[scl.org] httpd24 and http/2

Joni Herttuainen joni.herttuainen at cern.ch
Fri Oct 13 12:33:08 UTC 2017


To whomever it may concern, 

I have a question concerning the httpd24 provided by SCL.
I am quite new to system administration, package managing, repositories
etc., so please try to bear with me.  


Some background first:
#########################################

I work as a Software Developer at CERN and I am developing an
application that is running on apache server in the CERN intranet. I
found myself in a situation in which the six simultaneous connections
per domain (restricted by the browser) were not sufficient to achieve
what I wanted, so the natural solution would be to update the server to
support HTTP/2 protocol. 

The current version of the underlying OS on the server computer is
CentOS 7.4. However, the official CentOS repos' version of Apache
(2.4.6) does not support HTTP/2 (supported since version 2.4.18) but
the OS has a recent enough version of OpenSSL (1.0.2k > 1.0.2
(required)).


My actual problem:
#########################################

The apache of httpd24 provided by SCL is recent enough to support
HTTP/2. But when I installed the package and configured it, I could not
get the communication in h2 protocol to work.

First of all, there was an error message when loading the mod_http2:
> httpd: Syntax error on line 56 of
> /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf: Syntax error on line
> 40 of /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-base.conf:
> Cannot load modules/mod_http2.so into server:
> libnghttp2-httpd24.so.14: cannot open shared object file: No such
> file or directory

Which I got rid of by loading the file myself before loading the
module:
> LoadFile /opt/rh/httpd24/root/usr/lib64/libnghttp2-httpd24.so.14

However, this was not the cause for the http2 not to work. The actual
cause was that the SSL module provided by SCL (httpd24-mod_ssl) seems
to be built against OpenSSL version 1.0.1e which is older than the
version required (1.0.2) to support ALPN (i.e. to have http/2
communication with all the major browsers).

I verified this with a mod_ssl that was built against Apache 2.4.25 and
openSSL 1.0.2j. 

So, I have got a working solution. The problem is that the system
managers are not too happy about having to download modules from yet
another external repository or to have to store a binary somewhere to
be copied each time they do an installation.

The Actual Question:
#########################################
Would it be possible to update the httpd24-mod_ssl in SCL so that it
was built against a more recent version of OpenSSL?

If not for some reason (e.g., compatibility issues with CentOS 7.X),
could it be possible to provide it as another packet (for example
httpd24-mod_ssl_1.0.2k, if it was built against OpenSSL 1.0.2k) now
that CentOS 7.4 is out?

Note:
#########################################
I know that there are programmatic solutions (Web Sockets, EventSource
etc.) that would solve my problem, and that I am not asking for a
solution to my problem. 

#########################################

Thank you for your interest in my issue.

Sincerely,
Joni Herttuainen
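
Added example, not part of the original message: a small POSIX sh helper for checking the two conditions the post describes, namely whether an OpenSSL version string meets the 1.0.2 minimum for ALPN and whether a server actually negotiates h2 when a client offers it. The function names are hypothetical; `probe_alpn` needs network access and a local `openssl` client, the other two work on strings alone.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the post.

# Succeeds if an OpenSSL version string ("1.0.1e", "1.0.2k-fips") is at
# least 1.0.2, the ALPN minimum quoted in the message. Returns 2 if the
# string cannot be parsed.
openssl_has_alpn() {
    set -- $(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ "$#" -eq 3 ] || return 2
    [ $(( $1 * 10000 + $2 * 100 + $3 )) -ge 10002 ]
}

# Reads `openssl s_client` output on stdin and prints the negotiated
# protocol ("h2", "http/1.1"), "none", or "unknown".
alpn_result() {
    awk '
        /^ALPN protocol: /    { print $3; seen = 1; exit }
        /^No ALPN negotiated/ { print "none"; seen = 1; exit }
        END { if (!seen) print "unknown" }
    '
}

# Live check: probe_alpn HOST [PORT]. The local openssl client must itself
# be 1.0.2 or newer, otherwise it has no -alpn option.
probe_alpn() {
    client=$(openssl version | awk '{ print $2 }')
    openssl_has_alpn "$client" ||
        { echo "client openssl $client lacks ALPN" >&2; return 2; }
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -alpn h2,http/1.1 </dev/null 2>/dev/null | alpn_result
}
```

A server whose TLS module lacks ALPN support reports `none` here even with `mod_http2` loaded, which matches the symptom described above.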



