Apache httpd 2.4.54-1 with Google's brotli compression support and mod_http2 2.0.2 has been added to the repository for Red Hat Enterprise Linux, Rocky Linux, Alma Linux and CentOS. mod_ssl is built dynamically against OpenSSL 1.1.1o.
Fixed vulnerability CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling.
Note that httpd 2.4.54 supports TLS 1.3 when built with OpenSSL 1.1.1. All new ciphers are enabled and working.
Starting with version 2.4.54-2, we build OpenSSL+QUIC 1.1.1 separately; it is installed separately into /lib64 with the .so.81.1.1 suffix and does not affect the system libraries in any way.
To install on EL8, enable the corresponding module stream:
dnf module enable -y httpd:codeit
As of today, TLS 1.3 final works in Google Chrome 70+ and Mozilla Firefox 63+.
For SELinux, the rpm includes a corresponding minimal policy.
The brotli module is already included in the base RPM. All you need to do is configure the filter:
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
Hello,
I am just curious if you are aware of any troubles with the repo? Possible corruption maybe? I am running into a Content-Length issue when trying to pull down packages.
——
Downloading Packages:
[MIRROR] httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch.rpm: Interrupted by header callback: Server reports Content-Length: 33590 but expected size is: 33598
(1/11): apr-1.7.0-2.el8.x86_64.rpm 772 kB/s | 129 kB 00:00
[MIRROR] httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 102586 but expected size is: 102582
[MIRROR] httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch.rpm: Interrupted by header callback: Server reports Content-Length: 33590 but expected size is: 33598
(2/11): httpd-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 3.6 MB/s | 1.5 MB 00:00
[MIRROR] httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm: Interrupted by header callback: Server reports Content-Length: 102586 but expected size is: 102582
[FAILED] httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm: No more mirrors to try — All mirrors were already tried without success
(4-5/11): mod_http2-2.0.2-1.codeit.el8.x86_64.rpm 44% [===============================================- ] 901 kB/s | 1.7 MB 00:02 ETA
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing ‘yum clean packages’.
Error: Error downloading packages:
httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64: Cannot download, all mirrors were already tried without success
——
Thanks for your time!
Hello, no, we do not have information about the issues, thanks for reporting!
Could you provide more information on the repository? Is this the «stable» or «testing» EL8 repo?
You bet.
I am running a Rocky Linux VM (kvm/qemu). The repo file looks like this…
[CodeIT]
name=CodeIT repo
baseurl=https://repo.codeit.guru/packages/centos/$releasever/$basearch
enabled=1
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-MasterOfDevon
gpgcheck=1
[CodeIT-mainline]
name=CodeIT mainline repo
baseurl=https://repo.codeit.guru/packages/mainline/centos/$releasever/$basearch
enabled=1
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-MasterOfDevon
gpgcheck=1
[CodeIT-testing]
name=CodeIT testing repo
baseurl=https://repo.codeit.guru/packages/testing/$releasever/$basearch
enabled=0
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-MasterOfDevon
gpgcheck=1
I am trying to test out some packages, and how they work with each other before I upgrade my live systems.
I appreciate your response and all your efforts, thank you!!
I just jumped back in and tested it, and it seems to be working well now. If you threw your time at this, I appreciate it very much!
Thank you!
——
Total download size: 3.8 M
Installed size: 9.9 M
Is this ok [y/N]: y
Downloading Packages:
(1/11): apr-1.7.0-2.el8.x86_64.rpm 308 kB/s | 129 kB 00:00
(2/11): httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch.rpm 78 kB/s | 33 kB 00:00
(3/11): httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 497 kB/s | 100 kB 00:00
(4/11): mod_http2-2.0.2-1.codeit.el8.x86_64.rpm 613 kB/s | 153 kB 00:00
(5/11): apr-util-1.6.1-6.el8.1.x86_64.rpm 27 MB/s | 104 kB 00:00
(6/11): apr-util-bdb-1.6.1-6.el8.1.x86_64.rpm 14 MB/s | 23 kB 00:00
(7/11): apr-util-openssl-1.6.1-6.el8.1.x86_64.rpm 18 MB/s | 26 kB 00:00
(8/11): mailcap-2.1.48-3.el8.noarch.rpm 26 MB/s | 38 kB 00:00
(9/11): rocky-logos-85.0-4.el8.x86_64.rpm 65 MB/s | 328 kB 00:00
(10/11): httpd-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 1.7 MB/s | 1.5 MB 00:00
(11/11): openssl-quic-libs-1.1.1o-1.codeit.el8.x86_64.rpm 3.6 MB/s | 1.4 MB 00:00
—————————————————————————————————————————————————————————————————————————————————————-
Total 3.7 MB/s | 3.8 MB 00:01
Installed:
apr-1.7.0-2.el8.x86_64 apr-util-1.6.1-6.el8.1.x86_64 apr-util-bdb-1.6.1-6.el8.1.x86_64 apr-util-openssl-1.6.1-6.el8.1.x86_64 httpd-2.4.54-1.module_codeit.codeit.el8.x86_64
httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64 mailcap-2.1.48-3.el8.noarch mod_http2-2.0.2-1.codeit.el8.x86_64 openssl-quic-libs-1.1.1o-1.codeit.el8.x86_64
rocky-logos-85.0-4.el8.x86_64
——
Thank you for the confirmation!
Hello Alexander (and Team),
I am wondering if you could direct me on how to go about resolving this issue?
«No available modular metadata for modular package ‘mod_http2-2.0.3-1.codeit.el8.x86_64’, it cannot be installed on the system»
I have reloaded my repo, but have had no luck trying to get mod_http2 updated. Below is the full run of my dnf update.
——
# dnf update
Last metadata expiration check: 0:07:01 ago on Sat 09 Jul 2022 02:58:50 AM MDT.
Dependencies resolved.
================================================================================================================================================================================
Package Architecture Version Repository Size
================================================================================================================================================================================
Upgrading:
httpd x86_64 2.4.54-1.module_codeit.codeit.el8 CodeIT 1.5 M
httpd-devel x86_64 2.4.54-1.module_codeit.codeit.el8 CodeIT 225 k
httpd-filesystem noarch 2.4.54-1.module_codeit.codeit.el8 CodeIT 33 k
httpd-tools x86_64 2.4.54-1.module_codeit.codeit.el8 CodeIT 100 k
mod_http2 x86_64 2.0.3-1.codeit.el8 CodeIT 155 k
mod_md x86_64 2.4.54-1.module_codeit.codeit.el8 CodeIT 169 k
mod_ssl x86_64 1:2.4.54-1.module_codeit.codeit.el8 CodeIT 131 k
Installing dependencies:
openssl-quic-libs x86_64 1.1.1q-1.codeit.el8 CodeIT 1.4 M
Transaction Summary
================================================================================================================================================================================
Install 1 Package
Upgrade 7 Packages
Total download size: 3.7 M
Is this ok [y/N]: y
Downloading Packages:
(1/8): httpd-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 29 MB/s | 1.5 MB 00:00
(2/8): httpd-devel-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 4.0 MB/s | 225 kB 00:00
(3/8): httpd-filesystem-2.4.54-1.module_codeit.codeit.el8.noarch.rpm 2.8 MB/s | 33 kB 00:00
(4/8): openssl-quic-libs-1.1.1q-1.codeit.el8.x86_64.rpm 20 MB/s | 1.4 MB 00:00
(5/8): httpd-tools-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 6.0 MB/s | 100 kB 00:00
(6/8): mod_http2-2.0.3-1.codeit.el8.x86_64.rpm 14 MB/s | 155 kB 00:00
(7/8): mod_ssl-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 11 MB/s | 131 kB 00:00
(8/8): mod_md-2.4.54-1.module_codeit.codeit.el8.x86_64.rpm 6.7 MB/s | 169 kB 00:00
———————————————————————————————————————————————————————————
Total 37 MB/s | 3.7 MB 00:00
Running transaction check
No available modular metadata for modular package ‘mod_http2-2.0.3-1.codeit.el8.x86_64’, it cannot be installed on the system
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing ‘dnf clean packages’.
Error: No available modular metadata for modular package
——
I appreciate your help!
Hello Alexander,
I second this issue.
Tried on a fresh Rocky 8.6 & OL9 fresh install.
Thanks,
Alex
Hello Alex,
Sorry, fixed.
Thank you for reporting!
Hello!
Sorry for the issue: we are lacking installation tests, and metadata updates and caches cause problems for us sometimes.
Thank you for reporting!
Please test again.
Success Alex!
Thank you for checking into it. I really appreciate your builds and your upkeep. Thank you!
——
# dnf update mod_http2
Last metadata expiration check: 1:08:16 ago on Sun 10 Jul 2022 03:10:29 PM MDT.
Dependencies resolved.
================================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
================================================================================================================================================================================================================================================================
Upgrading:
mod_http2 x86_64 2.0.3-2.module_codeit.codeit.el8 CodeIT 155 k
Transaction Summary
================================================================================================================================================================================================================================================================
Upgrade 1 Package
Total download size: 155 k
Is this ok [y/N]: y
Downloading Packages:
mod_http2-2.0.3-2.module_codeit.codeit.el8.x86_64.rpm 589 kB/s | 155 kB 00:00
—————————————————————————————————————————————————————————————————————————————————————-
Total 585 kB/s | 155 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : mod_http2-2.0.3-2.module_codeit.codeit.el8.x86_64 1/2
Cleanup : mod_http2-2.0.2-1.codeit.el8.x86_64 2/2
Running scriptlet: mod_http2-2.0.2-1.codeit.el8.x86_64 2/2
Verifying : mod_http2-2.0.3-2.module_codeit.codeit.el8.x86_64 1/2
Verifying : mod_http2-2.0.2-1.codeit.el8.x86_64 2/2
Upgraded:
mod_http2-2.0.3-2.module_codeit.codeit.el8.x86_64
Complete!
——
Take care!!
Hello Alex,
Soooo, where is your «Buy Me A Coffee» or «Gift» or «Donate» button? I am not sure you comprehend how much time and effort you save me (and I’m sure others) with your builds. Every time I stand up a new system or reload a web server, it’s just a breath of fresh air to know that I am not gunna have to spend a day or two compiling!
Sincerely. Thank you for your efforts, your time, and even attention to the issues some of us run into. It has not been lost on me brother.
Thank you!
Hello, KP!
Thank you for asking, never thought about that, but let’s give it a try: https://www.paypal.com/donate/?hosted_button_id=CU9S26GMJJUD2
Thank you for your kind words and I’m really happy that you like my work.
Hi Alexander,
I’m running on Oracle Linux 7,9 (binary compatible w/ RHEL), and I’m on httpd 2.4.54, which I believe is the latest. I was just reading that it integrates with openssl 1.1.1o. My problem is that we run Tenable.io scans on our servers, to screen for security issues, and have identified an issue as being ‘openssl 1.1.1 < openssl 1.1.1p', which apparently causes some security issues.
If I were to download and install openssl 1.1.1p, that wouldn't do me any good, right? Because the openssl version has to be built into the httpd build?
Thanks for your efforts! I love the CodeIT repo!
Hi Mark!
We make httpd builds dynamically and we always update OpenSSL to the latest version.
Our httpd builds use openssl-quic-libs package (not openssl111-libs as our earlier builds), the latest version is 1.1.1q.
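An added example, not part of the comments above and not CodeIT's own tooling: when a scanner flags the OpenSSL version, the useful check is which libssl/libcrypto an httpd module actually resolves at load time. The function below classifies `ldd` output by the .so.81.1.1 suffix the post gives for the separate OpenSSL+QUIC build; the library file names, the sample input and the module path in the last comment are assumptions.

```shell
# classify_openssl: read `ldd` output on stdin and print one line per
# libssl/libcrypto dependency as "<soname> <origin>". Origin is
# "codeit-quic" for the .so.81.1.1 suffix named in the post, "missing"
# when the loader could not resolve the library, "system" otherwise.
classify_openssl() {
  awk '
    $1 ~ /^lib(ssl|crypto)\.so/ {
      origin = ($1 ~ /\.so\.81\.1\.1$/) ? "codeit-quic" : "system"
      if ($0 ~ /not found/) origin = "missing"
      print $1, origin
    }'
}

# uses_only_quic_libs: succeed only if at least one OpenSSL dependency
# is present and every one of them is the separately installed build.
uses_only_quic_libs() {
  report=$(classify_openssl)
  [ -n "$report" ] && ! printf '%s\n' "$report" | grep -qv ' codeit-quic$'
}

# Constructed sample input (not captured from a real host); file names
# are assumed from the suffix in the post, addresses are placeholders.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc00000000)
    libssl.so.81.1.1 => /lib64/libssl.so.81.1.1 (0x00007f0000000000)
    libcrypto.so.81.1.1 => /lib64/libcrypto.so.81.1.1 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

printf '%s\n' "$SAMPLE_LDD" | classify_openssl

# On a live host, feed real loader output instead (module path assumed):
#   ldd /usr/lib64/httpd/modules/mod_ssl.so | classify_openssl
```

A "system" result for mod_ssl means that the distribution's OpenSSL package is the one to patch; a "codeit-quic" result means the version that matters is that of openssl-quic-libs.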
Hello,
in RHEL8 the apache package is still 2.4.53
Dependencies resolved.
=====================================================================================================================================================================================================================
Package Architecture Version Repository Size
=====================================================================================================================================================================================================================
Installing:
httpd x86_64 2.4.53-1.codeit.el8 CodeIT 1.5 M
Installing dependencies:
apr x86_64 1.7.0-2.el8 CodeIT 129 k
apr-util x86_64 1.6.1-6.el8 CodeIT 103 k
httpd-filesystem noarch 2.4.53-1.codeit.el8 CodeIT 33 k
httpd-tools x86_64 2.4.53-1.codeit.el8 CodeIT 100 k
mailcap noarch 2.1.48-3.el8 rhel-8-for-x86_64-baseos-rpms 39 k
mod_http2 x86_64 2.0.2-1.codeit.el8 CodeIT 153 k
redhat-logos x86_64 84.5-1.el8 rhel-8-for-x86_64-baseos-rpms 364 k
Transaction Summary
=====================================================================================================================================================================================================================
Install 8 Packages
ETA for the update to 2.4.54
Hello Nanda,
It’s already there, please use modules:
https://codeit.guru/en_US/2022/06/rhel-8-alma-linux-8-rocky-linux-8-centos-8-other-el8-repo/
Hello,
installed 2.4.46 some time ago… we just had to change docroot and rebuild the package.
Now, is it safe to update the packages to 2.5.54 and openssl devel-libs or do we need to change and rebuild again?
Thanks
Hello Stephan,
devel packages are only needed to rebuild the package. To update to 2.4.54 simply upgrade httpd from the repository and openssl-quic-libs will be automatically installed.
I consider this a safe operation, but please always have your backups.
«had to change docroot…» for Virtualmin, it needs /home docroot.
So, when updating, is it maintaining docroot /home? Thanks
Sure it will, as docroot is specified in the config file(s), not in the build.