Автор: Alexander Gerasimov

В репозиторий добавлен Apache httpd 2.4.43-4 с поддержкой сжатия brotli от Google, http2 для Red Hat Enterprise Linux и CentOS. Mod_ssl собран динамически с OpenSSL 1.1.1g. Ссылки:

• Apache httpd 2.4.41 для EL7;

Заметим, что httpd 2.4.43 поддерживает TLS 1.3 при сборке с OpenSSL 1.1.1. Все новые шифры включены и работают. C версии 2.4.43-4 мы собираем OpenSSL отдельно, он устанавливается в /opt/codeit/openssl111 и никак не затрагивает системные библиотеки.

TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.

Для работы с SELinux в rpm включена соответствующая минимальная политика.

Модуль brotli уже включён в базовый RPM. Всё, что нужно — настроить фильтр

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

В репозиторий добавлен Apache httpd 2.4.43-2 с поддержкой сжатия brotli от Google, http2 для Red Hat Enterprise Linux и CentOS. Mod_ssl собран статически с OpenSSL 1.1.1f. Ссылки:

• Apache httpd 2.4.41 для EL7;

Заметим, что httpd 2.4.43 поддерживает TLS 1.3 при сборке с OpenSSL 1.1.1. Все новые шифры включены и работают.

TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.

Для работы с SELinux в rpm включена соответствующая минимальная политика.

Модуль brotli уже включён в базовый RPM. Всё, что нужно — настроить фильтр

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

В репозиторий добавлен Apache httpd 2.4.43 с поддержкой сжатия brotli от Google, http2 для Red Hat Enterprise Linux и CentOS. Mod_ssl собран статически с OpenSSL 1.1.1e. Ссылки:

• Apache httpd 2.4.41 для EL7;

Заметим, что httpd 2.4.43 поддерживает TLS 1.3 при сборке с OpenSSL 1.1.1. Все новые шифры включены и работают.

TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.

Для работы с SELinux в rpm включена соответствующая минимальная политика.

Модуль brotli уже включён в базовый RPM. Всё, что нужно — настроить фильтр

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Changes with Apache 2.4.43

  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

Changes with Apache 2.4.42

  *) mod_proxy_http: Fix the forwarding of requests with content body when a
     balancer member is unavailable; the retry on the next member was issued
     with an empty body (regression introduced in 2.4.41). PR63891. 
     [Yann Ylavic]

  *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
     identifier under load, see .
     [Michael Kaufmann, Stefan Eissing]

  *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
     PR64140. [Renier Velazco ]

  *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
     PR64172.

  *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure 
     to allow customization of the usertrack cookie. PR64077.
     [Prashant Keshvani , Eric Covener]

  *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
     AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev ]

  *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
     [Eric Covener, Yann Ylavic]

  *) Add a config layout for OpenWRT. [Graham Leggett]

  *) Add support for cross compiling to apxs. If apxs is being executed from
     somewhere other than its target location, add that prefix to includes and
     library directories. Without this, apxs would fail to find config_vars.mk
     and exit. [Graham Leggett]

  *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
     issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
     [Michael Kaufmann , Stefan Eissing]

  *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
     [Graham Leggett]

  *) mod_ssl: Support use of private keys and certificates from an
     OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
     [Anderson Sasaki , Joe Orton]

  *) mod_md:
     - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
       thanks to Timothe Litt (@tlhackque).
     - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
       check all matching virtual hosts for protocol support. Thanks to @mkauf.
     - Corrected a check when OCSP stapling was configured for hosts
       where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
     - Softening the restrictions where mod_md configuration directives may appear. This should
       allow for use in  and  sections. If all possible variations lead to the configuration
       you wanted in the first place, is another matter.
     [Michael Kaufmann , Timothe Litt (@tlhackque),
      Michal Karm Babacek (@Karm), Stefan Eissing (@icing)] 

  *) test: Added continuous testing with Travis CI.
     This tests various scenarios on Ubuntu with the full test suite.
     Architectures tested: amd64, s390x, ppc64le, arm64
     The tests pass successfully.
     [Luca Toscano, Joe Orton, Mike Rumph, and others]

  *) core: Be stricter in parsing of Transfer-Encoding headers.
     [ZeddYu , Eric Covener]

  *) mod_ssl: negotiate the TLS protocol version per name based vhost
     configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
     SSLProtocol (from the first vhost declared on the IP:port) is now only
     relevant if no SSLProtocol is declared for the vhost or globally,
     otherwise the vhost or global value apply.  [Yann Ylavic]

  *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
     output.  PR 64096.  [Joe Orton]

  *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
     [Giovanni Bechis , Jim Jagielski]

  *) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]

  *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
     r:notes_table, r:subprocess_env_table as read-only native table alternatives
     that can be iterated over. [Eric Covener]

  *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection. 
     [Yann Ylavic, Stefan Eissing]

  *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env, 
     r.headers_out, etc) to remove the key from the table. PR63971. 
     [Eric Covener]

  *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
     ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct` 
     always `on`, regardless of configuration. Found and reported by
      and
     . [Stefan Eissing] 

  *) mod_http2: Multiple field length violations in the same request no longer cause
     several log entries to be written. [@mkauf]

  *) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
     [Lubos Uhliarik , Yann Ylavic]

  *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
     [Jim Jagielski]
 
  *) mod_authn_socache: Increase the maximum length of strings that can be cached by
     the module from 100 to 256.  PR 62149 []

  *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
     [Ruediger Pluem, Eric Covener]

  *) core: On Windows, fix a start-up crash if  is used with a path that is not
     valid (For example, testing for a file on a flash drive that is not mounted)
     [Christophe Jaillet]

  *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
     means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]

  *) mod_md v2.2.3: 
     - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
       had been additive before which was not the intended behaviour. [@mkauf]
     - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
       documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
     - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
     - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
       "transfer-encoding" to POST requests. This failed in directy communication with
       Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

  *) mod_md: Adding the several new features.
     The module offers an implementation of OCSP Stapling that can replace fully or
     for a limited set of domains the existing one from mod_ssl. OCSP handling
     is part of mod_md's monitoring and message notifications. If can be used
     for sites that do not have ACME certificates.
     The url for a CTLog Monitor can be configured. It is used in the server-status
     to link to the external status page of a certicate.
     The MDMessageCmd is called with argument "installed" when a new certificate
     has been activated on server restart/reload. This allows for processing of
     the new certificate, for example to applications that require it in different
     locations or formats.
     [Stefan Eissing]

  *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS 
     protection. PR 63688. [Armin Abfalterer ]

В репозиторий добавлен Apache httpd 2.4.41 с поддержкой сжатия brotli от Google, http2 для Red Hat Enterprise Linux и CentOS. Mod_ssl собран статически с OpenSSL 1.1.1c. Ссылки:

• Apache httpd 2.4.41 для EL7;

Заметим, что httpd 2.4.41 поддерживает TLS 1.3 при сборке с OpenSSL 1.1.1. Все новые шифры включены и работают.

TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.

Для работы с SELinux установите следующий boolean:

setsebool -P httpd_execmem=1

Модуль brotli уже включён в базовый RPM. Всё, что нужно — настроить фильтр

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Changes with Apache 2.4.41:

  *) mod_proxy_balancer: Improve balancer-manager protection against 
     XSS/XSRF attacks from trusted users.  [Joe Orton,
     Niels Heinen ]

  *) mod_session: Introduce SessionExpiryUpdateInterval which allows to
     configure the session/cookie expiry's update interval. PR 57300.
     [Paul Spangler ]

  *) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
     PR 63633.  [Rainer Jung, Joe Orton]

  *) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
     configured for a domain managed by mod_md.  [Stefan Eissing]

Changes with Apache 2.4.40

  *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via 
     RegexDefaultOptions -DOTALL [Yann Ylavic]

  *) core: Remove request details from built-in error documents [Eric Covener]

  *) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
     merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]

  *) mod_http2: fixed a bug that prevented proper stream cleanup when connection
     throttling was in place. Stream resets by clients on streams initiated by them
     are counted as possible trigger for throttling. [Stefan Eissing]

  *) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
     more to write with streams ongoing (flow control block). The timeout waiting
     for the client to send WINODW_UPDATE was incorrectly KeepAliveTimeout and not
     Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]

  *) mod_proxy_balancer: Load balancer required byrequests when bytraffic chosen.
     PR 62372. [Jim Jagielski]

  *) mod_proxy_hcheck: Create the configuration for mod_proxy_hcheck
     when used in BalancerMember. PR 60757. [Jean-Frederic Clere]

  *) mod_proxy_hcheck: Mute extremely frequent debug message. [Yann Ylavic]

  *) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
     adding certificates and keys to a virtual host. An additional hook allows
     answering special TLS connections as used in ACME challenges.
     Adding 2 new hooks for init/get of OCSP stapling status information when
     other modules want to provide those. Falls back to own implementation with
     same behaviour as before.
     [Stefan Eissing]
  
  *) mod_md: new features
     - protocol
       - supports the ACMEv2 protocol. It is the default and will be used on the next
         certificate renewal, unless another "MDCertificateAuthority" is configured
       - ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
         announcement by Let's Encrypt:       
         https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
     - challenges
       - new challenge method 'tls-alpn-01' implemented
       - challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
       - supports command configuration to setup/teardown 'dns-01' challenges
       - supports wildcard certificates when dns challenges are configured
     - status information and monitoring
       - a domain exposes its status at https:///.httpd/certificate-status
       - Managed Domains are now in Apache's 'server-status' page
       - A new handler 'md-status' exposes verbose status information in JSON format
     - new directives
       - "MDCertificateFile" and "MDCertificateKeyFile" to configure a
         Managed Domain that uses static files. Auto-renewal is turned off for those.
       - "MDMessageCmd" that is invoked on several events: 'renewed', 'expiring' and
         'errored'.
       - "MDWarnWindow" directive to configure when expiration warnings shall be issued.
     [Stefan Eissing]

  *) mod_mime_magic: Fix possible corruption of returned strings.
     [Christophe Jaillet]

  *) Default "conf/magic": Fix pattern for "audio/x-wav" for WAV files,
     remove "audio/unknown" pattern for other RIFF files.
     [ГЂngel OllГ© BlГЎzquez ]

  *) mod_proxy_http2: fixing a potential NULL pointer use in logging.
     [Christophe Jaillet, Dr Silvio Cesare InfoSect]

  *) mod_dav: Reduce the amount of memory needed when doing PROPFIND's on large
     collections by improving the memory management. [Joe Orton, Ruediger Pluem]

  *) mod_proxy_http2: adding support for handling trailers in both directions.
     PR 63502. [Stefan Eissing]

  *) mod_proxy_http: forward 100-continue, and minimize race conditions when
     reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]

  *) mod_proxy_balancer: Fix some HTML syntax issues.  [Christophe Jaillet]

  *) When using mod_status with the Event MPM, report the number of requests
     associated with an active connection in the "ACC" field. Previously
     zero was always reported with this MPM.  PR60647. [Eric Covener]

  *) mod_http2: remove the no longer existing h2_ngn_shed.c from Cmake.
     [Stefan Eissing]

  *) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy
     SSL configurations broken inside  context.  PR 63430.
     [Ruediger Pluem, Yann Ylavic]

  *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
     PR 61857.  [Markus Gausling , Yann Ylavic]

  *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
     PR 63325. [Yann Ylavic]

  *) mod_info: Fix output of server settings for PIPE_BUF in mod_info in
     the rare case that PIPE_BUF is defined. [Rainer Jung]

  *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
     spite of umask. Fixes . [Stefan Eissing]