NGINX 1.17.7 mainline built against OpenSSL 1.1.1d with TLS 1.3 Final (RFC 8446) and brotli for Red Hat Enterprise Linux and CentOS

NGINX 1.17.7 mainline, built statically against OpenSSL 1.1.1d with ngx_cache_purge, brotli (v1.0.7), TLS 1.3 final and ngx_http_geoip2_module support, has been added to the repository. TLS 1.3 works with Google Chrome 70+. To enable TLS 1.3 you must list TLSv1.3 in ssl_protocols explicitly, because the default value of that directive in this NGINX version (TLSv1 TLSv1.1 TLSv1.2) does not include it:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Only the TLSv1.3 token is required for the new protocol to work; TLSv1 and TLSv1.1 appear here because they were part of the default, and unless you still serve clients that cannot negotiate TLS 1.2 you should drop them and use ssl_protocols TLSv1.2 TLSv1.3; instead.

Links:

Alternatively, feel free to use our CentOS/RHEL repository.

NGINX 1.17.6 mainline built against OpenSSL 1.1.1d with TLS 1.3 Final (RFC 8446) and brotli for Red Hat Enterprise Linux and CentOS

NGINX 1.17.6 mainline, built statically against OpenSSL 1.1.1d with ngx_cache_purge, brotli (v1.0.7), TLS 1.3 final and ngx_http_geoip2_module support, has been added to the repository. TLS 1.3 works with Google Chrome 70+. To enable TLS 1.3 you must list TLSv1.3 in ssl_protocols explicitly (the default does not include it):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Links:

Alternatively, feel free to use our CentOS/RHEL repository.

NGINX 1.17.5 mainline built against OpenSSL 1.1.1d with TLS 1.3 Final (RFC 8446) and brotli for Red Hat Enterprise Linux and CentOS

NGINX 1.17.5 mainline, built statically against OpenSSL 1.1.1d with ngx_cache_purge, brotli (v1.0.7), TLS 1.3 final and ngx_http_geoip2_module support, has been added to the repository. TLS 1.3 works with Google Chrome 70+. To enable TLS 1.3 you must list TLSv1.3 in ssl_protocols explicitly (the default does not include it):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Links:

Alternatively, feel free to use our CentOS/RHEL repository.

NGINX 1.16.1-1 stable built against OpenSSL 1.1.1d with TLS 1.3 Final (RFC 8446) and brotli for Red Hat Enterprise Linux and CentOS

NGINX 1.16.1-1 stable, built statically against OpenSSL 1.1.1d with ngx_cache_purge, TLS 1.3 final and ngx_http_geoip2_module support, has been added to the repository. TLS 1.3 works with Google Chrome 70+. To enable TLS 1.3 you must list TLSv1.3 in ssl_protocols explicitly (the default does not include it):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Links:

Alternatively, feel free to use our CentOS/RHEL repository.

Apache httpd 2.4.41 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1c with http2 and ALPN for Red Hat Enterprise Linux 7 and CentOS 7

Apache httpd 2.4.41 with the brotli compression library from Google, TLS 1.3 final (RFC 8446) and http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS has been added to the repository. mod_ssl is built statically against OpenSSL 1.1.1c.

Links:

Since 2.4.33 our builds include the brotli compression library. Since 2.4.35 we build Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 the final version of TLS 1.3 (not to be confused with any of the draft versions) is supported and enabled by default.

Note that the final TLS 1.3 is supported in Chrome 70+ and Mozilla Firefox 63+.

brotli support is already included in the base RPM; all you need to do is add output filters for the content types you want compressed, for example:

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

As with any HTTP compression over TLS, compressing dynamic pages that place secrets (session or CSRF tokens) next to attacker-influenced input exposes those secrets to BREACH-style attacks; restrict the filter to static content, or to pages without secrets, where that applies to you.

Since version 2.4.27 mod_http2 no longer supports the prefork MPM. If you need mod_http2, disable the prefork MPM and enable the event MPM in /etc/httpd/conf.modules.d/00-mpm.conf. Our packages already ship 00-mpm.conf with this change; if you are updating another vendor's installation, update this file yourself.

For httpd to work correctly under SELinux, set the following boolean:

setsebool -P httpd_execmem=1

httpd_execmem allows the httpd domain to map memory that is both writable and executable, which relaxes a useful exploit mitigation; check the current value with getsebool httpd_execmem and enable it only on hosts that actually run these builds.

Feel free to use our CentOS/RHEL repository. Note that this package depends on apr-util 1.5.0+ and libnghttp2, which you can find in the EPEL repository, so the easiest way to use our builds of Apache httpd is to add EPEL first if you do not have it yet:

yum install -y epel-release

Changes with Apache 2.4.41:

  *) mod_proxy_balancer: Improve balancer-manager protection against
     XSS/XSRF attacks from trusted users.  [Joe Orton, Niels Heinen]

  *) mod_session: Introduce SessionExpiryUpdateInterval which allows to
     configure the session/cookie expiry's update interval. PR 57300.
     [Paul Spangler]

  *) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
     PR 63633.  [Rainer Jung, Joe Orton]

  *) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
     configured for a domain managed by mod_md.  [Stefan Eissing]

Changes with Apache 2.4.40:

  *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via 
     RegexDefaultOptions -DOTALL [Yann Ylavic]

  *) core: Remove request details from built-in error documents [Eric Covener]

  *) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
     merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]

  *) mod_http2: fixed a bug that prevented proper stream cleanup when connection
     throttling was in place. Stream resets by clients on streams initiated by them
     are counted as possible trigger for throttling. [Stefan Eissing]

  *) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
     more to write with streams ongoing (flow control block). The timeout waiting
     for the client to send WINDOW_UPDATE was incorrectly KeepAliveTimeout and not
     Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]

  *) mod_proxy_balancer: Load balancer required byrequests when bytraffic chosen.
     PR 62372. [Jim Jagielski]

  *) mod_proxy_hcheck: Create the configuration for mod_proxy_hcheck
     when used in BalancerMember. PR 60757. [Jean-Frederic Clere]

  *) mod_proxy_hcheck: Mute extremely frequent debug message. [Yann Ylavic]

  *) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
     adding certificates and keys to a virtual host. An additional hook allows
     answering special TLS connections as used in ACME challenges.
     Adding 2 new hooks for init/get of OCSP stapling status information when
     other modules want to provide those. Falls back to own implementation with
     same behaviour as before.
     [Stefan Eissing]
  
  *) mod_md: new features
     - protocol
       - supports the ACMEv2 protocol. It is the default and will be used on the next
         certificate renewal, unless another "MDCertificateAuthority" is configured
       - ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
         announcement by Let's Encrypt:       
         https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
     - challenges
       - new challenge method 'tls-alpn-01' implemented
       - challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
       - supports command configuration to setup/teardown 'dns-01' challenges
       - supports wildcard certificates when dns challenges are configured
     - status information and monitoring
       - a domain exposes its status at https://<domain>/.httpd/certificate-status
       - Managed Domains are now in Apache's 'server-status' page
       - A new handler 'md-status' exposes verbose status information in JSON format
     - new directives
       - "MDCertificateFile" and "MDCertificateKeyFile" to configure a
         Managed Domain that uses static files. Auto-renewal is turned off for those.
       - "MDMessageCmd" that is invoked on several events: 'renewed', 'expiring' and
         'errored'.
       - "MDWarnWindow" directive to configure when expiration warnings shall be issued.
     [Stefan Eissing]

  *) mod_mime_magic: Fix possible corruption of returned strings.
     [Christophe Jaillet]

  *) Default "conf/magic": Fix pattern for "audio/x-wav" for WAV files,
     remove "audio/unknown" pattern for other RIFF files.
     [Àngel Ollé Blázquez]

  *) mod_proxy_http2: fixing a potential NULL pointer use in logging.
     [Christophe Jaillet, Dr Silvio Cesare InfoSect]

  *) mod_dav: Reduce the amount of memory needed when doing PROPFIND's on large
     collections by improving the memory management. [Joe Orton, Ruediger Pluem]

  *) mod_proxy_http2: adding support for handling trailers in both directions.
     PR 63502. [Stefan Eissing]

  *) mod_proxy_http: forward 100-continue, and minimize race conditions when
     reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]

  *) mod_proxy_balancer: Fix some HTML syntax issues.  [Christophe Jaillet]

  *) When using mod_status with the Event MPM, report the number of requests
     associated with an active connection in the "ACC" field. Previously
     zero was always reported with this MPM.  PR60647. [Eric Covener]

  *) mod_http2: remove the no longer existing h2_ngn_shed.c from Cmake.
     [Stefan Eissing]

  *) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy
     SSL configurations broken inside <Proxy> context.  PR 63430.
     [Ruediger Pluem, Yann Ylavic]

  *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
     PR 61857.  [Markus Gausling, Yann Ylavic]

  *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
     PR 63325. [Yann Ylavic]

  *) mod_info: Fix output of server settings for PIPE_BUF in mod_info in
     the rare case that PIPE_BUF is defined. [Rainer Jung]

  *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
     spite of umask. Fixes . [Stefan Eissing]

NGINX 1.17.1 and 1.17.2 mainline built against OpenSSL 1.1.1c with TLS 1.3 Final (RFC 8446) and brotli for Red Hat Enterprise Linux and CentOS

NGINX 1.17.1 and 1.17.2 mainline, built statically against OpenSSL 1.1.1c with ngx_cache_purge, brotli (v1.0.7), TLS 1.3 final and ngx_http_geoip2_module support, have been added to the repository. TLS 1.3 works with Google Chrome 70+. To enable TLS 1.3 you must list TLSv1.3 in ssl_protocols explicitly (the default does not include it):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Links:

Alternatively, feel free to use our CentOS/RHEL repository.

Apache httpd 2.4.39 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1c with http2 and ALPN for Red Hat Enterprise Linux and CentOS

Apache httpd 2.4.39 with the brotli compression library from Google, TLS 1.3 final (RFC 8446) and http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS has been added to the repository. mod_ssl is built statically against OpenSSL 1.1.1c.

Links:

Since 2.4.33 our builds include the brotli compression library. Since 2.4.35 we build Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 the final version of TLS 1.3 (not to be confused with any of the draft versions) is supported and enabled by default.

Note that the final TLS 1.3 is supported in Chrome 70+ and Mozilla Firefox 63+.

brotli support is already included in the base RPM; all you need to do is add output filters for the content types you want compressed, for example:

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Since version 2.4.27 mod_http2 no longer supports the prefork MPM. If you need mod_http2, disable the prefork MPM and enable the event MPM in /etc/httpd/conf.modules.d/00-mpm.conf. Our packages already ship 00-mpm.conf with this change; if you are updating another vendor's installation, update this file yourself.

For httpd to work correctly under SELinux, set the following boolean:

setsebool -P httpd_execmem=1

Feel free to use our CentOS/RHEL repository. Note that this package depends on apr-util 1.5.0+ and libnghttp2, which you can find in the EPEL repository, so the easiest way to use our builds of Apache httpd is to add EPEL first if you do not have it yet:

yum install -y epel-release
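Both httpd entries (2.4.41 above and 2.4.39 here) ask for the same manual step on a non-repository installation: disable the prefork MPM and enable the event MPM in /etc/httpd/conf.modules.d/00-mpm.conf, because mod_http2 no longer works with prefork. The script below is an added example, not part of the repository's packages or of Apache httpd; it performs that switch on a file in the stock RHEL 7 layout and checks that exactly one MPM is loaded afterwards. The sample 00-mpm.conf it writes is constructed for the demonstration, and the apachectl/getsebool commands in the trailing comment are meant for a real host only.

```shell
#!/bin/sh
# Added example (not part of the repository's packages): make a RHEL/CentOS
# 00-mpm.conf ready for mod_http2 by switching from the prefork MPM to the
# event MPM, then verify that exactly one MPM is loaded. mod_http2 refuses to
# work with prefork since 2.4.27, and loading two MPMs makes httpd fail to start.

# Print the name of every MPM whose LoadModule line is active in FILE.
active_mpms() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}mpm_\([a-z]*\)_module[[:space:]].*/\1/p' "$1"
}

# Succeed only when the event MPM is the single active MPM in FILE.
event_mpm_only() {
    [ "$(active_mpms "$1")" = "event" ]
}

# Rewrite FILE in place: comment out prefork/worker, uncomment event.
use_event_mpm() {
    f=$1
    sed -e 's/^\([[:space:]]*\)\(LoadModule[[:space:]]\{1,\}mpm_prefork_module\)/\1#\2/' \
        -e 's/^\([[:space:]]*\)\(LoadModule[[:space:]]\{1,\}mpm_worker_module\)/\1#\2/' \
        -e 's/^[[:space:]]*#[[:space:]]*\(LoadModule[[:space:]]\{1,\}mpm_event_module\)/\1/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed sample in the layout of the stock RHEL 7 file
# /etc/httpd/conf.modules.d/00-mpm.conf (prefork active, others commented).
conf=$(mktemp)
cat > "$conf" <<'EOF'
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: Implements a non-threaded, pre-forking web server
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
#LoadModule mpm_event_module modules/mod_mpm_event.so
EOF

echo "active MPM before: $(active_mpms "$conf")"
use_event_mpm "$conf"
echo "active MPM after:  $(active_mpms "$conf")"
if event_mpm_only "$conf"; then
    echo "00-mpm.conf is ready for mod_http2 (event MPM only)"
else
    echo "unexpected MPM set, review the file by hand" >&2
fi
rm -f "$conf"

# On a real host, after editing /etc/httpd/conf.modules.d/00-mpm.conf:
#   apachectl configtest && apachectl -M | grep mpm   # expect only mpm_event_module
#   getsebool httpd_execmem                           # the boolean this page asks for
```

The rewrite only touches the three LoadModule lines, so site-specific comments or extra directives in the file survive; anything else that loads an MPM (for example a second LoadModule in another conf.modules.d file) will still show up in active_mpms, which is the point of checking the result rather than trusting the edit.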

Changes with Apache 2.4.39:

  • mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend connection is recycled/reused to avoid a possible crash with some SSLProxy configurations in or context. PR 63256. [Yann Ylavic]
  • mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. [Michael Kaufmann]
  • mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host PR 55348
  • mod_socache_redis: Support for Redis as socache storage provider.
  • core: new configuration option ‘MergeSlashes on|off’ that controls handling of multiple, consecutive slash (‘/’) characters in the path component of the request URL. [Eric Covener]
  • mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED. Fixed. [Michael Kaufmann]
  • mod_http2: new configuration directive: `H2Padding numbits` to control padding of HTTP/2 payload frames. ‘numbits’ is a number from 0-8, controlling the range of padding bytes added to a frame. The actual number added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing]
  • mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2 has no more need for it. Optional functions are still declared but no longer implemented. While previous mod_proxy_http2 will work with this, it is recommended to run the matching versions of both modules. [Stefan Eissing]
  • mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which resolve PR63170. The proxy module does now a single h2 request on the (reused) connection and returns. [Stefan Eissing]
  • mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status to trigger immediate shutdown of backend connections. This is now always signalled by mod_http2 when the session is being released. proxy_http2 now only sends a PING frame to the backend when there is not already one in flight. [Stefan Eissing]
  • mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite loop when encountering certain errors on the backend connection. [Stefan Eissing]
  • mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
  • mod_http2: HEAD requests to some module such as mod_cgid caused the stream to terminate improperly and cause a HTTP/2 PROTOCOL_ERROR. [Michael Kaufmann]
  • http: Fix possible empty response with mod_ratelimit for HEAD requests. PR 63192. [Yann Ylavic]
  • mod_cache_socache: Avoid reallocations and be safe with outgoing data lifetime. [Yann Ylavic]
  • MPMs unix: bind the bucket number of each child to its slot number, for a more efficient per bucket maintenance. [Yann Ylavic]
  • mod_auth_digest: Fix a race condition. Authentication with valid credentials could be refused in case of concurrent accesses from different users. PR 63124. [Simon Kappel]
  • mod_http2: enable re-use of slave connections again. Fixed slave connection keepalives counter. [Stefan Eissing]
  • mod_reqtimeout: Allow to configure (TLS-)handshake timeouts. PR 61310. [Yann Ylavic]
  • mod_proxy_wstunnel: Fix websocket proxy over UDS. PR 62932
  • mod_ssl: Don’t unset FIPS mode on restart unless it’s forced by configuration (SSLFIPS on) and not active by default in OpenSSL. PR 63136. [Yann Ylavic]

NGINX 1.17.0 mainline built against OpenSSL 1.1.1b with TLS 1.3 Final (RFC 8446) and brotli for Red Hat Enterprise Linux and CentOS

NGINX 1.17.0 mainline, built statically against OpenSSL 1.1.1b with ngx_cache_purge, TLS 1.3 final and ngx_http_geoip2_module support, has been added to the repository. TLS 1.3 works with Google Chrome 70+. To enable TLS 1.3 you must list TLSv1.3 in ssl_protocols explicitly (the default does not include it):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Links:

Alternatively, feel free to use our CentOS/RHEL repository.

NGINX 1.16.0-1 stable built against OpenSSL 1.1.1b with TLS 1.3 Final (RFC 8446) and brotli for Red Hat Enterprise Linux and CentOS

NGINX 1.16.0-1 stable, built statically against OpenSSL 1.1.1b with ngx_cache_purge and TLS 1.3 final support, has been added to the repository. TLS 1.3 works with Google Chrome 70+. To enable TLS 1.3 you must list TLSv1.3 in ssl_protocols explicitly (the default does not include it):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Links:

Alternatively, feel free to use our CentOS/RHEL repository.

NGINX 1.15.12-1 mainline built against OpenSSL 1.1.1b with TLS 1.3 Final (RFC 8446) and brotli for Red Hat Enterprise Linux and CentOS

NGINX 1.15.12-1 mainline, built statically against OpenSSL 1.1.1b with ngx_cache_purge and TLS 1.3 final support, has been added to the repository. TLS 1.3 works with Google Chrome 70+. To enable TLS 1.3 you must list TLSv1.3 in ssl_protocols explicitly (the default does not include it):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

Links:

Alternatively, feel free to use our CentOS/RHEL repository.
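Every NGINX entry on this page gives the same instruction: add TLSv1.3 to ssl_protocols, because the default of this NGINX version (TLSv1 TLSv1.1 TLSv1.2) leaves it out. The script below is an added example, not part of the repository or of NGINX; it lints the ssl_protocols directives of a config file for exactly that, and also reports the legacy protocols that the documented directive carries over from the default. The two sample configs inside it are constructed for the demonstration (one is the directive as printed above, the other the hardened form).

```shell
#!/bin/sh
# Added example (not from the repository page): lint the ssl_protocols
# directive of an nginx config before reloading. Two checks matter for the
# builds above: TLSv1.3 has to be listed explicitly, because the default of
# this nginx version (TLSv1 TLSv1.1 TLSv1.2) does not include it, and the
# legacy protocols TLSv1/TLSv1.1 (and SSLv2/SSLv3) should not be left in.

# Print the value of every ssl_protocols directive in FILE, one per line,
# with the directive name, the trailing ';' and comments stripped.
ssl_protocols_of() {
    sed -n 's/#.*//; s/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*/\1/p' "$1"
}

# Succeed (exit 0) only if FILE has at least one ssl_protocols directive
# and every one of them lists TLSv1.3 as a whole token.
has_tls13() {
    ssl_protocols_of "$1" | awk '
        { n++; for (i = 1; i <= NF; i++) if ($i == "TLSv1.3") { ok++; break } }
        END { exit !(n > 0 && n == ok) }'
}

# Print the legacy protocol tokens found in FILE (space separated, sorted,
# de-duplicated); prints nothing when the config is clean.
legacy_protocols_of() {
    ssl_protocols_of "$1" | tr -s '[:blank:]' '\n' \
        | grep -Ex 'SSLv2|SSLv3|TLSv1|TLSv1\.1' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample configs: the directive exactly as printed in the
# changelog, and a hardened one that keeps only TLS 1.2 and 1.3.
as_documented=$(mktemp)
cat > "$as_documented" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;   # as in the changelog
}
EOF

hardened=$(mktemp)
cat > "$hardened" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF

for f in "$as_documented" "$hardened"; do
    if has_tls13 "$f"; then tls13=enabled; else tls13=MISSING; fi
    legacy=$(legacy_protocols_of "$f")
    echo "TLSv1.3: $tls13; legacy protocols: ${legacy:-none}"
done
rm -f "$as_documented" "$hardened"
```

Run it against nginx.conf and every included vhost file separately, since it does not follow include directives. After nginx -s reload, confirm the negotiated protocol end to end with openssl s_client -tls1_3 -connect host:443 from a host with OpenSSL 1.1.1 or newer; the RHEL 7 system openssl (1.0.2) cannot speak TLS 1.3, so a failure from that client says nothing about the server.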