 H2O is a very fast HTTP server written in C. It can also be used as a library.
+
 It supports:

 - HTTP/1.0, HTTP/1.1
- [HTTP/2](http://http2.github.io/)
- draft 16 (and draft 14 to support older clients)
+- HTTP/2
 - persistent connections
 - chunked encoding
 - negotiation methods: NPN, ALPN, Upgrade, direct
 - dependency and weight-based prioritization
 - server push
 - TLS up to 1.3
- uses [OpenSSL](https://www.openssl.org/)
+- support OpenSSL and LibreSSL
 - forward secrecy
 - AEAD ciphers
 - OCSP stapling (automatically enabled)
@ -18,6 +18,7 @@ It supports:
 - conditional GET using last-modified / etag
 - mime-type configuration
 - reverse proxy
- persistent upstream connection
+- websocket support
+- embedded mruby interpreter for high speed custom functions

 WWW: https://github.com/h2o/h2o
--- a/www/h2o/pkg-plist
+++ b/www/h2o/pkg-plist
@ -1,8 +1,8 @@
 bin/h2o
-share/h2o/annotate-backtrace-symbols
-share/h2o/fetch-ocsp-response
-share/h2o/kill-on-close
-share/h2o/start_server
+%%DATADIR%%/annotate-backtrace-symbols
+%%DATADIR%%/fetch-ocsp-response
+%%DATADIR%%/kill-on-close
+%%DATADIR%%/start_server
 %%DATADIR%%/ca-bundle.crt
 %%DATADIR%%/fastcgi-cgi
 %%DATADIR%%/setuidgid