HTTP2 issues with Mod_Ruid2

Leslie de Groot

• July 13, 2017 10:33

Greetings, I've enabled HTTP2 today through EasyApache 4. I've noticed that many sites on the server are defaced with it enabled. When i disable HTTP2 they are normally displayed. Somehow only Google Chrome is displaying them correctly. Safari and Firefox for example not. See the screenshot i've uploaded for the idea of what is going wrong.

• 

  JacobPerkins

  • July 13, 2017 15:36

  Hi, Try viewing the site w/Chrome's developer tools, and see what's not being received properly.

  0
• 

  Leslie de Groot

  • July 14, 2017 11:07

  Hi, Try viewing the site w/Chrome's developer tools, and see what's not being received properly.

  
  I've tried that and noticed that some resources are getting a 403 status code (Forbidden). With HTTP2 disabled it works just fine.

  0
• 

  cPanelMichael

  • July 14, 2017 16:03

  I've tried that and noticed that some resources are getting a 403 status code (Forbidden). With HTTP2 disabled it works just fine.

  
  Hello, Do you notice any output to /var/log/apache2/error_log when you encounter the 403 error code? Thank you.

  0
• 

  Leslie de Groot

  • July 14, 2017 16:36

  Hello, Do you notice any output to /var/log/apache2/error_log when you encounter the 403 error code? Thank you.

  
  Yes, I'm getting output like: mod_ruid2 domain.nl GET /wp-content/themes/petsandvets-child/style.css?ver=4.8 HTTP/2.0 chdir to /home/virtfs/USER failed I don't understand that this only happens with HTTP2 enabled.

  0
• 

  cPanelMichael

  • July 14, 2017 16:50

  Yes, I'm getting output like: mod_ruid2 domain.nl GET /wp-content/themes/petsandvets-child/style.css?ver=4.8 HTTP/2.0 chdir to /home/virtfs/USER failed

  
  Internal case EA-6541 was opened to inquire if using the "EXPERIMENTAL: Jail Apache Virtual Hosts" option in "WHM >> Tweak Settings" combined with Mod_Ruid2 and Mod_HTTP2 could result in failed requests like the one below seen in the Apache error log when attempting to open a secure URL in a HTTP/2 enabled web browser:
  HTTP/2.0 chdir to /home/virtfs/cptest failed
  Per EA-6541, this was not a reproducible issue. EasyApache 4 will issue a conflict warning when attempting to install Mod_Ruid2 and HTTP2 together. Thank you.

  0
• 

  Leslie de Groot

  • July 14, 2017 16:59

  I've tested this. Updating "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel" jailshell." from "On" to "Off". "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel" jailshell." was updated. The problem is resolved this way. However I'm open for feedback whenever this case is resolved.

  0
• 

  rekabis

  • July 31, 2017 07:40

  I also need to know when it will be possible to run mod_ruid2 *and* mod_http2 on the same server. Right now under EasyApache4, if I install mod_http2, mod_mpm_event and mod_cgid get installed and mod_ruid2, mod_mpm_prefork and mod_cgi get uninstalled. If I then try to install mod_ruid2, the opposite happens.

  0
• 

  cPanelMichael

  • July 31, 2017 15:37

  I also need to know when it will be possible to run mod_ruid2 *and* mod_http2 on the same server.

  
  The DSO handler for PHP (that's used in combination with Ruid2) requires the MPM Prefork Apache module. However, the Prefork MPM is not recommended for use with mod_http2. Thus, there's no recommended setup where both mod_ruid2 and mod_http2 are enabled on the server. This is discussed in more detail on the following thread: Prefork and HTTP2 Thank you.

  0
• 

  rekabis

  • August 01, 2017 15:46

  Thus, there's no recommended setup where both mod_ruid2 and mod_http2 are enabled on the server.

  
  So" it comes down to a choice between a modern server and a secure server? Sweet. Any chance when this might be rectified?

  0
• 

  cPanelMichael

  • August 02, 2017 16:37

  Hello, The Prefork MPM isn't recommended for use mod_http2, not because of a bug, but because the two technologies are not compatible with one another. This is described in more detail by an Apache developer in the following comment: Do you require Mod_Ruid2 for protection against symlink race conditions? If so, the following document lists alternatives to using Ruid2:

  0
• 

  davorg

  • August 03, 2017 07:50

  Hello, The Prefork MPM isn't recommended for use mod_http2, not because of a bug, but because the two technologies are not compatible with one another. This described in more detail by an Apache developer in the following comment: Do you require Mod_Ruid2 for protection against symlink race conditions? If so, the following document lists alternatives to using Ruid2:

  0
• 

  cPanelMichael

  • August 03, 2017 15:26

  So If I understand: If I want to use - mod_http2, apache jail with mod_ruid2 - best solution is to use CloudLinux with CageFS and EA4 with Worker MPM and mod_http2? Will this work without any problems?

  
  Hello, You won't be able to use Mod_Ruid2 with Mod_Http2. However, with CloudLinux and CageFS, you do not need to use Ruid2 to receive protection from symlink race conditions. Here's a CloudLinux document on CageFS explaining how it works: CloudLinux Documentation Thank you.

  0

Please sign in to leave a comment.