From owner-svn-ports-all@freebsd.org Sat Dec 16 00:41:01 2017 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 49596E912A1; Sat, 16 Dec 2017 00:41:01 +0000 (UTC) (envelope-from dch@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 09EA66D471; Sat, 16 Dec 2017 00:41:00 +0000 (UTC) (envelope-from dch@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vBG0f0e3078334; Sat, 16 Dec 2017 00:41:00 GMT (envelope-from dch@FreeBSD.org) Received: (from dch@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vBG0exY8078325; Sat, 16 Dec 2017 00:40:59 GMT (envelope-from dch@FreeBSD.org) Message-Id: <201712160040.vBG0exY8078325@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dch set sender to dch@FreeBSD.org using -f 
From: Dave Cottlehuber Date: Sat, 16 Dec 2017 00:40:59 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r456453 - in head/www/h2o: . files X-SVN-Group: ports-head X-SVN-Commit-Author: dch X-SVN-Commit-Paths: in head/www/h2o: . files X-SVN-Commit-Revision: 456453 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Dec 2017 00:41:01 -0000 Author: dch Date: Sat Dec 16 00:40:59 2017 New Revision: 456453 URL: https://svnweb.freebsd.org/changeset/ports/456453 Log: www/h2o: update to 2.2.4 Approved by: jrm (mentor) Sponsored by: https://iwantmyname.com/ Differential Revision: https://reviews.freebsd.org/D13077 Added: head/www/h2o/files/h2o.conf.sample.in (contents, props changed) Deleted: head/www/h2o/files/h2o.conf.sample head/www/h2o/files/patch-CMakeLists.txt Modified: head/www/h2o/Makefile head/www/h2o/distinfo head/www/h2o/pkg-descr head/www/h2o/pkg-plist Modified: head/www/h2o/Makefile ============================================================================== --- head/www/h2o/Makefile Fri Dec 15 23:54:09 2017 (r456452) +++ head/www/h2o/Makefile Sat Dec 16 00:40:59 2017 (r456453) 
@@ -1,20 +1,21 @@ -# Created by: Dave Cottlehuber +# Created by: Dave Cottlehuber # $FreeBSD$ PORTNAME= h2o DISTVERSIONPREFIX= v -DISTVERSION= 2.2.3 +DISTVERSION= 2.2.4 CATEGORIES= www -MAINTAINER= dch@skunkwerks.at +MAINTAINER= dch@FreeBSD.org COMMENT= Optimized HTTP/2 server including support for TLS 1.3 and HTTP/1.x -LICENSE= MIT +LICENSE= MIT BSD2CLAUSE +LICENSE_COMB= multi BROKEN_armv6= fails to compile: asm_arm.inc:139:36: '.syntax divided' arm assembly not supported BROKEN_armv7= fails to compile: asm_arm.inc:139:36: '.syntax divided' arm assembly not supported -USES= cmake:noninja compiler:c11 cpe perl5 shebangfix ssl +USES= cmake:noninja compiler:c11 cpe perl5 shebangfix ssl pkgconfig CPE_VENDOR= h2o_project USE_GITHUB= yes USE_PERL5= run @@ -23,7 +24,7 @@ SHEBANG_FILES= share/h2o/start_server PORTDOCS= README.md -SUB_FILES= ${PORTNAME} +SUB_FILES= ${PORTNAME} ${PORTNAME}.conf.sample SUB_LIST+= H2O_USER=${H2O_USER} \ H2O_GROUP=${H2O_GROUP} \ H2O_LOGDIR=${H2O_LOGDIR} @@ -55,15 +56,17 @@ MRUBY_VARS= RUBY_NO_RUN_DEPENDS=yes post-patch: @${REINPLACE_CMD} -e 's|exec perl|exec ${LOCALBASE}/bin/perl|' \ ${WRKSRC}/share/h2o/annotate-backtrace-symbols \ + ${WRKSRC}/share/h2o/fastcgi-cgi \ ${WRKSRC}/share/h2o/fetch-ocsp-response \ ${WRKSRC}/share/h2o/kill-on-close \ + ${WRKSRC}/share/h2o/setuidgid \ ${WRKSRC}/share/h2o/start_server post-install: ${MKDIR} ${STAGEDIR}${ETCDIR} \ ${STAGEDIR}${H2O_LOGDIR} ${INSTALL_DATA} \ - ${FILESDIR}/${PORTNAME}.conf.sample \ + ${WRKDIR}/${PORTNAME}.conf.sample \ ${STAGEDIR}${ETCDIR}/${PORTNAME}.conf.sample post-install-DOCS-on: Modified: head/www/h2o/distinfo ============================================================================== --- head/www/h2o/distinfo Fri Dec 15 23:54:09 2017 (r456452) +++ head/www/h2o/distinfo Sat Dec 16 00:40:59 2017 (r456453) 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1508527966 -SHA256 (h2o-h2o-v2.2.3_GH0.tar.gz) = d40401ca714d00ca5204e8d22148dbaa9cae3407e3b4b6b62bd208543901ea51 -SIZE (h2o-h2o-v2.2.3_GH0.tar.gz) = 16207150 +TIMESTAMP = 1513347798 +SHA256 (h2o-h2o-v2.2.4_GH0.tar.gz) = ebacf3b15f40958c950e18e79ad5a647f61e989c6dbfdeea858ce943ef5e3cd8 +SIZE (h2o-h2o-v2.2.4_GH0.tar.gz) = 16212596 Added: head/www/h2o/files/h2o.conf.sample.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/h2o/files/h2o.conf.sample.in Sat Dec 16 00:40:59 2017 (r456453) 
@@ -0,0 +1,104 @@ +# this sample config gives you a feel for how h2o can be used +# and a high-security configuration for TLS and HTTP headers +# see https://h2o.examp1e.net/ for detailed documentation +# and h2o --help for command-line options and settings +user: www +pid-file: /var/run/h2o.pid +# log normal access to file +access-log: /var/log/h2o/access.log +# send errors to syslog +error-log: "| logger -i -p daemon.err -t h2o" + +# as of 2017-12-01 the following TLS config and headers, with +# DNS CAA records and custom diffie-hellmann parameters via +# `openssl dhparam -out %%PREFIX%%/etc/ssl/dhparam.pem 4096` +# will get you: + +# A+ on https://www.ssllabs.com/ssltest/ +listen: 80 +listen: + port: 443 + ssl: + # using at least TLS1.2 restricts many older devices + minimum-version: TLSv1.1 + dh-file: %%PREFIX%%/etc/ssl/dhparam.pem + # generate your own certificates with security/acme-client + certificate-file: %%PREFIX%%/etc/ssl/acme/example.org/fullchain.pem + key-file: %%PREFIX%%/etc/ssl/acme/private/example.org/privkey.pem + cipher-preference: server + cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + +# A+ on https://securityheaders.io/ +header.add: "x-frame-options: deny" +header.add: "X-XSS-Protection: 1; mode=block" +header.add: "X-Content-Type-Options: nosniff" +header.add: "X-UA-Compatible: IE=Edge" +header.add: 
"Referrer-Policy: strict-origin" +header.add: "Cache-Control: no-transform" +header.add: "Content-Security-Policy: default-src https:" +# 6 months HSTS pinning +header.add: "Strict-Transport-Security: max-age=16000000" + +# no patience for slow users +http1-request-timeout: 10 +http2-idle-timeout: 10 +# limit POST bodies +limit-request-body: 10485760 # 10MiB +max-connections: 1024 + +file.mime.addtypes: + image/svg+xml: .svg + text/plain: .log + text/css: .css + application/atom+xml: .xml + application/zip: .zip + application/json: .json + "text/html; charset=utf-8": .html + +# per-host configurations +hosts: + # a basic fileserver + www.example.org: + # enable Apache-style directory listings + file.dirlisting: on + file.send-gzip: on + paths: + "/": + file.dir: "/var/www/www.example.org" + # a simple permanent URL redirect + "/blog": + redirect: + status: 301 + url: https://blog.example.org/ + # a password-restricted url + "/server-status": + mruby.handler: | + require "htpasswd.rb" + Htpasswd.new("%%ETCDIR%%/private/htpasswd", "example.org") + status: ON + # redireect Lets Encrypt ACME protocol to a specific challenge directory + "/.well-known/acme-challenge": + file.dir: "/var/www/acme" + # virtual directory layout to support serving FreeBSD packages built by poudriere + pkg.example.org: + paths: + "/poudriere": + file.dir: "%%PREFIX%%/poudriere/data/logs/bulk" + "/FreeBSD:10:amd64": + file.dir: "%%PREFIX%%/poudriere/data/packages/10_amd64-default/" + "/FreeBSD:11:amd64": + file.dir: "%%PREFIX%%/poudriere/data/packages/11_amd64-default/" + # a simple ruby-powered embedded JSON API + api.example.net: + paths: + "/ok.json": + mruby.handler: | + Proc.new do |env| + [200, {'content-type' => 'application/json'}, ['{"status":"ok"}']] + end + # a websockets-aware reverse proxy + ws.example.net: + paths: + "/": + proxy.websocket: ON + proxy.reverse.url: "http://localhost:1080/" Modified: head/www/h2o/pkg-descr 
============================================================================== --- head/www/h2o/pkg-descr Fri Dec 15 23:54:09 2017 (r456452) +++ head/www/h2o/pkg-descr Sat Dec 16 00:40:59 2017 (r456453) @@ -1,16 +1,16 @@ H2O is a very fast HTTP server written in C. It can also be used as a library. + It supports: - HTTP/1.0, HTTP/1.1 -- [HTTP/2](http://http2.github.io/) -- draft 16 (and draft 14 to support older clients) +- HTTP/2 - persistent connections - chunked encoding - negotiation methods: NPN, ALPN, Upgrade, direct - dependency and weight-based prioritization - server push - TLS up to 1.3 -- uses [OpenSSL](https://www.openssl.org/) +- support OpenSSL and LibreSSL - forward secrecy - AEAD ciphers - OCSP stapling (automatically enabled) @@ -18,6 +18,7 @@ It supports: - conditional GET using last-modified / etag - mime-type configuration - reverse proxy -- persistent upstream connection +- websocket support +- embedded mruby interpreter for high speed custom functions WWW: https://github.com/h2o/h2o Modified: head/www/h2o/pkg-plist ============================================================================== --- head/www/h2o/pkg-plist Fri Dec 15 23:54:09 2017 (r456452) +++ head/www/h2o/pkg-plist Sat Dec 16 00:40:59 2017 (r456453) @@ -1,8 +1,8 @@ bin/h2o -share/h2o/annotate-backtrace-symbols -share/h2o/fetch-ocsp-response -share/h2o/kill-on-close -share/h2o/start_server +%%DATADIR%%/annotate-backtrace-symbols +%%DATADIR%%/fetch-ocsp-response +%%DATADIR%%/kill-on-close +%%DATADIR%%/start_server %%DATADIR%%/ca-bundle.crt %%DATADIR%%/fastcgi-cgi %%DATADIR%%/setuidgid
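Review bot: the first Makefile hunk changes LICENSE from `MIT` to `MIT BSD2CLAUSE` with `LICENSE_COMB= multi`, but the commit log only says "update to 2.2.4"; please name which bundled component carries the BSD-2-Clause license (and add the matching LICENSE_FILE entries if they exist) so the license change can be audited later. The same hunk silently changes MAINTAINER and adds `pkgconfig` to USES, and the log header lists `files/patch-CMakeLists.txt` as deleted without saying why it is no longer needed; a line each in the log would cover all three. The `-# Created by:` / `+# Created by:` pair appears to differ only in whitespace and is diff churn worth dropping.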
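Review bot: in the post-patch hunk of the Makefile, `share/h2o/start_server` is both listed in SHEBANG_FILES (context of the preceding hunk) and rewritten by the `exec perl` REINPLACE_CMD; if shebangfix already handles its interpreter line the REINPLACE entry is redundant, and if the script re-execs itself via `exec perl` a short comment saying so would spare the next reader the question. Adding `fastcgi-cgi` and `setuidgid` to that substitution list matches the `%%DATADIR%%` entries already present in pkg-plist, and the post-install switch from `${FILESDIR}` to `${WRKDIR}` for the conf sample is consistent with the new SUB_FILES entry.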
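Review bot: in the h2o.conf.sample.in hunk the TLS floor and cipher list do not live up to the "high-security configuration" promised in the header comments: `minimum-version: TLSv1.1` sits directly under a comment that talks about requiring TLS 1.2, and `cipher-suite` still admits the 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and the static-RSA suites (`AES128-GCM-SHA256` through `AES256-SHA`), which give up the forward secrecy pkg-descr advertises. Suggest `minimum-version: TLSv1.2` and trimming the list to the ECDHE/DHE AEAD and SHA-2 suites, with a comment naming the clients that drops. Two further points in the same hunk: `listen: 80` has no redirect to the TLS listener, so the htpasswd-protected `/server-status` path on www.example.org is reachable over cleartext HTTP with the credentials sent in the clear; a separate `www.example.org:80` host entry whose only handler is a `redirect:` to the https URL would close that. The `header.add` block is global, so `Content-Security-Policy: default-src https:` and `x-frame-options: deny` are also attached to responses from the api.example.net and ws.example.net proxy paths, which may break the applications behind them; moving them under the fileserver host, or noting the trade-off, is worth a line. `file.dirlisting: on` exposes directory listings of the whole document root and deserves an "off unless you need it" comment. Finally, the HSTS comment says "pinning" (HSTS is not key pinning; 16000000 s is about 185 days, so "6 months" is right) and "redireect Lets Encrypt" has a typo.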
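Review bot: in the first pkg-descr hunk, `- support OpenSSL and LibreSSL` reads as a verb where every other bullet is a noun phrase; `- OpenSSL and LibreSSL support` (or `- supports OpenSSL and LibreSSL`) fits the list. Dropping the draft-16 / draft-14 note from the HTTP/2 line is fine now that the RFC is final.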
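Review bot: the second pkg-descr hunk removes `- persistent upstream connection` and adds websocket and mruby lines, but nothing in the log says whether upstream connection persistence was actually dropped in 2.2.4 or merely reworded away; if the feature still exists the bullet should stay, and if it was removed the log should say so since users of the reverse proxy will notice.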