Apache httpd 2.4.41, собранный с Brotli, TLS 1.3 final (RFC 8446), OpenSSL 1.1.1c, ALPN и поддержкой http2 для Red Hat Enterprise Linux и CentOS

В репозиторий добавлен Apache httpd 2.4.41 с поддержкой сжатия brotli от Google, http2 для Red Hat Enterprise Linux и CentOS. Mod_ssl собран статически с OpenSSL 1.1.1c. Ссылки:

Заметим, что httpd 2.4.41 поддерживает TLS 1.3 при сборке с OpenSSL 1.1.1. Все новые шифры включены и работают.

TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.

Для работы с SELinux установите следующий boolean:

setsebool -P httpd_execmem=1

Модуль brotli уже включён в базовый RPM. Всё, что нужно — настроить фильтр

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Changes with Apache 2.4.41:

  *) mod_proxy_balancer: Improve balancer-manager protection against 
     XSS/XSRF attacks from trusted users.  [Joe Orton,
     Niels Heinen ]

  *) mod_session: Introduce SessionExpiryUpdateInterval which allows to
     configure the session/cookie expiry's update interval. PR 57300.
     [Paul Spangler ]

  *) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
     PR 63633.  [Rainer Jung, Joe Orton]

  *) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
     configured for a domain managed by mod_md.  [Stefan Eissing]

Changes with Apache 2.4.40

  *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via 
     RegexDefaultOptions -DOTALL [Yann Ylavic]

  *) core: Remove request details from built-in error documents [Eric Covener]

  *) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
     merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]

  *) mod_http2: fixed a bug that prevented proper stream cleanup when connection
     throttling was in place. Stream resets by clients on streams initiated by them
     are counted as possible trigger for throttling. [Stefan Eissing]

  *) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
     more to write with streams ongoing (flow control block). The timeout waiting
     for the client to send WINODW_UPDATE was incorrectly KeepAliveTimeout and not
     Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]

  *) mod_proxy_balancer: Load balancer required byrequests when bytraffic chosen.
     PR 62372. [Jim Jagielski]

  *) mod_proxy_hcheck: Create the configuration for mod_proxy_hcheck
     when used in BalancerMember. PR 60757. [Jean-Frederic Clere]

  *) mod_proxy_hcheck: Mute extremely frequent debug message. [Yann Ylavic]

  *) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
     adding certificates and keys to a virtual host. An additional hook allows
     answering special TLS connections as used in ACME challenges.
     Adding 2 new hooks for init/get of OCSP stapling status information when
     other modules want to provide those. Falls back to own implementation with
     same behaviour as before.
     [Stefan Eissing]
  
  *) mod_md: new features
     - protocol
       - supports the ACMEv2 protocol. It is the default and will be used on the next
         certificate renewal, unless another "MDCertificateAuthority" is configured
       - ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
         announcement by Let's Encrypt:       
         https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
     - challenges
       - new challenge method 'tls-alpn-01' implemented
       - challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
       - supports command configuration to setup/teardown 'dns-01' challenges
       - supports wildcard certificates when dns challenges are configured
     - status information and monitoring
       - a domain exposes its status at https:///.httpd/certificate-status
       - Managed Domains are now in Apache's 'server-status' page
       - A new handler 'md-status' exposes verbose status information in JSON format
     - new directives
       - "MDCertificateFile" and "MDCertificateKeyFile" to configure a
         Managed Domain that uses static files. Auto-renewal is turned off for those.
       - "MDMessageCmd" that is invoked on several events: 'renewed', 'expiring' and
         'errored'.
       - "MDWarnWindow" directive to configure when expiration warnings shall be issued.
     [Stefan Eissing]

  *) mod_mime_magic: Fix possible corruption of returned strings.
     [Christophe Jaillet]

  *) Default "conf/magic": Fix pattern for "audio/x-wav" for WAV files,
     remove "audio/unknown" pattern for other RIFF files.
     [ГЂngel OllГ© BlГЎzquez ]

  *) mod_proxy_http2: fixing a potential NULL pointer use in logging.
     [Christophe Jaillet, Dr Silvio Cesare InfoSect]

  *) mod_dav: Reduce the amount of memory needed when doing PROPFIND's on large
     collections by improving the memory management. [Joe Orton, Ruediger Pluem]

  *) mod_proxy_http2: adding support for handling trailers in both directions.
     PR 63502. [Stefan Eissing]

  *) mod_proxy_http: forward 100-continue, and minimize race conditions when
     reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]

  *) mod_proxy_balancer: Fix some HTML syntax issues.  [Christophe Jaillet]

  *) When using mod_status with the Event MPM, report the number of requests
     associated with an active connection in the "ACC" field. Previously
     zero was always reported with this MPM.  PR60647. [Eric Covener]

  *) mod_http2: remove the no longer existing h2_ngn_shed.c from Cmake.
     [Stefan Eissing]

  *) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy
     SSL configurations broken inside  context.  PR 63430.
     [Ruediger Pluem, Yann Ylavic]

  *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
     PR 61857.  [Markus Gausling , Yann Ylavic]

  *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
     PR 63325. [Yann Ylavic]

  *) mod_info: Fix output of server settings for PIPE_BUF in mod_info in
     the rare case that PIPE_BUF is defined. [Rainer Jung]

  *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
     spite of umask. Fixes . [Stefan Eissing]

Apache httpd 2.4.41, собранный с Brotli, TLS 1.3 final (RFC 8446), OpenSSL 1.1.1c, ALPN и поддержкой http2 для Red Hat Enterprise Linux и CentOS: 37 комментариев

      1. Dear Alexander

        It would be great to have Apache httpd 2.4.41 with brotli support on CentOS 8. There is no repository for it at your servers and of course it doesn’t work on CentOS8 😉

        Any release information about CentOS 8 repository?

        Thank you in advance for your help and time.

        Sincerely

          1. Dear Alexander

            Yes, you are absolutely right. I was thinking about further major versions of Apache, which I suppose CentOS 8 default repository will not support beyond 2.4.37.

            Sincerely

      1. Thanks, Pascal, I now understand what is the specific problem users address.
        We use Fedora apachectl file that works with systemd, so we really do not support all the features vanilla builds provide.
        I now see that the problem first appeared in 2.4.41-3 build, 2.4.41-2 still supports apachectl -t -D DUMP_RUN_CFG.

        2.4.41-3 is a refresh of Fedora spec and patches, we will try to dig why apachectl behavior changed with updated spec.

        Thank you for the link.

    1. Hi Reio,

      We see that brotli libraries are now present in EPEL repository, package name is «brotli». To avoid problems with same files and different versions, we decided to use brotli libraries from EPEL repository. Please ensure you added it as it is described in repo configuration page.

      No, httpd should not require nginx, it should install brotli package from EPEL instead.

      1. Thanks, I just removed nginx. I noticed earlier already, that brotli 1.0.7 was now taken from epel. But updating httpd to 2.4.41-4 seemingly replaced libbrotli 1.0.6 with nginx. Unfortunately I didn’t save the yum output.

  1. When I do an update on my machine, it suggests to replace «libbrotli.x86_64 1:1.0.6-1.codeit.el7» with «nginx 1:1.16.1-1.el7.codeit», and it also wants to install brotli from epel for dependencies.

    Solution is to «manually» replace brotli with libbrotli :

    # yum shell
    > remove libbrotli
    > install brotli
    > transaction solve
    > transaction run
    > exit

    Doing that you will avoid having to install nginx to remove it afterwards.

  2. Hello,
    thanks for your efforts. So, once installed the newer httpd version on CentOS 7, is
    LoadModule http2_module modules/mod_http2.so
    needed to be added on conf.modules.d/00-base.conf and it works as expected?
    Is it correct?

    And, for example, do you know Virtualmin and possible issues about it?
    thanks

    1. pardon, and also, please: when upgraded, are the old .conf files untouched? That is, does it create the rpmnew files as usual or does it overwrite anything and so, better to do a previous backup of the conf files? Thanks

  3. Hello, I’m trying to rebuild your src rpm because I need the
    %define suexec_docroot /home

    and Epoch :1 and 1: in some Requires…

    then, when I (eg.)
    rpmbuild -ba /root/rpmbuild/SPECS/httpd.spec.41-4

    at first it complains about the installed openssl-devel which conflicts.
    Do I need to uninstall openssl on my machine or why don’t you explain what are the issues with openssl?

    Then, you wrote into the specs
    —with-ssl=/root/openssl-1.1.1d

    why it expects openssl-1.1.1d into the root?
    Maybe that means when you build that rpm, you had the openssl-1.1.1d into /root ?
    If I try to get the latest openssl source into /root/openssl-1.1.1d
    the compiler continues but then
    /root/openssl-1.1.1d/include/openssl/rsa.h:13:34: fatal error: openssl/opensslconf.h: No such file or directory

    maybe because that should be compiled for CentOS 7 before…

    So, please, how to correctly build your rpm with my patch without errors about openssl?
    The problem is: I need to update the Apache 2.4.6 to 2.4.41 on CentOS 7, I don’t need to install it from scratch…this is the main issue. Please help about this, many thanks

    1. Update:
      to try, I can’t even remove openssl from my system because it would remove many dependencies which I can’t remove under any circumstances. And also, at the moment the update to CentOS 8 is still impossible because data to restore would mean too many hours of work. At the moment, the only thing I need is support for the http2 protocol and so it’s getting more complicated than expected.

  4. #cat /etc/yum.repos.d/codeit.el7.repo
    [CodeIT]
    name=CodeIT repo
    baseurl=https://repo.codeit.guru/packages/centos/7/$basearch
    enabled=1
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
    gpgcheck=1
    #yum update httpd*

    Dependencies Resolved

    =============================================================================
    Package Arch Version Repository Size
    =============================================================================
    Updating:
    apr x86_64 1.5.2-1.el7.codeit CodeIT 111 k
    httpd x86_64 2.4.41-4.codeit.el7 CodeIT 1.4 M
    httpd-tools x86_64 2.4.41-4.codeit.el7 CodeIT 1.3 M
    Installing for dependencies:
    httpd-filesystem noarch 2.4.41-4.codeit.el7 CodeIT 27 k
    libnghttp2 x86_64 1.31.1-2.el7 epel 67 k
    mod_http2 x86_64 1.15.3-1.codeit CodeIT 208 k

    Transaction Summary
    =============================================================================
    Install ( 3 Dependent packages)
    Upgrade 3 Packages

    Total download size: 3.0 M
    # rpm -qa | grep httpd
    httpd-tools-2.4.6-90.el7.centos.x86_64
    httpd-2.4.6-90.el7.centos.x86_64
    httpd-itk-2.4.7.04-2.el7.x86_64
    Соотвественно:

    AssignUserId p603 p603-www


    и
    LoadModule mpm_itk_module modules/mod_mpm_itk.so

    После yum update
    Апач не стартует.
    В логах:
    [Wed Feb 05 13:10:21.337262 2020] [suexec:notice] [pid 1203:tid 140542650091712] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Wed Feb 05 13:10:21.337376 2020] [mpm_itk:crit] [pid 1203:tid 140542650091712] mpm-itk cannot use threaded MPMs; please use prefork.

    Помогло откатить пакеты httpd на те которые не из вашего репозитория.
    Я так понимаю что httpd-itk-2.4.7.04-2.el7.x86_64 с httpd-2.4.41-4.codeit.el7.x86_64.rpm не работает.
    У вас в репозитории httpd-itk нет.

    1. Добрый день, Ярослав.
      Да, именно так, для вас новости плохие.
      Мы не поддерживаем mpm itk, а только делаем аналог «родного» httpd с патчами Redhat/Fedora для CentOS 6/7.

      Но всё же попробуйте поменять mpm на prefork в своём конфиге. Мы не тестировали это никогда.

      1. как временное решение:
        # cat codeit.el7.repo
        [CodeIT]
        name=CodeIT repo
        baseurl=https://repo.codeit.guru/packages/centos/7/$basearch
        enabled=1
        gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
        gpgcheck=1
        exclude=httpd*

    1. Albert, we are not experts on OpenSSL development. But as soon as commit was made on 4 Dec 2019, and latest OpenSSL 1.1.1d was released in September 2019, I think that we still not have this fix in our builds.
      You have to wait for next OpenSSL release (e.g. 1.1.1e) and of course we will make a new build (e.g. httpd-2.4.41-5) against OpenSSL 1.1.1e.

  5. Hello and thanks for this package. I’ve installed it on a CentOS 7.7 server, configured with the Protocols directive and all the stuff. But it keeps saying that ALPN is not enabled. I am missing something? Thanks.

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *