Apache 2.4.17 released

unihostbrasil

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES

Changes with Apache 2.4.17

*) mod_http2: added donated HTTP/2 implementation via core module. Similar
configuration options to mod_ssl. [Stefan Eissing]

*) mod_proxy: don't recycle backend announced "Connection: close" connections
to avoid reusing it should the close be effective after some new request
is ready to be sent. [Yann Ylavic]

*) mod_substitute: Allow to configure the patterns merge order with the new
SubstituteInheritBefore on|off directive. PR 57641
[Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]

*) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
PR 56687. [Arne de Bruijn <apache arbruijn.dds.nl>]

*) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]

*) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]

*) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
Kaspar Brand]

*) mod_logio: Fix logging of %^FB (time to first byte) on the first request on
an SSL connection. PR 58454.
[Konstantin J. Chernov <k.j.chernov gmail.com>]

*) mod_cache: r->err_headers_out is not merged into
r->headers when mod_cache is enabled and the response
is cached for the first time. [Edward Lu]

*) mod_slotmem_shm: Fix slots/SHM files names on restart for systems that
can't create new (clear) slots while previous children gracefully stopping
still use the old ones (e.g. Windows, OS2). mod_proxy_balancer failed to
restart whenever the number of configured balancers/members changed during
restart. PR 58024. [Yann Ylavic]

*) core/util_script: make REDIRECT_URL a full URL. PR 57785. [Nick Kew]

*) MPMs: Support SO_REUSEPORT to create multiple duplicated listener
records for scalability. [Yingqi Lu <[email protected]>,
Jeff Trawick, Jim Jagielski, Yann Ylavic]

*) mod_proxy: Fix a race condition that caused a failed worker to be retried
before the retry period is over. [Ruediger Pluem]

*) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime are
loaded. [Eric Covener]

*) mod_rewrite: Allow cookies set by mod_rewrite to contain ':' by accepting
';' as an alternate separator. PR 47241.
[<bugzilla schermesser com>, Eric Covener]

*) apxs: Add HTTPD_VERSION and HTTPD_MMN to the variables available with
apxs -q. PR 58202. [Daniel Shahaf <danielsh apache.org>]

*) mod_rewrite: Avoid a crash when lacking correct DB access permissions
when using RewriteMap with MapType dbd or fastdbd. [Christophe Jaillet]

*) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
PR 57868. [Jose Kahan <jose w3.org>, Yann Ylavic]

*) mod_socache_memcache: Add the 'MemcacheConnTTL' directive to control how
long to keep idle connections with the memcache server(s).
Change default value from 600 usec (!) to 15 sec. PR 58091
[Christophe Jaillet]

*) mod_dir: Prevent the internal identifier "httpd/unix-directory" from
appearing as a Content-Type response header when requests for a directory
are rewritten by mod_rewrite. [Eric Covener]
 
ditto, why do you think it's not an official release? :) It is. Apache needs the mirrors to catch up, and only when they do, the official announcement is placed on their page. This is the reason why a delay exists between the official tarballs and announcement of the release.
 
what about this?
https://httpd.apache.org/docs/2.4/mod/mod_http2.html
need changes to http2 ssl on virtualhost =]
 
Tried to build this version with http2 support, but failed.. Can anyone tell me how to enable http2 when using DirectAdmin?
 
It's most likely that your OpenSSL does not support the ALPN extension. Please follow these steps to get HTTP/2 enabled with Apache:
1) Install OpenSSL, with ALPN support:
Code:
wget ftp://ftp.openssl.org/source/openssl-1.0.2e.tar.gz
tar xzf openssl-1.0.2e.tar.gz
cd openssl-1.0.2e
./config --prefix=/usr/local/lib_http2 no-ssl2 no-ssl3 zlib-dynamic
make depend
make install

2) Install nghttp2:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build nghttp2

3) Enable http2 in Apache:
Code:
cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2
cp -p configure/ap2/configure.apache custom/ap2/configure.apache

Edit custom/ap2/configure.apache, find:
Code:
    "--with-ssl=/usr" \

Replace with:
Code:
    "--enable-http2" \
    "--enable-ssl-staticlib-deps" \
    "--with-ssl=/usr/local/lib_http2" \

Re-install apache:
Code:
./build apache

4) Configure Apache to run http2:
Code:
echo 'ProtocolsHonorOrder On' >> /etc/httpd/conf/extra/httpd-includes.conf
echo 'Protocols h2 h2c http/1.1' >> /etc/httpd/conf/extra/httpd-includes.conf

Update SSL Ciphers in /etc/httpd/conf/extra/httpd-ssl.conf:
Code:
cd /usr/local/directadmin/custombuild
./build rewrite_confs

Restart apache now :)
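The four steps above are run once by hand; as an added example (not code from the thread, from Martynas, or from DirectAdmin's custombuild) the POSIX sh helpers below make the file edits from steps 3 and 4 repeatable, so running them a second time does not duplicate the `Protocols` lines or the `--with-ssl` replacement, and bundle the checks the thread uses afterwards: that the OpenSSL version is ALPN-capable, that `ldd` shows no dynamic libssl.so, and that a TLS handshake actually selects h2. File paths and the `openssl version` / `openssl s_client` output formats are assumptions; the functions take paths as parameters so they can be tried on scratch copies first.

```shell
#!/bin/sh
# Added example, not part of the thread: idempotent helpers for steps 3 and 4
# plus post-build checks. Paths are parameters; the live paths from the thread
# (custombuild, /etc/httpd/conf/extra, /usr/sbin/httpd) appear only in the
# usage comments at the bottom and are assumptions about the target system.

# HTTP/2 over TLS needs ALPN, which OpenSSL added in 1.0.2.
# Usage: openssl_has_alpn 1.0.2d   (version as printed by "openssl version")
openssl_has_alpn() {
    ver=$1
    major=${ver%%.*};  rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%[!0-9]*}           # "2d" -> 2, "8e" -> 8
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 0 ]; then return 0; fi
    [ "$patch" -ge 2 ]
}

# Step 3: replace the single '"--with-ssl=/usr" \' line in configure.apache
# with the three HTTP/2 lines. A file that already has --enable-http2 is left
# untouched, so the function can be re-run safely.
# Usage: patch_configure_apache custom/ap2/configure.apache /usr/local/lib_http2
patch_configure_apache() {
    f=$1; prefix=$2
    if grep -q -- '--enable-http2' "$f"; then return 0; fi
    awk -v p="$prefix" '
        /"--with-ssl=\/usr" \\$/ {
            print "    \"--enable-http2\" \\"
            print "    \"--enable-ssl-staticlib-deps\" \\"
            print "    \"--with-ssl=" p "\" \\"
            next
        }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 4: the thread appends with "echo >>", which adds another copy on every
# run; only append a directive that is not already present.
# Usage: enable_http2_protocols /etc/httpd/conf/extra/httpd-includes.conf
enable_http2_protocols() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    grep -q '^ProtocolsHonorOrder' "$conf" || echo 'ProtocolsHonorOrder On' >> "$conf"
    grep -q '^Protocols '          "$conf" || echo 'Protocols h2 h2c http/1.1' >> "$conf"
}

# Check from the thread: httpd must not load a dynamic libssl.so, otherwise
# the system OpenSSL (possibly without ALPN) is used instead of the static
# build. Reads "ldd /usr/sbin/httpd" output on stdin; 0 when libssl is static.
ssl_is_static() {
    ! grep -q 'libssl\.so'
}

# Browser-independent check that h2 is negotiated. Reads the output of
#   openssl s_client -alpn h2 -connect host:443 </dev/null
# on stdin (assumed format: a line "ALPN protocol: h2"); 0 when h2 was chosen.
alpn_selected_h2() {
    grep -q '^ALPN protocol: h2$'
}

# Example run on the live system (assumed paths):
#   openssl_has_alpn "$(/usr/local/lib_http2/bin/openssl version | awk '{print $2}')"
#   patch_configure_apache /usr/local/directadmin/custombuild/custom/ap2/configure.apache /usr/local/lib_http2
#   enable_http2_protocols /etc/httpd/conf/extra/httpd-includes.conf
#   ldd /usr/sbin/httpd | ssl_is_static && echo "libssl is statically linked"
#   openssl s_client -alpn h2 -connect www.example.com:443 </dev/null 2>/dev/null \
#       | alpn_selected_h2 && echo "h2 negotiated"
```

Because the step-4 echo lines are appended blindly, a second run of the original recipe leaves two `Protocols` directives in httpd-includes.conf; the grep guard above is what makes the helper safe to repeat after `./build rewrite_confs`.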
 
Hi Martynas,

Regarding your last 2 steps:
httpd-includes.conf is empty (not anymore after the echo protocols step). SSLCipherSuite can be found in /etc/httpd/conf/extra/httpd-ssl.conf

What is the reason we compile nghttp2? No libs are used when compiling Apache, and nghttp2 seems to be a proxy which you put in front of Apache?
 
Please check:
Code:
ldd /usr/sbin/httpd

And make sure it does not load libssl.so there :)
 
Please check:
Code:
ldd /usr/sbin/httpd

And make sure it does not load libssl.so there :)
[root@]# ldd /usr/sbin/httpd
linux-vdso.so.1 => (0x00007ffead7f6000)
libnghttp2.so.14 => /usr/local/lib/libnghttp2.so.14 (0x00007f9cf48cb000)

Got it :)
However http2 isn't working (yet).. not sure why not.
(Server Version: Apache/2.4.17 (Unix) OpenSSL/1.0.2d)
 
Make sure your web browser supports it. Chrome has a good indicator for it called "HTTP/2 and SPDY indicator" :) Make sure you still have the protocol lines in /etc/httpd/conf/extra/httpd-includes.conf.
 
I am testing it using gtmetrix, webpagetest.org and firefox 41 (my own browser). Just tested Chrome with the indicator which says h2 enabled, but the server is serving http/1.1 (access log of the domain says the same).
httpd-includes is correct.

Summary:
[root@]# apachectl -t -D DUMP_MODULES | grep http2
http2_module (static)

[root@]# ldd /usr/sbin/httpd | grep http2
libnghttp2.so.14 => /usr/local/lib/libnghttp2.so.14 (0x00007f3dea552000)

[root@]# ldd /usr/sbin/httpd | grep ssl
[root@]#

[root@]# httpd -v
Server version: Apache/2.4.17 (Unix)
Server built: Oct 17 2015 11:45:49

For some reason google Chrome is showing some more info now, however access log still says HTTP/1.1
 
Access log still says 1.1, because it's not yet fixed in Apache 2.4.17 :) It'll show http/2 in 2.4.18. More info on how to check if Firefox is using http/2: https://icing.github.io/mod_h2/howto.html

Among the response headers, you see this strange X-Firefox-Spdy entry listing "h2". That is the indication that HTTP/2 is used on this https: connection.

Got that :) I assume it works then :D Thnx Martynas for your support.
 
Code:
wget http://openssl.org/source/openssl-1.0.2d.tar.gz
tar xzf openssl-1.0.2d.tar.gz
cd openssl-1.0.2d
./config --prefix=/usr/local/lib_http2 no-ssl2 no-ssl3 zlib-dynamic
make depend
make install

How does this affect system installed OpenSSL version?
 
How does this affect system installed OpenSSL version?

It does not affect it at all. Only static libraries, and only /usr/local/lib_http2 path is used for OpenSSL 1.0.2d :) So, system binaries do not see the installation of OpenSSL 1.0.2d at all. To remove everything you got installed with previous commands, it's enough to simply execute "rm -rf /usr/local/lib_http2" :)
 
It does not affect it at all. Only static libraries, and only /usr/local/lib_http2 path is used for OpenSSL 1.0.2d :) So, system binaries do not see the installation of OpenSSL 1.0.2d at all. To remove everything you got installed with previous commands, it's enough to simply execute "rm -rf /usr/local/lib_http2" :)

Thank you my good man!
 
Actually one more thing, does compiling Apache with this version of OpenSSL allow us to use TLS 1.2 in Apache where the original OS version of OpenSSL might not support it?

Thank you =)
 
OK thanks... I am having an issue though since the openssl update, phpinfo() for customers shows:

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.2d 9 Jul 2015
OpenSSL Header Version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

But on the command line:

OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL Header Version => OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Why the discrepancy? This appears to be causing segfaults in /var/log/httpd/error_log when customers run functionality of php_openssl in their scripts.
 