Apache httpd 2.4.27 with HTTP/2 support for Red Hat Enterprise Linux and CentOS has been added to the repository. mod_ssl is built statically against OpenSSL 1.0.2l. Links:
Note that, starting with this version, the Apache httpd HTTP/2 module no longer supports the prefork MPM. Earlier, in version 2.4.26, we observed crashes with prefork and decided not to publish our builds because of them.
If you need mod_http2, disable the prefork MPM and enable the worker MPM in /etc/httpd/conf.modules.d/00-mpm.conf
Or use our repository. Please note that the package depends on apr-util 1.5.0+ and libnghttp2, which I would recommend taking from the EPEL repository. So the easiest way to use Apache httpd is to enable the EPEL repository: yum install -y epel-release
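The MPM switch described above is a one-line change in 00-mpm.conf, but the file must end up with exactly one uncommented "LoadModule mpm_..." line, or httpd will not start (no MPM) or will refuse the duplicate (two MPMs). The script below is an added example, not part of the codeit post or its packages: it works on a constructed sample modelled on the stock CentOS 00-mpm.conf, comments out every MPM line, uncomments the requested one, and refuses to leave the file in a zero-or-many state. The function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the codeit post or its packages): switch the
# active MPM in a RHEL/CentOS style 00-mpm.conf, where exactly one
# "LoadModule mpm_<name>_module" line must be left uncommented.

# Write a constructed sample modelled on the stock
# /etc/httpd/conf.modules.d/00-mpm.conf (prefork active, worker/event commented).
write_sample_mpm_conf() {
    cat > "$1" <<'EOF'
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:

# prefork MPM: Implements a non-threaded, pre-forking web server
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
#LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
}

# Print the name of every MPM whose LoadModule line is active (uncommented).
active_mpm() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}mpm_\([a-z]*\)_module.*/\1/p' "$1"
}

# Comment out all MPM LoadModule lines, then uncomment the requested one.
# Fails if the result does not contain exactly one active MPM, so a file
# that lacks a line for the requested MPM is not silently left MPM-less.
# Usage: switch_mpm /etc/httpd/conf.modules.d/00-mpm.conf worker
switch_mpm() {
    conf=$1
    want=$2
    case $want in
        prefork|worker|event) ;;
        *) echo "switch_mpm: unknown MPM '$want'" >&2; return 1 ;;
    esac
    sed -i \
        -e 's/^[[:space:]]*\(LoadModule[[:space:]]\{1,\}mpm_[a-z]*_module\)/#\1/' \
        -e 's/^#\{1,\}[[:space:]]*\(LoadModule[[:space:]]\{1,\}mpm_'"$want"'_module\)/\1/' \
        "$conf"
    n=$(active_mpm "$conf" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "switch_mpm: expected exactly one active MPM in $conf, found $n" >&2
        return 1
    fi
}

# Demo on a temporary copy so a real config tree is never touched.
demo=$(mktemp)
write_sample_mpm_conf "$demo"
echo "before: $(active_mpm "$demo")"
switch_mpm "$demo" worker
echo "after:  $(active_mpm "$demo")"
rm -f "$demo"
```

Run it against the real file only after `httpd -t` passes on a copy; the same switch_mpm call with `event` gives the event MPM that the commenter below ended up using.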
After yum update of these 2.4.27 packages (before, working with 2.4.25-3 packages) on Virtualmin and also EPEL and the Remi repo, HTTP/2 is gone! (CentOS 7.3x)
Do you have a hint where to look and what to change to get http/2 and ALPN back?
Packages (yum update) seem to be installed; the correct version is shown, httpd -v 2.4.27 and so on.
Sorry if I’m asking or doing something dumb 😉
John, we also see such behaviour, and the root of it (in our case) was prefork mpm.
You can check if you also have this problem by looking in your apache httpd log.
The Http2 Apache httpd module no longer supports prefork mpm; we experienced crashes with it in 2.4.26 and decided to keep builds private.
Please try disabling prefork mpm and enable worker mpm.
Sorry, a howto if possible.
On another server (DirectAdmin) we had some httpd 2.4.26 problems but solved them ourselves, and after the httpd 2.4.27 update it is stable with none. (all versions from DA and source, so no codeit)
But I want to test Virtualmin and get some more knowledge also outside of panels and co; I’m (was) more of a Windows person….
But I don’t know for sure how to go about changing the prefork; I had in mind something with event?
Sorry, it’s late here now; I switched to event and http2 is back again, thanks for pointing me in the right direction! 😉
Oh yeah, you GURUs did a very nice job, please go on … 😉
(Crashes with httpd 2.4.26 on our server were only with httpd graceful restarts, not with real restarts after stuff such as cronjobs and co., but yes, 2.4.26 was not so nice a version 🙁)
nano or vim:
vim /etc/httpd/conf.modules.d/00-mpm.conf
Yup, John, you are completely right, thank you!
Hello, after the update to the new release the service won’t start through systemctl. There was a hint that the address is already in use (443). I’ve checked the ports via lsof and netstat. There was nothing listening on the mentioned SSL port. After rebooting to ensure that the sockets were gone, nothing changed. I couldn’t figure out the root cause with the logs, so I had to roll back to the previous release through yum history undo. After that the problem was gone.
Is something similar known with the new package release?
Hello Martin,
No, we haven’t experienced such problems.
Did you update the http2 package of codeit also? I started the install (yum install http2, codeit repo) manually; here it was not in yum update because http2… before other..
mod_http2-1.10.10-1.codeit.x86_64.rpm
and the mod_ssl update with the edits from ssl.conf in ssl.conf.rpmnew .. ?
John,
yes, mod_http2 is now built as a separate package. 1.10.10-1 is the current version.
ssl.conf.rpmnew was made by the rpm installer, not by us, because you modified it.
On a fresh installation on a system without an ssl.conf file, the ssl defaults will be created as ssl.conf.
I know, but I asked Martin to check himself for important changes in the ssl.conf.rpmnew; don’t know, could be some different config that causes it.
Also, if he copied the full ssl.conf.rpmnew to ssl.conf without taking care of the right settings for the server, then you have a problem. (I tried this, just to be curious: cipherlist problems, then therefore not starting and so on 😉)
Ah, thank you, I just hadn’t realized this was a reply to Martin.
FYI, there is a «reply» button after each comment to place your reply properly.
Ok, thanks all for the support. As mentioned, the issue seemed to be caused by a stupid administration error with two «Listen https 443» in httpd.conf and ssl.conf. Uncommenting it in ssl.conf fixed the problem.
Meant commenting it out, not uncommenting 😉
Hello,
Congratulations on the good work! I have the following problem after upgrading to the latest version. In the new ssl.conf there are the following two directives:
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
With them, Apache does not want to start. What is the good practice in this case?
Hello Nedelin,
Please check the default ssl.conf (probably it was created as ssl.conf.rpmnew on your system).
We would recommend to use
Hello,
Thanks for your reply! Yes, exactly in the new file ssl.conf.rpmnew the default rows are as follows:
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
Is this a bug?
Nedelin, thank you a lot for your report.
Yes, this is a bug. We’ll update the patch set and update the release.
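Two of the start-up failures in this thread are plain configuration errors that can be caught before `systemctl start httpd` is ever run: the duplicate `Listen 443` in httpd.conf and ssl.conf (Martin’s "address already in use"), and the `SSLCipherSuite PROFILE=SYSTEM` / `SSLProxyCipherSuite PROFILE=SYSTEM` lines Nedelin found in the shipped ssl.conf. `PROFILE=SYSTEM` is the Red Hat / Fedora cipher-string syntax that defers to the system-wide crypto policy; upstream OpenSSL, including the 1.0.2l linked statically into this build, does not understand it, so mod_ssl fails to initialise. The script below is an added example, not part of the codeit post or its packages: it lints a constructed sample config tree for both problems. Function names and the sample files are my own.

```shell
#!/bin/sh
# Added example (not from the codeit post or packages): a pre-start lint for
# two misconfigurations discussed in the comments, run over constructed
# sample files rather than the live /etc/httpd tree.

# Constructed sample: httpd.conf and ssl.conf both Listen on 443, and
# ssl.conf carries the PROFILE=SYSTEM cipher strings from the faulty build.
write_sample_httpd_tree() {
    dir=$1
    mkdir -p "$dir/conf.d"
    cat > "$dir/httpd.conf" <<'EOF'
Listen 80
Listen 443 https
ServerRoot "/etc/httpd"
EOF
    cat > "$dir/conf.d/ssl.conf" <<'EOF'
# Listen 443 https   <- a commented copy must not count
Listen 443 https
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
EOF
}

# Print each address:port that has more than one active Listen directive.
# Bare ports and the wildcard forms "*:port" / "0.0.0.0:port" are folded
# together, since httpd binds the same socket for all of them.
listen_dups() {
    sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$@" |
        sed -e 's/^\*://' -e 's/^0\.0\.0\.0://' |
        sort | uniq -d
}

# Print file:line for SSLCipherSuite/SSLProxyCipherSuite values that use the
# Red Hat crypto-policy PROFILE= syntax, which upstream OpenSSL does not
# understand (mod_ssl then refuses to start). /dev/null forces the
# file:line prefix even when a single file is given.
cipher_profile_lines() {
    grep -nE '^[[:space:]]*SSL(Proxy)?CipherSuite[[:space:]]+PROFILE=' "$@" /dev/null
}

# Run both checks over a config tree; return non-zero if anything was found.
# Paths are assumed not to contain spaces (the unquoted $files expands the glob).
lint_httpd_tree() {
    dir=$1
    rc=0
    files="$dir/httpd.conf $dir/conf.d/*.conf"
    dups=$(listen_dups $files) || true
    if [ -n "$dups" ]; then
        echo "duplicate Listen for: $dups" >&2
        rc=1
    fi
    profiles=$(cipher_profile_lines $files) || true
    if [ -n "$profiles" ]; then
        echo "unsupported PROFILE= cipher string at:" >&2
        echo "$profiles" >&2
        rc=1
    fi
    return $rc
}

# Demo on a temporary tree; the sample is expected to fail the lint.
demo=$(mktemp -d)
write_sample_httpd_tree "$demo"
lint_httpd_tree "$demo" || echo "lint found problems (expected for the sample)"
rm -rf "$demo"
```

Pointing lint_httpd_tree at /etc/httpd complements `httpd -t`, which catches the PROFILE= string only once mod_ssl actually parses it and does not flag the duplicate Listen at all (that error only appears at bind time).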
In connection with this, http2 will not be supported by the prefork MPM. Wouldn’t it be a good idea to make the worker MPM module the default?
I thought about this and probably you are right. In our environment we run httpd with PHP, and we still think worker MPM is not safe enough to be run with PHP.
However, we have not seen crashes in a real environment on test hosts and on real websites that do not carry a critical environment for two weeks, so probably we will change the defaults and enable worker MPM by default.
Thank you very much! I’m expecting the new updates! 🙂
Build updated.
Yes, I even updated! Everything looks great! 🙂
Hello again,
I have seen the certificate on your website and I have the impression that you are using the same Let’s Encrypt certificate for several sites. I do not know if it is convenient to ask here: how is this possible? As far as I know these free certificates are issued for one domain.
Nedelin, yep, we are using the same SAN certificate for a couple of domains.
This is easily possible with the acme php client and certbot:
If you’re getting a certificate for many domains at once, the plugin needs to know where each domain’s files are served from, which could potentially be a separate directory for each domain. When requesting a certificate for multiple domains, each domain will use the most recently specified --webroot-path. So, for instance,
This is great! I am very grateful for the answer. 🙂
So the difference between version 2.4.27-1.codeit and version 2.4.27-2.codeit is only:
Nedelin Petkov says: September 7, 2017 at 12:26 pm
. . .
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
Is this a bug?
Alexander Gerasimov says: September 7, 2017 at 12:29 pm
Nedelin, thank you a lot for your report.
Yes, this is a bug. We’ll update patch set and update release.
Alexander Gerasimov says: September 7, 2017 at 2:48 pm
Build updated.
Yes. Plus the 00-mpm.conf file, where worker mpm is enabled by default.
Please have a look at this security CVE; I don’t know whether it could be related to this package also?
https://access.redhat.com/security/cve/CVE-2017-9788
It was discovered that the httpd's mod_auth_digest module did not properly initialize memory
Yes, I believe it’s related. We will wait for the official release to build a patched version.
For me it looks like this was already fixed in Apache itself in version 2.4.27 😉
Oh, sorry, see the link on the right
https://bugzilla.redhat.com/show_bug.cgi?id=1470748
Yup, you are right, it was fixed in 2.4.27.
So there was indeed one more important reason to use this repo. 😉
But take care with the CentOS 7.4 kernel if using XENVP: while the bug (not rebooting anymore) is there you have to use the kernel-plus, see >
https://bugs.centos.org/view.php?id=13763#c30014
For more info and the Apache update to come, read this link:
https://lists.gt.net/apache/dev/472115
Hi,
I’m trying to bump my httpd version from 2.4.6 to 2.4.27.
I did the following:
$ cd /etc/yum.repos.d; wget https://repo.codeit.guru/codeit.el`rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release)`.repo
and confirmed the epel-release repo was there by doing:
$ yum install -y epel-release
and that said it was already installed.
I then tried doing a:
$ yum update httpd
And it said there was nothing to update. I currently have CentOS 7.3 and httpd 2.4.6 and was hoping to bump httpd up to 2.4.27 as I want to make use of http/2.
Do I also need to do anything else to make sure that the codeit repo is picked up by yum ?
Should I have also done a $ yum install codeit?
I should also check, before I do this. What suexec_docroot do you set in your build for httpd? I’m using virtualmin and I think they have a custom requirement of setting «suexec_docroot» to «/home»
Thanks
Please check output of
Its at the top of the list.
repo id repo name status
CodeIT/x86_64 CodeIT repo. 141
and
$ yum update
reports «No packages marked for update»
I’ve had a chat with the Virtualmin guys and, given the need to have a build with ‘suexec_docroot = /home’ and the fact that my current httpd install comes from their repo (I think), it might not be a good idea for me to proceed. I’m guessing that your build doesn’t have the Virtualmin customisations..
Thanks for responding.
Jason, I’ve checked on fresh test instance with httpd 2.4.6 and yum update works fine.
So I think you have a custom build of httpd 2.4.6, or the update of httpd is prohibited in the yum configuration.
Please first try with
Ok, I will, but I won’t be able to use it anyway, unfortunately. It could well be, as you say, that the fact that I am using a Virtualmin-specific 2.4.6 from a Virtualmin repo is the thing that’s stopping an update from yours being recognised.
I’m told by Virtualmin support that I can’t use a generic 2.4.* build. Virtualmin uses SuEXEC and specifies that suexec_docroot points to /home. I doubt yours does the same, and I’m not prepared to lose Virtualmin just to have http/2.
I’m trying to persuade Virtualmin now to update their repo from the RH SCL repo but with their customisations. Or at least provide it as an option.
I’m told that if I install yours it will break Virtualmin’s support for apache.
Thanks for responding.
Jason, have also a look here for Virtualmin:
https://codeit.guru/en_US/2017/01/apache-httpd-2-4-25-built-against-openssl-1-0-2j-with-http2-for-red-hat-enterprise-linux-and-centos/
Apache 2.4.28 security fix, expecting one:
http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3cCACsi253RDMjgzixy_qxJEcse9usBicendZ+pXxsQ=innRJXnmQ@mail.gmail.com%3e
Sorry, what to do when CentOS is updated to 7.4?
John, builds are tested on 7.3 and 7.4.
They work well on both.
John, httpd build updated.