Apache httpd 2.4.54 built with Brotli, TLS 1.3 final (RFC 8446), OpenSSL 1.1.1o, ALPN and http2 support for Rocky Linux, Red Hat Enterprise Linux, Alma Linux and CentOS

Apache httpd 2.4.54-1 with Google's brotli compression support and mod_http2 2.0.2 has been added to the repository for Red Hat Enterprise Linux, Rocky Linux, Alma Linux and CentOS. Mod_ssl is built dynamically with OpenSSL 1.1.1o.

This release fixes the vulnerability CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling.

Note that httpd 2.4.54 supports TLS 1.3 when built with OpenSSL 1.1.1. All the new ciphers are enabled and working.
Starting with version 2.4.54-2, we build OpenSSL+QUIC 1.1.1 separately; it is installed into /lib64 on its own with the suffix .so.81.1.1 and does not affect the system libraries in any way.

To install on EL8, you need to enable the corresponding module stream:

dnf module enable -y httpd:codeit

TLS 1.3 final currently works in Google Chrome 70+ and Mozilla Firefox 63+.

A corresponding minimal policy for running under SELinux is included in the rpm.

The brotli module is already included in the base RPM. All you need to do is configure the filter:

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
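
An added example (not part of the original post or of the CodeIT packages): a small shell check for confirming which OpenSSL build a module such as mod_ssl actually resolves to, based on the separate .so.81.1.1 suffix described above. The function names, the library file names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post or the packages.
# Reads `ldd` output on stdin and prints one line per OpenSSL library:
#   <soname> <resolved path> <bundled|other>   or   <soname> - missing
# "bundled" = soname ends in the suffix the post gives for the separate
# OpenSSL+QUIC build; "other" = any other libssl/libcrypto (e.g. the system one).
BUNDLED_SUFFIX='.so.81.1.1'

classify_ssl_libs() {
    while read -r soname arrow path _rest; do
        case "$soname" in
            libssl.so*|libcrypto.so*) ;;
            *) continue ;;
        esac
        # ldd prints "name => not found" when the loader cannot resolve a library
        if [ "$arrow" != "=>" ] || [ "$path" = "not" ]; then
            echo "$soname - missing"
            continue
        fi
        case "$soname" in
            *"$BUNDLED_SUFFIX") echo "$soname $path bundled" ;;
            *)                  echo "$soname $path other" ;;
        esac
    done
}

# Succeeds only if at least one OpenSSL library is listed and all are bundled.
only_bundled() {
    report=$(classify_ssl_libs)
    [ -n "$report" ] || return 1
    ! printf '%s\n' "$report" | grep -qv ' bundled$'
}

# Constructed sample (not captured from a real host); the library file names
# are assumed from the suffix quoted in the post.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd5a5f2000)
    libssl.so.81.1.1 => /lib64/libssl.so.81.1.1 (0x00007f3a1c200000)
    libcrypto.so.81.1.1 => /lib64/libcrypto.so.81.1.1 (0x00007f3a1be00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a1b800000)
EOF
}

sample_ldd | classify_ssl_libs
# Real use (path is a placeholder): ldd /path/to/mod_ssl.so | classify_ssl_libs
```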

20 comments

  1. Hello,

    I am just curious if you are aware of any troubles with the repo? Possible corruption maybe? I am running into a Content-Length issue when trying to pull down packages.

    ——
    Downloading Packages:
    [MIRROR] httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch.rpm: Interrupted by header callback: Server reports Content-Length: 33590 but expected size is: 33598
    (1/11): apr-1.7.0-2.el8.x86_64.rpm 772 kB/s | 129 kB 00:00
    [MIRROR] httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 102586 but expected size is: 102582
    [MIRROR] httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch.rpm: Interrupted by header callback: Server reports Content-Length: 33590 but expected size is: 33598
    (2/11): httpd-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 3.6 MB/s | 1.5 MB 00:00
    [MIRROR] httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 102586 but expected size is: 102582
    [FAILED] httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm: No more mirrors to try — All mirrors were already tried without success
    (4-5/11): mod_http2-2.0.2-1.codeit.el8.x86_64.rpm 44% [===============================================- ] 901 kB/s | 1.7 MB 00:02 ETA
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing ‘yum clean packages’.
    Error: Error downloading packages:
    httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64: Cannot download, all mirrors were already tried without success
    ——

    Thanks for your time!

  2. You bet.

    I am running a Rocky Linux VM (kvm/qemu). The repo file looks like this…

    [CodeIT]
    name=CodeIT repo
    baseurl=https://repo.codeit.guru/packages/centos/$releasever/$basearch
    enabled=1
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-MasterOfDevon
    gpgcheck=1

    [CodeIT-mainline]
    name=CodeIT mainline repo
    baseurl=https://repo.codeit.guru/packages/mainline/centos/$releasever/$basearch
    enabled=1
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-MasterOfDevon
    gpgcheck=1

    [CodeIT-testing]
    name=CodeIT testing repo
    baseurl=https://repo.codeit.guru/packages/testing/$releasever/$basearch
    enabled=0
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-MasterOfDevon
    gpgcheck=1

    I am trying to test out some packages, and how they work with each other before I upgrade my live systems.

    I appreciate your response and all your efforts, thank you!!

    1. I just jumped back in and tested it, and it seems to be working well now. If you threw your time at this, I appreciate it very much!

      Thank you!

      ——

      Total download size: 3.8 M
      Installed size: 9.9 M
      Is this ok [y/N]: y
      Downloading Packages:
      (1/11): apr-1.7.0-2.el8.x86_64.rpm 308 kB/s | 129 kB 00:00
      (2/11): httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch.rpm 78 kB/s | 33 kB 00:00
      (3/11): httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 497 kB/s | 100 kB 00:00
      (4/11): mod_http2-2.0.2-1.codeit.el8.x86_64.rpm 613 kB/s | 153 kB 00:00
      (5/11): apr-util-1.6.1-6.el8.1.x86_64.rpm 27 MB/s | 104 kB 00:00
      (6/11): apr-util-bdb-1.6.1-6.el8.1.x86_64.rpm 14 MB/s | 23 kB 00:00
      (7/11): apr-util-openssl-1.6.1-6.el8.1.x86_64.rpm 18 MB/s | 26 kB 00:00
      (8/11): mailcap-2.1.48-3.el8.noarch.rpm 26 MB/s | 38 kB 00:00
      (9/11): rocky-logos-85.0-4.el8.x86_64.rpm 65 MB/s | 328 kB 00:00
      (10/11): httpd-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 1.7 MB/s | 1.5 MB 00:00
      (11/11): openssl-quic-libs-1.1.1o-1.codeit.el8.x86_64.rpm 3.6 MB/s | 1.4 MB 00:00
      —————————————————————————————————————————————————————————————————————————————————————-
      Total 3.7 MB/s | 3.8 MB 00:01

      Installed:
      apr-1.7.0-2.el8.x86_64 apr-util-1.6.1-6.el8.1.x86_64 apr-util-bdb-1.6.1-6.el8.1.x86_64 apr-util-openssl-1.6.1-6.el8.1.x86_64 httpd-2.4.54-1.module_codeit.codeit.el8.x86_64
      httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64 mailcap-2.1.48-3.el8.noarch mod_http2-2.0.2-1.codeit.el8.x86_64 openssl-quic-libs-1.1.1o-1.codeit.el8.x86_64
      rocky-logos-85.0-4.el8.x86_64

      ——

  3. Hello Alexander (and Team),

    I am wondering if you could direct me on how to go about resolving this issue?

    «No available modular metadata for modular package ‘mod_http2-2.0.3-1.codeit.el8.x86_64’, it cannot be installed on the system»

    I have reloaded my repo, but have had no luck trying to get mod_http2 updated. Below is the full run of my dnf update.

    ——

    # dnf update
    Last metadata expiration check: 0:07:01 ago on Sat 09 Jul 2022 02:58:50 AM MDT.
    Dependencies resolved.
    ================================================================================================================================================================================
    Package Architecture Version Repository Size
    ================================================================================================================================================================================
    Upgrading:
    httpd x86_64 2.4.54-1.module_codeit.codeit.el8 CodeIT 1.5 M
    httpd-devel x86_64 2.4.54-1.module_codeit.codeit.el8 CodeIT 225 k
    httpd-filesystem noarch 2.4.54-1.module_codeit.codeit.el8 CodeIT 33 k
    httpd-tools x86_64 2.4.54-1.module_codeit.codeit.el8 CodeIT 100 k
    mod_http2 x86_64 2.0.3-1.codeit.el8 CodeIT 155 k
    mod_md x86_64 2.4.54-1.module_codeit.codeit.el8 CodeIT 169 k
    mod_ssl x86_64 1:2.4.54-1.module_codeit.codeit.el8 CodeIT 131 k
    Installing dependencies:
    openssl-quic-libs x86_64 1.1.1q-1.codeit.el8 CodeIT 1.4 M

    Transaction Summary
    ================================================================================================================================================================================
    Install 1 Package
    Upgrade 7 Packages

    Total download size: 3.7 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/8): httpd-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 29 MB/s | 1.5 MB 00:00
    (2/8): httpd-devel-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 4.0 MB/s | 225 kB 00:00
    (3/8): httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch.rpm 2.8 MB/s | 33 kB 00:00
    (4/8): openssl-quic-libs-1.1.1q-1.codeit.el8.x86_64.rpm 20 MB/s | 1.4 MB 00:00
    (5/8): httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 6.0 MB/s | 100 kB 00:00
    (6/8): mod_http2-2.0.3-1.codeit.el8.x86_64.rpm 14 MB/s | 155 kB 00:00
    (7/8): mod_ssl-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 11 MB/s | 131 kB 00:00
    (8/8): mod_md-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 6.7 MB/s | 169 kB 00:00
    ———————————————————————————————————————————————————————————
    Total 37 MB/s | 3.7 MB 00:00
    Running transaction check
    No available modular metadata for modular package ‘mod_http2-2.0.3-1.codeit.el8.x86_64’, it cannot be installed on the system
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing ‘dnf clean packages’.
    Error: No available modular metadata for modular package

    ——

    I appreciate your help!

  4. Success Alex!

    Thank you for checking into it. I really appreciate your builds and your upkeep. Thank you!

    ——

    # dnf update mod_http2
    Last metadata expiration check: 1:08:16 ago on Sun 10 Jul 2022 03:10:29 PM MDT.
    Dependencies resolved.
    ================================================================================================================================================================================================================================================================
    Package Architecture Version Repository Size
    ================================================================================================================================================================================================================================================================
    Upgrading:
    mod_http2 x86_64 2.0.3-2.module_codeit.codeit.el8 CodeIT 155 k

    Transaction Summary
    ================================================================================================================================================================================================================================================================
    Upgrade 1 Package

    Total download size: 155 k
    Is this ok [y/N]: y
    Downloading Packages:
    mod_http2-2.0.3-2.module_codeit.codeit.el8.x86_64.rpm 589 kB/s | 155 kB 00:00
    —————————————————————————————————————————————————————————————————————————————————————-
    Total 585 kB/s | 155 kB 00:00
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
    Preparing : 1/1
    Upgrading : mod_http2-2.0.3-2.module_codeit.codeit.el8.x86_64 1/2
    Cleanup : mod_http2-2.0.2-1.codeit.el8.x86_64 2/2
    Running scriptlet: mod_http2-2.0.2-1.codeit.el8.x86_64 2/2
    Verifying : mod_http2-2.0.3-2.module_codeit.codeit.el8.x86_64 1/2
    Verifying : mod_http2-2.0.2-1.codeit.el8.x86_64 2/2

    Upgraded:
    mod_http2-2.0.3-2.module_codeit.codeit.el8.x86_64

    Complete!

    ——

    Take care!!

  5. Hello Alex,

    Soooo, where is your «Buy Me A Coffee» or «Gift» or «Donate» button? I am not sure you comprehend how much time and effort you save me (and I’m sure others) with your builds. Every time I stand up a new system or reload a web server, it's just a breath of fresh air to know that I am not gunna have to spend a day or two compiling!

    Sincerely. Thank you for your efforts, your time, and even attention to the issues some of us run into. It has not been lost on me brother.

    Thank you!

  6. Hi Alexander,

    I’m running on Oracle Linux 7,9 (binary compatible w/ RHEL), and I’m on httpd 2.4.54, which I believe is the latest. I was just reading that it integrates with openssl 1.1.1o. My problem is that we run Tenable.io scans on our servers, to screen for security issues, and have identified an issue as being ‘openssl 1.1.1 < openssl 1.1.1p', which apparently causes some security issues.

    If I were to download and install openssl 1.1.1p, that wouldn't do me any good, right? Because the openssl version has to be built into the httpd build?

    Thanks for your efforts! I love the CodeIT repo!

  7. Hello,

    in RHEL8 the apache package is still 2.4.53

    Dependencies resolved.
    =====================================================================================================================================================================================================================
    Package Architecture Version Repository Size
    =====================================================================================================================================================================================================================
    Installing:
    httpd x86_64 2.4.53-1.codeit.el8 CodeIT 1.5 M
    Installing dependencies:
    apr x86_64 1.7.0-2.el8 CodeIT 129 k
    apr-util x86_64 1.6.1-6.el8 CodeIT 103 k
    httpd-filesystem noarch 2.4.53-1.codeit.el8 CodeIT 33 k
    httpd-tools x86_64 2.4.53-1.codeit.el8 CodeIT 100 k
    mailcap noarch 2.1.48-3.el8 rhel-8-for-x86_64-baseos-rpms 39 k
    mod_http2 x86_64 2.0.2-1.codeit.el8 CodeIT 153 k
    redhat-logos x86_64 84.5-1.el8 rhel-8-for-x86_64-baseos-rpms 364 k

    Transaction Summary
    =====================================================================================================================================================================================================================
    Install 8 Packages

    ETA for the update to 2.4.54?

  8. Hello,
    We installed 2.4.46 some time ago… we just had to change docroot and rebuild the package.
    Now, is it safe to update the packages to 2.5.54 and openssl devel-libs or do we need to change and rebuild again?

    Thanks
