Apache httpd 2.4.41, собранный с Brotli, TLS 1.3 final (RFC 8446), OpenSSL 1.1.1c, ALPN и поддержкой http2 для Red Hat Enterprise Linux и CentOS

В репозиторий добавлен Apache httpd 2.4.41 с поддержкой сжатия brotli от Google, http2 для Red Hat Enterprise Linux и CentOS. Mod_ssl собран статически с OpenSSL 1.1.1c. Ссылки:

Заметим, что httpd 2.4.41 поддерживает TLS 1.3 при сборке с OpenSSL 1.1.1. Все новые шифры включены и работают.

TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.

Для работы с SELinux установите следующий boolean:

setsebool -P httpd_execmem=1

Модуль brotli уже включён в базовый RPM. Всё, что нужно — настроить фильтр

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Changes with Apache 2.4.41:

  *) mod_proxy_balancer: Improve balancer-manager protection against 
     XSS/XSRF attacks from trusted users.  [Joe Orton,
     Niels Heinen ]

  *) mod_session: Introduce SessionExpiryUpdateInterval which allows to
     configure the session/cookie expiry's update interval. PR 57300.
     [Paul Spangler ]

  *) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
     PR 63633.  [Rainer Jung, Joe Orton]

  *) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
     configured for a domain managed by mod_md.  [Stefan Eissing]

Changes with Apache 2.4.40

  *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via 
     RegexDefaultOptions -DOTALL [Yann Ylavic]

  *) core: Remove request details from built-in error documents [Eric Covener]

  *) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
     merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]

  *) mod_http2: fixed a bug that prevented proper stream cleanup when connection
     throttling was in place. Stream resets by clients on streams initiated by them
     are counted as possible trigger for throttling. [Stefan Eissing]

  *) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
     more to write with streams ongoing (flow control block). The timeout waiting
     for the client to send WINODW_UPDATE was incorrectly KeepAliveTimeout and not
     Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]

  *) mod_proxy_balancer: Load balancer required byrequests when bytraffic chosen.
     PR 62372. [Jim Jagielski]

  *) mod_proxy_hcheck: Create the configuration for mod_proxy_hcheck
     when used in BalancerMember. PR 60757. [Jean-Frederic Clere]

  *) mod_proxy_hcheck: Mute extremely frequent debug message. [Yann Ylavic]

  *) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
     adding certificates and keys to a virtual host. An additional hook allows
     answering special TLS connections as used in ACME challenges.
     Adding 2 new hooks for init/get of OCSP stapling status information when
     other modules want to provide those. Falls back to own implementation with
     same behaviour as before.
     [Stefan Eissing]
  
  *) mod_md: new features
     - protocol
       - supports the ACMEv2 protocol. It is the default and will be used on the next
         certificate renewal, unless another "MDCertificateAuthority" is configured
       - ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
         announcement by Let's Encrypt:       
         https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
     - challenges
       - new challenge method 'tls-alpn-01' implemented
       - challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
       - supports command configuration to setup/teardown 'dns-01' challenges
       - supports wildcard certificates when dns challenges are configured
     - status information and monitoring
       - a domain exposes its status at https:///.httpd/certificate-status
       - Managed Domains are now in Apache's 'server-status' page
       - A new handler 'md-status' exposes verbose status information in JSON format
     - new directives
       - "MDCertificateFile" and "MDCertificateKeyFile" to configure a
         Managed Domain that uses static files. Auto-renewal is turned off for those.
       - "MDMessageCmd" that is invoked on several events: 'renewed', 'expiring' and
         'errored'.
       - "MDWarnWindow" directive to configure when expiration warnings shall be issued.
     [Stefan Eissing]

  *) mod_mime_magic: Fix possible corruption of returned strings.
     [Christophe Jaillet]

  *) Default "conf/magic": Fix pattern for "audio/x-wav" for WAV files,
     remove "audio/unknown" pattern for other RIFF files.
     [ГЂngel OllГ© BlГЎzquez ]

  *) mod_proxy_http2: fixing a potential NULL pointer use in logging.
     [Christophe Jaillet, Dr Silvio Cesare InfoSect]

  *) mod_dav: Reduce the amount of memory needed when doing PROPFIND's on large
     collections by improving the memory management. [Joe Orton, Ruediger Pluem]

  *) mod_proxy_http2: adding support for handling trailers in both directions.
     PR 63502. [Stefan Eissing]

  *) mod_proxy_http: forward 100-continue, and minimize race conditions when
     reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]

  *) mod_proxy_balancer: Fix some HTML syntax issues.  [Christophe Jaillet]

  *) When using mod_status with the Event MPM, report the number of requests
     associated with an active connection in the "ACC" field. Previously
     zero was always reported with this MPM.  PR60647. [Eric Covener]

  *) mod_http2: remove the no longer existing h2_ngn_shed.c from Cmake.
     [Stefan Eissing]

  *) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy
     SSL configurations broken inside  context.  PR 63430.
     [Ruediger Pluem, Yann Ylavic]

  *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
     PR 61857.  [Markus Gausling , Yann Ylavic]

  *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
     PR 63325. [Yann Ylavic]

  *) mod_info: Fix output of server settings for PIPE_BUF in mod_info in
     the rare case that PIPE_BUF is defined. [Rainer Jung]

  *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
     spite of umask. Fixes . [Stefan Eissing]

Добавить комментарий

Ваш e-mail не будет опубликован. Обязательные поля помечены *