Version: 3.14.x.x LTS

Apache httpd 2.4

How to migrate to nevisProxy based on Apache's httpd/2.4

In navajo.xml, web.xml and any other configuration files they include via attributes, rewrite the following names:

  • libmod_nevisproxy.so.1 to libmod_nevisproxy${HTTPD_LIB_VERSION}.so.1
  • libmodqos_ap_2_2.so.1 to libmodqos_ap${HTTPD_LIB_VERSION}.so.1
  • libmodsetenvifplus_ap_2_2.so.1 to libmodsetenvifplus_ap${HTTPD_LIB_VERSION}.so.1
  • libgenerators_ap_2_2.so.1 to libgenerators_ap${HTTPD_LIB_VERSION}.so.1
  • libStatus_Servlet.so.1 to libStatus_Servlet${HTTPD_LIB_VERSION}.so.1
  • "ch::nevis::navajo::apglue::httpd_2_2_x::servlet::status::StatusServlet" to "ch::nevis::navajo::apglue::httpd${HTTPD_LIB_VERSION}x::servlet::status::StatusServlet"
  • "ch::nevis::navajo::apglue::httpd_2_2_x::servlet::ApacheServlet" to "ch::nevis::navajo::apglue::httpd${HTTPD_LIB_VERSION}x::servlet::ApacheServlet"

You need at least version 3.12.17.0 for these changes.

Instances created with 3.12.17.0 or later do not need these steps. Do not, however, use the "old" names containing "2_2" or "2_4" on such an instance: they may not work correctly. Always use ${HTTPD_LIB_VERSION} instead.

If a CustomLog, TransferLog or ErrorLog parameter in navajo.xml contains more than one pipe '|', the first pipe must be replaced with |$. The reason is that httpd/2.4 starts a piped logger directly, without a shell, unless the command begins with |$; without it, the second '|' would be handed to the first program as a plain argument instead of forming a pipeline. For example:

httpd/2.2:

  ErrorLog=""|/opt/nevisproxy/bin/qslogger -p -t nevisProxy/error/default -f local3 -l INFO |/opt/nevisproxy/bin/bclogmgr size=524288000 archives=2 /var/opt/nevisproxy/default/logs/apache.log""

httpd/2.4:

  ErrorLog=""|$/opt/nevisproxy/bin/qslogger -p -t nevisProxy/error/default -f local3 -l INFO |/opt/nevisproxy/bin/bclogmgr size=524288000 archives=2 /var/opt/nevisproxy/default/logs/apache.log""

After rewriting the names listed above, add the following entry to env.conf (the nevisProxy config env file): APACHE_VERSION=2.4
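The rename and the |$ rule can be applied mechanically. The script below is an added example, not Nevis code: it rewrites the library and class names from the list above to the ${HTTPD_LIB_VERSION} form (it also maps literal "_2_4" names, which the text says must not be used on new instances either), inserts |$ into any ErrorLog, CustomLog or TransferLog line that carries more than one pipe, and then checks that no old names remain. The sample navajo.xml fragment is constructed for the demonstration and assumes each Connector parameter sits on its own line; the sed and awk patterns are the author's, not part of nevisProxy.

```shell
#!/bin/sh
# Added example, not Nevis code: rewrite httpd/2.2-era module and class names
# in a nevisProxy configuration file to the ${HTTPD_LIB_VERSION} form and
# apply the "|$" rule to multi-pipe log directives. Assumes each Connector
# parameter (ErrorLog=..., CustomLog=..., TransferLog=...) sits on its own line.
set -eu

# Rewrite $1 into $2. Literal "_2_4" names are mapped as well, since the
# migration text says those must not be used on new instances either.
migrate_config() {
  sed \
    -e 's/libmod_nevisproxy\.so\.1/libmod_nevisproxy${HTTPD_LIB_VERSION}.so.1/g' \
    -e 's/libmodqos_ap_2_[24]\.so\.1/libmodqos_ap${HTTPD_LIB_VERSION}.so.1/g' \
    -e 's/libmodsetenvifplus_ap_2_[24]\.so\.1/libmodsetenvifplus_ap${HTTPD_LIB_VERSION}.so.1/g' \
    -e 's/libgenerators_ap_2_[24]\.so\.1/libgenerators_ap${HTTPD_LIB_VERSION}.so.1/g' \
    -e 's/libStatus_Servlet\.so\.1/libStatus_Servlet${HTTPD_LIB_VERSION}.so.1/g' \
    -e 's/apglue::httpd_2_[24]_x::/apglue::httpd${HTTPD_LIB_VERSION}x::/g' \
    "$1" |
  awk '
    # httpd/2.4 runs a piped logger without a shell unless the command starts
    # with "|$", so a second "|" would reach the first program as an argument.
    # Only log directives with more than one pipe are touched, once.
    /^[[:space:]]*(ErrorLog|CustomLog|TransferLog)=/ {
      n = gsub(/\|/, "|")
      if (n > 1 && index($0, "|$") == 0) sub(/\|/, "|$")
    }
    { print }
  ' > "$2"
}

# Succeeds when no "2_2"/"2_4" names are left in $1.
check_migrated() {
  ! grep -Eq 'libmod_nevisproxy\.so\.1|libStatus_Servlet\.so\.1|_ap_2_[24]\.so|httpd_2_[24]_x' "$1"
}

# Constructed sample of the affected lines (not a real navajo.xml).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/navajo.xml" <<'EOF'
<Engine lib="libmod_nevisproxy.so.1"/>
<Module lib="libmodqos_ap_2_2.so.1"/>
<Servlet class="ch::nevis::navajo::apglue::httpd_2_2_x::servlet::ApacheServlet" lib="libgenerators_ap_2_2.so.1"/>
    ErrorLog="|/opt/nevisproxy/bin/qslogger -p -t nevisProxy/error/default -f local3 -l INFO |/opt/nevisproxy/bin/bclogmgr size=524288000 archives=2 /var/opt/nevisproxy/default/logs/apache.log"
    TransferLog="|/opt/nevisproxy/bin/bclogmgr size=524288000 archives=2 /var/opt/nevisproxy/default/logs/access.log"
EOF

migrate_config "$WORK/navajo.xml" "$WORK/navajo.xml.new"
check_migrated "$WORK/navajo.xml.new"
cat "$WORK/navajo.xml.new"
```

Run it a second time over its own output and the file is unchanged: the sed patterns no longer match and the awk rule skips lines that already carry |$, so the script is safe to re-run on a partially migrated instance. The single-pipe TransferLog line is left alone, as the page requires.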

How to add support for http/2

You need httpd/2.4, as explained in the chapter How to migrate to nevisProxy based on Apache's httpd/2.4. Then add the following to navajo.xml, inside the Connector element:

<H2
H2Direct="on"
Protocols="h2 h2c http/1.1"
H2SerializeHeaders="on"
/>

H2SerializeHeaders="on" makes mod_http2 hand each HTTP/2 request to httpd in serialized HTTP/1.1 form; this costs some throughput but keeps the request processable by modules that hook the HTTP/1.1 request path, so leave it as shown. Note that "h2" (HTTP/2 over TLS) is only negotiated when the TLS settings allow it: by default mod_http2 refuses HTTP/2 on connections using a TLS version below 1.2 or a cipher suite black-listed by RFC 7540 (see the H2ModernTLSOnly directive), and clients then fall back to http/1.1 silently. "h2c" and H2Direct="on" only matter for cleartext listeners; drop them if the connector is TLS-only. To verify the result, run curl -sI --http2 https://<host>/ against the proxy: the status line should start with HTTP/2.

Default DH parameters with Apache httpd/2.4

nevisProxy configurations based on Apache httpd/2.4 use, by default, the standardized DH groups defined in RFC 3526.

The group length is chosen to match the key size of the server certificate: a 2048-bit server key gets the 2048-bit group, larger keys get larger groups. A server key of at least 2048 bits therefore guarantees a DH group of at least 2048 bits; with a shorter key the selected group is shorter as well, and the size condition below is no longer met.

Using these public groups is not a weakness in itself.

The security of Diffie-Hellman rests on the discrete-logarithm problem in the group and on the secrecy of each party's exponent, not on the secrecy of the modulus and generator, so using the predefined public parameters from RFC 3526 does not weaken the key exchange as long as the group is large enough (more than 1024 bits; against a widely shared 1024-bit group, the precomputation attack behind Logjam becomes practical, which is why 2048 bits is the floor).

Moreover, the RFC 3526 groups are safe primes with generator 2 whose values are derived from the digits of pi (nothing-up-my-sleeve numbers), and they have been publicly vetted for years. nevisProxy is thus in line with current best practice.

If you nevertheless want your own DH parameters, there are two options for the moment: the SSLOpenSSLConfCmd Apache directive (SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"), or appending the parameters to the first certificate file as described in the next section.

Finally, with Apache 2.4, custom DH parameters defined with the now deprecated SSLDHParametersFile directive are ignored, and a notice is logged.

Defining custom DH parameters for Apache httpd/2.4 in first certificate

The SSLDHParametersFile directive is not supported with Apache httpd/2.4; when it is detected, a notice is logged and the directive is ignored.

With Apache httpd/2.4, custom DH parameters for ephemeral keys must be appended to the first file configured with the SSLCertificateFile directive. Such parameters can be generated with openssl dhparam and appended to the certificate file. Only the first certificate file can carry custom parameters, because they are applied independently of the authentication algorithm type. If that file contains no DH block, the RFC 3526 default described above applies.

Example of creating custom DH parameters of 2048 bits and appending them to first_certificate.pem:

  openssl dhparam -out dHParam.pem 2048
  cat dHParam.pem >> first_certificate.pem
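Appending blindly can leave you with a certificate file that still loads but with a group you did not intend (or none at all, if the file was already touched). The script below is an added example, not Nevis code: it wraps the two commands above in checks that the target still parses as a certificate, that the DH block is present exactly once, and that its size meets a minimum. It relies only on the openssl command line; the file name first_certificate.pem comes from the page, while the helper names (pem_block, dh_bits_in_file, append_dh_params, check_dh_policy) are the author's.

```shell
#!/bin/sh
# Added example, not Nevis code: append custom DH parameters to the first
# SSLCertificateFile of an httpd/2.4-based nevisProxy and verify the result.
set -eu

# Print the first PEM block named $1 (e.g. "DH PARAMETERS") from file $2.
pem_block() {
  sed -n "/^-----BEGIN $1-----\$/,/^-----END $1-----\$/p" "$2"
}

# Bit length of the DH group stored in $1, or nothing if the file has none.
# The block is cut out first so that a leading CERTIFICATE block is not
# mistaken for the parameters by the openssl CLI.
dh_bits_in_file() {
  pem_block "DH PARAMETERS" "$1" |
    openssl dhparam -noout -text 2>/dev/null |
    sed -n 's/^ *DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Append the DH parameters in $2 to the certificate file $1. Refuses to touch
# a file that does not parse as a certificate, parameters that fail
# "openssl dhparam -check", or a file that already carries a group.
append_dh_params() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl dhparam -in "$2" -noout -check >/dev/null 2>&1 || return 1
  if [ -n "$(dh_bits_in_file "$1")" ]; then
    echo "$1 already contains DH parameters" >&2
    return 1
  fi
  cat "$2" >> "$1"
}

# Succeed only when $1 carries a DH group of at least $2 bits. For a 2048-bit
# server key the mod_ssl default is already the 2048-bit RFC 3526 group, so a
# smaller custom group would be a regression.
check_dh_policy() {
  dh_bits_found=$(dh_bits_in_file "$1")
  [ -n "$dh_bits_found" ] && [ "$dh_bits_found" -ge "$2" ]
}

# Usage: sh add_dh.sh first_certificate.pem
# Generates 2048-bit safe-prime parameters (this takes a while), appends them
# and checks the file. Without an argument only the functions are defined.
if [ -n "${1:-}" ]; then
  openssl dhparam -out dHParam.pem 2048
  append_dh_params "$1" dHParam.pem
  check_dh_policy "$1" 2048
  echo "$1: DH parameters OK ($(dh_bits_in_file "$1") bit)"
fi
```

After restarting nevisProxy, the group actually offered can be confirmed from the client side with openssl s_client against the proxy using a DHE cipher suite; the certificate file check above only proves what is on disk.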