⚠️ IMPORTANT: Version Policy Change
As of January 2020, H2O no longer uses version tagging. The master branch is considered stable and ready for production. Each commit is treated as a release. For the latest features and security patches, build from the master branch.
⚠️ Debian Package Removal (May 2025)
H2O has been removed from Debian testing/unstable due to lack of a maintainer. The package in Debian Bookworm (2.2.5) has 5 unpatched CVEs. For secure deployments, build from source or use community Docker images.
H2O is a high-performance HTTP server that provides quicker response to users with less CPU utilization compared to older generation web servers. It features native support for HTTP/1.x, HTTP/2, and HTTP/3 (QUIC), making it one of the most modern web servers available.
⚠️ Package Availability Warning
Debian/Ubuntu: H2O was removed from Debian testing/unstable in May 2025. The Debian Bookworm package (2.2.5) has unpatched security vulnerabilities:
- CVE-2025-8671 (HTTP/2 DoS)
- CVE-2024-45397 (TLS 1.3 + QUIC bypass)
- CVE-2024-25622 (Header directive bug)
- CVE-2023-44487 (HTTP/2 rapid reset)
- CVE-2023-41337 (TLS session misdirection)
RHEL/CentOS: Available from OKey repository (v2.2.6), not from EPEL.
Recommended: Build from source for latest security patches.
# Install dependencies
sudo apt update
sudo apt install build-essential cmake pkg-config libssl-dev zlib1g-dev
# Clone repository with submodules
git clone --recurse-submodules https://github.com/h2o/h2o.git
cd h2o
# Build using CMake
mkdir -p build
cd build
cmake ..
make
sudo make install
H2O will be installed to /usr/local by default.
# Debian Bookworm (contains unpatched CVEs)
sudo apt update
sudo apt install h2o
# Verify installation
h2o --version
⚠️ Warning: Debian package has known unpatched vulnerabilities. Use only in isolated environments.
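To tell which of the installs described above a host is running, the following added example (not part of the original page or the H2O project) classifies an install from its `h2o --version` output and binary path. The function names, labels, sample outputs and the `h2o version X.Y.Z` output format are assumptions.

```shell
#!/bin/sh
# Added example (not H2O project code). Assumptions: the function names, the
# labels printed, and that `h2o --version` prints "h2o version X.Y.Z...".

# Read version output on stdin, print the X.Y.Z part of the first match.
h2o_parse_version() {
    sed -n 's/^h2o version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# $1 = text printed by `h2o --version`, $2 = absolute path of the binary.
# Prints: unknown | debian-bookworm-unpatched | distro-package | source-build
h2o_classify() {
    ver=$(printf '%s\n' "$1" | h2o_parse_version)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    case "$2" in
        /usr/local/*)
            # Default prefix of `make install`; patch level depends on the commit built.
            echo source-build ;;
        *)
            if [ "$ver" = "2.2.5" ]; then
                # Version this page ties to the unpatched CVEs in Debian Bookworm.
                echo debian-bookworm-unpatched
            else
                echo distro-package
            fi ;;
    esac
}

# Live check on the current host; prints "<label> <path>".
h2o_check_local() {
    bin=$(command -v h2o) || { echo "not-installed -"; return 0; }
    out=$("$bin" --version 2>/dev/null) || out=""
    echo "$(h2o_classify "$out" "$bin") $bin"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_DEBIAN='h2o version 2.2.5
OpenSSL: OpenSSL 3.0.0'
SAMPLE_MASTER='h2o version 2.3.0-DEV@0000000'
```

After sourcing the file on a host, call `h2o_check_local`; a `source-build` result still needs the built commit compared against current master, since each commit is treated as a release.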
# Enable OKey repository and install
sudo dnf install h2o
brew install h2o
H2O uses a YAML-based configuration file. The default configuration file is located at /etc/h2o/h2o.conf. Below is an example of a basic configuration:
# /etc/h2o/h2o.conf
listen:
  port: 80
hosts:
  "example.com":
    paths:
      /:
        file.dir: /var/www/html
In this example, H2O is configured to listen on port 80 and serve files from the /var/www/html directory for the domain example.com.
To start the H2O service, use the following command:
sudo systemctl start h2o
To stop the H2O service, use the following command:
sudo systemctl stop h2o
To enable H2O to start on boot, use the following command:
sudo systemctl enable h2o
See the links page for official resources.
See h2o Security for detailed security guidance.