Apache httpd 2.4.34 with brotli support, built against OpenSSL 1.1.0h with http2 and ALPN for Red Hat Enterprise Linux and CentOS

Apache httpd 2.4.34 with the brotli compression library from Google and http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS has been added to the repository. mod_ssl is built statically against OpenSSL 1.1.0h.

Since the 2.4.29-2 release we have been building Apache httpd against OpenSSL 1.1.0. Since 2.4.33 the builds also include the brotli compression library.

Brotli support is already included in the base RPM file. All you need to do is add filters such as:

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

The Apache httpd http2 module no longer supports the prefork MPM as of version 2.4.27. If you need the http2 module, disable the prefork MPM and enable the event MPM in /etc/httpd/conf.modules.d/00-mpm.conf. We have already made this change in the 00-mpm.conf shipped in our packages. If you are updating an installation from another vendor, please update this file.

For httpd to work correctly with SELinux, please set the following boolean:

setsebool -P httpd_execmem=1

Feel free to use our CentOS/RHEL repository. Please also note that this package depends on apr-util 1.5.0+ and libnghttp, which you can find in the EPEL repository. So the easiest way to use our builds of Apache httpd is to add the EPEL repository, if you do not have it yet:

yum install -y epel-release
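
An added example, not part of the original post or of the packages: a small shell check for the two configuration points above, the MPM selected in 00-mpm.conf and the BROTLI_COMPRESS filter line. The function names and the sample config tree are constructed for illustration; on a real host the functions would be pointed at the files under /etc/httpd.

```shell
#!/bin/sh
# Added example (not the packagers' code): audit an httpd config tree for the
# MPM and brotli settings this post describes. Sample files are constructed.

# Print the MPM named by every uncommented "LoadModule mpm_*_module" line.
active_mpms() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]][[:space:]]*mpm_\([a-z]*\)_module.*/\1/p' "$1"
}

# Succeed only when exactly one MPM is enabled and it is not prefork,
# which the http2 module stopped supporting in 2.4.27.
mpm_ok_for_http2() {
    mpms=$(active_mpms "$1")
    [ "$(printf '%s\n' "$mpms" | grep -c .)" -eq 1 ] && [ "$mpms" != prefork ]
}

# Print, one per line, the MIME types on uncommented BROTLI_COMPRESS filter
# lines. Matching is case-sensitive, a simplification of httpd's own parser.
brotli_types() {
    sed -n 's/^[[:space:]]*AddOutputFilterByType[[:space:]][[:space:]]*BROTLI_COMPRESS[[:space:]]*//p' "$@" |
        tr -s ' \t' '\n\n' | sort -u
}

# Constructed sample tree mirroring the layout named in the post.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/conf.modules.d" "$SAMPLE/conf.d"
cat > "$SAMPLE/conf.modules.d/00-mpm.conf" <<'EOF'
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
cat > "$SAMPLE/conf.d/brotli.conf" <<'EOF'
# AddOutputFilterByType BROTLI_COMPRESS image/png
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
EOF

if mpm_ok_for_http2 "$SAMPLE/conf.modules.d/00-mpm.conf"; then
    echo "MPM: $(active_mpms "$SAMPLE/conf.modules.d/00-mpm.conf") (usable with the http2 module)"
else
    echo "MPM: prefork or ambiguous; the http2 module will not work"
fi
echo "brotli filter covers: $(brotli_types "$SAMPLE"/conf.d/*.conf | tr '\n' ' ')"
```

A commented-out filter line, like the image/png one in the sample, is ignored, so the output reflects only what httpd would actually load.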

19 thoughts on “Apache httpd 2.4.34 with brotli support, built against OpenSSL 1.1.0h with http2 and ALPN for Red Hat Enterprise Linux and CentOS”

  1. Dear Friends

    You said:
    “brotli support is already included in base RPM file. All you need is to add filters like

    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript”

    In the earlier version there was a file brotli.conf in /etc/httpd/conf.d/, which is no longer available in this new version. May you be so kind and explain where I should add this: “AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript”, to have Brotli Compression enabled?

    Thank you in advance for your help and support.

    Sincerely

    1. Hello Amit,

      I think HTTP/2 and ALPN do really work on your site. ALPN is the only supported way for HTTP/2 negotiation in Chrome, so if you see h2 protocol in dev tools, ALPN and HTTP/2 really work.

      1. Thank you for the reply. I’ve had to switch back to stock Apache 2.2 as I was getting out of memory errors. I have a CentOS 7x VM running on Azure with PHP 7x from Remi and tried your Apache 2.4 packages to run a large wordpress based website without success. I’ll have to debug on a local VM to determine why memory is getting depleted.

        1. Hello Amit,

          Please share errors from your log.

          Also please note that PHP is not thread safe (at least in 7.0 and 7.1 they have bugs that cannot be fixed without ABI changes), so ensure you are using Apache httpd in prefork or event mode. Alternatively, you can use php in fpm mode (that will be default one in Fedora).

  2. Hi guys, thanks for maintaining this repo! I tried to upgrade to the latest version, but I’m getting a dependency error. I’m using your CentOS 7 binary and my OpenSSL is 1.0.2k and mod_ssl is 2.4.33-3. Any idea how to resolve this error?

    --> Running transaction check
    ---> Package libbrotli.x86_64 1:1.0.3-2.codeit.el7 will be installed
    ---> Package mod_ssl.x86_64 1:2.4.34-1.codeit.el7 will be an update
    --> Processing Dependency: sscg >= 2.2.0 for package: 1:mod_ssl-2.4.34-1.codeit.el7.x86_64
    --> Finished Dependency Resolution
    --> Running transaction check
    ---> Package kernel.x86_64 0:3.10.0-862.2.3.el7 will be erased
    ---> Package mod_ssl.x86_64 1:2.4.34-1.codeit.el7 will be an update
    --> Processing Dependency: sscg >= 2.2.0 for package: 1:mod_ssl-2.4.34-1.codeit.el7.x86_64
    --> Finished Dependency Resolution
    Error: Package: 1:mod_ssl-2.4.34-1.codeit.el7.x86_64 (CodeIT)
    Requires: sscg >= 2.2.0

    1. Sorry, but installing the epel-release generates this:

      Error: Package: 1:mod_ssl-2.4.39-2.codeit.el7.x86_64 (CodeIT)
      Requires: sscg >= 2.2.0
      Available: sscg-0.4.1-4.el7.noarch (epel)
      sscg = 0.4.1-4.el7
      You could try using --skip-broken to work around the problem

    2. ---> Package mod_ssl.x86_64 1:2.4.53-2.codeit.el7 will be an update
      --> Processing Dependency: sscg >= 2.2.0 for package: 1:mod_ssl-2.4.53-2.codeit.el7.x86_64
      ---> Package openssl-quic-libs.x86_64 0:1.1.1n-2.codeit.el7 will be installed
      --> Finished Dependency Resolution
      Error: Package: 1:mod_ssl-2.4.53-2.codeit.el7.x86_64 (CodeIT)
      Requires: sscg >= 2.2.0
      You could try using --skip-broken to work around the problem
      You could try running: rpm -Va --nofiles --nodigest
      [root@ip-10-49-83-228 tmp]# sudo yum install epel-release
      Loaded plugins: changelog, versionlock
      Package matching epel-release-7-11.noarch already installed. Checking for update.
      Nothing to do
      [root@ip-10-49-83-228 tmp]# yum list epel-release
      Loaded plugins: changelog, versionlock
      Installed Packages

      even after installing epel-release-latest-7.noarch.rpm, please help

  3. The original question was about brotli.conf missing now in this version

    Would an /etc/httpd/conf.modules.d/brotli.conf file like this

    # This is the Apache server configuration file for providing brotli support
    # through brotli_module
    #

    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

    not also work – or is there a reason it was removed because it causes problems in this way of implementation above ??

    1. the post system stripped the greater than and less than command sign so I am trying to add underscores to prevent that here

      # This is the Apache server configuration file for providing brotli support
      # through brotli_module
      #
      _ _
      AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
      _ _

      1. Hello,

        No, brotli.conf was not removed: it is now bundled into the main rpm file, as Fedora does.
        No, it does not cause any problems for us.

        What do you mean by “not also work”? If you see any error message, please share it. If this configuration is silently ignored for you, please check that config file is included somewhere. We need more details to assist you 🙂

        1. I was just asking if the filter you showed could be used in a /etc/httpd/conf.modules.d/brotli.conf file to automatically launch the module.

          I did not see a brotli.conf file – so I made one but did not enable it yet – Drupal 7 – which I use – has some issues with brotli compression in such a way that a Drupal module called the “HTTP Parallel Request & Threading Library” to support brotli compression should be enabled and “Advanced CSS/JS Aggregation” also enabled and checked to make sure the code of several patches are in the proper version before enabling it on the server.

          Also while it requires PHP 5 and the following functions must also be available on the server:
          * stream_socket_client
          * stream_select
          * stream_set_blocking
          * stream_get_meta_data
          * stream_socket_get_name
          there is no way to tell how it will react with PHP-FPM but to test it – later when I have time

          The real question I have is about the static build of openssl 1.1.0h. I am considering upgrading the Bind of Centos 7 from 9.9.94 to 9.11 ( bind-9.11.1-7.P3.fc27 RPM for x86_64 ) which has a dependency of libcrypto.so.1.1(OPENSSL_1_1_0) but a --test of an rpm -Uvh of the file fails the dependency.

          If I install the Fedora version of openssl – for Fedora 27 which is also 1.1.0h, and is the last version which will work with GLIBC 2.17, it will require a small hack to force an install to ignore the conflict with the existing /etc/pki/tls/openssl.conf file

          Is there a way to expose libcrypto.so.1.1 to the bind-libs so I do not need to install it at all ??

          Once the bind-libs go on, the rest of bind 9.11 will install. BIND 9.9.4 actually anything <= 9.10 has a views directive bug which prevents IN dynamic data from being posted to both the internal and external view, which causes a certbot renewal using the dns_rfc2136_authenticator plugin for the DNS-01 challenge for a wildcard cert to fail because the TXT file written to the DNS zone is not ever seen by the challenge server.

          So . . . is there a way to expose libcrypto.so.1.1 to the bind-libs so I do not need to install it at all ??

          1. You can upgrade bind, as soon as openssl is built into mod_ssl.so file from mod_ssl rpm file. We do not install separate openssl files to your system, so you won’t have any problems with other packages.
