Apache httpd 2.4.34 built with Brotli, OpenSSL 1.1.0h, ALPN and http2 support for Red Hat Enterprise Linux and CentOS

Apache httpd 2.4.34 with support for Google's brotli compression and http2 has been added to the repository for Red Hat Enterprise Linux and CentOS. Mod_ssl is built statically with OpenSSL 1.1.0h. Links:

Note that, as of version 2.4.27, the Apache httpd Http2 module does not support the prefork mpm. If you need mod_http2, disable the prefork mpm and enable the event mpm in /etc/httpd/conf.modules.d/00-mpm.conf.

This has already been done in the file we ship in the package. If you are upgrading your installation, update the file.

To work with SELinux, set the following boolean:

setsebool -P httpd_execmem=1

The brotli module is already included in the base RPM. All you need to do is configure the filter:

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
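A way to check the two file-level points above after an upgrade, as an added example that is not part of the original post or the package. The function names and the sample tree are constructed for illustration, and the checks assume the stock RHEL/CentOS layout in which httpd.conf includes conf.modules.d/*.conf and conf.d/*.conf.

```shell
#!/bin/sh
# Added example (not from the package): static checks of an httpd config tree.

# Print MPM modules enabled by uncommented LoadModule lines in the given file.
active_mpms() {
    awk '$1 == "LoadModule" && $2 ~ /^mpm_.*_module$/ { print $2 }' "$1"
}

# Succeed only if exactly one MPM is loaded and it is not prefork,
# which mod_http2 does not support since 2.4.27.
http2_mpm_ok() {
    mpms=$(active_mpms "$1")
    [ "$(printf '%s\n' "$mpms" | grep -c .)" -eq 1 ] || return 1
    [ "$mpms" != "mpm_prefork_module" ]
}

# Succeed if an uncommented BROTLI_COMPRESS filter line exists under
# conf.d or conf.modules.d of the given config root (assumed layout).
brotli_filter_set() {
    grep -rEqs '^[[:space:]]*AddOutputFilterByType[[:space:]]+BROTLI_COMPRESS[[:space:]]' \
        "$1/conf.d" "$1/conf.modules.d"
}

# Constructed sample: "old" is a stale 00-mpm.conf kept across an upgrade
# (prefork still active), "new" is the setup the post describes.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/old/conf.modules.d" "$root/new/conf.modules.d" "$root/new/conf.d"
    cat > "$root/old/conf.modules.d/00-mpm.conf" <<'EOF'
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
    cat > "$root/new/conf.modules.d/00-mpm.conf" <<'EOF'
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
    cat > "$root/new/conf.d/brotli.conf" <<'EOF'
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
EOF
    printf '%s\n' "$root"
}

# Print one line per check for a config root such as /etc/httpd.
report() {
    http2_mpm_ok "$1/conf.modules.d/00-mpm.conf" && echo "mpm: ok for mod_http2" \
        || echo "mpm: prefork or ambiguous MPM, mod_http2 will not work"
    brotli_filter_set "$1" && echo "brotli: filter configured" \
        || echo "brotli: no BROTLI_COMPRESS filter found"
}

sample=$(make_sample); report "$sample/old"; report "$sample/new"; rm -rf "$sample"
```

On a real host, `report /etc/httpd` runs the same checks; they read files only and do not confirm the SELinux boolean or that the running server negotiated h2 or br.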

Apache httpd 2.4.34 built with Brotli, OpenSSL 1.1.0h, ALPN and http2 support for Red Hat Enterprise Linux and CentOS: 15 comments

  1. Dear Friends

    You said:
    «brotli support is already included in base RPM file. All you need is to add filters like

    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript»

    In the earlier version there was a file brotli.conf in /etc/httpd/conf.d/; it is no longer available in this new version. May you be so kind and explain, where should I add this: «AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript», to have Brotli Compression enabled?

    Thank you in advance for your help and support.

    Sincerely

      1. Thank you for the reply. I’ve had to switch back to stock Apache 2.2 as I was getting out of memory errors. I have a CentOS 7x VM running on Azure with PHP 7x from Remi and tried your Apache 2.4 packages to run a large wordpress based website without success. I’ll have to debug on a local VM to determine why memory is getting depleted.

        1. Hello Amit,

          Please share errors from your log.

          Also please note that PHP is not thread safe (at least in 7.0 and 7.1 they have bugs that cannot be fixed without ABI changes), so ensure you are using Apache httpd in prefork or event mode. Alternatively, you can use php in fpm mode (that will be default one in Fedora).

  2. Hi guys, thanks for maintaining this repo! I tried to upgrade to the latest version, but I’m getting a dependency error. I’m using your CentOS 7 binary and my OpenSSL is 1.0.2k and mod_ssl is 2.4.33-3. Any idea how to resolve this error?

    --> Running transaction check
    ---> Package libbrotli.x86_64 1:1.0.3-2.codeit.el7 will be installed
    ---> Package mod_ssl.x86_64 1:2.4.34-1.codeit.el7 will be an update
    --> Processing Dependency: sscg >= 2.2.0 for package: 1:mod_ssl-2.4.34-1.codeit.el7.x86_64
    --> Finished Dependency Resolution
    --> Running transaction check
    ---> Package kernel.x86_64 0:3.10.0-862.2.3.el7 will be erased
    ---> Package mod_ssl.x86_64 1:2.4.34-1.codeit.el7 will be an update
    --> Processing Dependency: sscg >= 2.2.0 for package: 1:mod_ssl-2.4.34-1.codeit.el7.x86_64
    --> Finished Dependency Resolution
    Error: Package: 1:mod_ssl-2.4.34-1.codeit.el7.x86_64 (CodeIT)
    Requires: sscg >= 2.2.0

  3. The original question was about brotli.conf missing now in this version

    Would an /etc/httpd/conf.modules.d/brotli.conf file like this

    # This is the Apache server configuration file for providing brotli support
    # through brotli_module
    #

    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

    not also work — or is there a reason it was removed because it causes problems in this way of implementation above ??

    1. the post system stripped the greater than and less than command sign so I am trying to add underscores to prevent that here

      # This is the Apache server configuration file for providing brotli support
      # through brotli_module
      #
      _ _
      AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
      _ _

      1. Hello,

        No, brotli.conf was not removed: it is now bundled to main rpm file, as Fedora does.
        No, it does not cause any problems for us.

        What do you mean by «not also work»? If you see any error message, please share it. If this configuration is silently ignored for you, please check that config file is included somewhere. We need more details to assist you 🙂

        1. I was just asking if the filter you showed could be used in a /etc/httpd/conf.modules.d/brotli.conf file to automatically launch the module.

          I did not see a brotli.conf file — so I made one but did not enable it yet — Drupal 7 — which I use — has some issues with brotli compression in such a way that a Drupal module called the «HTTP Parallel Request & Threading Library» to support brotli compression should be enabled and «Advanced CSS/JS Aggregation» also enabled and checked to make sure the code of several patches are in the proper version before enabling it on the server.

          Also while it requires PHP 5 and the following functions must also be available on the server:
          * stream_socket_client
          * stream_select
          * stream_set_blocking
          * stream_get_meta_data
          * stream_socket_get_name
          there is no way to tell how it will react with PHP-FPM but to test it — later when I have time

          The real question I have is about the static build of openssl 1.1.0h. I am considering upgrading the Bind of CentOS 7 from 9.9.94 to 9.11 ( bind-9.11.1-7.P3.fc27 RPM for x86_64 ) which has a dependency of libcrypto.so.1.1(OPENSSL_1_1_0) but a --test of an rpm -Uvh of the file fails the dependency.

          If I install the Fedora version of openssl — for Fedora 27 which is also 1.1.0h, and is the last version which will work with GLIBC 2.17, it will require a small hack to force an install to ignore the conflict with the existing /etc/pki/tls/openssl.conf file

          Is there a way to expose libcrypto.so.1.1 to the bind-libs so I do not need to install it at all ??

          Once the bind-libs go on, the rest of bind 9.11 will install. BIND 9.9.4 actually anything <= 9.10 has a views directive bug which prevents IN dynamic data from being posted to both the internal and external view, which causes a certbot renewal using the dns_rfc2136_authenticator plugin for the DNS-01 challenge for a wildcard cert to fail because the TXT file written to the DNS zone is not ever seen by the challenge server.

          So . . . is there a way to expose libcrypto.so.1.1 to the bind-libs so I do not need to install it at all ??
