Apache httpd 2.4.33 built with Brotli, OpenSSL 1.1.0h, ALPN and http2 support for Red Hat Enterprise Linux and CentOS

Apache httpd 2.4.33 with support for Google's Brotli compression and http2 has been added to the repository for Red Hat Enterprise Linux and CentOS. mod_ssl is built statically against OpenSSL 1.1.0h.


Note that, starting with version 2.4.27, the Apache httpd http2 module does not support the prefork MPM. Earlier, in version 2.4.26, we saw crashes with prefork and decided not to publish our builds because of them. If you need mod_http2, disable the prefork MPM and enable the worker MPM in /etc/httpd/conf.modules.d/00-mpm.conf

This change has already been made in the file we ship in the package. If you are upgrading an existing installation, update the file.
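An added example (not part of the original post or of the CodeIT packages): a small POSIX shell check that reads a 00-mpm.conf-style file and fails if prefork is still the active MPM, which is the case an upgrade can leave behind when the old file is kept. The function names and sample files are constructed for illustration, and the LoadModule lines assume the stock RHEL/CentOS layout.

```shell
#!/bin/sh
# Added example (not from the original post): check which MPM a
# 00-mpm.conf-style file activates before relying on mod_http2.

# Print the MPM modules loaded by uncommented LoadModule lines in file $1.
active_mpms() {
    awk 'tolower($1) == "loadmodule" && $2 ~ /^mpm_[a-z]+_module$/ { print $2 }' "$1"
}

# Exit status: 0 = exactly one MPM and it is not prefork,
# 1 = prefork active, 2 = zero or several MPMs active.
check_mpm_for_http2() {
    mpms=$(active_mpms "$1")
    count=$(printf '%s\n' "$mpms" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "FAIL: expected exactly one active MPM, found $count" >&2
        return 2
    fi
    if [ "$mpms" = "mpm_prefork_module" ]; then
        echo "FAIL: prefork is active; mod_http2 does not support it" >&2
        return 1
    fi
    echo "OK: $mpms"
}

# Constructed sample files standing in for /etc/httpd/conf.modules.d/00-mpm.conf.
samples=$(mktemp -d)
trap 'rm -rf "$samples"' EXIT

cat > "$samples/old.conf" <<'EOF'
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
EOF

cat > "$samples/new.conf" <<'EOF'
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
  LoadModule mpm_worker_module modules/mod_mpm_worker.so
EOF

# Half-finished edit: worker enabled, prefork never commented out.
cat > "$samples/both.conf" <<'EOF'
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_worker_module modules/mod_mpm_worker.so
EOF

for f in old new both; do
    printf '%s.conf: ' "$f"
    check_mpm_for_http2 "$samples/$f.conf" || echo "  (status $?)"
done
```

On a real host, pass /etc/httpd/conf.modules.d/00-mpm.conf to check_mpm_for_http2 after the package upgrade and before restarting httpd.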

To work with SELinux, set the following boolean:

setsebool -P httpd_execmem=1

To enable brotli, install the module and the library:

yum install mod_brotli libbrotli-1.0.3

The easiest way to install is to use our repository. Please note that the package dependencies include apr-util 1.5.0+ and libnghttp, which I would recommend taking from the EPEL repository. So the simplest way to use Apache httpd is to enable the EPEL repository:

yum install -y epel-release

The mod_ssl-2.4.33-2 build was compiled with OpenSSL 1.1.0g. The mod_ssl-2.4.33-3 build is compiled with OpenSSL 1.1.0h, which was released today.

Apache httpd 2.4.33 built with Brotli, OpenSSL 1.1.0h, ALPN and http2 support for Red Hat Enterprise Linux and CentOS: 31 comments

      1. [Tue Mar 27 22:48:22.063423 2018] [suexec:notice] [pid 2242:tid 139825080944832] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
        [Tue Mar 27 22:48:22.063698 2018] [ssl:emerg] [pid 2242:tid 139825080944832] AH02572: Failed to configure at least one certificate and key for xxxx.xxxx.com:80
        [Tue Mar 27 22:48:22.063715 2018] [ssl:emerg] [pid 2242:tid 139825080944832] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
        [Tue Mar 27 22:48:22.063718 2018] [ssl:emerg] [pid 2242:tid 139825080944832] AH02312: Fatal error initialising mod_ssl, exiting.
        AH00016: Configuration Failed

  1. Dear Friends

    I have tried to install via: yum install mod_brotli libbrotli-1.0.3 and everything is OK, but after that I enter: yum -y update and have below errors (Polish CentOS 7.4, but you should understand):

    ——-
    --> Wykonywanie sprawdzania transakcji
    ---> Pakiet libbrotli.x86_64 0:1.0.3-1.codeit.el7 zostanie zaktualizowany
    --> Przetwarzanie zależności: libbrotlicommon.so.1()(64bit) dla pakietu: mod_brotli-2.4.33-3.codeit.el7.x86_64
    --> Przetwarzanie zależności: libbrotlienc.so.1()(64bit) dla pakietu: mod_brotli-2.4.33-3.codeit.el7.x86_64
    ---> Pakiet libbrotli.x86_64 0:1.0.20171011.git.805fd3b-1.el7.centos.codeit zostanie zaktualizowany
    --> Ukończono rozwiązywanie zależności
    Błąd: Pakiet: mod_brotli-2.4.33-3.codeit.el7.x86_64 (@CodeIT)
    Wymaga: libbrotlienc.so.1()(64bit)
    Usuwanie: libbrotli-1.0.3-1.codeit.el7.x86_64 (@CodeIT)
    libbrotlienc.so.1()(64bit)
    Zaktualizowano przez: libbrotli-1.0.20171011.git.805fd3b-1.el7.centos.codeit.x86_64 (CodeIT)
    ~libbrotlienc.so.0()(64bit)
    Dostępne: libbrotli-1.0.20160607.git.3f46e28-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20160706.git.77a0db1-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20160818.git.ccb89e1-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20160907.git.6b12316-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20160926.git.6b12316-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20161013.git.6b12316-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20161021.git.a258234-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20161108.git.a258234-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20170201.git.a258234-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20170227.git.a258234-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20170418.git.a258234-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Dostępne: libbrotli-1.0.20170828.git.a258234-1.el7.codeit.x86_64 (CodeIT)
    libbrotlienc.so.1()(64bit)
    Błąd: Pakiet: mod_brotli-2.4.33-3.codeit.el7.x86_64 (@CodeIT)
    Wymaga: libbrotlicommon.so.1()(64bit)
    Usuwanie: libbrotli-1.0.3-1.codeit.el7.x86_64 (@CodeIT)
    libbrotlicommon.so.1()(64bit)
    Zaktualizowano przez: libbrotli-1.0.20171011.git.805fd3b-1.el7.centos.codeit.x86_64 (CodeIT)
    Nie odnaleziono
    Można spróbować użyć --skip-broken, aby obejść problem
    Można spróbować wykonać polecenie: rpm -Va --nofiles --nodigest
    ——-

    Sincerely

    1. Dear Mateusz,

      You are right, we have a mess now with libbrotli versioning. Previously we used badger scripts to build the library with a 1.0.201X version. Now we have switched to our own .spec file for the native Google library.
      We are preparing new builds for nginx against the Google library and will then remove the older libbrotli-1.0.201X files from the repo.

      Sorry for the inconvenience and thanks for the report!

    1. Then don’t do this.

      Please first do some more reading and knowledge about YUM and LINUX CENTOS.
      Then you can use the options yum repos and so on to choose which ones manually and how to config because of updates and so on, but not having knowledge this makes no sense!

  2. Update looks OK so far, thanks again.

    The yum install mod_brotli libbrotli-1.0.3 I didn’t do this

    ( APACHE only here) do you post when you are ready with the change «We are preparing new builds», or is this not involving the apache only?

  3. Hi,
    do you maybe plan to build the latest apache with openssl «n»
    or maybe «o» ?
    Believe me or not but I need openssl > n for PCI compliance.

    Also, is it a problem if I run OpenSSL 1.0.2k-fips (official centos) and your static openssl 1.0.2.n built with httpd ?

      1. Hi Alex, any chance you could lend me a hand on this?

        Error: Package: mod_http2-1.10.12-1.codeit.x86_64 (CodeIT)
        Requires: libnghttp2.so.14()(64bit)
        Error: Package: mod_http2-1.10.12-1.codeit.x86_64 (CodeIT)
        Requires: libnghttp2 >= 1.21.1

        I googled and was unable to find an installable package for libnghttp2 for CentOS 7 in many repos. Thank you!

  4. Hi. I tried to install CodeIt repo’s httpd but no luck: Centos 7

    Error: Package: mod_http2-1.10.12-1.codeit.x86_64 (CodeIT)
    Requires: libnghttp2.so.14()(64bit)
    Error: Package: mod_http2-1.10.12-1.codeit.x86_64 (CodeIT)
    Requires: libnghttp2 >= 1.21.1

    Highly appreciate if someone can lend me a hand. Thank you!

      1. Hi,
        I am getting the below error in http 2.4.33 and the pages are not loading. How to solve this issue?

        protocol.c(860): AH02418: HTTP Request Line; Unrecognized protocol ‘HTTP/0.9’ (perhaps whitespace was injected?)

  5. Hello,

    I am testing Apache httpd 2.4.33 version for a mod_jk-based SSL reverse proxy on Tomcat application server.

    mod_jk (version 1.2.43) is load-balancing two Tomcat 8 nodes using AJP protocol.

    Brotli compression is working correctly but Apache seems to throw some errors frequently, causing HTML pages not to load.
    It happens when the HTTP2 protocol is enabled. All things are working correctly if I force the older HTTP1.1 protocol.

    I am glad if I can contribute in debugging to sort this issue.

    Thank you.

  6. Hi,
    I compiled httpd2.4.33 with apr-1.63, apr-util-1.6.1 and pcre8.42. The below error is shown while querying. Please let me know whether there is anything I need to include?

    [core:debug] [pid 1181] protocol.c(860): [client 10.155.52.193:35486] AH02418: HTTP Request Line; Unrecognized protocol ‘HTTP/0.9’ (perhaps whitespace was injected?)

    1. Hi.

      I think that your or some other HTTP client (maybe a proxy?) sends a wrong request with HTTP/0.9.
      HTTP/0.9 is the first HTTP version, developed in 1990. I think there are no live implementations of it, so please check your clients instead of the server: it really does not support HTTP/0.9. HTTP 1.0, 1.1 and 2 are supported.

      1. Hi Alexander,

        Thanks for your reply. I have enabled the trace log in Apache and checked the request sent by the client; the request is correct. Even so, Apache is throwing the error. I don’t know what the problem is in parsing the request.

        [Wed Jun 20 12:16:51.064250 2018] [core:trace5] [pid 8145] protocol.c(653): Request received from client: GET /index.html HTTP/1.1
        [Wed Jun 20 12:16:51.064413 2018] [core:debug] [pid 8145] protocol.c(860): AH02418: HTTP Request Line; Unrecognized protocol ‘HTTP/0.9’ (perhaps whitespace was injected?)

        1. Hi,

          As far as I can understand, you have your own Apache httpd build and it shows you this error on every HTTP/1.1 request. Just for clarification: we never faced similar problems in our builds (but we use them on many hosts).
          Or do you mean you face this problem with our builds on supported OS?
