Alexander Gerasimov – CodeIT Technical blog

Apache httpd 2.4.54 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1o with http2, mod_http2 2.0.2 and ALPN for Red Hat Enterprise Linux 7/8 and CentOS 7, Alma Linux 8, Rocky Linux 8

Apache httpd 2.4.54-1 with brotli compression library from Google, TLS 1.3 Final (RFC 8446), http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8, Rocky Linux 8 added to repository. mod_http2 2.0.2 is built dynamically against OpenSSL 1.1.1o.

Fixed vulnerability: CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling.

We build OpenSSL+QUIC 1.1.1 separately since v2.4.53-2, installing it separately to /lib64 with .so.81.1.1 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages.

On EL8 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like <pre>AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript</pre>

RHEL 8 / Alma Linux 8 / Rocky Linux 8 / CentOS 8 / Other EL8 repo is modular now

EL8 Repo is modular now:

dnf install -y https://repo.codeit.guru/codeit-repo-release.el8.rpm epel-release

QUIC stream: dnf module enable -y nginx:codeit-quic

Mainline stream (1.21.x, 1.23.x, …): dnf module enable -y nginx:codeit-mainline

Stable stream (1.20.x, 1.22.x): dnf module enable -y nginx:codeit-stable

Apache httpd stable: dnf module enable -y httpd:codeit

Please do backups and remember that repository is still testing

NGINX 1.22.0 stable with Brotli, TLS 1.3, OpenSSL 1.1.1o, HTTP/2 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux

NGINX 1.22.0 stable added to CodeIT resitory. brotli compression module from Google, http2, ngx cache purge и ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 1.1.1o. TLS 1.3 final works with Google Chrome 70+ and Mozilla Firefox 63+. We build OpenSSL+QUIC 1.1.1 separately since v1.21.6, installing it separately to /lib64 with .so.81.1.1 suffix to ensure it won’t interfere with your system libraries.

NGINX with HTTP/3 / QUIC support for CentOS 7

We test builds for nginx with http v3 (ex-QUIC) for CentOS 7. To get it, you need to install and configure our test repo:

yum install -y https://repo.codeit.guru/codeit-repo-release.el7.rpm epel-release && yum-config-manager --enable CodeIT-testing --save

The package has version 1.26.1-2, but defined nginx binary version is 1.27.1. This is a known issue. See bundled /etc/nginx/conf.d/default-ssl.conf.example for working HTTP/3 configuration example on port 443/UDP! For testing purposes only!

NGINX with HTTP/3 / QUIC support

We started test builds for nginx with http v3 (ex-QUIC) for CentOS 8 / RHEL 8/ AlmaLinux 8 / Rocky Linux 8. To get it, you need to install and configure our test repo:

yum install -y https://repo.codeit.guru/codeit-repo-release.el8.rpm epel-release && dnf module enable -y nginx:codeit-quic

The package has version 1.26.1-1, but defined nginx binary version is 1.27.1. This is a known issue. See bundled /etc/nginx/conf.d/default-ssl.conf.example for working HTTP/3 configuration example on port 443/UDP!

For testing purposes only!

OpenSSL+quic builds

We started providing builds for OpenSSL+quic project (Akamai and Microsoft initiative) for EL7/EL8. This will allow us to have NGINX HTTP/3 (ex-QUIC) support. libs package does not conflict with bundled OpenSSL libs: so-libs files version is prefixed with “81.”: libssl.81.1.1 and libcrypto.81.1.1 instead of bundled libssl.1.1 and libcrypto.1.1.

To install you can run: dnf install openssl-quic-libs

Devel package is also available: openssl-quic-devel.

Apache httpd 2.4.53 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1m with http2, mod_http2 2.0.2 and ALPN for Red Hat Enterprise Linux 7/8 and CentOS 7, Alma Linux 8, Rocky Linux 8

Apache httpd 2.4.53-1 with brotli compression library from Google, TLS 1.3 Final (RFC 8446), http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8, Rocky Linux 8 added to repository. mod_http2 2.0.2 is built dynamically against OpenSSL 1.1.1m. Links:

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Since 2.4.43-4 release we built OpenSSL as a separate package that installs to the separate directory (/opt/codeit/openssl111) and does not affects system libraries. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Russian invasion to Ukraine started

CodeIT is a Ukrainian based company and has the office in Kharkiv that is currently under Russian attack. Missiles are in the city center. We do not guarantee quick builds/tests during this invasion.

UPD. We disabled repo access for russian IPs as we do not want to help in any way to the aggressor that kills our people.

Apache httpd 2.4.52 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1l with http2, mod_http2 2.0.2 and ALPN for Red Hat Enterprise Linux 7/8 and CentOS 7, Alma Linux 8, Rocky Linux 8

Apache httpd 2.4.52-1 with brotli compression library from Google, TLS 1.3 Final (RFC 8446), http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8, Rocky Linux 8 added to repository. mod_http2 2.0.2 is built dynamically against OpenSSL 1.1.1l. Links:

Apache httpd 2.4.52 for EL7;

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Since 2.4.43-4 release we built OpenSSL as a separate package that installs to the separate directory (/opt/codeit/openssl111) and does not affects system libraries. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

RHEL 8 / Alma Linux 8 / Rocky Linux 8 / CentOS 8 / Other EL8 repo opened for testing

EL8 repo opened for testing purposes:

cd /etc/yum.repos.d && wget https://repo.codeit.guru/codeit.el8.repo && yum install -y epel-release

Please be sure to back up your data and run packages on test nodes.