Apache httpd 2.4.27 built with OpenSSL 1.0.2l and http2 support for Red Hat Enterprise Linux and CentOS

Apache httpd 2.4.27 with http2 support for Red Hat Enterprise Linux and CentOS has been added to the repository. Mod_ssl is built statically against OpenSSL 1.0.2l. Links:

Note that, starting with this version, the Http2 module of Apache httpd no longer supports the prefork MPM. Earlier, in version 2.4.26, we observed crashes with prefork and decided not to publish our builds because of them.
If you need mod_http2, disable the prefork MPM and enable the worker MPM in /etc/httpd/conf.modules.d/00-mpm.conf

Alternatively, use our repository. Please note that the package depends on apr-util 1.5.0+ and libnghttp, which I would recommend taking from the EPEL repository. So the easiest way to use Apache HTTPd is to enable the EPEL repository: yum install -y epel-release
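As an added example (not part of the CodeIT announcement), the POSIX shell functions below check a 00-mpm.conf-style file for the MPM that is actually enabled, flag the unsupported combination of mod_http2 with the prefork MPM, and apply the switch to the worker MPM that the announcement recommends. The sample config files are constructed inline in a temporary directory; the file names 00-mpm.conf and 10-h2.conf under /etc/httpd/conf.modules.d/ are assumptions and the real directory is never touched.

```shell
#!/bin/sh
# Added example, not CodeIT's code. Pure sed/grep; it never touches /etc/httpd.
# On a live host point the functions at /etc/httpd/conf.modules.d/00-mpm.conf
# and 10-h2.conf (assumed file names).

# Print the MPM whose LoadModule line is uncommented ("prefork", "worker" or "event").
enabled_mpm() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}mpm_\([a-z]*\)_module.*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) when an uncommented LoadModule for mod_http2 exists in any given file.
http2_loaded() {
    grep -q '^[[:space:]]*LoadModule[[:space:]]\{1,\}http2_module[[:space:]]' "$@"
}

# Report the combination the announcement says this build does not support:
# mod_http2 loaded while the prefork MPM is selected. Returns 1 in that case.
check_http2_mpm() {
    mpm_conf=$1
    h2_conf=$2
    mpm=$(enabled_mpm "$mpm_conf")
    if http2_loaded "$h2_conf"; then
        h2=yes
    else
        h2=no
    fi
    echo "MPM: ${mpm:-none}, mod_http2 loaded: $h2"
    if [ "$h2" = yes ] && [ "$mpm" = prefork ]; then
        echo "mod_http2 with the prefork MPM is not supported by this build" >&2
        return 1
    fi
    return 0
}

# The fix from the announcement: comment out the prefork line, uncomment the worker line.
switch_prefork_to_worker() {
    sed -i \
        -e 's/^\([[:space:]]*LoadModule[[:space:]]\{1,\}mpm_prefork_module\)/#\1/' \
        -e 's/^#[[:space:]]*\(LoadModule[[:space:]]\{1,\}mpm_worker_module\)/\1/' "$1"
}

# Constructed sample files mirroring the stock CentOS 7 layout (prefork enabled,
# worker and event commented out, mod_http2 loaded). Prints the directory.
make_sample_confs() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/00-mpm.conf" <<'EOF'
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: Implements a non-threaded, pre-forking web server
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: A variant of the worker MPM
#LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
    printf 'LoadModule http2_module modules/mod_http2.so\n' > "$sample_dir/10-h2.conf"
    echo "$sample_dir"
}

# Demonstration on the constructed files: detect the bad combination, apply the fix, re-check.
demo_dir=$(make_sample_confs)
check_http2_mpm "$demo_dir/00-mpm.conf" "$demo_dir/10-h2.conf" || echo "-> switching to the worker MPM"
switch_prefork_to_worker "$demo_dir/00-mpm.conf"
check_http2_mpm "$demo_dir/00-mpm.conf" "$demo_dir/10-h2.conf"
rm -rf "$demo_dir"
```

On a running host, `httpd -V` prints the compiled "Server MPM" and `apachectl -M` lists the modules actually loaded, which is the quickest way to confirm the edit took effect after a restart. If PHP runs in-process through mod_php, check that the PHP build is thread-safe before leaving prefork; the maintainer's own reservation about worker with PHP appears in the comments.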

Apache httpd 2.4.27 built with OpenSSL 1.0.2l and http2 support for Red Hat Enterprise Linux and CentOS: 46 comments

  1. After yum update to these 2.4.27 packages (it was working before with the 2.4.25-3 packages) on Virtualmin, also with the EPEL and Remi repos, HTTP/2 is gone! (CentOS 7.3x)
    Do you have a hint where to look and what to change to get HTTP/2 and ALPN back?

    Packages (yum update) seem to be installed; the correct version is httpd -v 2.4.27 and so on.
    Sorry if I'm asking or doing something dumb 😉

    1. John, we also see such behaviour, and the root of it (in our case) was the prefork MPM.
      You can check whether you also have this problem by looking in your Apache httpd log.
      The Http2 Apache httpd module no longer supports the prefork MPM; we experienced crashes with it in 2.4.26 and decided to keep the builds private.
      Please try disabling the prefork MPM and enabling the worker MPM.

  2. Sorry, a howto if possible.

    On another server (DirectAdmin) we had some httpd 2.4.26 problems but solved them ourselves, and after the httpd 2.4.27 update it is stable with none. (All versions from DA and source, so no CodeIT.)

    But I want to test Virtualmin and get some more knowledge also outside of panels and co; I'm (was) more of a Windows person….

    But I don't know for sure how to go about changing the prefork; I had in mind something with event?

  3. Oh yeah, you GURUs did a very nice job, please go on … 😉

    (Crashes with httpd 2.4.26 on our server were only with httpd graceful restarts, not with a real restart after stuff such as cronjobs and co., but yes, 2.4.26 was not such a nice version 🙁 )

  4. Hello, after the update to the new release the service won't start through systemctl. There was a hint that the address is already in use (443). I've checked the ports via lsof and netstat. There was nothing listening on the mentioned SSL port. After rebooting to ensure that the sockets were gone, nothing changed. I couldn't figure out the root cause from the logs, so I had to roll back to the previous release through yum history undo. After that the problem was gone.

    Is there something similar known with the new package release?

  5. Did you also update the http2 package from CodeIT? I started the install manually with yum install http2 from the CodeIT repo; here it was not in yum update because http2… before other..
    mod_http2-1.10.10-1.codeit.x86_64.rpm

    And the mod_ssl update with the edits from ssl.conf in ssl.conf.rpmnew .. ?

  6. I know, but I asked Martin to check himself for important changes in the ssl.conf.rpmnew; I don't know, it could be some different config that causes it.
    Also, if he copied the full ssl.conf.rpmnew to ssl.conf without taking care of the right settings for the server, then you have a problem. (I tried this, just to be curious: cipher list problems, then therefore not starting and so on 😉 )

      1. OK, thanks all for the support. As mentioned, the issue seemed to be caused by a stupid administration error with two "Listen https 443" in the httpd.conf and ssl.conf. Uncommenting it in the ssl.conf fixed the problem.
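The start-up failure resolved in this thread, as an added example that is not part of the page: when two Listen directives name the same port (443 once in httpd.conf and once in the stock ssl.conf), httpd binds the port and then tries to bind it again, so it reports "Address already in use" even though lsof and netstat show nothing else on the port. The shell functions below scan the given config files for uncommented Listen lines and report any port that appears more than once. The httpd.conf and ssl.conf contents are constructed inline.

```shell
#!/bin/sh
# Added example, not CodeIT's code. Scans Apache config files for Listen
# directives and reports ports that are bound more than once, the cause of the
# "Address already in use" start-up failure discussed above.

# Print one port per uncommented Listen directive:
#   "Listen 443 https" -> 443, "Listen [::]:8443" -> 8443, "Listen 192.0.2.1:80" -> 80
listen_ports() {
    sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$@" | sed 's/.*://'
}

# Print each port that appears in more than one Listen directive across the given files.
# A wildcard Listen and an address-specific Listen on the same port are treated as a
# conflict as well (a simplification of this check; the second bind fails the same way).
duplicate_listen_ports() {
    listen_ports "$@" | sort | uniq -d
}

# Exit 1 with the offending lines when any port is listened on twice, otherwise exit 0.
check_listen() {
    dups=$(duplicate_listen_ports "$@")
    if [ -n "$dups" ]; then
        echo "port(s) listened on more than once: $(echo "$dups" | tr '\n' ' ')" >&2
        grep -n '^[[:space:]]*Listen' "$@" >&2
        return 1
    fi
    echo "no duplicate Listen directives"
    return 0
}

# Constructed sample: httpd.conf carries an extra "Listen 443 https" next to the
# one the stock ssl.conf already contains. Prints the directory.
make_listen_samples() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/httpd.conf" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
Listen 443 https
#Listen 8080
IncludeOptional conf.d/*.conf
EOF
    cat > "$sample_dir/ssl.conf" <<'EOF'
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
EOF
    echo "$sample_dir"
}

# Demonstration on the constructed files.
demo_dir=$(make_listen_samples)
check_listen "$demo_dir/httpd.conf" "$demo_dir/ssl.conf" || echo "-> remove one of the Listen 443 lines"
rm -rf "$demo_dir"
```

On a real host the call is `check_listen /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf`; running it before `systemctl restart httpd` catches the duplicate without a failed restart and a yum history undo.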

  7. Hello,
    Congratulations on the good work! I have the following problem after upgrading to the latest version. In the new ssl.conf there are the following two directives:
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    With them, Apache does not want to start. What is the good practice in this case?

    1. Hello Nedelin,

      Please check default ssl.conf (probably it was created as ssl.conf.rpmnew on your system).

      We would recommend using

      SSLCipherSuite "EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS"
      SSLProxyCipherSuite "EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS"
      SSLHonorCipherOrder on
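An added check, not from the page, for the ssl.conf directives discussed in this thread. Whatever SSLCipherSuite contains is handed to the cipher-string parser of the OpenSSL that httpd is linked against, and httpd refuses to start when that parser rejects the string. PROFILE=SYSTEM is an alias provided by Red Hat's crypto-policies patches to OpenSSL, so a build that carries its own upstream OpenSSL 1.0.2l cannot resolve it. The shell functions below run the same parser through the openssl CLI (assumed to be installed) and report whether a string is accepted and what it expands to, using the cipher string recommended in the reply above.

```shell
#!/bin/sh
# Added example, not CodeIT's code. Feeds an SSLCipherSuite value to the local
# OpenSSL cipher-string parser (the one httpd uses at start-up) so a bad string
# is caught before "systemctl restart httpd" fails. Requires the openssl CLI.

# The string recommended in the reply above, as it would appear in ssl.conf.
RECOMMENDED='EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS'

# Print the ciphers the string expands to, one per line (name, protocol, key
# exchange, authentication, encryption, MAC); return non-zero if OpenSSL rejects it.
validate_cipher_string() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Count the expanded ciphers whose name matches an awk regex, e.g. DSS, or
# DES-CBC3 for the 3DES ciphers (OpenSSL names them DES-CBC3-*).
count_ciphers() {
    validate_cipher_string "$1" | awk -v pat="$2" '$1 ~ pat { n++ } END { print n + 0 }'
}

# Summarise a directive value the way an admin wants to see it before a restart.
report_cipher_string() {
    if validate_cipher_string "$1" >/dev/null; then
        echo "accepted: $(count_ciphers "$1" .) ciphers, $(count_ciphers "$1" DSS) with DSS auth, $(count_ciphers "$1" DES-CBC3) with 3DES"
        return 0
    fi
    echo "rejected by $(openssl version): \"$1\" (httpd would fail to start with this SSLCipherSuite)"
    return 1
}

# Demonstration: the recommended string, then the alias that only patched OpenSSL builds know.
if command -v openssl >/dev/null 2>&1; then
    report_cipher_string "$RECOMMENDED"
    report_cipher_string 'PROFILE=SYSTEM' || true
else
    echo "openssl CLI not found; nothing to check" >&2
fi
```

Run it on the host with the OpenSSL that httpd actually uses: for this build that is the statically linked 1.0.2l, so the system `openssl` binary only approximates it, while the stock RHEL httpd shares the system library and the check is exact.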
      
    1. I thought about this, and you are probably right. In our environment we run httpd with PHP, and we still think the worker MPM is not safe enough to be run with PHP.
      However, we have not seen crashes in a real environment on test hosts and on real websites that do not carry a critical environment for two weeks, so we will probably change the defaults and enable the worker MPM by default.

  8. Hello again,
    I have seen the certificate on your website and I have the impression that you are using the same Let's Encrypt certificate for several sites. I do not know if it is appropriate to ask here how this is possible? As far as I know these free certificates are issued for one domain.

    1. Nedelin, yep, we are using the same SAN certificate for a couple of domains.
      This is easily possible with the acme PHP client and certbot:

      If you're getting a certificate for many domains at once, the plugin needs to know where each domain's files are served from, which could potentially be a separate directory for each domain. When requesting a certificate for multiple domains, each domain will use the most recently specified --webroot-path. So, for instance,

      certbot certonly --webroot -w /var/www/example/ -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net
      
  9. So the difference between version 2.4.27-1.codeit and version 2.4.27-2.codeit is only:

    Nedelin Petkov says: September 7, 2017 at 12:26 pm
    . . .
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    Is this a bug?

    Alexander Gerasimov says: September 7, 2017 at 12:29 pm
    Nedelin, thank you a lot for your report.
    Yes, this is a bug. We'll update the patch set and update the release.

    Alexander Gerasimov says: September 7, 2017 at 2:48 pm
    Build updated.

  10. Hi,

    Trying to bump my httpd version from 2.4.6 to 2.4.27

    I did the following:

    $ cd /etc/yum.repos.d; wget https://repo.codeit.guru/codeit.el`rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release)`.repo

    and confirmed the epel-release repo was there by doing:

    $ yum install -y epel-release

    and that said it was already installed.

    I then tried doing a:

    $ yum update httpd

    And it said there was nothing to update. I currently have CentOS 7.3 and httpd 2.4.6 and was hoping to bump httpd up to 2.4.27 as I want to make use of HTTP/2.

    Do I also need to do anything else to make sure that the CodeIT repo is picked up by yum?
    Should I have also done a $ yum install codeit ?

    I should also check before I do this: what suexec_docroot do you set in your build for httpd? I'm using Virtualmin and I think they have a custom requirement of setting "suexec_docroot" to "/home".

    Thanks

      1. It's at the top of the list.

        repo id repo name status
        CodeIT/x86_64 CodeIT repo. 141

        and

        $ yum update
        reports "No packages marked for update"

        I've had a chat with the Virtualmin guys, and given the need to have a build with 'suexec_docroot = /home' and the fact that my current httpd install comes from their repo (I think), it might not be a good idea for me to proceed. I'm guessing that your build doesn't have the Virtualmin customisations..

        Thanks for responding.

  11. OK, I will, but I won't be able to use it unfortunately anyway. It could well be, as you say, that the fact that I am using a Virtualmin-specific 2.4.6 from a Virtualmin repo is the thing that's stopping an update from yours being recognised.

    I'm told by Virtualmin support that I can't use a generic 2.4.* build. Virtualmin uses suEXEC and specifies that the suexec_docroot points to /home. I doubt yours does the same, and I'm not prepared to lose Virtualmin just to have HTTP/2.

    I'm trying to persuade Virtualmin now to update their repo from the RH SCL repo but with their customisations. Or at least provide it as an option.

    I’m told that if I install yours it will break Virtualmin’s support for apache.

    Thanks for responding.
