I have CENTOS7 server, with:
Server version: Apache/2.4.6 (CentOS)
.
How can i enable/add HTTP/2 on these Apache ?
I'm trying to send http2 requests from the client via Nghttp, but i get an error in the response (recv RST_STREAM frame ) as a result of server which does not supports Http2.
I saw that i have to enable module_http2 in the apache, but i didn't
found hot can i do this.
Thanks in Advance.
HTTP/2 support was only added in Apache 2.4.18 which is not available in the standard CentOS/Red Hat repos. Though as mod_http2 was (and still is at time of writing) being actively worked on you should go with the latest version (2.4.33 at time of writing - though there are further mod_http2 patches available on top of that).
Additionally HTTP/2 requires OpenSSL 1.0.2 or above which means you need CentOS/RHEL 7.4 or above unless you want to install your own version of OpenSSL as well your own version of Apache. Note you need Apache 2.4.26 or above if you want to go further than that and go to OpenSSL 1.1.0.
So you need to download and compile a later Apache (and possibly OpenSSL) from source - or find another repo with these later versions. This does carry some risks - primarily that you lose the easy security patches that repo versions supply. CentOS Apache 2.4.6 actually includes all the latest security patches of later versions (assuming you regularly run "yum update" to update it) - but not the functionality changes like HTTP/2 (hence why they leave version number at 2.4.6).
If you're interested in installing from source then I've a step by step blog post on how to do that here: https://www.tunetheweb.com/performance/http2/
You can install a newer version of httpd than is included in the base repositories through the httpd24 Software Collection. Once you've enabled the SCL, you need the following packages:
httpd24
httpd24-nghttp2
httpd24-mod_ssl *
* It's best to configure SSL too, because for example Chrome will only do HTTP2 with TLS.
Related
I am learning about jMeter, following this course. I want to add an FTP request, but there is no such thing in the menu.
There is no Add → Config Element → FTP Request Defaults and no Add → Sampler → FTP Request. But I have for example Add → Sampler → HTTP Request.
I am using jMeter 2.13.20161028 on Debian GNU/Linux 9.
You need to install a separate package in order to add FTP protocol support to your JMeter installation: jmeter-ftp, you can do it like:
sudo apt-get update && apt get install jmeter-ftp
JMeter restart will be required to pick the plugin up.
It seems that your Debian distribution comes with a little bit outdated JMeter version (~3 years old) so I would recommend considering upgrading to the latest version (JMeter 3.3 as of now), the most recent JMeter versions normally come with new features, bug fixes and performance improvements.
JMeter is pure Java application so there is no need to use package manager, given you have Java 8 you should be able to just download the latest JMeter tarball, unpack it and run.
At present we are on Apache/2.2.15 (UNIX) version. To fix the vulnerabilities we are suggested to upgrade to new version. I got new version from online using "wget" command and followed steps mentioned on this link http://httpd.apache.org/docs/2.2/install.html#download.
Once I am done, checked version using httpd -v. It gives me old version Apache/2.2.15 (UNIX). If I check using /usr/local/apache2/bin/httpd - v. It gives me new version. Did I successfully upgraded the version or not? If not what should I do?
I tried "yum install httpd" - It says "Nothing to do".
You now have two versions of Apache installed. You have the one installed with the system package manager (yum) in /usr/sbin/httpd. You have one installed manually in /usr/local/apache2/....
Which one you get will be determined entirely by which path you use.
In general, mixing system-managed packages with manually installed packages is a recipe for trouble. If you want to stick with the newer version in /usr/local, you should remove the system version, and realize that you will lose some manageability. For example, you will no longer be able to use yum install ... to install new Apache modules, and you will not be able to verify the installed files using tools like rpmverify.
If your distribution currently has Apache 2.2.x, that suggests your distribution is fairly old. For example, RHEL (and CentOS) 7 (and similar variants) have version 2.4.6 packaged, so you may want to update your host to something newer than whatever you're running now.
Yes, its successfully upgraded as per the screenshot.
httpd 2.2.15 is the version with RHEL 6 repository, here HTTPD_HOME is /etc/httpd (Highest version provided for HTTPD via RPM RHEL 6 is 2.2.15)
httpd 2.4.6 is the version with EPEL-HTTPD24 repository, here HTTPD_HOME is /usr/local/apache2/
I recently realized that our servers were vulnerable to CVE-2014-0224 by doing an SSL Labs scan.
We are running a node.js server on our site. I read that the vulnerability was eliminated in node.js version 0.10.29, so I used nvm to install version 0.11.13 on our ubuntu 12 server. However, after restarting the node.js server, the scan still shows we're vulnerable.
Thinking that perhaps node.js was relying on the system installation of openssl rather than using their own, I upgraded that, as well. openssl version -b now shows that we have the version that was built on 1 Oct 2014 ... which should be plenty good by all accounts (upgrading to this version was how I eliminated the vulnerability from another one of our servers that was running a ruby server ... also on ubuntu 12).
However, I haven't been able to find the right combination to eliminate the vulnerabilty from our node.js server. How can I do that? :o)
Aha! I updated one node.js version later (0.11.14), and that solved the problem. No more vulnerabilities for me! :o)
One of the projects requires support much higher version php used in main web project
Env:
- Debian 7.6 (3.2 x86_64)
- Nginx 1.6.0
- php-fpm (PHP 5.3.28)
My task: Install alternate version of php-fpm (php) and use it in another web project.
I don't want to install Apache with the desired version of php (mod-php) and use Nginx as frontend for Apache
Please describe other ways of resolving my situation, if they exist
I was researching this topic in the past. Never went through with it but you might find this useful.
I installed GitLab 6.6.5 via the omnibus package on Ubuntu 12.04 LTE. My question is will the Ubuntu OpenSSL heartbleed update cover the GitLab's installation? The installation has an embedded nginx that is installed. I have enabled SSL via the GitLab Omnibus Merge Request #66.
Having an embedded NGinX doesn't mean it won't use the /usr/bin/openssl installed on your system. (for instance, the ngx_http_ssl_module does require openssl)
If that openssl is 1.0.1g or 1.0.2, you won't have any issue.
openssl version
If not, it is easy enough to recompile it and install it.
To be sure, you can type:
ldd /path/to/nginx
That will give you the path of the openssl used by the binary nginx.
To get the full path, you can then use
readlink -f /path/to/libssl.so.1.0.0
Bruno adds in the comments:
It's probably more about /lib/*/libssl.so.1.0.0 than /usr/bin/openssl (which ldd should indicate indeed).
In principle, upgrading to the package with the fix and restarting NGinX should fix the issue.
Also note that the version numbers in distribution packages (e.g. Ubuntu) don't necessarily match the official version numbers exactly, because they tend to keep the same version number (for the same features), but backport the security patches
The OP crushedGrass points out in the comments Jacob Vosmaer (jacobvosmaer)'s commit "Update omnibus-software (CVE-2014-0160)", in omnibus-gitlab
so all I had to do was run a reconfiguration.
I believe both your and Bruno's feedback is spot on, there are just more dependencies that have to match up.
GitLab uses Chef cookbooks to configure the setup and I definitely do not know enough about it to modify it downstream.
Just so it is clear:
-> # ldd /opt/gitlab/embedded/sbin/nginx
...
libssl.so.1.0.0 => /opt/gitlab/embedded/lib/libssl.so.1.0.0 (0x00007fe3cf8f9000)
libcrypto.so.1.0.0 => /opt/gitlab/embedded/lib/libcrypto.so.1.0.0 (0x00007fe3cf520000)
...
Gitlab omnibus uses its own bundled OpenSSL. apt-get update will not update and protect an install of gitlab omnibus.