diff --git a/.gitignore b/.gitignore
index 09a5a07..ea4148c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@ x86_64
/httpd-2.4.43.tar.bz2.asc
/KEYS
/httpd-2.4.46.tar.bz2.asc
+/httpd-2.4.48.tar.bz2.asc
diff --git a/httpd-2.4.43-r1870095+.patch b/httpd-2.4.43-r1870095+.patch
deleted file mode 100644
index 3fc8dfb..0000000
--- a/httpd-2.4.43-r1870095+.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
-index cbab6a3..765aa4b 100644
---- a/modules/ssl/ssl_engine_kernel.c
-+++ b/modules/ssl/ssl_engine_kernel.c
-@@ -114,6 +114,45 @@ static int has_buffered_data(request_rec *r)
- return result;
- }
-
-+/* If a renegotiation is required for the location, and the request
-+ * includes a message body (and the client has not requested a "100
-+ * Continue" response), then the client will be streaming the request
-+ * body over the wire already. In that case, it is not possible to
-+ * stop and perform a new SSL handshake immediately; once the SSL
-+ * library moves to the "accept" state, it will reject the SSL packets
-+ * which the client is sending for the request body.
-+ *
-+ * To allow authentication to complete in the hook, the solution used
-+ * here is to fill a (bounded) buffer with the request body, and then
-+ * to reinject that request body later.
-+ *
-+ * This function is called to fill the renegotiation buffer for the
-+ * location as required, or fail. Returns zero on success or HTTP_
-+ * error code on failure.
-+ */
-+static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)
-+{
-+ int rv;
-+ apr_size_t rsize;
-+
-+ /* ### this is HTTP/1.1 specific, special case for protocol? */
-+ if (r->expecting_100 || !ap_request_has_body(r)) {
-+ return 0;
-+ }
-+
-+ rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE : dc->nRenegBufferSize;
-+ if (rsize > 0) {
-+ /* Fill the I/O buffer with the request body if possible. */
-+ rv = ssl_io_buffer_fill(r, rsize);
-+ }
-+ else {
-+ /* If the reneg buffer size is set to zero, just fail. */
-+ rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
-+ }
-+
-+ return rv;
-+}
-+
- #ifdef HAVE_TLSEXT
- static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
- {
-@@ -814,41 +853,14 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
- }
- }
-
-- /* If a renegotiation is now required for this location, and the
-- * request includes a message body (and the client has not
-- * requested a "100 Continue" response), then the client will be
-- * streaming the request body over the wire already. In that
-- * case, it is not possible to stop and perform a new SSL
-- * handshake immediately; once the SSL library moves to the
-- * "accept" state, it will reject the SSL packets which the client
-- * is sending for the request body.
-- *
-- * To allow authentication to complete in this auth hook, the
-- * solution used here is to fill a (bounded) buffer with the
-- * request body, and then to reinject that request body later.
-- */
-- if (renegotiate && !renegotiate_quick
-- && !r->expecting_100
-- && ap_request_has_body(r)) {
-- int rv;
-- apr_size_t rsize;
--
-- rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE :
-- dc->nRenegBufferSize;
-- if (rsize > 0) {
-- /* Fill the I/O buffer with the request body if possible. */
-- rv = ssl_io_buffer_fill(r, rsize);
-- }
-- else {
-- /* If the reneg buffer size is set to zero, just fail. */
-- rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
-- }
--
-- if (rv) {
-+ /* Fill reneg buffer if required. */
-+ if (renegotiate && !renegotiate_quick) {
-+ rc = fill_reneg_buffer(r, dc);
-+ if (rc) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02257)
- "could not buffer message body to allow "
- "SSL renegotiation to proceed");
-- return rv;
-+ return rc;
- }
- }
-
-@@ -1132,6 +1144,17 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
- }
- }
-
-+ /* Fill reneg buffer if required. */
-+ if (change_vmode) {
-+ rc = fill_reneg_buffer(r, dc);
-+ if (rc) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10228)
-+ "could not buffer message body to allow "
-+ "TLS Post-Handshake Authentication to proceed");
-+ return rc;
-+ }
-+ }
-+
- if (change_vmode) {
- char peekbuf[1];
-
diff --git a/httpd-2.4.43-sslcoalesce.patch b/httpd-2.4.43-sslcoalesce.patch
deleted file mode 100644
index ef1f728..0000000
--- a/httpd-2.4.43-sslcoalesce.patch
+++ /dev/null
@@ -1,192 +0,0 @@
-
-http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?r1=1836237&r2=1836236&pathrev=1836237&view=patch
-http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?r1=1873985&r2=1876037&view=patch
-
---- httpd-2.4.43/modules/ssl/ssl_engine_io.c.sslcoalesce
-+++ httpd-2.4.43/modules/ssl/ssl_engine_io.c
-@@ -1585,18 +1585,32 @@
- }
-
-
--/* ssl_io_filter_output() produces one SSL/TLS message per bucket
-+/* ssl_io_filter_output() produces one SSL/TLS record per bucket
- * passed down the output filter stack. This results in a high
-- * overhead (network packets) for any output comprising many small
-- * buckets. SSI page applied through the HTTP chunk filter, for
-- * example, may produce many brigades containing small buckets -
-- * [chunk-size CRLF] [chunk-data] [CRLF].
-+ * overhead (more network packets & TLS processing) for any output
-+ * comprising many small buckets. SSI output passed through the HTTP
-+ * chunk filter, for example, may produce many brigades containing
-+ * small buckets - [chunk-size CRLF] [chunk-data] [CRLF].
- *
-- * The coalescing filter merges many small buckets into larger buckets
-- * where possible, allowing the SSL I/O output filter to handle them
-- * more efficiently. */
-+ * Sending HTTP response headers as a separate TLS record to the
-+ * response body also reveals information to a network observer (the
-+ * size of headers) which can be significant.
-+ *
-+ * The coalescing filter merges data buckets with the aim of producing
-+ * fewer, larger TLS records - without copying/buffering all content
-+ * and introducing unnecessary overhead.
-+ *
-+ * ### This buffering could be probably be done more comprehensively
-+ * ### in ssl_io_filter_output itself.
-+ *
-+ * ### Another possible performance optimisation in particular for the
-+ * ### [HEAP] [FILE] HTTP response case is using a brigade rather than
-+ * ### a char array to buffer; using apr_brigade_write() to append
-+ * ### will use already-allocated memory from the HEAP, reducing # of
-+ * ### copies.
-+ */
-
--#define COALESCE_BYTES (2048)
-+#define COALESCE_BYTES (AP_IOBUFSIZE)
-
- struct coalesce_ctx {
- char buffer[COALESCE_BYTES];
-@@ -1609,11 +1623,12 @@
- apr_bucket *e, *upto;
- apr_size_t bytes = 0;
- struct coalesce_ctx *ctx = f->ctx;
-+ apr_size_t buffered = ctx ? ctx->bytes : 0; /* space used on entry */
- unsigned count = 0;
-
- /* The brigade consists of zero-or-more small data buckets which
-- * can be coalesced (the prefix), followed by the remainder of the
-- * brigade.
-+ * can be coalesced (referred to as the "prefix"), followed by the
-+ * remainder of the brigade.
- *
- * Find the last bucket - if any - of that prefix. count gives
- * the number of buckets in the prefix. The "prefix" must contain
-@@ -1628,24 +1643,97 @@
- e != APR_BRIGADE_SENTINEL(bb)
- && !APR_BUCKET_IS_METADATA(e)
- && e->length != (apr_size_t)-1
-- && e->length < COALESCE_BYTES
-- && (bytes + e->length) < COALESCE_BYTES
-- && (ctx == NULL
-- || bytes + ctx->bytes + e->length < COALESCE_BYTES);
-+ && e->length <= COALESCE_BYTES
-+ && (buffered + bytes + e->length) <= COALESCE_BYTES;
- e = APR_BUCKET_NEXT(e)) {
-- if (e->length) count++; /* don't count zero-length buckets */
-- bytes += e->length;
-+ /* don't count zero-length buckets */
-+ if (e->length) {
-+ bytes += e->length;
-+ count++;
-+ }
- }
-+
-+ /* If there is room remaining and the next bucket is a data
-+ * bucket, try to include it in the prefix to coalesce. For a
-+ * typical [HEAP] [FILE] HTTP response brigade, this handles
-+ * merging the headers and the start of the body into a single TLS
-+ * record. */
-+ if (bytes + buffered > 0
-+ && bytes + buffered < COALESCE_BYTES
-+ && e != APR_BRIGADE_SENTINEL(bb)
-+ && !APR_BUCKET_IS_METADATA(e)) {
-+ apr_status_t rv = APR_SUCCESS;
-+
-+ /* For an indeterminate length bucket (PIPE/CGI/...), try a
-+ * non-blocking read to have it morph into a HEAP. If the
-+ * read fails with EAGAIN, it is harmless to try a split
-+ * anyway, split is ENOTIMPL for most PIPE-like buckets. */
-+ if (e->length == (apr_size_t)-1) {
-+ const char *discard;
-+ apr_size_t ignore;
-+
-+ rv = apr_bucket_read(e, &discard, &ignore, APR_NONBLOCK_READ);
-+ if (rv != APR_SUCCESS && !APR_STATUS_IS_EAGAIN(rv)) {
-+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10232)
-+ "coalesce failed to read from %s bucket",
-+ e->type->name);
-+ return AP_FILTER_ERROR;
-+ }
-+ }
-+
-+ if (rv == APR_SUCCESS) {
-+ /* If the read above made the bucket morph, it may now fit
-+ * entirely within the buffer. Otherwise, split it so it does
-+ * fit. */
-+ if (e->length > COALESCE_BYTES
-+ || e->length + buffered + bytes > COALESCE_BYTES) {
-+ rv = apr_bucket_split(e, COALESCE_BYTES - (buffered + bytes));
-+ }
-+
-+ if (rv == APR_SUCCESS && e->length == 0) {
-+ /* As above, don't count in the prefix if the bucket is
-+ * now zero-length. */
-+ }
-+ else if (rv == APR_SUCCESS) {
-+ ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
-+ "coalesce: adding %" APR_SIZE_T_FMT " bytes "
-+ "from split %s bucket, total %" APR_SIZE_T_FMT,
-+ e->length, e->type->name, bytes + buffered);
-+
-+ count++;
-+ bytes += e->length;
-+ e = APR_BUCKET_NEXT(e);
-+ }
-+ else if (rv != APR_ENOTIMPL) {
-+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10233)
-+ "coalesce: failed to split data bucket");
-+ return AP_FILTER_ERROR;
-+ }
-+ }
-+ }
-+
- upto = e;
-
-- /* Coalesce the prefix, if:
-- * a) more than one bucket is found to coalesce, or
-- * b) the brigade contains only a single data bucket, or
-- * c) the data bucket is not last but we have buffered data already.
-+ /* Coalesce the prefix, if any of the following are true:
-+ *
-+ * a) the prefix is more than one bucket
-+ * OR
-+ * b) the prefix is the entire brigade, which is a single bucket
-+ * AND the prefix length is smaller than the buffer size,
-+ * OR
-+ * c) the prefix is a single bucket
-+ * AND there is buffered data from a previous pass.
-+ *
-+ * The aim with (b) is to buffer a small bucket so it can be
-+ * coalesced with future invocations of this filter. e.g. three
-+ * calls each with a single 100 byte HEAP bucket should get
-+ * coalesced together. But an invocation with a 8192 byte HEAP
-+ * should pass through untouched.
- */
- if (bytes > 0
- && (count > 1
-- || (upto == APR_BRIGADE_SENTINEL(bb))
-+ || (upto == APR_BRIGADE_SENTINEL(bb)
-+ && bytes < COALESCE_BYTES)
- || (ctx && ctx->bytes > 0))) {
- /* If coalescing some bytes, ensure a context has been
- * created. */
-@@ -1656,7 +1744,8 @@
-
- ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
- "coalesce: have %" APR_SIZE_T_FMT " bytes, "
-- "adding %" APR_SIZE_T_FMT " more", ctx->bytes, bytes);
-+ "adding %" APR_SIZE_T_FMT " more (buckets=%u)",
-+ ctx->bytes, bytes, count);
-
- /* Iterate through the prefix segment. For non-fatal errors
- * in this loop it is safe to break out and fall back to the
-@@ -1671,7 +1760,8 @@
- if (APR_BUCKET_IS_METADATA(e)
- || e->length == (apr_size_t)-1) {
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(02012)
-- "unexpected bucket type during coalesce");
-+ "unexpected %s bucket during coalesce",
-+ e->type->name);
- break; /* non-fatal error; break out */
- }
-
diff --git a/httpd-2.4.46-lua-resume.patch b/httpd-2.4.46-lua-resume.patch
deleted file mode 100644
index 1a22008..0000000
--- a/httpd-2.4.46-lua-resume.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-diff --git a/modules/lua/config.m4 b/modules/lua/config.m4
-index 29fd563..abeba1c 100644
---- a/modules/lua/config.m4
-+++ b/modules/lua/config.m4
-@@ -34,7 +34,7 @@ AC_DEFUN([CHECK_LUA_PATH], [dnl
- fi
- ])
-
--dnl Check for Lua 5.3/5.2/5.1 Libraries
-+dnl Check for Lua Libraries
- dnl CHECK_LUA(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND])
- dnl Sets:
- dnl LUA_CFLAGS
-@@ -44,7 +44,7 @@ AC_DEFUN([CHECK_LUA],
-
- AC_ARG_WITH(
- lua,
-- [AC_HELP_STRING([--with-lua=PATH],[Path to the Lua 5.3/5.2/5.1 prefix])],
-+ [AC_HELP_STRING([--with-lua=PATH],[Path to the Lua installation prefix])],
- lua_path="$withval",
- :)
-
-diff --git a/modules/lua/mod_lua.c b/modules/lua/mod_lua.c
-index 05f1e44..18b628c 100644
---- a/modules/lua/mod_lua.c
-+++ b/modules/lua/mod_lua.c
-@@ -342,7 +342,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil
- {
- apr_pool_t *pool;
- ap_lua_vm_spec *spec;
-- int n, rc;
-+ int n, rc, nres;
- lua_State *L;
- lua_filter_ctx *ctx;
- ap_lua_server_cfg *server_cfg = ap_get_module_config(r->server->module_config,
-@@ -410,7 +410,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil
- /* If a Lua filter is interested in filtering a request, it must first do a yield,
- * otherwise we'll assume that it's not interested and pretend we didn't find it.
- */
-- rc = lua_resume(L, 1);
-+ rc = lua_resume(L, 1, &nres);
- if (rc == LUA_YIELD) {
- if (f->frec->providers == NULL) {
- /* Not wired by mod_filter */
-@@ -432,7 +432,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil
- static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade *pbbIn)
- {
- request_rec *r = f->r;
-- int rc;
-+ int rc, nres;
- lua_State *L;
- lua_filter_ctx* ctx;
- conn_rec *c = r->connection;
-@@ -492,7 +492,7 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade
- lua_setglobal(L, "bucket");
-
- /* If Lua yielded, it means we have something to pass on */
-- if (lua_resume(L, 0) == LUA_YIELD) {
-+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
- size_t olen;
- const char* output = lua_tolstring(L, 1, &olen);
- if (olen > 0) {
-@@ -524,7 +524,7 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade
- apr_bucket *pbktEOS;
- lua_pushnil(L);
- lua_setglobal(L, "bucket");
-- if (lua_resume(L, 0) == LUA_YIELD) {
-+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
- apr_bucket *pbktOut;
- size_t olen;
- const char* output = lua_tolstring(L, 1, &olen);
-@@ -558,7 +558,7 @@ static apr_status_t lua_input_filter_handle(ap_filter_t *f,
- apr_off_t nBytes)
- {
- request_rec *r = f->r;
-- int rc, lastCall = 0;
-+ int rc, lastCall = 0, nres;
- lua_State *L;
- lua_filter_ctx* ctx;
- conn_rec *c = r->connection;
-@@ -621,7 +621,7 @@ static apr_status_t lua_input_filter_handle(ap_filter_t *f,
- lua_setglobal(L, "bucket");
-
- /* If Lua yielded, it means we have something to pass on */
-- if (lua_resume(L, 0) == LUA_YIELD) {
-+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
- size_t olen;
- const char* output = lua_tolstring(L, 1, &olen);
- pbktOut = apr_bucket_heap_create(output, olen, 0, c->bucket_alloc);
-@@ -643,7 +643,7 @@ static apr_status_t lua_input_filter_handle(ap_filter_t *f,
- apr_bucket *pbktEOS = apr_bucket_eos_create(c->bucket_alloc);
- lua_pushnil(L);
- lua_setglobal(L, "bucket");
-- if (lua_resume(L, 0) == LUA_YIELD) {
-+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
- apr_bucket *pbktOut;
- size_t olen;
- const char* output = lua_tolstring(L, 1, &olen);
-diff --git a/modules/lua/mod_lua.h b/modules/lua/mod_lua.h
-index 0e49cdc..72b4de7 100644
---- a/modules/lua/mod_lua.h
-+++ b/modules/lua/mod_lua.h
-@@ -48,7 +48,15 @@
- #if LUA_VERSION_NUM > 501
- /* Load mode for lua_load() */
- #define lua_load(a,b,c,d) lua_load(a,b,c,d,NULL)
--#define lua_resume(a,b) lua_resume(a, NULL, b)
-+
-+#if LUA_VERSION_NUM > 503
-+#define lua_resume(a,b,c) lua_resume(a, NULL, b, c)
-+#else
-+/* ### For version < 5.4, assume that exactly one stack item is on the
-+ * stack, which is what the code did before but seems dubious. */
-+#define lua_resume(a,b,c) (*(c) = 1, lua_resume(a, NULL, b))
-+#endif
-+
- #define luaL_setfuncs_compat(a,b) luaL_setfuncs(a,b,0)
- #else
- #define lua_rawlen(L,i) lua_objlen(L, (i))
diff --git a/httpd-2.4.43-export.patch b/httpd-2.4.48-export.patch
similarity index 93%
rename from httpd-2.4.43-export.patch
rename to httpd-2.4.48-export.patch
index 0d9fd72..439f768 100644
--- a/httpd-2.4.43-export.patch
+++ b/httpd-2.4.48-export.patch
@@ -6,7 +6,7 @@ to do so indirectly.
Upstream: https://svn.apache.org/r1861685 (as new default-off configure option)
diff --git a/Makefile.in b/Makefile.in
-index 9eeb5c7..8746a10 100644
+index 40c7076..ac98e5f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test
@@ -27,7 +27,7 @@ index 9eeb5c7..8746a10 100644
server/libmain.la \
$(BUILTIN_LIBS) \
diff --git a/server/Makefile.in b/server/Makefile.in
-index 1fa3344..116850b 100644
+index 8111877..f00bb3f 100644
--- a/server/Makefile.in
+++ b/server/Makefile.in
@@ -12,7 +12,7 @@ LTLIBRARY_SOURCES = \
@@ -36,7 +36,7 @@ index 1fa3344..116850b 100644
util_charset.c util_cookies.c util_debug.c util_xml.c \
- util_filter.c util_pcre.c util_regex.c exports.c \
+ util_filter.c util_pcre.c util_regex.c \
- scoreboard.c error_bucket.c protocol.c core.c request.c provider.c \
+ scoreboard.c error_bucket.c protocol.c core.c request.c ssl.c provider.c \
eoc_bucket.c eor_bucket.c core_filters.c \
util_expr_parse.c util_expr_scan.c util_expr_eval.c
diff --git a/server/main.c b/server/main.c
diff --git a/httpd-2.4.46-proxy-ws-idle-timeout.patch b/httpd-2.4.48-proxy-ws-idle-timeout.patch
similarity index 68%
rename from httpd-2.4.46-proxy-ws-idle-timeout.patch
rename to httpd-2.4.48-proxy-ws-idle-timeout.patch
index e9f9d40..d04dc68 100644
--- a/httpd-2.4.46-proxy-ws-idle-timeout.patch
+++ b/httpd-2.4.48-proxy-ws-idle-timeout.patch
@@ -1,25 +1,20 @@
diff --git a/docs/manual/mod/mod_proxy_wstunnel.html.en b/docs/manual/mod/mod_proxy_wstunnel.html.en
-index 7506ccb..8867578 100644
+index 9f2c120..61ff7de 100644
--- a/docs/manual/mod/mod_proxy_wstunnel.html.en
+++ b/docs/manual/mod/mod_proxy_wstunnel.html.en
-@@ -60,14 +60,33 @@ NONE means you bypass the check for the header but still upgrade to WebSocket.
- ANY means that Upgrade
will read in the request headers and use
- in the response Upgrade
This module provides no -- directives.
-+Upgrade
+
+@@ -108,6 +109,23 @@ in the response Upgrade
+ WebSocket requests as in httpd 2.4.46 and earlier.
-+
+ Description: | Sets the maximum amount of time to wait for data on the websockets tunnel |
---|