Apache httpd 2.4.39 with support for Google's brotli compression and http2 has been added to the repository for Red Hat Enterprise Linux and CentOS. mod_ssl is built statically against OpenSSL 1.1.1b. Links:
Note that httpd 2.4.39 already supports TLS 1.3 when built with OpenSSL 1.1.1. All the new cipher suites are enabled and working.
TLS 1.3 final currently works in Google Chrome 70+ and Mozilla Firefox 63+.
To work with SELinux, set the following boolean:
setsebool -P httpd_execmem=1
The brotli module is already enabled in the base RPM. All you need to do is configure the output filter:
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
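A post-deploy check for the three features above (TLS 1.3, HTTP/2 and brotli), added here as an example and not part of the original post. check_probe parses a curl transcript (verbose log plus dumped headers) and reports what is missing; probe_host produces such a transcript for a real host. The hostname argument and the sample transcript are assumptions/constructed.

```shell
#!/bin/sh
# Added example: verify that a deployed httpd 2.4.39 really negotiates TLS 1.3,
# answers over HTTP/2 and serves brotli-compressed bodies with a correct Vary header.
# The sample transcript below is constructed, not captured from a real server.

# Reads a curl transcript on stdin; prints "missing: ..." and returns 1 if any
# expected marker is absent, returns 0 when all are present.
check_probe() {
    transcript=$(cat)
    missing=""
    # curl -v logs the negotiated protocol on the "SSL connection using" line
    printf '%s\n' "$transcript" | grep -q 'SSL connection using TLSv1.3' \
        || missing="$missing tls1.3"
    # the status line of an HTTP/2 response (from -D -) starts with "HTTP/2 "
    printf '%s\n' "$transcript" | grep -qi '^HTTP/2 ' \
        || missing="$missing http2"
    # mod_brotli labels compressed bodies with Content-Encoding: br
    printf '%s\n' "$transcript" | grep -qi '^content-encoding: *br' \
        || missing="$missing brotli"
    # without Vary: Accept-Encoding a shared cache may hand a br body to a
    # client that only accepts gzip or identity
    printf '%s\n' "$transcript" | grep -qi '^vary:.*accept-encoding' \
        || missing="$missing vary"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# Probes a host (assumed argument, e.g. www.example.com) and feeds curl's verbose
# log and response headers to check_probe. Needs network access.
probe_host() {
    curl -sS -o /dev/null -D - -v --tlsv1.3 --http2 \
        -H 'Accept-Encoding: br, gzip' "https://$1/" 2>&1 | check_probe
}

# Constructed transcript of a healthy response, used to exercise check_probe offline.
SAMPLE_TRANSCRIPT='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
HTTP/2 200
content-encoding: br
vary: Accept-Encoding
content-type: text/html'

printf '%s\n' "$SAMPLE_TRANSCRIPT" | check_probe && echo "sample transcript: ok"
```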
Changes with Apache 2.4.39:
- mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend connection is recycled/reused to avoid a possible crash with some SSLProxy configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
- mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. [Michael Kaufmann]
- mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host PR 55348
- mod_socache_redis: Support for Redis as socache storage provider.
- core: new configuration option ‘MergeSlashes on|off’ that controls handling of multiple, consecutive slash (‘/’) characters in the path component of the request URL. [Eric Covener]
- mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED. Fixed. [Michael Kaufmann]
- mod_http2: new configuration directive: `H2Padding numbits` to control padding of HTTP/2 payload frames. ‘numbits’ is a number from 0-8, controlling the range of padding bytes added to a frame. The actual number added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing]
- mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2 has no more need for it. Optional functions are still declared but no longer implemented. While previous mod_proxy_http2 will work with this, it is recommended to run the matching versions of both modules. [Stefan Eissing]
- mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which resolve PR63170. The proxy module does now a single h2 request on the (reused) connection and returns. [Stefan Eissing]
- mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status to trigger immediate shutdown of backend connections. This is now always signalled by mod_http2 when the session is being released. proxy_http2 now only sends a PING frame to the backend when there is not already one in flight. [Stefan Eissing]
- mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite loop when encountering certain errors on the backend connection. [Stefan Eissing]
- mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
- mod_http2: HEAD requests to some module such as mod_cgid caused the stream to terminate improperly and cause a HTTP/2 PROTOCOL_ERROR. [Michael Kaufmann]
- http: Fix possible empty response with mod_ratelimit for HEAD requests. PR 63192. [Yann Ylavic]
- mod_cache_socache: Avoid reallocations and be safe with outgoing data lifetime. [Yann Ylavic]
- MPMs unix: bind the bucket number of each child to its slot number, for a more efficient per bucket maintenance. [Yann Ylavic]
- mod_auth_digest: Fix a race condition. Authentication with valid credentials could be refused in case of concurrent accesses from different users. PR 63124. [Simon Kappel]
- mod_http2: enable re-use of slave connections again. Fixed slave connection keepalives counter. [Stefan Eissing]
- mod_reqtimeout: Allow to configure (TLS-)handshake timeouts. PR 61310. [Yann Ylavic]
- mod_proxy_wstunnel: Fix websocket proxy over UDS. PR 62932
- mod_ssl: Don’t unset FIPS mode on restart unless it’s forced by configuration (SSLFIPS on) and not active by default in OpenSSL. PR 63136. [Yann Ylavic]
Alex,
I’m not sure if you have any plan to upgrade mod_http2 to 1.14.1 anytime soon?
Jeffrey,
Thank you for pointing out.
We built mod_http2 to 1.14.1 and pushed it to the repo.
We tested it and it works flawlessly with major browsers. Please provide your feedback.
Alex,
Thanks for the prompt response.
Yes, this is working fine on my toy & latest browsers, including MS Edge, IE, Google Chrome & Firefox.
One more question, regarding `H2Padding numbits`: is it the default value or ….?
Jeffrey,
Regarding H2Padding numbits this is a new configuration directive you can use. We do not set it in our default configuration files. The purpose is to keep them as close as possible to Fedora ones.
Alex,
Gotcha & thanks.
It appears that the following is a vulnerability in OpenSSL 1.1.1b:
https://www.openssl.org/news/secadv/20190306.txt
Is there a way to get 1.1.1c built into the repo?
Many thanks,
Bryan
Sure, we will build it against 1.1.1c, but it was not released yet.
"Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time".
Got it — had not seen that. Oddly, our scanning service, TrustWave, indicates that we have a vulnerability for not being on 1.1.1c. 🙂 Will wait until that is released — thanks again.
Hi Alexander,
It appears that OpenSSL 1.1.1c is now available.
Thank you,
Bryan
After doing systemctl reload httpd.service the server does not respond.
systemctl status -l httpd.service
● httpd.service — The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: reloading (reload) (Result: signal) since lun 2019-04-29 12:54:28 CEST; 3min 54s ago
Docs: man:httpd.service(8)
Process: 16201 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
Process: 15902 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=killed, signal=SEGV)
Main PID: 15902 (code=killed, signal=SEGV)
Status: «Reading configuration…»
CGroup: /system.slice/httpd.service
├─15904 /usr/sbin/httpd -DFOREGROUND
├─15905 /usr/sbin/httpd -DFOREGROUND
└─16204 /usr/sbin/httpd -DFOREGROUND
abr 29 12:54:28 systemd[1]: Unit httpd.service entered failed state.
abr 29 12:54:28 systemd[1]: httpd.service failed.
abr 29 12:54:28 systemd[1]: Starting The Apache HTTP Server…
abr 29 12:54:28 httpd[15902]: Server configured, listening on: port 443, port 80
abr 29 12:54:28 systemd[1]: Started The Apache HTTP Server.
abr 29 12:58:16 systemd[1]: Reloading The Apache HTTP Server.
abr 29 12:58:17 systemd[1]: Reloaded The Apache HTTP Server.
abr 29 12:58:17 systemd[1]: httpd.service: main process exited, code=killed, status=11/SEGV
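A small detector for the failure pattern in the journal output above (a reload followed by the main httpd process dying of SIGSEGV), added here as an example and not part of the thread. segv_after_reload reads journal lines on stdin; journal_check feeds it live journalctl output. The sample lines are constructed from the report above.

```shell
#!/bin/sh
# Added example: flag "graceful reload, then main process killed by SEGV" in
# systemd journal output for httpd.service, so the crash is noticed instead of
# the unit sitting in "reloading" state with the old workers still attached.

# Reads journal lines on stdin. Returns 0 (and prints the evidence) when a SEGV of
# the main process follows a reload, 1 otherwise. A successful "Started" line
# resets the state, so an old crash before a clean restart is not reported.
segv_after_reload() {
    reloading=0
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"Reloading The Apache HTTP Server"*)
                reloading=1
                reload_line=$line ;;
            *"Started The Apache HTTP Server"*)
                reloading=0 ;;
            *"main process exited, code=killed, status=11/SEGV"*)
                if [ "$reloading" -eq 1 ]; then
                    echo "reload: $reload_line"
                    echo "crash:  $line"
                    found=1
                fi ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Live check against the unit's journal (needs journalctl and read access).
journal_check() {
    journalctl -u httpd.service --no-pager | segv_after_reload
}

# Constructed sample modelled on the status output in the report above.
SAMPLE_JOURNAL='abr 29 12:54:28 systemd[1]: Started The Apache HTTP Server.
abr 29 12:58:16 systemd[1]: Reloading The Apache HTTP Server.
abr 29 12:58:17 systemd[1]: Reloaded The Apache HTTP Server.
abr 29 12:58:17 systemd[1]: httpd.service: main process exited, code=killed, status=11/SEGV'

printf '%s\n' "$SAMPLE_JOURNAL" | segv_after_reload \
    && echo "next step: check error_log and /var/log/messages for the matching segfault record"
```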
Howdy, after seeing your great dev efforts here I went on an install tryout, and surprisingly all the modern stuff is compatible to install, as http/2, open ssl 1.11, brotli etc., but as the server went to the deploy stage it turned into an explanation to me of why my trusted hoster is not updating their services with the above mentioned. Unpredictable subversions, as with my VPS install, end with a non-functioning php-72 install, no error logs, a blank page not parsing code. And searching here I went over a thread from two years before
@Apache httpd 2.4.26 built, but crashes
seems like trouble to me, could you advise somehow please, regards.
Hey Nic,
If the service really crashes, you should have a record about it in error_log and /var/log/messages.
Please try a static html page first, then try to use php in php-fpm mode as recommended by Fedora devs.