В репозиторий добавлен Apache httpd 2.4.41 с поддержкой сжатия brotli от Google, http2 для Red Hat Enterprise Linux и CentOS. Mod_ssl собран статически с OpenSSL 1.1.1c. Ссылки:
Заметим, что httpd 2.4.41 поддерживает TLS 1.3 при сборке с OpenSSL 1.1.1. Все новые шифры включены и работают.
TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.
Для работы с SELinux установите следующий boolean:
setsebool -P httpd_execmem=1
Модуль brotli уже включён в базовый RPM. Всё, что нужно — настроить фильтр
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
Changes with Apache 2.4.41:
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users. [Joe Orton,
Niels Heinen ]
*) mod_session: Introduce SessionExpiryUpdateInterval which allows to
configure the session/cookie expiry's update interval. PR 57300.
[Paul Spangler ]
*) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
PR 63633. [Rainer Jung, Joe Orton]
*) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
configured for a domain managed by mod_md. [Stefan Eissing]
Changes with Apache 2.4.40
*) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via
RegexDefaultOptions -DOTALL [Yann Ylavic]
*) core: Remove request details from built-in error documents [Eric Covener]
*) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]
*) mod_http2: fixed a bug that prevented proper stream cleanup when connection
throttling was in place. Stream resets by clients on streams initiated by them
are counted as possible trigger for throttling. [Stefan Eissing]
*) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
more to write with streams ongoing (flow control block). The timeout waiting
for the client to send WINODW_UPDATE was incorrectly KeepAliveTimeout and not
Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]
*) mod_proxy_balancer: Load balancer required byrequests when bytraffic chosen.
PR 62372. [Jim Jagielski]
*) mod_proxy_hcheck: Create the configuration for mod_proxy_hcheck
when used in BalancerMember. PR 60757. [Jean-Frederic Clere]
*) mod_proxy_hcheck: Mute extremely frequent debug message. [Yann Ylavic]
*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.
Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.
[Stefan Eissing]
*) mod_md: new features
- protocol
- supports the ACMEv2 protocol. It is the default and will be used on the next
certificate renewal, unless another "MDCertificateAuthority" is configured
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
announcement by Let's Encrypt:
https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
- challenges
- new challenge method 'tls-alpn-01' implemented
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- status information and monitoring
- a domain exposes its status at https:///.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives
- "MDCertificateFile" and "MDCertificateKeyFile" to configure a
Managed Domain that uses static files. Auto-renewal is turned off for those.
- "MDMessageCmd" that is invoked on several events: 'renewed', 'expiring' and
'errored'.
- "MDWarnWindow" directive to configure when expiration warnings shall be issued.
[Stefan Eissing]
*) mod_mime_magic: Fix possible corruption of returned strings.
[Christophe Jaillet]
*) Default "conf/magic": Fix pattern for "audio/x-wav" for WAV files,
remove "audio/unknown" pattern for other RIFF files.
[ГЂngel OllГ© BlГЎzquez ]
*) mod_proxy_http2: fixing a potential NULL pointer use in logging.
[Christophe Jaillet, Dr Silvio Cesare InfoSect]
*) mod_dav: Reduce the amount of memory needed when doing PROPFIND's on large
collections by improving the memory management. [Joe Orton, Ruediger Pluem]
*) mod_proxy_http2: adding support for handling trailers in both directions.
PR 63502. [Stefan Eissing]
*) mod_proxy_http: forward 100-continue, and minimize race conditions when
reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]
*) mod_proxy_balancer: Fix some HTML syntax issues. [Christophe Jaillet]
*) When using mod_status with the Event MPM, report the number of requests
associated with an active connection in the "ACC" field. Previously
zero was always reported with this MPM. PR60647. [Eric Covener]
*) mod_http2: remove the no longer existing h2_ngn_shed.c from Cmake.
[Stefan Eissing]
*) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy
SSL configurations broken inside context. PR 63430.
[Ruediger Pluem, Yann Ylavic]
*) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
PR 61857. [Markus Gausling , Yann Ylavic]
*) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
PR 63325. [Yann Ylavic]
*) mod_info: Fix output of server settings for PIPE_BUF in mod_info in
the rare case that PIPE_BUF is defined. [Rainer Jung]
*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
spite of umask. Fixes . [Stefan Eissing]