Apache httpd 2.4.33 with the brotli compression library from Google and http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS has been added to the repository. Mod_ssl is built statically against OpenSSL 1.1.0h.
Since the 2.4.29-2 release we have been building Apache httpd against OpenSSL 1.1.0. Since 2.4.33 we also include the brotli compression library.
To install brotli support, please run:
yum install mod_brotli libbrotli-1.0.3
The Apache httpd http2 module no longer supports the prefork MPM as of version 2.4.27; we experienced crashes with it in 2.4.26 and decided to keep those builds private. If you need the http2 module, please disable the prefork MPM and enable the worker MPM in /etc/httpd/conf.modules.d/00-mpm.conf.
We have already made this change in 00-mpm.conf in our packages. If you are updating another vendor's installation, please update this file yourself.
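One way to verify the MPM requirement above before enabling mod_http2, as an added example (not part of the original post or the CodeIT packages). The function names active_mpms and http2_mpm_ok are hypothetical and the sample file content is constructed.

```shell
#!/bin/sh
# Added example: report which MPM a conf file actually loads and whether
# it satisfies the "no prefork with http2" rule described in the post.

# active_mpms FILE -> prints one MPM name per line (e.g. "worker").
# Only uncommented LoadModule lines count; "#LoadModule ..." is ignored.
active_mpms() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}mpm_\([a-z]*\)_module[[:space:]].*/\1/p' "$1"
}

# http2_mpm_ok FILE -> prints the MPM and returns 0 when exactly one MPM
# is loaded and it is not prefork; returns 1 for prefork, 2 for a wrong count.
http2_mpm_ok() {
    mpms=$(active_mpms "$1")
    count=$(printf '%s\n' "$mpms" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one MPM, found $count" >&2
        return 2
    fi
    if [ "$mpms" = "prefork" ]; then
        echo "prefork is active; switch to worker for the http2 module" >&2
        return 1
    fi
    echo "$mpms"
}

# Constructed sample standing in for /etc/httpd/conf.modules.d/00-mpm.conf
sample=$(mktemp)
cat > "$sample" <<'EOF'
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
http2_mpm_ok "$sample"
rm -f "$sample"
```

On a real host, pass /etc/httpd/conf.modules.d/00-mpm.conf as the argument.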
For httpd to work correctly with SELinux, please set the following boolean:
setsebool -P httpd_execmem=1
Feel free to use our CentOS/RHEL repository. Please also note that this package depends on apr-util 1.5.0+ and libnghttp2, which you can find in the EPEL repository. So the easiest way to use our builds of Apache httpd is to add the EPEL repository, if you do not have it yet: yum install -y epel-release
The mod_ssl-2.4.33-2 version was linked against OpenSSL 1.1.0g. The mod_ssl-2.4.33-3 version is linked against OpenSSL 1.1.0h, which was released today.
file /var/www/html from install of httpd-filesystem-2.4.33-2.codeit.el7.noarch conflicts with file from package php-pear-1:1.9.4-21.el7.noarch
Directory permissions updated to match those in pear package, thank you.
Fixed in httpd-2.4.33-3.
Failed to restart Apache after upgrading to 2.4.33.
What is the error message in error_log?
[Tue Mar 27 22:48:22.063423 2018] [suexec:notice] [pid 2242:tid 139825080944832] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Mar 27 22:48:22.063698 2018] [ssl:emerg] [pid 2242:tid 139825080944832] AH02572: Failed to configure at least one certificate and key for xxxx.xxxx.com:80
[Tue Mar 27 22:48:22.063715 2018] [ssl:emerg] [pid 2242:tid 139825080944832] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Tue Mar 27 22:48:22.063718 2018] [ssl:emerg] [pid 2242:tid 139825080944832] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
Looks like you have SSL enabled for your host listening on port 80. Please disable SSL Engine for it: this definitely seems like an error in your configuration.
apachectl configtest is fine & ssl.conf is the other file, right? Rolled back to 2.4.29 and everything is fine.
Problem solved by adding the cert, key and chain to the virtual host and re-installing the update.
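A config check for the AH02572 situation discussed in the comments above, as an added example (not part of the original comments or the CodeIT packages). The function name audit_ssl_vhosts and its PORT80/NOCERT/OK labels are hypothetical, the sample vhosts are constructed, and NOCERT only means no SSLCertificateFile directive appears inside the block itself.

```shell
#!/bin/sh
# Added example: list every <VirtualHost> block that sets "SSLEngine on"
# and classify it. Only the first address of each block is examined.
#   PORT80 - SSL enabled on a port-80 vhost
#   NOCERT - no SSLCertificateFile directive inside the block
#   OK     - SSL vhost with a certificate directive in the block
audit_ssl_vhosts() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^#/ { next }                       # skip commented lines
    low ~ /^<virtualhost[ \t]/ {
        addr = $2; sub(/>.*/, "", addr)       # "*:80>" -> "*:80"
        invh = 1; ssl = 0; cert = 0; next
    }
    invh && low ~ /^sslengine[ \t]+on([ \t]|$)/ { ssl = 1 }
    invh && low ~ /^sslcertificatefile[ \t]/    { cert = 1 }
    invh && low ~ /^<\/virtualhost>/ {
        if (ssl) {
            if (addr ~ /:80$/) print addr, "PORT80"
            else if (!cert)    print addr, "NOCERT"
            else               print addr, "OK"
        }
        invh = 0
    }' "$1"
}

# Constructed sample configuration (not taken from the commenter's host)
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.test
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key
</VirtualHost>
EOF
audit_ssl_vhosts "$sample"
rm -f "$sample"
```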
Dear Friends
I tried to install via: yum install mod_brotli libbrotli-1.0.3 and everything was OK, but after that I ran: yum -y update and got the errors below (Polish CentOS 7.4, but you should understand):
——-
--> Wykonywanie sprawdzania transakcji
---> Pakiet libbrotli.x86_64 0:1.0.3-1.codeit.el7 zostanie zaktualizowany
--> Przetwarzanie zależności: libbrotlicommon.so.1()(64bit) dla pakietu: mod_brotli-2.4.33-3.codeit.el7.x86_64
--> Przetwarzanie zależności: libbrotlienc.so.1()(64bit) dla pakietu: mod_brotli-2.4.33-3.codeit.el7.x86_64
---> Pakiet libbrotli.x86_64 0:1.0.20171011.git.805fd3b-1.el7.centos.codeit zostanie zaktualizowany
--> Ukończono rozwiązywanie zależności
Błąd: Pakiet: mod_brotli-2.4.33-3.codeit.el7.x86_64 (@CodeIT)
Wymaga: libbrotlienc.so.1()(64bit)
Usuwanie: libbrotli-1.0.3-1.codeit.el7.x86_64 (@CodeIT)
libbrotlienc.so.1()(64bit)
Zaktualizowano przez: libbrotli-1.0.20171011.git.805fd3b-1.el7.centos.codeit.x86_64 (CodeIT)
~libbrotlienc.so.0()(64bit)
Dostępne: libbrotli-1.0.20160607.git.3f46e28-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20160706.git.77a0db1-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20160818.git.ccb89e1-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20160907.git.6b12316-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20160926.git.6b12316-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20161013.git.6b12316-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20161021.git.a258234-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20161108.git.a258234-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20170201.git.a258234-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20170227.git.a258234-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20170418.git.a258234-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Dostępne: libbrotli-1.0.20170828.git.a258234-1.el7.codeit.x86_64 (CodeIT)
libbrotlienc.so.1()(64bit)
Błąd: Pakiet: mod_brotli-2.4.33-3.codeit.el7.x86_64 (@CodeIT)
Wymaga: libbrotlicommon.so.1()(64bit)
Usuwanie: libbrotli-1.0.3-1.codeit.el7.x86_64 (@CodeIT)
libbrotlicommon.so.1()(64bit)
Zaktualizowano przez: libbrotli-1.0.20171011.git.805fd3b-1.el7.centos.codeit.x86_64 (CodeIT)
Nie odnaleziono
Można spróbować użyć --skip-broken, aby obejść problem
Można spróbować wykonać polecenie: rpm -Va --nofiles --nodigest
——-
Sincerely
Dear Mateusz,
You are right, we have a mess now with libbrotli versioning. Previously we used badger scripts to build the library with a 1.0.201X version. Now we have switched to our own .spec file for the native Google library.
We are preparing new builds of nginx against the Google library and will then remove the older libbrotli-1.0.201X files from the repo.
Sorry for the inconvenience and thanks for the report!
Just want to say you saved my life, thank you.
I would like to install version 2.4.29 instead of 2.4.33 because of personal circumstances, how can I install it using yum?
I do not know anything about Linux ㅠㅠ
Then don’t do this.
Please first do some more reading and gain some knowledge about YUM and Linux CentOS.
Then you can use the yum repo options and so on to choose which ones manually and how to configure them because of updates and so on, but without that knowledge this makes no sense!
Update looks OK so far, thanks again.
The yum install mod_brotli libbrotli-1.0.3, I didn’t do this.
(Apache only here.) Will you post when you are ready with the change “We are preparing new builds”, or does this not involve Apache-only setups?
Hello. We have already rebuilt nginx 1.12.2 against libbrotli-1.0.3.
Hi,
Do you maybe plan to build the latest Apache with OpenSSL “n” or maybe “o”?
Believe it or not, but I need OpenSSL > n for PCI compliance.
Also, is it a problem if I run OpenSSL 1.0.2k-fips (official CentOS) and your static OpenSSL 1.0.2.n built with httpd?
Hi Milan,
We already build httpd with the latest OpenSSL 1.1.0h (do not confuse it with 1.0.2o).
I think you won’t have any problems running our httpd builds (that are linked statically) and other versions of OpenSSL.
Hi Alex, any chance you could lend me a hand on this?
Error: Package: mod_http2-1.10.12-1.codeit.x86_64 (CodeIT)
Requires: libnghttp2.so.14()(64bit)
Error: Package: mod_http2-1.10.12-1.codeit.x86_64 (CodeIT)
Requires: libnghttp2 >= 1.21.1
I googled and was unable to find an installable package of libnghttp2 for CentOS 7 in many repos. Thank you!
He’s right – PCI compliance requires the resolution of CVE-2018-0737, which is only found in versions of OpenSSL greater than or equal to 1.1.0i. Any plans to release a new version in the near future? I’d rather not have to manually compile.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737
https://www.openssl.org/news/secadv/20180416.txt
Hi Daniel,
We will definitely build a new version after OpenSSL 1.1.0i is released.
I don’t like the idea of building Apache httpd against a dev version.
The severity of the cache timing attack you mentioned is low, so I think users are safe.
Hi. I tried to install the CodeIt repo’s httpd on CentOS 7, but no luck:
Error: Package: mod_http2-1.10.12-1.codeit.x86_64 (CodeIT)
Requires: libnghttp2.so.14()(64bit)
Error: Package: mod_http2-1.10.12-1.codeit.x86_64 (CodeIT)
Requires: libnghttp2 >= 1.21.1
I would highly appreciate it if someone could lend me a hand. Thank you!
REPEL?
then
yum install libnghttp2
was what I did, as far as I remember.
Sorry, it is in the docs: the EPEL repo is needed first!
(Typo: REPEL, hihi)
Hi John,
Sorry, a bit busy these days.
Please install the EPEL repository, which contains libnghttp2.
Hi,
I am getting the error below in http 2.4.33 and the pages are not loading. How can I solve this issue?
protocol.c(860): AH02418: HTTP Request Line; Unrecognized protocol ‘HTTP/0.9’ (perhaps whitespace was injected?)
Hello,
I am testing Apache httpd version 2.4.33 for a mod_jk-based SSL reverse proxy in front of a Tomcat application server.
mod_jk (version 1.2.43) is load-balancing two Tomcat 8 nodes using the AJP protocol.
Brotli compression is working correctly, but Apache seems to throw some errors frequently, causing HTML pages not to load.
It happens when the HTTP2 protocol is enabled. Everything works correctly if I force the older HTTP1.1 protocol.
I would be glad if I could contribute to debugging to sort out this issue.
Thank you.
Hi,
I compiled httpd 2.4.33 with apr-1.63, apr-util-1.6.1 and pcre 8.42. The error below is shown while querying. Please let me know whether there is anything I need to include.
[core:debug] [pid 1181] protocol.c(860): [client 10.155.52.193:35486] AH02418: HTTP Request Line; Unrecognized protocol ‘HTTP/0.9’ (perhaps whitespace was injected?)
Hi.
I think that your client or some other HTTP client (maybe a proxy?) sends a wrong request with HTTP/0.9.
HTTP/0.9 is the first HTTP version, developed in 1990. I think there are no live implementations of it, so please check your clients instead of the server: it really does not support HTTP/0.9. HTTP 1.0, 1.1 and 2 are supported.
Hi Alexander,
Thanks for your reply. I have enabled the trace log in Apache and checked the request sent by the client; the request is correct. Even so, Apache is throwing the error. I don’t know what the problem is in parsing the request.
[Wed Jun 20 12:16:51.064250 2018] [core:trace5] [pid 8145] protocol.c(653): Request received from client: GET /index.html HTTP/1.1
[Wed Jun 20 12:16:51.064413 2018] [core:debug] [pid 8145] protocol.c(860): AH02418: HTTP Request Line; Unrecognized protocol ‘HTTP/0.9’ (perhaps whitespace was injected?)
Hi,
As far as I can understand, you have your own Apache httpd build and it shows you this error on every HTTP/1.1 request. Just for clarification: we never faced similar problems in our builds (but we use them on many hosts).
Or do you mean you face this problem with our builds on supported OS?
How to use this upgrade to httpd 2.4.33?