Apache httpd 2.4.34 with support for Google's brotli compression and HTTP/2 has been added to the repository for Red Hat Enterprise Linux and CentOS. mod_ssl is built statically with OpenSSL 1.1.0h. Links:
Note that since version 2.4.27 the Apache httpd HTTP/2 module does not support the prefork MPM. If you need mod_http2, disable the prefork MPM and enable the event MPM in /etc/httpd/conf.modules.d/00-mpm.conf
This has already been done in the file we ship in the package. If you are upgrading an existing installation, update the file.
To work with SELinux, set the following boolean:
setsebool -P httpd_execmem=1
The brotli module is already included in the base RPM. All you need to do is configure the filter:
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
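A way to check a host against the settings described above (event MPM rather than prefork for mod_http2, the brotli filter, and h2 negotiated over ALPN). This is an added example, not part of the original post or the package; the function names are hypothetical and the sample tool output is constructed.

```shell
#!/bin/sh
# Added example: each function reads real tool output on stdin,
# so the same checks work on a live host and on saved output.

# Input: `httpd -M`. Returns 0 if event MPM, http2 and brotli are loaded,
# 1 if http2 is loaded with prefork (unsupported since 2.4.27),
# 2 if a required module is missing.
audit_modules() {
    mods=$(cat)
    has() { printf '%s\n' "$mods" | grep -Eq "^[[:space:]]*${1}_module[[:space:]]"; }
    if has http2 && has mpm_prefork; then
        echo "FAIL: http2_module loaded with prefork MPM" >&2
        return 1
    fi
    for m in mpm_event http2 brotli; do
        has "$m" || { echo "MISSING: ${m}_module" >&2; return 2; }
    done
    return 0
}

# Input: `openssl s_client -alpn h2 -connect HOST:443 </dev/null`.
alpn_is_h2() { grep -q '^ALPN protocol: h2$'; }

# Input: `curl -s -o /dev/null -D - -H 'Accept-Encoding: br' https://HOST/`.
served_brotli() { tr -d '\r' | grep -Eiq '^content-encoding:[[:space:]]*br$'; }

# Constructed sample output (not captured from a real server).
SAMPLE_MODS='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)
 brotli_module (shared)
 ssl_module (shared)'
SAMPLE_ALPN='Compression: NONE
ALPN protocol: h2
SSL-Session:'
SAMPLE_HDRS='HTTP/2 200
content-type: text/html; charset=UTF-8
content-encoding: br'

printf '%s\n' "$SAMPLE_MODS" | audit_modules && echo "modules: ok"
printf '%s\n' "$SAMPLE_ALPN" | alpn_is_h2 && echo "alpn: h2"
printf '%s\n' "$SAMPLE_HDRS" | served_brotli && echo "brotli: ok"
```

On a live host, pipe the commands named in the comments into the matching function in place of the samples.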
Dear Friends
You said:
«brotli support is already included in base RPM file. All you need is to add filters like
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript»
In the earlier version there was a file brotli.conf in /etc/httpd/conf.d/, which is no longer available in this new version. May you be so kind and explain where I should add this: «AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript», to have Brotli Compression enabled?
Thank you in advance for your help and support.
Sincerely
Hi Mateusz,
You can add this to any virtual host or even directly to main httpd.conf file.
Hello,
I have the latest build installed with Chrome developer mode showing h2 as protocol and some files compressed using br but a quick test using @ https://tools.keycdn.com/http2-test shows that ALPN and HTTP/2 is not supported. Is there any additional directive required/missing?
Hello Amit,
I think HTTP/2 and ALPN do really work on your site. ALPN is the only supported way for HTTP/2 negotiation in Chrome, so if you see h2 protocol in dev tools, ALPN and HTTP/2 really work.
Thank you for the reply. I’ve had to switch back to stock Apache 2.2 as I was getting out of memory errors. I have a CentOS 7x VM running on Azure with PHP 7x from Remi and tried your Apache 2.4 packages to run a large wordpress based website without success. I’ll have to debug on a local VM to determine why memory is getting depleted.
Hello Amit,
Please share errors from your log.
Also please note that PHP is not thread safe (at least in 7.0 and 7.1 they have bugs that cannot be fixed without ABI changes), so ensure you are using Apache httpd in prefork or event mode. Alternatively, you can use php in fpm mode (that will be default one in Fedora).
Hi guys, thanks for maintaining this repo! I tried to upgrade to the latest version, but I’m getting a dependency error. I’m using your CentOS 7 binary and my OpenSSL is 1.0.2k and mod_ssl is 2.4.33-3. Any idea how to resolve this error?
--> Running transaction check
---> Package libbrotli.x86_64 1:1.0.3-2.codeit.el7 will be installed
---> Package mod_ssl.x86_64 1:2.4.34-1.codeit.el7 will be an update
--> Processing Dependency: sscg >= 2.2.0 for package: 1:mod_ssl-2.4.34-1.codeit.el7.x86_64
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-862.2.3.el7 will be erased
---> Package mod_ssl.x86_64 1:2.4.34-1.codeit.el7 will be an update
--> Processing Dependency: sscg >= 2.2.0 for package: 1:mod_ssl-2.4.34-1.codeit.el7.x86_64
--> Finished Dependency Resolution
Error: Package: 1:mod_ssl-2.4.34-1.codeit.el7.x86_64 (CodeIT)
Requires: sscg >= 2.2.0
Hi JD,
Please add EPEL repository:
sudo yum install epel-release
That worked! Thanks so much. You’re the best!
Sorry, but installing the epel-release generates this:
Error: Package: 1:mod_ssl-2.4.39-2.codeit.el7.x86_64 (CodeIT)
Requires: sscg >= 2.2.0
Available: sscg-0.4.1-4.el7.noarch (epel)
sscg = 0.4.1-4.el7
You could try using --skip-broken to work around the problem
---> Package mod_ssl.x86_64 1:2.4.53-2.codeit.el7 will be an update
--> Processing Dependency: sscg >= 2.2.0 for package: 1:mod_ssl-2.4.53-2.codeit.el7.x86_64
---> Package openssl-quic-libs.x86_64 0:1.1.1n-2.codeit.el7 will be installed
--> Finished Dependency Resolution
Error: Package: 1:mod_ssl-2.4.53-2.codeit.el7.x86_64 (CodeIT)
Requires: sscg >= 2.2.0
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
[root@ip-10-49-83-228 tmp]# sudo yum install epel-release
Loaded plugins: changelog, versionlock
Package matching epel-release-7-11.noarch already installed. Checking for update.
Nothing to do
[root@ip-10-49-83-228 tmp]# yum list epel-release
Loaded plugins: changelog, versionlock
Installed Packages
even after installing epel-release-latest-7.noarch.rpm, please help
sscg is a part of epel.
Please double check that epel repository points to correct place and is enabled.
Will this be updated to openssl 1.1.0i?
Yes, we are preparing the update.
The original question was about brotli.conf missing now in this version
Would an /etc/httpd/conf.modules.d/brotli.conf file like this
# This is the Apache server configuration file for providing brotli support
# through brotli_module
#
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
not also work — or is there a reason it was removed because it causes problems in this way of implementation above ??
the post system stripped the greater than and less than command sign so I am trying to add underscores to prevent that here
# This is the Apache server configuration file for providing brotli support
# through brotli_module
#
_ _
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
_ _
Hello,
No, brotli.conf was not removed: it is now bundled to main rpm file, as Fedora does.
No, it does not cause any problems for us.
What do you mean by «not also work»? If you see any error message, please share it. If this configuration is silently ignored for you, please check that config file is included somewhere. We need more details to assist you 🙂
I was just asking if the filter you showed could be used in a /etc/httpd/conf.modules.d/brotli.conf file to automatically launch the module.
I did not see a brotli.conf file — so I made one but did not enable it yet — Drupal 7 — which I use — has some issues with brotli compression in such a way that a Drupal module called the «HTTP Parallel Request & Threading Library» to support brotli compression should be enabled and «Advanced CSS/JS Aggregation» also enabled and checked to make sure the code of several patches are in the proper version before enabling it on the server.
Also while it requires PHP 5 and the following functions must also be available on the server:
* stream_socket_client
* stream_select
* stream_set_blocking
* stream_get_meta_data
* stream_socket_get_name
there is no way to tell how it will react with PHP-FPM but to test it — later when I have time
The real question I have is about the static build of openssl 1.1.0h. I am considering upgrading the Bind of CentOS 7 from 9.9.94 to 9.11 ( bind-9.11.1-7.P3.fc27 RPM for x86_64 ) which has a dependency of libcrypto.so.1.1(OPENSSL_1_1_0) but a --test of an rpm -Uvh of the file fails the dependency.
If I install the Fedora version of openssl — for Fedora 27 which is also 1.1.0h, and is the last version which will work with GLIBC 2.17, it will require a small hack to force an install to ignore the conflict with the existing /etc/pki/tls/openssl.conf file
Is there a way to expose libcrypto.so.1.1 to the bind-libs so I do not need to install it at all ??
Once the bind-libs go on, the rest of bind 9.11 will install. BIND 9.9.4 actually anything <= 9.10 has a views directive bug which prevents IN dynamic data from being posted to both the internal and external view, which causes a certbot renewal using the dns_rfc2136_authenticator plugin for the DNS-01 challenge for a wildcard cert to fail because the TXT file written to the DNS zone is not ever seen by the challenge server.
So . . . is there a way to expose libcrypto.so.1.1 to the bind-libs so I do not need to install it at all ??
You can upgrade bind, as soon as openssl is built into mod_ssl.so file from mod_ssl rpm file. We do not install separate openssl files to your system, so you won’t have any problems with other packages.