HTTP/2 and WHM 58 with EA4
Tested on a clean and dirty CentOS 7 install and running production on a small server for a few weeks now (~20 sites).
Will probably give you cancer.
If you want symlink protection, you'll need to edit SPECS/ea-apache24.spec, search for 401 or 402 and uncomment TWICE in it, depending on what you want to use.
The rack911 patch does not require apr to be modified from stock, so you can skip it.
mkdir /root/rpmbuild
cd /root/rpmbuild
yum -y install rpm-build
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo "%_topdir %(echo $HOME)/rpmbuild" > ~/.rpmmacros
# fetch the specs and sources for the http2-enabled packages
mkdir poop
git clone https://github.com/Cacasapo/ea-apache2-http2.git poop
mv poop/SOURCES/find.pl /usr/lib64/perl5
mv poop/SOURCES/042_mod_http2.conf /etc/apache2/conf.modules.d
\cp -R poop/SPECS/* SPECS/
\cp -R poop/SOURCES/* SOURCES/
rm -fr poop
# skip this block if not using the Bluehost patch
git clone https://github.com/Cacasapo/apr.git poop1
\cp -R poop1/SPECS/* SPECS/
\cp -R poop1/SOURCES/* SOURCES/
rm -fr poop1
# openssl depend
yum -y install perl-WWW-Curl
# apr depend
yum -y install lksctp-tools-devel
# apache depend
yum -y install xmlto lua-devel ea-apr-devel ea-apr-util-devel
# local yum repo that the built RPMs are installed from
yum -y install createrepo
mkdir /root/repo
# quoted heredoc so $releasever stays literal for yum to expand
cat > /etc/yum.repos.d/local.repo <<'EOF'
[local]
name=CentOS-$releasever - local packages
baseurl=file:///root/repo
enabled=1
gpgcheck=0
protect=1
cost=20
priority=1
EOF
# OpenSSL (parallel install, does not replace the system openssl)
rpmbuild -ba SPECS/openssl.spec
\cp RPMS/x86_64/openssl-parallel* ../repo
createrepo /root/repo
yum clean expire-cache
yum -y install openssl-parallel
# Do nghttp2
rpmbuild -ba SPECS/nghttp2.spec
\cp RPMS/x86_64/libng* ../repo
\cp RPMS/x86_64/nghttp* ../repo
createrepo /root/repo
yum clean expire-cache
yum -y install libnghttp2-devel
# Do apr IF USING BLUEHOST PATCH
rpmbuild -ba SPECS/ea-apr.spec
\cp RPMS/x86_64/ea-apr* ../repo
createrepo /root/repo
yum clean expire-cache
yum -y install ea-apr ea-apr-devel
# Do apache
rpmbuild -ba SPECS/ea-apache24.spec
\cp RPMS/x86_64/ea-apache24* ../repo
createrepo /root/repo
yum clean expire-cache
yum -y install ea-apache24
# Suhosin spec is in there. You know what needs done, by now.
# Remember to create the ini in the php 56 config dir.
Please feel free to post your workaround for this, on this forum. Link removed.
Done!
HEADS UP. If you use mod_http2 with Magento 2.x or WHMCS with RCM, you will need to insert H2StreamMaxMemSize 512000 into your /etc/apache2/conf.modules.d/042_mod_http2.conf. Magento 2.x's issue was fixed by 128000, but WHMCS's Resellerclubmod promo page hung, so I increased it to 256, then 512. If you do not do this, you will not be able to reliably access the "Payment Processor" page and Magento's backend will hang at random places, as will some of WHMCS's Resellerclubmods pages. I'm certain other apps are affected by this. I have not seen any adverse effects due to this increased buffer.
This worked well for me, thanks very much =) [...still, hoping for a better way from cPanel someday]
Git updated to catch up with cpanel. Cpanel's symlink patch included and enabled by default. Rack911 patch still available. nghttp2 updated. Max: All Cpanel would need to do is provide the parallel install of OpenSSL on their repo and push out their apache already compiled for http2, but I reckon they don't want to deal with the hassle.
Hello, There's a feature request for HTTP2 support at: EasyApache 4 HTTP2 Support I encourage everyone that would like to see support for this offered with EA4 to vote and add feedback to the request. Thanks!
Getting an error
[root@server rpmbuild]# echo "%_topdir %(echo $HOME)/rpmbuild" > ~/.rpmmacros
-bash: syntax error near unexpected token `('
Would appreciate help on this
Replace ` with '. See my next post for update.
Ok I figured out the mistake on the previous command. Now having an issue here
/usr/lib64/libssl.so.10: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[2]: *** [libevent-client] Error 1
make[2]: *** Waiting for unfinished jobs....
libtool: link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z -Wl,relro -o .libs/client client.o -pthread ../lib/.libs/libnghttp2.so ../third-party/.libs/libhttp-parser.a -levent_openssl -levent -L/opt/ssl/lib -ldl -pthread
/usr/bin/ld: client.o: undefined reference to symbol 'SSL_get_error@@libssl.so.10'
/usr/lib64/libssl.so.10: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[2]: *** [client] Error 1
libtool: link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z -Wl,relro -o .libs/libevent-server libevent-server.o -pthread ../lib/.libs/libnghttp2.so ../third-party/.libs/libhttp-parser.a -levent_openssl -levent -L/opt/ssl/lib -ldl -pthread
/usr/bin/ld: libevent-server.o: undefined reference to symbol 'SSL_CTX_free@@libssl.so.10'
/usr/lib64/libssl.so.10: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[2]: *** [libevent-server] Error 1
libtool: link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z -Wl,relro -o .libs/tiny-nghttpd tiny-nghttpd.o -pthread ../lib/.libs/libnghttp2.so ../third-party/.libs/libhttp-parser.a -levent_openssl -levent -L/opt/ssl/lib -ldl -pthread
make[2]: Leaving directory `/root/rpmbuild/BUILD/nghttp2-1.17.0/examples'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/rpmbuild/BUILD/nghttp2-1.17.0'
make: *** [all] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.TZCKCT (%build)
RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.TZCKCT (%build)
Can you post more of the output? I'd like to see the whole output, just not a snippet, mainly the stuff before:
/usr/lib64/libssl.so.10: error adding symbols: DSO missing from command line
if there is stuff before that. The DSO missing from the command line could indicate a linking order problem (ie, libraries are included in the wrong order) but I don't think this is the likely cause of your problem. I was thinking maybe there was an undefined reference to some symbol or something. SSL_get_error was first introduced in SSLeay back in version 0.8. OpenSSL is a fork of SSLeay, I believe, so OpenSSL should contain SSL_get_error I'd think. Maybe somehow OpenSSL isn't getting passed as a library? I'm just taking a guess here and trying to help. I might be really wrong in all of this. Thanks.
So, the error is saying it cannot find the function (or symbol) SSL_CTX_free, SSL_get_error symbol, or SSL_CTX_free in libssl.so.10. What does your /opt/ssl/lib directory look like? You can just run:
ls -l /opt/ssl/lib
For some reason, I don't see where libssl is being included. It's been awhile since I played around with stuff like this, but it looks like you have libssl installed in the /usr/lib64/ directory. I would have expected to see stuff like this:
/bin/sh ../libtool --tag=CC --mode=link gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro -o tiny-nghttpd tiny-nghttpd.o ../lib/libnghttp2.la ../third-party/libhttp-parser.la -levent_openssl -levent -L/opt/ssl/lib -ldl -pthread -lssl
or
/bin/sh ../libtool --tag=CC --mode=link gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro -o tiny-nghttpd tiny-nghttpd.o ../lib/libnghttp2.la ../third-party/libhttp-parser.la -levent_openssl -levent -L/opt/ssl/lib -ldl -pthread -lssl-parallel
You did run the steps to compile and install "openSSL-parallel" first, right? These:
#OpenSSL
rpmbuild -ba SPECS/openssl.spec
\cp RPMS/x86_64/openssl-parallel* ../repo
createrepo /root/repo
yum clean expire-cache
yum -y install openssl-parallel
Maybe you should start over fresh and try again, from the beginning. But carefully look at the output from the various commands, to make sure none of them failed. Once, when I was working on a toolchain for the PS3, I had trouble with a library failing to build. It took me a while to realize that a previous library didn't compile correctly. I had a script that compiled the various libraries and I guess it wasn't properly exiting. The library was calling a 3rd party program that wasn't installed and the script didn't detect the command not found. It caused all kinds of issues. I'm wondering if maybe the OpenSSL-parallel thing didn't compile correctly for you or maybe you forgot to install it with
yum -y install openssl-parallel
What do you think?
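The "DSO missing from command line" error in the build output above has a well-known cause that the replies circle around: the link line lists -L/opt/ssl/lib but never -lssl, so the only libssl the linker sees is the one reached indirectly through libevent_openssl's own dependency on the stock /usr/lib64/libssl.so.10, and current ld refuses to satisfy a direct symbol reference through an indirect dependency. That matters here beyond the build failing: if it had linked, nghttp2 would have bound to the system OpenSSL, not the parallel one the whole procedure exists to use. The script below is an added example for this thread (not part of nghttp2, rpmbuild or the poster's repository) that parses a libtool link line plus the ld errors after it, reports which library each undefined symbol belongs to, whether that library is actually on the command line, and whether the copy ld found sits under any -L directory. The log excerpt it runs on is the client link line from the post above; parse_link_cmd, diagnose, add_libs and explain are names chosen here.

```python
"""Diagnose "DSO missing from command line" link failures from build log text.

Added example for this thread; not part of nghttp2, rpmbuild or any repository
mentioned above. The log excerpt is the client link line from the post above.
"""
import re
import shlex

# Constructed excerpt: the libtool link line and the ld errors that followed it.
SAMPLE_LOG = """\
libtool: link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z -Wl,relro -o .libs/client client.o -pthread ../lib/.libs/libnghttp2.so ../third-party/.libs/libhttp-parser.a -levent_openssl -levent -L/opt/ssl/lib -ldl -pthread
/usr/bin/ld: client.o: undefined reference to symbol 'SSL_get_error@@libssl.so.10'
/usr/lib64/libssl.so.10: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
"""

UNDEF_RE = re.compile(r"undefined reference to symbol '(?P<sym>[^@']+)@@(?P<soname>[^']+)'")
DSO_RE = re.compile(r"^(?P<path>\S+): error adding symbols: DSO missing from command line")


def parse_link_cmd(line):
    """Return the -L search dirs and -l libraries of a libtool/gcc link line, in order."""
    cmd = line.split("link:", 1)[1] if line.startswith("libtool: link:") else line
    libdirs, libs = [], []
    for arg in shlex.split(cmd):
        if arg.startswith("-L"):
            libdirs.append(arg[2:])
        elif arg.startswith("-l"):
            libs.append(arg[2:])
    return {"libdirs": libdirs, "libs": libs}


def soname_to_lib(soname):
    """'libssl.so.10' -> 'ssl', the name a -l flag would use."""
    m = re.match(r"lib(.+?)\.so", soname)
    return m.group(1) if m else soname


def diagnose(log):
    """One finding per undefined-symbol error, paired with the DSO line that follows it."""
    link_cmd = None
    findings = []
    for line in log.splitlines():
        if line.startswith("libtool: link:"):
            link_cmd = parse_link_cmd(line)  # the ld errors below refer to this command
            continue
        m = UNDEF_RE.search(line)
        if m:
            lib = soname_to_lib(m.group("soname"))
            findings.append({
                "symbol": m.group("sym"),
                "soname": m.group("soname"),
                "lib": lib,
                "lib_on_cmdline": link_cmd is not None and lib in link_cmd["libs"],
                "resolved_from": None,
                "resolved_in_searchpath": None,
            })
            continue
        m = DSO_RE.match(line)
        if m and findings and findings[-1]["resolved_from"] is None:
            f = findings[-1]
            f["resolved_from"] = m.group("path")
            dirs = link_cmd["libdirs"] if link_cmd else []
            # Did ld find the copy under one of the -L dirs, or in a default dir like /usr/lib64?
            f["resolved_in_searchpath"] = any(
                m.group("path").startswith(d.rstrip("/") + "/") for d in dirs)
    return findings


def add_libs(link_line, libs):
    """Append explicit -l flags; appending keeps them after every object that needs them."""
    return link_line.rstrip() + "".join(" -l" + l for l in libs)


def explain(finding):
    """Human-readable summary of one finding."""
    if finding["lib_on_cmdline"]:
        return "-l%s is present; check library order" % finding["lib"]
    where = finding["resolved_from"] or "an indirect dependency"
    return ("%s lives in %s, which is only reached through another library's "
            "DT_NEEDED; add -l%s explicitly" % (finding["symbol"], where, finding["lib"]))


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(explain(f))
        print("found under a -L dir:", f["resolved_in_searchpath"])
```

Run against the excerpt it reports that SSL_get_error comes from /usr/lib64/libssl.so.10, that -lssl is absent from the command line, and that /usr/lib64 is not one of the -L directories, which is the combination to look for when a parallel OpenSSL in /opt/ssl is meant to be used: the fix is an explicit -lssl -lcrypto (from /opt/ssl/lib) on the link line, which in an RPM build normally means adjusting LDFLAGS or LIBS in the spec rather than editing generated Makefiles.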
Hrmm, I'm running out of ideas Bashed. Does anyone else have any suggestions? Is there any way to pass extra libraries to rpmbuild? I'm not familiar with the program, but it seems like there are some issues with OpenSSL. Either it's not using the library at all (which I don't think is the case, because we see messages about libssl) or maybe the order of the libraries isn't correct. What version of CentOS are you running? I have CentOS 7.3.1611 ( cat /etc/centos-release to find out). If you're running CentOS 7, I can try following the directions on my server just to see if I can get the same error messages. If I can get the same error messages, I'll have a better chance of fixing it, because then I can play around with it and try various things. Right now, it's kind of hard because I have to have you try all the things I think of. I can't really dig around and see what's going on. I wish I was more help.
Thanks.
[root@server ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
We are running the same version of CentOS. So I logged into my server and followed the directions. I modified them a little and did everything from the /home/spork/src/ directory. So I have a /home/spork/src/repo directory and a /home/spork/rpmbuild directory. My /root/.rpmmacros file looks like this:
%_topdir /home/spork/src/rpmbuild
my /etc/yum.repos.d/local.repo file looks like this:
[local]
name=CentOS-$releasever - local packages
baseurl=file:///home/spork/src/repo
enabled=1
gpgcheck=0
protect=1
cost=20
priority=1
I follow the steps and get to:
rpmbuild -ba SPECS/nghttp2.spec
I execute the command and it finishes, without any errors. To me, this says it's something with your system. If you'd like, I can try and create a simple bash script that executes all the various commands, just in case maybe you mistyped something? If that doesn't work, I'm out of ideas. Would you like me to create a simple bash script for you?
There's a vulnerability with Linux and symlinks. There's a race condition that can happen. There are various patches that can fix this problem. It really comes into play when you run a webserver where people can upload files. They can upload a symbolic link and gain access to files that they normally have no access to (ie, /etc/shadow). One of the patches is made by Bluehost and it patches Apache. It doesn't patch PHP or anything else. Another patch is a kernel patch, which is better, because it fixes it for all programs. cPanel provides the Bluehost patch with EA3. You can turn it on or off. When you run the security advisor, if the Bluehost patch is turned off, it should give you a warning saying there's no symlink protection. With EA4, they removed the Bluehost patch because there are better alternatives (ie, running CageFS or CloudLinux, using the kernel patch, etc). With cPanel v60 (and possibly v58), they've included the patch but it's disabled. To my knowledge, there isn't a way to turn it on yet (if you're running EA4). But it's still installed, just disabled. The instructions say if you have it installed (and they don't mention if it's enabled or disabled). If you're running cPanel of any version, you probably have some form of the patch, enabled or disabled. What version of cPanel do you run? You run EA4, not EA3, right? I bet it's installed but not enabled. If you go to WHM >> Security Advisor, you can hit Scan Now or whatever it is, and if you see a message saying something along the lines of No Symlink Protection, you definitely don't have the patch. If you run the advisor and don't see any messages about not having symlink protection, if you didn't specifically patch your kernel and you're not running CloudLinux, you could probably assume you're using the Bluehost patch. I hope this helps.
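The race described above, as an added example for this thread rather than the Bluehost or cPanel patch (whose code is not shown here): the classic unsafe pattern is lstat(path) to check that a path is not a symlink and is owned by the site user, then open(path), and a co-tenant who can write to the directory can swap a real file for a symlink to a privileged file between those two calls. The routine below mirrors the principle the patches apply, which is to decide on the descriptor you actually opened rather than on a path you inspected a moment earlier: it opens the file one component at a time with O_NOFOLLOW relative to the previous directory descriptor and checks ownership with fstat on each opened descriptor. It goes slightly beyond the thread's description by checking every directory on the way, not only the final file. It assumes a POSIX system where os.open supports dir_fd (Linux, BSD, macOS); the tenant tree it runs on is constructed in a temporary directory, and open_owned_nofollow, OwnerMismatch and demo are names chosen here.

```python
"""Race-free "owner must match" open, an added illustration of the symlink race
discussed above. Independent example, not the Bluehost or cPanel patch. Assumes
POSIX os.open(dir_fd=...) support (Python 3.3+ on Linux/BSD/macOS).
"""
import os
import tempfile


class OwnerMismatch(PermissionError):
    """A path component is owned by someone other than the site owner."""


def open_owned_nofollow(root_fd, rel_path, expected_uid):
    """Open rel_path beneath root_fd, one component at a time, and return its fd.

    Each component is opened with O_NOFOLLOW relative to the previous directory
    descriptor, so a symlink planted anywhere in the path fails with ELOOP
    instead of being followed, and ownership is checked with fstat on the
    descriptor that was opened, not with lstat on the path. There is no window
    between check and use for a swap to land in.
    """
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("refusing empty or traversing path: %r" % rel_path)
    fd = root_fd
    try:
        for part in parts:
            new_fd = os.open(part, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
            if fd != root_fd:
                os.close(fd)  # intermediate directory no longer needed
            fd = new_fd
            st = os.fstat(fd)
            if st.st_uid != expected_uid:
                raise OwnerMismatch("%s owned by uid %d, expected %d"
                                    % (part, st.st_uid, expected_uid))
    except BaseException:
        if fd != root_fd:
            os.close(fd)
        raise
    return fd


def demo():
    """Constructed tenant tree: a regular page, a planted symlink, and a wrong owner."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "public_html"))
        with open(os.path.join(root, "public_html", "index.html"), "w") as f:
            f.write("<h1>ok</h1>")
        # The kind of link the thread describes: it points outside the site.
        os.symlink("/etc/passwd", os.path.join(root, "public_html", "leak.html"))
        root_fd = os.open(root, os.O_RDONLY)
        try:
            fd = open_owned_nofollow(root_fd, "public_html/index.html", me)
            results["regular"] = os.read(fd, 64).decode()
            os.close(fd)
            try:
                open_owned_nofollow(root_fd, "public_html/leak.html", me)
                results["symlink"] = "followed"  # must never happen
            except OSError:
                results["symlink"] = "refused"   # ELOOP from O_NOFOLLOW
            try:
                open_owned_nofollow(root_fd, "public_html/index.html", me + 1)
                results["wrong_owner"] = "served"  # must never happen
            except OwnerMismatch:
                results["wrong_owner"] = "refused"
        finally:
            os.close(root_fd)
    return results


if __name__ == "__main__":
    print(demo())
```

The regular page is served, the planted link is refused before its target is ever resolved, and a file whose owner does not match the expected site uid is refused even though it is a plain file. A kernel-level protection such as the one the post mentions covers every program at once; this per-open discipline is what an individual server (or a patch to it) has to implement when the kernel does not.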
Hrmm, I have the same setup. The same version of CentOS, EA4, cPanel / WHM 60.0.28. I have no third party patches installed but I receive:
Apache Symlink Protection is enabled
There's another way to gain symlink protection. It involves enabling Apache Jail Shell, among some other things, if memory serves. Maybe that's how I'm getting the protection? I dunno. Anyway, I couldn't clone the repo that you need to clone if you don't have symlink protection enabled. Were you able to clone it?
mkdir -p /root/rpmbuild/temp
git clone https://github.com/Cacasap/apr.git /root/rpmbuild/temp
If not, perhaps that's why your build is failing. Maybe I do have the Bluehost patch enabled somehow and perhaps that's why my build succeeds? Whenever I run git clone on that repo, I'm asked for credentials. Did you have a chance to look through the scripts? For what it's worth, you should never run a script without looking through it first, especially if someone in a forum gives it to you. You should go through and just look at the various commands, make sure everything's right. Even if the person doesn't mean to cause trouble, they might have a typo like rm -rf / root/rpmbuild. That'd erase / and ./root/rpmbuild. Erasing / would be very bad! Let me know if you see anything that looks wrong or if you need clarification on what some of the commands do in the script. At this point in time, I'd run it without changing the comments and see if it makes it past the step you were getting stuck on. I'd maybe edit the script and comment everything else out under that one step, just so it stops after processing that step where you were getting stuck, to verify it actually succeeds. I didn't do any error checking in the scripts. I just ran the commands and assumed they all worked. With the remove script, I didn't check to see if the files existed before removing them, so you might get a file not found message here or there. Please let me know how it turns out for you and if it gets you any further. Thanks!
Guys, APR no longer needs to be built since Cpanel enabled the Bluehost patch. I removed it from my github and it's absent in my followup post with updated instructions. Also looks like they finally got around to adding the UI component for it (symlink) under Apache config. On another note, Apache has been updated to .25 and has an incompatibility with http2, causing it to segfault. This has been reported and patched in the Apache SVN. I've incorporated the fix in my Apache tar and I'll be updating the git later today, after testing the final git on a clean VM.
Thanks for the update! Maybe I followed your follow-up instructions. It wasn't until I started writing the script that I noticed the stuff for the Bluehost patch. I thought when I tried in the instructions on my CentOS installation, perhaps I skipped over them by accident. So I'm a bit confused. I apologize if this is a naive question, but this gives us HTTP/2 support through Apache, right? I am interested in running that on my server. For some reason, I was thinking this was for another web server that I didn't want to run. Will cPanel replace the modified HTTP/2 version of Apache that your instructions build with the normal copy? How does this special version of Apache not conflict with the cPanel version of Apache? Thanks!
I just tried with and without symlink protection, both times it requested user/pw. Strange, I don't recall seeing that the first time around.
You should have those lines commented out (with #'s). Did you comment them out? The ones that mention the bluehost symlink patch in the script? If so, you shouldn't be getting any prompts for authentication with the github repository, unless it's temporarily removed because of the segfault conditions. Make sure the git clone statement is commented out (in the Bluehost section of the script) along with the lines below it, at least until the next section. All the lines in the bluehost patch section need a # in front of them.
Got tied up with work. 2.4.25 is up. This provides HTTP/2 through Apache and Cpanel updates will not affect it unless they update Apache to a new version, in which case I also follow suit. Gotta run!
Hrmm. RWH Tech, I talked to cPanel about this once and was under the impression they didn't plan on supporting HTTP/2 in Apache yet because they'd need to include a newer version of libopenssl. I was under the impression that including a newer version of openssl was a lot of work. But your steps were pretty painless and there really wasn't a lot of work, which makes me wonder why cPanel cannot simply provide a separate RPM for Apache with HTTP/2 support or why not just include the newer version of OpenSSL and Apache with HTTP/2 support and replace the current Apache RPM. I wish there was a way to tell cPanel to always grab Apache from the local repository rather than from the cPanel repository, so no matter what, it'd always install your modified version. I know HTTP/2 is backwards compatible with HTTP, so you shouldn't have to rewrite your websites when you implement HTTP/2, but I wonder if there's any HTTP/2 specific stuff that you could use when writing your website. For example, could I write my website in such a way where it works with HTTP/2 but does not work with HTTP/1? If so, then when cPanel replaces the HTTP/2 Apache with their non-HTTP/2 Apache, this could cause serious problems for some. Their website might not be accessible until they realize that Apache has been replaced and redo the various steps of yours. Thanks for showing us how to do this. It's much appreciated. HTTP/2 is something I've wanted for a while now. I would have never figured this out on my own!
It took me a lot of work and time because I don't know what I'm doing and had to do a lot of googling, but cpanel could easily implement it, perhaps as a separate option on EA4 that would install the parallel OpenSSL and an Apache HTTP/2-enabled RPM.
...I wish there was a way to tell cPanel to always grab Apache from the local repository rather than from the cPanel repository
I don't like this because if there's an Apache update that squashes something critical and I'm in the middle of a week-long drunken murder spree, then people will be exposed. Of course, this can also happen with OpenSSL. I also don't know if there's anything HTTP/2-specific people can do to their sites that will break them with HTTP/1.1, perhaps some front-end person can chime in. I'd say that anything that's HTTP2-specific not running on a HTTP2 server would just be ignored since the server would negotiate HTTP1.1 with the browser, but hey, what do I know? Typically, I'll have Apache updated before Cpanel does, but this time I had to track down and find the fix for the segfault caused by some http2 .c file. I also did HTTP/2 in EA3, back in the day, it's still up on my site and was a lot less fun to do, but worked reliably. Once I saw HTTP2 on EA4 was stable, I shared it here, figured I'd give something back.
...I don't like this because if there's an Apache update that squashes something critical and I'm in the middle of a week-long drunken murder spree, then people will be exposed. Of course, this can also happen with OpenSSL.
Well, I was thinking of not even using your github repository and just grabbing the files manually. Is there something that needs to be changed in Apache or something? I haven't looked at your github commits but I'll browse through them. Essentially, just maintaining the updates myself on my own server, with cPanel not overwriting them. If there are changes that need to be done to Apache (and I'd imagine there are, seeing how you're providing the software via a github repository, rather than linking to it directly), maybe it'd be beneficial to post what you did to the various packages, in case something ever happens and you cannot maintain the repository anymore. People would have the full set of instructions and be able to just download the various packages from their respective websites, make the necessary changes, configure and build the various packages and RPMs, and then install them.
...Typically, I'll have Apache updated before Cpanel does, but this time I had to track down and find the fix for the segfault caused by some http2 .c file. I also did HTTP/2 in EA3, back in the day, it's still up on my site and was a lot less fun to do, but worked reliably. Once I saw HTTP2 on EA4 was stable, I shared it here, figured I'd give something back.
Cool and thank you very much for sharing. When I got cPanel for the first time, I noticed the various webmail clients were a bit outdated. I found a way to get cPanel to install the latest versions by taking advantage of one of their scripts that was designed just to replace the default configuration with a custom configuration. I had it always install my downloaded and custom configured versions after it installed the normal versions (Roundcube, Horde, etc). This worked well, but I stopped updating them and then one day, I went and checked, and cPanel actually was providing a newer version than what I was having installed, so I undid it and just decided to let cPanel handle the mail clients. I should have shared with others though, so other people could have benefited from it.
The only time I've modified Apache was for this last update (2.4.25) to include a fixed whatever file that was (some .c file related to http/2). The fix is supposed to be backported from the Apache trunk, so it'll be fixed in .26 and the standard package can be used again. I should've included it as a patch, instead of modifying the release archive, but I didn't have the time or patience to deal with it. As far as the other changes, running a compare in github against the original spec will show what's been done. The OpenSSL spec I grabbed from somewhere and modified. I reckon eventually Cpanel will finally cave and add HTTP/2 support, then the project can be retired as you've retired yours. The thing about sharing this stuff is that it needs to be stable and bulletproof, especially if you're a cranky admin who doesn't like holding hands.
Rejoice! It has come! EasyApache 4 HTTP2 Support