Hello Henrik,

Thank you for the heads up and the fine release.
One question regarding the following point from the release notes:

> * Protocol Cache: Assume that vary is supported by all.

Does this mean that within the response header "Vary:*" is set
automagically?

I'm asking because last week we ran into a problem with a service worker
implementation and "Vary:*". The service worker complained:

> Uncaught (in promise) TypeError: Vary header contains *

and refused working. After some research we found an article stating:

> Vary: *
>
> Don't use this, period.
>
> The HTTP RFC says that if a Vary header contains the special
> header name *, each request for said URL is supposed to be
> treated as a unique (and uncacheable) request.
>
> This is much better indicated by using Cache-Control:
> private, which is clearer to anyone reading the response
> headers. It also signifies that the object shouldn't ever
> be stored, which is much more secure.

Source: https://www.fastly.com/blog/best-practices-for-using-the-vary-header

So we did some testing and after suppressing the vary header via our
Apache proxy, the service worker stopped complaining and worked like a
charm.

So if this really is related to Roxen, is there a way to influence the
vary header on Roxen level?

Cheers,
Sascha

On 2017-03-09 at 11:53, Henrik Grubbström wrote:
> Roxen WebServer 6.1.200 is now available from http://download.roxen.com/.
>
> Note: This is a major release, and as such there are more structural
> changes than usual which have larger effects on compatibility.
>
> WebServer-specific changes
>
> Core improvements:
>
> o Moved to Pike version 8.0, which among other things gives
>   a much improved SSL/TLS implementation, with support for
>   eg elliptic curves.
>   COMPAT NOTE: There are a number of incompatibilities between Pike
>   7.8 and 8.0, but that is of no concern if you do not have your
>   own custom modules. Roxen module developers should take a look
>   at the Pike release notes for Pike 8.0.
>   Many incompatibilities
>   may be mitigated by running in 7.8 compatibility mode, which is
>   enabled by simply putting "#pike 7.8" at the top of each pike
>   (and pmod) file. Note also that the compatibility layers for
>   pike 7.4 and earlier have been removed (it's been ~8 years
>   since the switch to Pike 7.8).
>
> o Changed database from MySQL to MariaDB 10.1.12.
>
> o Changed MySQL/MariaDB client library from mysql 3.23.49 to
>   mariadb-connector-c 2.2.
>
> o Updated Nettle version to Nettle 3.0 or later.
>
> o Speed up scanning for module and pike-module directories by
>   excluding some more items (e.g. ".git" and "node_modules").
>
> o Core: Load demand-loaded modules from handler threads. [bug 7782]
>
> o Threads: Improved robustness for describe_all_threads(). [bug 7642]
>
> o Start: Added --without-daemon. [bug 7488]
>
> o Config: If the primary configuration file is lost, try the backups.
>
> o Config: Flush configuration files to disc before renaming them.
>
> o Logging: Modify debug log timestamps to always print absolute time,
>   and to display uptime every 5 lines.
>
> o Logging: Default to dated access logfiles.
>
> o Logging: Default to compressing log files.
>
> o DBManager: Add an innodb-data-file-path entry to my.cfg.
>
> o MySQL: Detect and support MariaDB.
>
> o MySQL: Bump the required MySQL version to 5.5.
>
> o Site-Templates: Added support for packages.
>
> o Pike 8.0: Upgrade old automatic X.509v1 certs to X.509v3.
>
> APIs improvements:
>
> o DBManager.SqlFileSplitIterator: Improved performance.
>
> o Add language-aware imploding of string lists.
>
> o New module: HTTPClient.
>
> o Variable.MultipleChoice: Added multiselect mode.
>
> o Variable.MultipleChoice: Support conversion to/from multiselect.
>
> o Added ROXEN.basename().
>
> o ImageCache: Cast atime as SIGNED to avoid errors with some MySQL
>   versions.
>
> o JS-support: Added deepCompare() that checks two JavaScript values
>   recursively for equality.
>
> o JS-support: Added ROXEN.arrayUnique().
>
> o JS-support: Added ROXEN.AFS.post_files() which can send FileList
>   objects directly to the server.
>
> o JS-support: Added ROXEN.dirname().
>
> o JS-support: Added simple YUI style combo loader
>
> o JS-support: Allow ROXEN.AFS.post() to send a form ID to YUI for
>   encoding.
>
> o JS-support: AFS: Add code for throttling and duplicate removal,
>
> o JS-support: AFS: Added function to detect if init() has been called.
>
> o JS-Support: Improve protocol caching for static resources.
>
> o New logging feature: JSON logging.
>
> o New module: REST API for Administration Interface.
>
> o Add a few (custom and glibc-inspired) modifiers to strftime.
>
> o Protocol Cache: Assume that vary is supported by all.
>
> o Protocols: Added StartTLSProtocol.
>
> o ImageCache: Add an expires header.
>
> Administration Interface improvements:
>
> o Compat: Add compat level for Roxen 6.1
>
> o Only show the selected SNMP sub-tree
>
> o RoxenPatch: New files may now force overwrites
>
> o FSGC: Added support for quarantining instead of deleting
>
> o Make various input fields larger.
>
> o Logging: Added log pattern $cipher-suite.
>
> o Logging: Added log pattern $link-layer.
>
> o Logging: Remove log notices after 7 days. Fixes [bug 6950].
>
> o Logging: Don't use <imgs> for site/module log entry icons since that
>   scales badly with long logs.
>
> o Include protocol cache stats in Cache Status wizard. Improve wizard
>   presentation to make it easier to interpret data.
>
> o Config IF: Fixed a redirect loop.
>
> o Config IF: Join the tabs "Auto {Restart,Patching}" to "Auto
>   Maintenance".
>
> o SSL: Generate RSA/SHA256 certificates.
>
> o Display (direct) object memory usage on memory usage page.
>
> o DB-browser: Support queries returning multiple result sets.
>
> o DB-browser: Default the copy or rename action to rename.
>
> o DB-browser: Reorder Ok/Cancel buttons.
>
> Modules improvements:
>
> o New module: Filesystem Proxy.
>
> o XML DB Mirror: Now also a feed import backend.
>
> o UserDB: Support UTF8 in the user database.
>
> o UserDB: Cache user name lookups for 60 seconds.
>
> o Relay2: Added the possibility to add additional response headers.
>
> o auth_httpcookie: Support year 2037 and beyond.
>
> o auth_httpcookie: Timeout cookies after a year.
>
> o auth_httpcookie: Use SHA1 to generate the cookie.
>
> o CGI: Send Connection: close.
>
> o CGI: Support HEAD. Fixes [bug 4616].
>
> o Email: Improved support for Unicode attachments.
>
> o Perform negative caching of (typically) htaccess files for
>   5 seconds.
>
> Patch system improvements:
>
> o Complain but proceed when the CA list is empty.
>
> o Use HTTPS to fetch the patch cluster.
>
> o Rename the "Update Client" permission to "Apply Patches".
>
> o Added option to automatically install patches on restart.
>
> o Added support for automatic fetch of patch clusters.
>
> Protocols improvements:
>
> o Extensions: *.gz and *.bz2 et al are content-types. [bug 7691]
>
> o Attempt to use protocol cache for certain authenticated resources
>   as well.
>
> o Init: Make sure that the default certificates don't use SHA1.
>
> o Init: Create the default certificates in the correct place.
>
> o SSL: Hide the "SSL key file" variable if empty.
>
> o SSL: Change default minimum suite to TLS 1.0.
>
> o Pike 8.0 [SSL]: Support ipless with https.
>
> o Pike 8.0 [SSL]: Support multiple certificates with the same key.
>
> o SSL: Updated estimated cipher strengths.
>
> o FTP: Enable handler threads by default.
>
> o FTP: Allow anonymous ftp without TLS even when TLS required.
>
> o FTP: Added support for the CCC command.
>
> o FTP: Default to PROT P for FTPS.
>
> o FTP: Allow FEAT before login.
>
> o FTP: Extended AUTH TLS config option.
>
> o FTP: Support ending the TLS control connection with REIN.
>
> o FTP: Added configuration flag to require AUTH TLS.
>
> o FTP: Support AUTH TLS (RFC 4217).
>
> RXML improvements:
>
> o Session tag: Fixed failure to set session cookie
>
> o Add :base64url and :-base64url RXML encoding/decoding.
>
> o <force-session-id/> now supports httponly and secure flags.
>
> o Wizards: Added RoxenWizardId cookie to protect against CSRF.
>
> o <expire-time/>: Set Cache-Control: max-age. [bug 7535]
>
> o Added quite a few predicate functions to sexpr.
>
> o SqlTags: Support queries returning multiple result sets.
>
> o <emit#values>: Use a stable output order.
>
> o <insert#href>: Added support for PUT and DELETE [bug 7179].
>
> o Allow RXML expressions to call basename() and dirname() for faster
>   path manipulation.
>
>
> Enjoy!
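
The service worker failure described in the message above, as an added example that is not part of the original thread or of Roxen's code: the Cache API rejects a response whose Vary header contains `*`, so the worker can inspect the header before storing anything. The helper names and the cache name `example-v1` are assumptions.

```javascript
// Added example: keep "Vary: *" responses out of the service worker cache.
// parseVary, isCacheableVary and cachePutIfAllowed are hypothetical helpers.

// Split a Vary field value into lower-cased field names.
// headers.get('Vary') joins repeated Vary headers with ", ", so one
// comma split covers both a single header and several.
function parseVary(value) {
  if (!value) return [];
  return value
    .split(',')
    .map((name) => name.trim().toLowerCase())
    .filter(Boolean);
}

// True when the response may be passed to cache.put() / cache.add().
// Any "*" member makes the Cache API reject with a TypeError.
function isCacheableVary(value) {
  return !parseVary(value).includes('*');
}

// Store the response only when Vary allows it, and report the outcome
// so the caller can log which origin responses are uncacheable.
async function cachePutIfAllowed(cache, request, response) {
  const vary = response.headers.get('Vary');
  if (!isCacheableVary(vary)) {
    return { cached: false, reason: 'Vary: *' };
  }
  await cache.put(request, response.clone());
  return { cached: true, reason: null };
}

// Wiring inside a service worker (assumed cache name):
// self.addEventListener('fetch', (event) => {
//   event.respondWith((async () => {
//     const cache = await caches.open('example-v1');
//     const hit = await cache.match(event.request);
//     if (hit) return hit;
//     const res = await fetch(event.request);
//     await cachePutIfAllowed(cache, event.request, res);
//     return res;
//   })());
// });
```

With this guard the worker still serves the response from the network when the origin sends `Vary: *`; it only skips the cache write that would otherwise throw.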
