Install Apache with mod_ssl & mod_http2 on CentOS 8 / RHEL 8


(May 30, 2019)

Questions: How to install Apache on RHEL 8 / CentOS 8? How to install mod_ssl on RHEL 8 / CentOS 8? How to install mod_http2 on RHEL 8 / CentOS 8? This post discusses how to install the Apache web server with mod_ssl and mod_http2. Apache is an open-source web server developed by the Apache Software Foundation. A web server (HTTP server) is a network service that serves content to clients over the web through the Hypertext Transfer Protocol (HTTP).

In Red Hat Enterprise Linux 8 (RHEL 8), the Apache HTTP Server has been updated to version 2.4.33 with the following new features.

  • Pre-configured multi-processing module (MPM)
  • The minimum UID and GID allowed for users by suexec are now 1000 and 500 respectively (RHEL 7 httpd used 100 and 100).
  • /etc/sysconfig/httpd is no longer a supported interface for setting environment variables for the httpd service
  • HTTP/2 is now supported through the mod_http2 package.
  • New modules added – mod_proxy_uwsgi, mod_proxy_hcheck, mod_proxy_fdpass, mod_cache_socache, and mod_md.
  • New subpackage httpd-filesystem owning directories.
  • New httpd-init.service replaces the %post script to create a self-signed mod_ssl keypair.
  • The mod_auth_kerb module has been replaced by the mod_auth_gssapi module.

Install Apache on RHEL 8

The Apache web server package in RHEL 8 is called httpd. This package and its tools are distributed through the Application Stream repository. Install the httpd module on RHEL 8 using the command:

$ sudo yum install @httpd
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Last metadata expiration check: 0:43:01 ago on Sat 29 Dec 2018 09:52:44 AM EAT.
Dependencies resolved.
Package Arch Version Repository Size
Installing group/module packages:
httpd x86_64 2.4.35-6.el8+2089+57a79027 rhel-8-for-x86_64-appstream-beta-rpms 1.4 M
httpd-filesystem noarch 2.4.35-6.el8+2089+57a79027 rhel-8-for-x86_64-appstream-beta-rpms 32 k
httpd-tools x86_64 2.4.35-6.el8+2089+57a79027 rhel-8-for-x86_64-appstream-beta-rpms 99 k
mod_ssl x86_64 1:2.4.35-6.el8+2089+57a79027 rhel-8-for-x86_64-appstream-beta-rpms 127 k
mod_http2 x86_64 1.11.3-1.el8+2087+db8dc917 rhel-8-for-x86_64-appstream-beta-rpms 156 k
Installing dependencies:
apr x86_64 1.6.3-8.el8 rhel-8-for-x86_64-appstream-beta-rpms 125 k
apr-util x86_64 1.6.1-6.el8 rhel-8-for-x86_64-appstream-beta-rpms 105 k
redhat-logos-httpd noarch 80.5-1.el8 rhel-8-for-x86_64-baseos-beta-rpms 24 k
Installing weak dependencies:
apr-util-bdb x86_64 1.6.1-6.el8 rhel-8-for-x86_64-appstream-beta-rpms 25 k
apr-util-openssl x86_64 1.6.1-6.el8 rhel-8-for-x86_64-appstream-beta-rpms 27 k
Installing module profiles:
httpd/default
Enabling module streams:
httpd 2.4
Transaction Summary
Install 10 Packages
Total download size: 2.1 M
Installed size: 5.7 M
Is this ok [y/N]: y

This will install the following httpd packages.

  • httpd: The Apache HTTP web Server.
  • httpd-filesystem: contains the basic directory layout for the Apache HTTP server including the correct permissions for the directories.
  • httpd-tools: Contains tools which can be used with the Apache HTTP server
  • mod_http2: Apache httpd module which implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.
  • mod_ssl: Provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
  • and other required dependencies – apr*

The httpd service, by default, reads the configuration from the following locations.

  • /etc/httpd/conf/httpd.conf – This is the main httpd configuration file.
  • /etc/httpd/conf.d/ – This is an auxiliary directory for configuration files that are included in the main configuration file. You can place configuration files, such as those for VirtualHosts, in this directory.
  • /etc/httpd/conf.modules.d/ – Contains the configuration files which load dynamic modules packaged in RHEL. Configuration files in this directory are processed first.
  • /usr/lib64/httpd/modules/ – Directory with httpd modules.

Managing httpd service on RHEL 8

This section will describe how to manage Apache HTTP service states – start, stop, restart, and check the current status.

Starting the httpd service:

sudo systemctl start httpd.service

Use the command below to enable the httpd service to start automatically at boot time:

sudo systemctl enable httpd.service

The single command below starts the service and enables it to start at boot time.

sudo systemctl enable --now httpd.service

Confirm that the service is set to start at boot.

$ sudo systemctl is-enabled  httpd.service
enabled

Stopping httpd service

To stop the running httpd service, type the following command:

sudo systemctl stop httpd.service

To prevent the service from starting automatically at boot time, type:

sudo systemctl disable httpd.service

Restarting the httpd service

There are two ways to restart the httpd service.

1. Stop the running httpd service and immediately start it again – Useful after installing or removing a dynamically loaded module such as PHP.

sudo systemctl restart httpd.service

2. Reload the configuration without affecting active requests – The running httpd service will only reload its configuration file and all requests currently being processed will continue to use the old configuration.

sudo systemctl reload httpd.service

To check the configuration for possible errors, type:

$ sudo apachectl configtest
Syntax OK

If the configuration files don't have an error, you should get Syntax OK.

Loading SSL Module

We installed the mod_ssl module, but you have to load it with the LoadModule directive before you can use it.

To load the mod_ssl DSO, add the line below at the end of the httpd.conf configuration file.

LoadModule ssl_module modules/mod_ssl.so

Restart the web server after loading the module to reload the configuration.

sudo systemctl restart httpd

The default SSL configuration file is /etc/httpd/conf.d/ssl.conf. You can, for example, disable SSL version 2 and SSL version 3 by modifying the SSLProtocol directive in this file.

SSLProtocol all -SSLv2 -SSLv3

The line below disables all SSL and TLS protocols except TLS 1 and up:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

Restart the Apache daemon after making the change.

sudo systemctl restart httpd
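
To see what each SSLProtocol line above actually leaves enabled, the following added example (not part of the original guide) evaluates a directive token by token and reports which of the enabled versions are legacy. The function names, the expansion of "all" (assumed to be an OpenSSL 1.1.1 build with SSLv3 compiled in) and the legacy list are assumptions of this example; what the server negotiates also depends on the OpenSSL build, so confirm with the openssl s_client checks in this guide.

```shell
#!/bin/sh
# Added example: evaluate an SSLProtocol directive left to right.
# "all" enables every version, "-all" clears the set,
# "+X" (or bare "X") adds X, "-X" removes X.

# Assumption: what "all" expands to on an OpenSSL 1.1.1 build with SSLv3 compiled in.
ALL_VERSIONS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
# Versions this audit reports as legacy (TLS 1.0/1.1 were deprecated by RFC 8996).
LEGACY_VERSIONS="SSLv3 TLSv1 TLSv1.1"

# effective_protocols "<directive line>" -> space-separated enabled versions
effective_protocols() (
    enabled=""
    set -- ${1#*SSLProtocol}    # keep only the directive's arguments
    for tok in "$@"; do
        case "$tok" in
            all|+all) enabled="$ALL_VERSIONS" ;;
            -all)     enabled="" ;;
            -*)       out=""
                      for v in $enabled; do
                          [ "$v" = "${tok#-}" ] || out="$out $v"
                      done
                      enabled="${out# }" ;;
            *)        case " $enabled " in
                          *" ${tok#+} "*) ;;                       # already enabled
                          *) enabled="${enabled:+$enabled }${tok#+}" ;;
                      esac ;;
        esac
    done
    echo "$enabled"
)

# legacy_protocols "<directive line>" -> enabled versions that are legacy
legacy_protocols() (
    hits=""
    for v in $(effective_protocols "$1"); do
        case " $LEGACY_VERSIONS " in
            *" $v "*) hits="${hits:+$hits }$v" ;;
        esac
    done
    echo "$hits"
)

# The two directives shown in this guide, evaluated in turn.
while read -r line; do
    printf '%s\n  enabled: %s\n  legacy:  %s\n' "$line" \
        "$(effective_protocols "$line")" "$(legacy_protocols "$line")"
done <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
EOF
```

An empty "legacy" line means the directive leaves only TLS 1.2 and later enabled.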

To check which versions of SSL and TLS are enabled or disabled, you can use the openssl s_client -connect command.

openssl s_client -connect <hostname>:<port> -<protocol>

Protocol can be -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, etc.

See example below.

# Test if SSLv3 is enabled
$ openssl s_client -connect localhost:443 -ssl3

# Test if TLSv1.2 is enabled
$ openssl s_client -connect localhost:443 -tls1_2

Sample output.

# openssl s_client -connect localhost:443 -tls1_2

CONNECTED(00000004)
depth=1 C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:C = US, O = Unspecified, CN = rhel8.local, emailAddress = [email protected]
   i:C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
 1 s:C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
   i:C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, O = Unspecified, CN = rhel8.local, emailAddress = [email protected]

issuer=C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
.......

The directives for configuring SSL key and certificate are:

SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key

Configuring Firewall

Allow ports 80 and 443 if you have the firewalld service running.

$ sudo firewall-cmd --add-service={http,https} --permanent
success
$ sudo firewall-cmd --reload
success
$ firewall-cmd --list-services
cockpit dhcpv6-client http https ssh

You can read more about Firewalld on Getting Started With Firewalld.

Loading HTTP/2 Module – mod_http2

Enable support for HTTP/2 by loading the mod_http2 module:

LoadModule http2_module modules/mod_http2.so

Also add the following Protocols directive:

Protocols h2 h2c http/1.1

Meaning of Protocols directive parameters:

  • h2 – instructs Apache to support HTTP/2 protocol over SSL/TLS
  • h2c – instructs Apache to support HTTP/2 over cleartext TCP (without TLS)
  • http/1.1 – if client doesn’t accept HTTP/2 then serve the request over HTTP/1.1

Restart the Apache web server to apply the new configuration.

sudo systemctl restart httpd

Reference: Apache Module mod_http2 documentation.

Setting up virtual hosts

The Apache HTTP Server has built-in virtual hosting, which allows it to serve content based on which IP address, host name, or port is being requested. Place your VirtualHost configuration files in the /etc/httpd/conf.d/ directory.

Here is an example:

sudo vim /etc/httpd/conf.d/example.conf

With data similar to below.

<VirtualHost *:80>
    # Placeholder contact address; replace with your own
    ServerAdmin webmaster@example.com
    DocumentRoot "/var/www/html/example"
    ServerName sxi.io
    ServerAlias www.sxi.io
    ErrorLog "/var/log/httpd/example-error_log"
    CustomLog "/var/log/httpd/example-access_log" common
</VirtualHost>
  • ServerName must be a valid DNS name assigned to the server hosting the site.

Restart httpd service to activate the newly created virtual host.

sudo systemctl restart httpd

This marks the end of our guide on how to install Apache with mod_ssl & mod_http2 on RHEL 8 / CentOS 8.