brotli and libbrotli 1.1.0 added to the repository to all supported platforms
Автор: Alexander Gerasimov
NGINX 1.25.1 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.9, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9
NGINX 1.25.1 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.9.
Major changes:
- Feature: the «http2» directive, which enables HTTP/2 on a per-server basis; the «http2» parameter of the «listen» directive is now deprecated.
- Change: HTTP/2 server push support has been removed.
- Change: the deprecated «ssl» directive is not supported anymore.
- Bugfix: in HTTP/3 when using OpenSSL.
RHEL 7 / CentOS 7:
yum upgrade -y codeit-repo-release yum-config-manager --disable CodeIT-quic --save yum-config-manager --enable CodeIT-mainline --save
RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now. To install nginx with HTTP/3 support, you need to enable the appropriate stream:
dnf module reset -y nginx dnf module enable -y nginx:codeit-mainline
We build OpenSSL+QUIC 3.0 separately since v1.21.6, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries.
Exerimental HTTP/3 support added in NGINX 1.25.0 Mainline. We build it with the corresponding module (—with-http_v3_module).
NGINX 1.25.0 QUIC/HTTP3 Notice
Please note that since NGINX 1.25.0 QUIC branches on Mercurial and GitHub are removed.
All the development moved to Mainline branch. Thus, the builds of Mainline version now have QUIC. QUIC Streams and repository will be moved to the archive repo, please switch to mainline:
RHEL 7 / CentOS 7:
yum upgrade -y codeit-repo-release yum-config-manager --enable CodeIT-mainline --save
RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9:
dnf module reset -y nginx dnf module enable -y nginx:codeit-mainline
NGINX team also notified that TCP streams now do not have QUIC support, thus we build without --with-stream_quic_module option.
NGINX 1.25.0 Mainline, собранный с Brotli, TLS 1.3, OpenSSL 3.0.8, поддержкой http2, http3 (QUIC) для Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9
В репозиторий добавлен NGINX 1.25.0 mainline с поддержкой HTTP/3, сжатия brotli от Google, http2, ngx cache purge и ngx http geoip2 module. OpenSSL собран динамически с OpenSSL+QUIC (QuicTLS) 3.0.8.
TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.
RHEL 7 / CentOS 7:
yum upgrade -y codeit-repo-release yum-config-manager --disable CodeIT-quic --save yum-config-manager --enable CodeIT-mainline --save
RHEL 8 / Alma Linux 8 / Rocky Linux 8 / CentOS 8 / Other EL8 репозиторий стал модульным. Для установки надо включить соответствующий стрим:
dnf module reset -y nginx dnf module enable -y nginx:codeit-mainline
Для включения TLS 1.3 надо указать:
ssl_protocols TLSv1.2 TLSv1.3;
C версии 1.21.6 мы собираем OpenSSL+QUIC 3.0 отдельно, он устанавливается в /lib64 отдельно с суффиксом .so.81.3 и никак не затрагивает системные библиотеки.
С версии 1.25.0 в NGINX появилась экспериментальная поддержка HTTP/3, наши сборки выполняются с поддержкой этого экспериментального модуля (—with-http_v3_module).
NGINX 1.24.0 stable, собранный с Brotli, TLS 1.3, OpenSSL 3.0.8, поддержкой http2 для Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9
NGINX 1.24.0 stable added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge и ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.8.
TLS 1.3 final works with Google Chrome 70+ and Mozilla Firefox 63+.
RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now. To install nginx mainline, you need to enable the appropriate stream:
dnf module enable -y nginx:codeit-stable
We build OpenSSL+QUIC 3 separately since v1.23.4, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries.
Apache httpd 2.4.57 with brotli support, TLS 1.3, OpenSSL 3.0.8 with http2, mod_http2 2.0.13 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9
Apache httpd 2.4.57-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.8.
We build OpenSSL+QUIC 3.0.8 separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:
dnf module enable httpd:codeit
Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
Migration to OpenSSL+QUIC / quictls 3.0
As soon as OpenSSL 1.1.1 is approaching to its EOL, the decision is to migrate to 3.0.
We already provided openssl 3.0.8 builds for AARCH64. All the nginx and apache builds use it as a dependency.
Now we are building 3.0.8 for x86_64. Please note that as of 28.03.2023 nginx and apache are not yet rebuilded and still use 1.1.1 as a dependency, thus dnf upgrade may fail until everything will be rebuilded againgst 3.0.8. This is an expected behavior.
NGINX 1.23.4 will be the first build with OpenSSL 3.0.
Please consider supporting my work.
UPDATE. Builds and migration is finished, please report any problems.
Aarch64 / ARM64/v8 EL9 builds added
Aarch64 / ARM64/v8 EL9 builds added to the repo. Please consider supporting my work.
Aarch64 / ARM64/v8 EL8 builds added
As I got many requests, Aarch64 / ARM64/v8 EL8 builds added to the repo. Please consider supporting my work.
Apache httpd 2.4.56, собранный с Brotli, TLS 1.3 final (RFC 8446), OpenSSL 1.1.1t, ALPN и поддержкой http2 для Rocky Linux, Red Hat Enterprise Linux, Alma Linux и CentOS
В репозиторий добавлен Apache httpd 2.4.56-1 с поддержкой сжатия brotli от Google, mod_http2 2.0.13 для Red Hat Enterprise Linux, Rocky Linux, Alma Linux и CentOS. Mod_ssl собран динамически с OpenSSL 1.1.1t.
Исправлены уязвимости:
- CVE-2023-27522: HTTP response smuggling bug
- CVE-2023-25690: HTTP request smuggling vulnerability
Заметим, что httpd 2.4.54 поддерживает TLS 1.3 при сборке с OpenSSL 1.1.1. Все новые шифры включены и работают.
C версии 2.4.54-2 мы собираем OpenSSL+QUIC 1.1.1 отдельно, он устанавливается в /lib64 отдельно с суффиксом .so.81.1.1 и никак не затрагивает системные библиотеки.
Для установки в EL8 нужно включить соответствующий Module stream:
dnf module enable -y httpd:codeit
TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.
Для работы с SELinux в rpm включена соответствующая минимальная политика.
Модуль brotli уже включён в базовый RPM. Всё, что нужно — настроить фильтр
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript