


I had been curious about HTTP/2 for a while but left it alone because compiling from source seemed like a hassle. After reading the article below, I decided to try it.
Apache httpd 2.4.25 built against OpenSSL 1.0.2j with http2 for Red Hat Enterprise Linux and CentOS
https://codeit.guru/en_US/2017/01/apache-httpd-2-4-25-built-against-openssl-1-0-2j-with-http2-for-red-hat-enterprise-linux-and-centos/
Builds of Apache and mod_ssl with OpenSSL 1.0.2j built in are provided.
HTTP/2 requires Apache 2.4.17+ and OpenSSL 1.0.2+, but the standard repo ships Apache 2.4.6, which cannot run it.
The IUS and SCL repositories provide Apache 2.4.17+, but both use OpenSSL 1.0.1e, which does not support ALPN, so HTTP/2 did not work with them.
The result is “ALPN/NPN, server did not agree to a protocol”.
```
# curl --http2 -v https://http2.rootlinks.net
* Rebuilt URL to: https://http2.rootlinks.net/
* Trying 192.168.1.1...
* TCP_NODELAY set
* Connected to http2.rootlinks.net (192.168.1.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: none
  CApath: none
* loaded libnssckbi.so
* ALPN/NPN, server did not agree to a protocol
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=http2.rootlinks.net
* start date: Aug 26 16:06:00 2017 GMT
* expire date: Nov 24 16:06:00 2017 GMT
* common name: http2.rootlinks.net
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> Host: http2.rootlinks.net
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 21 Sep 2017 02:42:32 GMT
< Server: Apache/2.4.27 (CentOS) OpenSSL/1.0.1e-fips
< Upgrade: h2
< Connection: Upgrade
< Last-Modified: Wed, 20 Sep 2017 12:11:22 GMT
< ETag: "7-5599ddfc9204a"
< Accept-Ranges: bytes
< Content-Length: 7
< Content-Type: text/html; charset=UTF-8
<
HTTP/2
* Connection #0 to host http2.rootlinks.net left intact
```
[Test environment]
- CentOS Linux release 7.4.1708 (Core)
- Kernel 3.10.0-693.2.2.el7.x86_64
- Create CodeIT repo
- Install httpd
- Install mod_ssl
```
# vi /etc/yum.repos.d/codeit.mainline.el7.repo
# cat /etc/yum.repos.d/codeit.mainline.el7.repo
[CodeITmainline]
name=CodeIT mainline repo
baseurl=https://repo.codeit.guru/packages/centos/7/x86_64
enabled=1
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
gpgcheck=1
```
```
# yum --disablerepo=* --enablerepo=CodeITmainline list all
(snip)
Available Packages
apr.x86_64                          1.5.2-1.el7.codeit                       CodeITmainline
apr-debuginfo.x86_64                1.5.2-1.el7.codeit                       CodeITmainline
apr-devel.x86_64                    1.5.2-1.el7.codeit                       CodeITmainline
httpd.x86_64                        2.4.27-2.codeit                          CodeITmainline
httpd-debuginfo.x86_64              2.4.27-2.codeit                          CodeITmainline
httpd-devel.x86_64                  2.4.27-2.codeit                          CodeITmainline
httpd-filesystem.noarch             2.4.27-2.codeit                          CodeITmainline
httpd-manual.noarch                 2.4.27-2.codeit                          CodeITmainline
httpd-tools.x86_64                  2.4.27-2.codeit                          CodeITmainline
libbrotli.x86_64                    1.0.20170828.git.a258234-1.el7.codeit    CodeITmainline
libbrotli-devel.x86_64              1.0.20170828.git.a258234-1.el7.codeit    CodeITmainline
mod_http2.x86_64                    1.10.10-1.codeit                         CodeITmainline
mod_http2-debuginfo.x86_64          1.10.10-1.codeit                         CodeITmainline
mod_ldap.x86_64                     2.4.27-2.codeit                          CodeITmainline
mod_proxy_html.x86_64               1:2.4.27-2.codeit                        CodeITmainline
mod_session.x86_64                  2.4.27-2.codeit                          CodeITmainline
mod_ssl.x86_64                      1:2.4.27-2.codeit                        CodeITmainline
nginx.x86_64                        1:1.12.1-1.el7.codeit                    CodeITmainline
nginx-module-geoip.x86_64           1:1.12.1-1.el7.codeit                    CodeITmainline
nginx-module-image-filter.x86_64    1:1.12.1-1.el7.codeit                    CodeITmainline
nginx-module-njs.x86_64             1:1.12.1.0.1.10-1.el7.codeit             CodeITmainline
nginx-module-perl.x86_64            1:1.10.3-2.el7.codeit                    CodeITmainline
nginx-module-xslt.x86_64            1:1.12.1-1.el7.codeit                    CodeITmainline
```
The installation directories appear to be the same as those of the standard packages.
```
# yum --disablerepo=* --enablerepo=CodeITmainline info httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
Name        : httpd
Arch        : x86_64
Version     : 2.4.27
Release     : 2.codeit
Size        : 1.3 M
Repo        : CodeITmainline
Summary     : Apache HTTP Server
URL         : http://httpd.apache.org/
License     : ASL 2.0
Description : The Apache HTTP Server is a powerful, efficient, and extensible
            : web server.

# repoquery --disablerepo=* --enablerepo=CodeITmainline --list httpd
/etc/httpd/conf
/etc/httpd/conf.d/autoindex.conf
/etc/httpd/conf.d/userdir.conf
/etc/httpd/conf.d/welcome.conf
/etc/httpd/conf.modules.d
/etc/httpd/conf.modules.d/00-base.conf
/etc/httpd/conf.modules.d/00-dav.conf
/etc/httpd/conf.modules.d/00-lua.conf
/etc/httpd/conf.modules.d/00-mpm.conf
/etc/httpd/conf.modules.d/00-optional.conf
/etc/httpd/conf.modules.d/00-proxy.conf
/etc/httpd/conf.modules.d/00-systemd.conf
/etc/httpd/conf.modules.d/01-cgi.conf
/etc/httpd/conf.modules.d/README
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/magic
/etc/httpd/logs
/etc/httpd/modules
/etc/httpd/run
(snip)
```
```
# yum --disablerepo=* --enablerepo=CodeITmainline install httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.4.27-2.codeit will be installed
--> Processing Dependency: httpd-tools = 2.4.27-2.codeit for package: httpd-2.4.27-2.codeit.x86_64
--> Processing Dependency: httpd-filesystem = 2.4.27-2.codeit for package: httpd-2.4.27-2.codeit.x86_64
--> Processing Dependency: mod_http2 for package: httpd-2.4.27-2.codeit.x86_64
--> Processing Dependency: httpd-filesystem for package: httpd-2.4.27-2.codeit.x86_64
--> Running transaction check
---> Package httpd-filesystem.noarch 0:2.4.27-2.codeit will be installed
---> Package httpd-tools.x86_64 0:2.4.27-2.codeit will be installed
---> Package mod_http2.x86_64 0:1.10.10-1.codeit will be installed
--> Processing Conflict: httpd-2.4.27-2.codeit.x86_64 conflicts apr < 1.5.0-1
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package apr.x86_64 0:1.4.8-3.el7 will be updated
---> Package apr.x86_64 0:1.5.2-1.el7.codeit will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================
 Package                    Arch             Version                    Repository                   Size
===========================================================================================================
Installing:
 httpd                      x86_64           2.4.27-2.codeit            CodeITmainline              1.3 M
Updating:
 apr                        x86_64           1.5.2-1.el7.codeit         CodeITmainline              111 k
Installing for dependencies:
 httpd-filesystem           noarch           2.4.27-2.codeit            CodeITmainline               23 k
 httpd-tools                x86_64           2.4.27-2.codeit            CodeITmainline              969 k
 mod_http2                  x86_64           1.10.10-1.codeit           CodeITmainline              206 k

Transaction Summary
===========================================================================================================
Install  1 Package (+3 Dependent packages)
Upgrade  1 Package

Total size: 2.6 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : apr-1.5.2-1.el7.codeit.x86_64                 1/6
  Installing : httpd-tools-2.4.27-2.codeit.x86_64            2/6
  Installing : httpd-filesystem-2.4.27-2.codeit.noarch       3/6
  Installing : mod_http2-1.10.10-1.codeit.x86_64             4/6
  Installing : httpd-2.4.27-2.codeit.x86_64                  5/6
  Cleanup    : apr-1.4.8-3.el7.x86_64                        6/6
  Verifying  : httpd-filesystem-2.4.27-2.codeit.noarch       1/6
  Verifying  : apr-1.5.2-1.el7.codeit.x86_64                 2/6
  Verifying  : httpd-2.4.27-2.codeit.x86_64                  3/6
  Verifying  : mod_http2-1.10.10-1.codeit.x86_64             4/6
  Verifying  : httpd-tools-2.4.27-2.codeit.x86_64            5/6
  Verifying  : apr-1.4.8-3.el7.x86_64                        6/6

Installed:
  httpd.x86_64 0:2.4.27-2.codeit

Dependency Installed:
  httpd-filesystem.noarch 0:2.4.27-2.codeit  httpd-tools.x86_64 0:2.4.27-2.codeit  mod_http2.x86_64 0:1.10.10-1.codeit

Updated:
  apr.x86_64 0:1.5.2-1.el7.codeit

Complete!
```
```
# yum --disablerepo=* --enablerepo=CodeITmainline install mod_ssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.27-2.codeit will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================
 Package                    Arch             Version                    Repository                   Size
===========================================================================================================
Installing:
 mod_ssl                    x86_64           1:2.4.27-2.codeit          CodeITmainline              1.1 M

Transaction Summary
===========================================================================================================
Install  1 Package

Total download size: 1.1 M
Installed size: 2.7 M
Is this ok [y/d/N]: y
Downloading packages:
mod_ssl-2.4.27-2.codeit.x86_64.rpm                                              | 1.1 MB  00:00:23
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:mod_ssl-2.4.27-2.codeit.x86_64              1/1
  Verifying  : 1:mod_ssl-2.4.27-2.codeit.x86_64              1/1

Installed:
  mod_ssl.x86_64 1:2.4.27-2.codeit

Complete!
```
It is built with OpenSSL 1.0.2l.
```
# strings /usr/lib64/httpd/modules/mod_ssl.so | grep 1.0.2
OpenSSL 1.0.2l 25 May 2017
SSLv3 part of OpenSSL 1.0.2l 25 May 2017
TLSv1 part of OpenSSL 1.0.2l 25 May 2017
DTLSv1 part of OpenSSL 1.0.2l 25 May 2017
(snip)
```
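The next steps are to configure the certificate and protocol settings that HTTP/2 needs, but I will cover those in the next article.
For now, after going through the configuration and testing it, the connection was successfully made over HTTP/2.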
```
# curl --http2 -v https://http2.rootlinks.net
* Rebuilt URL to: https://http2.rootlinks.net/
* Trying 192.168.1.1...
* TCP_NODELAY set
* Connected to http2.rootlinks.net (192.168.1.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: none
  CApath: none
* loaded libnssckbi.so
* ALPN, server accepted to use h2
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=http2.rootlinks.net
* start date: Aug 26 16:06:00 2017 GMT
* expire date: Nov 24 16:06:00 2017 GMT
* common name: http2.rootlinks.net
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xb2ee90)
> GET / HTTP/2
> Host: http2.rootlinks.net
> User-Agent: curl/7.55.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Thu, 21 Sep 2017 05:14:17 GMT
< server: Apache/2.4.27 (centos) OpenSSL/1.0.2l
< last-modified: Wed, 20 Sep 2017 12:11:22 GMT
< etag: "7-5599ddfc9204a"
< accept-ranges: bytes
< content-length: 7
< content-type: text/html; charset=UTF-8
<
HTTP/2
* Connection #0 to host http2.rootlinks.net left intact
```
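An added example, not part of the original post: a POSIX shell helper that reads a `curl --http2 -v` transcript like the two shown here, reports whether h2 was negotiated via ALPN, and otherwise checks the Server banner against the Apache 2.4.17+ / OpenSSL 1.0.2+ requirement stated earlier. The function names and the sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# ver_ge A B: true if dotted version A >= B; suffixes such as "l" or "e-fips" are ignored.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# diagnose_h2: read a curl -v transcript on stdin and print a one-line verdict.
diagnose_h2() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'ALPN, server accepted to use h2'; then
        echo "OK: h2 negotiated via ALPN"; return 0
    fi
    banner=$(printf '%s\n' "$log" | sed -n 's/^< [Ss]erver: //p' | head -n 1)
    apache=$(printf '%s\n' "$banner" | sed -n 's|.*Apache/\([0-9.]*\).*|\1|p')
    openssl=$(printf '%s\n' "$banner" | sed -n 's|.*OpenSSL/\([0-9.]*[a-z]*\).*|\1|p')
    why=""
    if [ -n "$apache" ] && ! ver_ge "$apache" 2.4.17; then
        why="$why Apache $apache < 2.4.17;"
    fi
    if [ -n "$openssl" ] && ! ver_ge "$openssl" 1.0.2; then
        why="$why OpenSSL $openssl < 1.0.2, no ALPN;"
    fi
    if printf '%s\n' "$log" | grep -qi '^< upgrade: h2'; then
        why="$why h2 only advertised via Upgrade header;"
    fi
    echo "FAIL: no h2.${why:- cause not visible in transcript}"
    return 1
}

# Constructed samples: excerpts of the two transcripts in this post.
sample_fail() { printf '%s\n' '* ALPN/NPN, server did not agree to a protocol' \
    '< HTTP/1.1 200 OK' '< Server: Apache/2.4.27 (CentOS) OpenSSL/1.0.1e-fips' '< Upgrade: h2'; }
sample_ok() { printf '%s\n' '* ALPN, server accepted to use h2' \
    '< HTTP/2 200' '< server: Apache/2.4.27 (centos) OpenSSL/1.0.2l'; }

sample_fail | diagnose_h2 || true
sample_ok | diagnose_h2
```

The banner check only works when the server exposes version details in its `Server` header; with a reduced banner the verdict falls back to "cause not visible in transcript".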
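Since CentOS 7.4 now provides 1.0.2k in base, I expect the IUS and SCL repositories will support it before long.
I have some reservations about using this on a production machine, but I think it is ideal for heavy tinkering in a test environment.
Being able to install it this easily with yum is something I am truly grateful for.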
Thanks! Alexander Gerasimov and CodeIT Technical blog.