Supporting Http2 on Amazon Linux with Apache with OpenSSL 1.0.1

openssl redhat http2 amazon-linux

I'm trying to run an http2 web server on Amazon linux over Apache. From what I understand OpenSSL 1.0.2 is required to use Http2. However, my current distribution only supports OpenSSL 1.0.1. I've checked RedHat and its the same.

Is there an easy way to do this?


Well first up you need to understand that packaged distributions offer stability and security over the latest versions. This is a trade off that works well most of the time, but leaves you behind the latest features like HTTP/2.

Crucially it does not usually leave you behind on security patches as these are usually back ported into previous versions which are easily applied by running an update (e.g. running "sudo yum update" on red hat). So I will mention security a lot in this answer rather than just simply answering your question so you can understand the concerns here.

Next up you also need to realise that HTTP/2 is still fairly new - the spec was only finalised in May 2015 and implementations for Apache (and Nginx) only started to show up at the end of 2015 and are still marked as experimental in official documentation. There have been a lot of changes and bug fixes to mod_http2 for example, though this has slowed down more recently and it now seems fairly stable. So the point is you not only want the latest version of openssl but really should install the latest version of Apache too to ensure the latest stable and secure version (notably versions 2.4.18 - 2.4.20 had a security issue in mod_http2 when using client certs for example).

So, back to the distro problem, if you want the latest features for a package (and HTTP/2 is relatively new so counts under that banner) then you've a few options:

  1. Build from source.
  2. Find another rpm or repository that packages later versions of software for your OS.
  3. Put something which does support HTTP/2 in front of your webserver.

The first two of these mean stepping outside of the officially supported packaged versions and does bring in security concerns. You'll need to stay on top of any bugs or issues in those version and do the same manual upgrades again when you think is necessary, as you lose the safety net of distro supported patches (which are much easier to apply).

Building from source is how packages used to be installed and is nowhere near as hard as some might think. I've a blog post on how to build openssl, nghttp2 and Apache httpd from source precisely to allow HTTP/2, which should work on most Linux systems (though I've not tried it on Amazon Linux), but exact config options will depend on how you run Apache. The good news is you can install openssl in a separate location just for Apache's use and continue to use the older, distro supported version for the rest of your system. However do bear in mind that a public facing webserver is obviously a key potential vulnerability and the one where you'd ideally like to be running the packaged version! Installing from source also usually requires root access and so introduces possibility of nefarious code getting on your system so you really should only download source code from official sites and mirrors. Most source code installs allow you to verify a download before you install it which is recommended. See the Apache instructions on verifying downloads for example.

Using other, unofficial packages (e.g. from http://rpmfind.net) or repositories should in theory be even simpler than building from source but shifts the security aspect to trusting those who put together the packages or manage the repos. This affects you not only in terms of trusting that they haven't altered the code, but also leaves you to trust they will continue to update and maintain newer versions in future. Honestly I'm not a big fan for those reasons and prefer to just install from source if I need a later package but maybe that's just me.

The final option is to put something in front of your webserver which does support http/2. That could be software or hardware like another webserver, load balancer or perhaps a CDN. Cloudflare for example is a CDN with excellent HTTP/2 support and even a free plan (note I have not used it but see other recommend it). Downside here is more infrastructure and you may also not wish to lose the control of managing this yourself on your server(s).

Bit long winded but hope that helps!

Related

Postfix - How to prevent external clients from using my server as a relay? [closed]
How can I create a user account that only allows for uploads via sftp?
I changed mysql root password and I cant access It. password contained some chars
Hacked CentOS 5 server - possible rootkit installed? [duplicate]
pptp vpn - Kill User Connection
is it possible to direct connect a client and server with 10GBASE CX4 copper cables?
Something is blocking port 25 - how to debug?
Determining type of Linux machine
How to make domain point to another web directory?
vsftpd: **ONLY** Ftp access for local user?
How do you run Nginx on port 8080 and Apache on port 80 on the same box?
Can the startup order for windows services be configured? If so, where?