Apache httpd 2.4.27 built with OpenSSL 1.0.2l and http2 support for Red Hat Enterprise Linux and CentOS

Apache httpd 2.4.27 with http2 support for Red Hat Enterprise Linux and CentOS has been added to the repository. Mod_ssl is built statically with OpenSSL 1.0.2l. Links:

Note that as of this version the Apache httpd Http2 module does not support the prefork MPM. Earlier, in version 2.4.26, we saw crashes with prefork and decided not to publish our builds because of them.
If you need the mod_http2 module, disable the prefork MPM and enable the worker MPM in /etc/httpd/conf.modules.d/00-mpm.conf

Or use our repository. Please note that the package dependencies include apr-util 1.5.0+ and libnghttp, which I would recommend taking from the EPEL repository. So the easiest way to use Apache HTTPd is to enable the EPEL repository: yum install -y epel-release
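
A way to verify the MPM change described above before restarting httpd, as an added example that is not part of the original post: the script reports which MPM is enabled and flags mod_http2 loaded together with prefork. The function names and the 10-h2.conf file name are assumptions; only /etc/httpd/conf.modules.d/00-mpm.conf comes from the post.

```shell
#!/bin/sh
# Added example, not from the original post. File names below are constructed.

# active_mpms DIR: names of the MPM modules enabled by uncommented LoadModule lines.
active_mpms() {
    grep -hE '^[[:space:]]*LoadModule[[:space:]]+mpm_[a-z]+_module' "$1"/*.conf 2>/dev/null |
        awk '{print $2}' | sort -u
}

# http2_loaded DIR: succeeds if an uncommented LoadModule line loads http2_module.
http2_loaded() {
    grep -qhE '^[[:space:]]*LoadModule[[:space:]]+http2_module' "$1"/*.conf 2>/dev/null
}

# check_mpm_http2 DIR: prints one verdict line, returns 1 on a problem.
check_mpm_http2() {
    mpms=$(active_mpms "$1")
    count=$(printf '%s\n' "$mpms" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "ERROR: expected exactly one MPM, found $count"
        return 1
    fi
    if http2_loaded "$1" && [ "$mpms" = "mpm_prefork_module" ]; then
        echo "CONFLICT: http2_module loaded with $mpms"
        return 1
    fi
    echo "OK: $mpms"
}

# write_sample DIR MPM: constructed conf.modules.d with MPM enabled and mod_http2 loaded.
write_sample() {
    mkdir -p "$1"
    for m in prefork worker event; do
        if [ "$m" = "$2" ]; then p=''; else p='#'; fi
        echo "${p}LoadModule mpm_${m}_module modules/mod_mpm_${m}.so"
    done > "$1/00-mpm.conf"
    echo 'LoadModule http2_module modules/mod_http2.so' > "$1/10-h2.conf"
}

# Demo on constructed directories; on a real host pass /etc/httpd/conf.modules.d.
tmp=$(mktemp -d)
write_sample "$tmp/before" prefork
write_sample "$tmp/after" worker
check_mpm_http2 "$tmp/before" || true
check_mpm_http2 "$tmp/after"
rm -rf "$tmp"
```

After the check passes, `apachectl configtest` validates the full configuration before the service is restarted.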

Apache httpd 2.4.27 built with OpenSSL 1.0.2l and http2 support for Red Hat Enterprise Linux and CentOS: 35 comments

  1. After yum update to these 2.4.27 packages (previously working with 2.4.25-3 packages) on Virtualmin, and also the EPEL and Remi repos, HTTP/2 is gone! (CentOS 7.3x)
    Do you have a hint where to look and what to change to get HTTP/2 and ALPN back?

    Packages (yum update) seem to be installed correctly; version is httpd -v 2.4.27 and so on.
    Sorry if I’m asking or doing something dumb 😉

    1. John, we also see such behaviour, and the root of it (in our case) was the prefork MPM.
      You can check whether you also have this problem by looking in your Apache httpd log.
      The Http2 Apache httpd module no longer supports the prefork MPM; we experienced crashes with it in 2.4.26 and decided to keep the builds private.
      Please try disabling the prefork MPM and enabling the worker MPM.

  2. Sorry, a howto if possible.

    On another server (DirectAdmin) we have had some httpd 2.4.26 problems but solved them ourselves, and after the httpd 2.4.27 update it is stable with none. (All versions from DA and source, so no codeit.)

    But I want to test Virtualmin and also get some more knowledge outside of panels and co.; I’m (was) more of a Windows person….

    But I don’t know for sure how to go about changing the prefork; I had in mind something with event?

  3. Oh yeah, you gurus did a very nice job, please go on … 😉

    (Crashes with httpd 2.4.26 on our server were only with httpd graceful restarts, not with a real restart, after stuff such as cronjobs and co., but yes, that was not so nice a version, the 2.4.26 🙁 )

  4. Hello after update to the new release the service won’t start through systemctl. There was a hint that the address is already in use (443). I’ve checked the ports via lsof and netstat. There was nothing listening on the mentioned SSL Port. After rebooting to ensure that the sockets are gone, nothing changed. I couldn’t figure out the root cause with the logs so I had to roll back to the previous release through yum history undo. After that the problem was gone.

    Is there sth. similar known to the new package release?

  5. Did you update the http2 package of codeit also? I started the install (yum install http2 codeitrepo) manually; here it was not in yum update because http2… before other..
    mod_http2-1.10.10-1.codeit.x86_64.rpm

    And the mod_ssl update with the edits from ssl.conf in ssl.conf.rpmnew .. ?

  6. I know, but I asked Martin to check himself for important changes in the ssl.conf.rpmnew; I don’t know, it could be some different config that causes it.
    Also, if he copied the full ssl.conf.rpmnew to ssl.conf without taking care of the right settings for the server, then you have a problem. (I tried this, just to be curious: cipher list problems then, therefore not starting and so on 😉 )

      1. OK, thanks all for the support. As mentioned, the issue seemed to be caused by a stupid administration error with two «Listen https 443» in the httpd.conf and ssl.conf. Uncommenting it in the ssl.conf fixed the problem.

  7. Hello,
    Congratulations on the good work! I have the following problem after upgrading to the latest version. In the new ssl.conf there are the following two directives:
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    With them, Apache does not want to start. What is the good practice in this case?

    1. Hello Nedelin,

      Please check default ssl.conf (probably it was created as ssl.conf.rpmnew on your system).

      We would recommend to use

      SSLCipherSuite "EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS"
      SSLProxyCipherSuite "EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS"
      SSLHonorCipherOrder on
      
    1. I thought about this and probably you are right. In our environment, we run httpd with PHP and we still think worker MPM is not safe enough to be run with PHP.
      However, we do not see crashes in real environment on test hosts and on real websites that do not carry critical environment for two weeks, so probably we will change defaults and enable worker MPM by default.

  8. Hello again,
    I have seen the certificate on your website and I have the impression that you are using the same Let’s Encrypt certificate for several sites. I do not know if it is convenient to ask here how is this possible? As far as I know these free certificates are issued for one domain.

    1. Nedelin, yep, we are using the same SAN certificate for a couple of domains.
      This is easily possible with acme php client and certbot:

      If you’re getting a certificate for many domains at once, the plugin needs to know where each domain’s files are served from, which could potentially be a separate directory for each domain. When requesting a certificate for multiple domains, each domain will use the most recently specified --webroot-path. So, for instance,

      certbot certonly --webroot -w /var/www/example/ -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net
      
  9. So the difference between version 2.4.27-1.codeit and version 2.4.27-2.codeit is only:

    Nedelin Petkov says: September 7, 2017 at 12:26 pm
    . . .
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    Is this a bug?

    Alexander Gerasimov says: September 7, 2017 at 12:29 pm
    Nedelin, thank you a lot for your report.
    Yes, this is a bug. We’ll update patch set and update release.

    Alexander Gerasimov says: September 7, 2017 at 2:48 pm
    Build updated.
