Questions: how to install Apache on RHEL 8 / CentOS 8, how to install mod_ssl on RHEL 8 / CentOS 8, and how to install mod_http2 on RHEL 8 / CentOS 8? This post discusses how to install the Apache web server with mod_ssl and mod_http2. Apache is an open-source web server developed by the Apache Software Foundation. A web server (HTTP server) is a network service used to serve content to a client over the web through the Hypertext Transfer Protocol (HTTP).
In Red Hat Enterprise Linux 8 (RHEL 8), the Apache HTTP Server has been updated to version 2.4.33 with the following new features.
- Pre-configured multi-processing module (MPM)
- The minimum UID and GID allowed for users by suexec are now 1000 and 500 respectively (RHEL 7 httpd used 100 and 100).
- /etc/sysconfig/httpd is no longer a supported interface for setting environment variables for the httpd service.
- HTTP/2 is now supported through the mod_http2 package.
- New modules added – mod_proxy_uwsgi, mod_proxy_hcheck, mod_proxy_fdpass, mod_cache_socache, and mod_md.
- New subpackage httpd-filesystem owning directories.
- New httpd-init.service replaces the %post script to create a self-signed mod_ssl keypair.
- The mod_auth_kerb module has been replaced by the mod_auth_gssapi module.
Install Apache on RHEL 8 / CentOS 8
The Apache web server package in RHEL 8 is called httpd. This package and its tools are distributed through the Application Stream repository. Install the httpd module on RHEL 8 using the command:
$ sudo yum install @httpd
....
Dependencies resolved.
======================================================================================================================================================================================================
Package Architecture Version Repository Size
======================================================================================================================================================================================================
Installing group/module packages:
httpd x86_64 2.4.37-39.module+el8.4.0+655+f2bfd6ee.1 appstream 1.4 M
httpd-filesystem noarch 2.4.37-39.module+el8.4.0+655+f2bfd6ee.1 appstream 38 k
httpd-tools x86_64 2.4.37-39.module+el8.4.0+655+f2bfd6ee.1 appstream 105 k
mod_http2 x86_64 1.15.7-3.module+el8.4.0+553+7a69454b appstream 153 k
mod_ssl x86_64 1:2.4.37-39.module+el8.4.0+655+f2bfd6ee.1 appstream 134 k
Installing dependencies:
apr x86_64 1.6.3-11.el8.1 appstream 124 k
apr-util x86_64 1.6.1-6.el8.1 appstream 104 k
mailcap noarch 2.1.48-3.el8 baseos 38 k
rocky-logos-httpd noarch 84.5-8.el8 baseos 22 k
sscg x86_64 2.3.3-14.el8 appstream 48 k
Installing weak dependencies:
apr-util-bdb x86_64 1.6.1-6.el8.1 appstream 23 k
apr-util-openssl x86_64 1.6.1-6.el8.1 appstream 26 k
Installing module profiles:
httpd/common
Enabling module streams:
httpd 2.4
Transaction Summary
======================================================================================================================================================================================================
Install 12 Packages
Total download size: 2.2 M
Installed size: 5.8 M
Is this ok [y/N]: y
This will install the following httpd packages.
- httpd: The Apache HTTP web Server.
- httpd-filesystem: contains the basic directory layout for the Apache HTTP server including the correct permissions for the directories.
- httpd-tools: Contains tools which can be used with the Apache HTTP server
- mod_http2: Apache httpd module which implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.
- mod_ssl: Provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
- and other required dependencies – apr*
The httpd service, by default, reads the configuration from the following locations.
- /etc/httpd/conf/httpd.conf – This is the main httpd configuration file.
- /etc/httpd/conf.d/ – This is an auxiliary directory for configuration files that are included in the main configuration file. You can place configuration files like for VirtualHosts in this directory.
- /etc/httpd/conf.modules.d/ – Contains the configuration files which load dynamic modules packaged in RHEL. Configuration files in this directory are processed first.
- /usr/lib64/httpd/modules/ – Directory with httpd modules.
Managing httpd service on RHEL 8 / CentOS 8
This section will describe how to manage Apache HTTP service states – start, stop, restart, and check the current status.
Starting the httpd service:
sudo systemctl start httpd.service
Use the command below to enable the httpd service to start automatically at boot time:
sudo systemctl enable httpd.service
A single command below can be used to start and enable the service to start at boot time.
sudo systemctl enable --now httpd.service
Confirm that the service is set to start at boot.
$ sudo systemctl is-enabled httpd.service
enabled
Stopping httpd service
To stop the running httpd service, type the following command:
sudo systemctl stop httpd.service
To prevent the service from starting automatically at boot time, type:
sudo systemctl disable httpd.service
Restarting the httpd service
There are two options for restarting the httpd service.
1. Stop the running httpd service and immediately start it again – useful after installing or removing a dynamically loaded module such as PHP.
sudo systemctl restart httpd.service
2. Reload the configuration without affecting active requests – the running httpd service will only reload its configuration file, and all requests currently being processed will continue to use the old configuration.
sudo systemctl reload httpd.service
To check the configuration for possible errors, type:
$ sudo apachectl configtest
Syntax OK
If the configuration files don't contain an error, you should get Syntax OK.
Loading SSL Module on Apache httpd server
We installed the mod_ssl module, but you have to load the module with the LoadModule directive before you can use it.
To load the mod_ssl DSO, add the line below at the end of the httpd.conf configuration file.
$ sudo vi /etc/httpd/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
Restart Web server after loading the module to reload configuration.
sudo systemctl restart httpd
The default SSL configuration file is /etc/httpd/conf.d/ssl.conf. You can, for example, disable SSL version 2 and SSL version 3 by modifying the SSLProtocol directive in this file.
SSLProtocol all -SSLv2 -SSLv3
The line below disables all SSL and TLS protocols except TLS 1.0 and up:
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
Restart Apache daemon after making the change.
sudo systemctl restart httpd
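As an added example (not part of the original post), the shell functions below resolve an SSLProtocol argument list to the versions it leaves enabled and flag SSLv3, TLS 1.0 and TLS 1.1, which are deprecated. The helper names effective_protocols and weak_protocols are hypothetical, and the list that "all" expands to is an assumption, since the real set depends on the httpd and OpenSSL build.

```bash
#!/bin/sh
# Added example: resolve SSLProtocol arguments to the versions left enabled.
# Assumption: "all" expands to this list; the real set depends on the
# httpd/OpenSSL build. SSLv2 is left out: mod_ssl in httpd 2.4 has no SSLv2.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
# Deprecated versions: SSLv3 (RFC 7568), TLS 1.0 and 1.1 (RFC 8996).
DEPRECATED="SSLv3 TLSv1 TLSv1.1"

# effective_protocols "<arguments>" -> enabled versions, oldest first
effective_protocols() {
    local enabled="" tok action name p keep out=""
    for tok in $1; do
        action=""; name="$tok"
        case "$tok" in
            +*) action="+"; name="${tok#+}" ;;
            -*) action="-"; name="${tok#-}" ;;
        esac
        if [ "$name" = "all" ]; then name="$ALL_PROTOCOLS"; fi
        case "$action" in
            +) enabled="$enabled $name" ;;
            -) keep=""
               for p in $enabled; do
                   case " $name " in *" $p "*) ;; *) keep="$keep $p" ;; esac
               done
               enabled="$keep" ;;
            *) enabled="$name" ;;   # a bare name replaces the set built so far
        esac
    done
    for p in $ALL_PROTOCOLS; do
        case " $enabled " in *" $p "*) out="$out $p" ;; esac
    done
    printf '%s\n' "${out# }"
}

# weak_protocols "<arguments>" -> deprecated versions that remain enabled
weak_protocols() {
    local p out=""
    for p in $(effective_protocols "$1"); do
        case " $DEPRECATED " in *" $p "*) out="$out $p" ;; esac
    done
    printf '%s\n' "${out# }"
}

# The two directives from the post, then a stricter one (constructed).
for args in "all -SSLv2 -SSLv3" "-all +TLSv1 +TLSv1.1 +TLSv1.2" \
            "-all +TLSv1.2 +TLSv1.3"; do
    printf 'SSLProtocol %s\n  enabled:    %s\n  deprecated: %s\n' "$args" \
        "$(effective_protocols "$args")" "$(weak_protocols "$args")"
done
```

A directive that resolves to no deprecated versions here still needs to be confirmed against the running server, since the effective set also depends on the OpenSSL build.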
To check which versions of SSL and TLS are enabled or disabled, you can use the openssl s_client -connect command.
openssl s_client -connect hostname:port -protocol
The protocol option can be -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, etc.
See the example below.
# Test if SSLv3 is enabled
$ openssl s_client -connect localhost:443 -ssl3
# Test if TLSv1.2 is enabled
$ openssl s_client -connect localhost:443 -tls1_2
Sample output.
$ sudo openssl s_client -connect localhost:443 -tls1_2
CONNECTED(00000004)
depth=1 C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:C = US, O = Unspecified, CN = rhel8.local, emailAddress = [email protected]
i:C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
1 s:C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
i:C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
---
Server certificate
subject=C = US, O = Unspecified, CN = rhel8.local, emailAddress = [email protected]
issuer=C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
.......
The directives for configuring SSL key and certificate are:
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
Configuring Firewall
Allow ports 80 and 443 if you have the firewalld service running.
$ sudo firewall-cmd --add-service={http,https} --permanent
success
$ sudo firewall-cmd --reload
success
$ firewall-cmd --list-services
cockpit dhcpv6-client http https ssh
Loading HTTP/2 Module – mod_http2
Enable support for HTTP/2 by loading the mod_http2 module:
LoadModule http2_module modules/mod_http2.so
Also add the line below to set the Protocols directive:
Protocols h2 h2c http/1.1
Meaning of Protocols directive parameters:
- h2 – instructs Apache to support HTTP/2 protocol over SSL/TLS
- h2c – instructs Apache to support HTTP/2 over cleartext TCP (without TLS)
- http/1.1 – if client doesn’t accept HTTP/2 then serve the request over HTTP/1.1
Restart the Apache web server to load the new configuration.
sudo systemctl restart httpd
Reference: Apache Module mod_http2 documentation.
Setting up virtual hosts
The Apache HTTP Server has built-in virtual hosting, which allows serving information based on which IP address, host name, or port is being requested. Place your VirtualHost configuration files in the /etc/httpd/conf.d/ directory.
Here is an example:
sudo vim /etc/httpd/conf.d/example.conf
With data similar to below.
<VirtualHost *:80>
    # The ServerAdmin address below is a placeholder
    ServerAdmin webmaster@example.com
    DocumentRoot "/var/www/html/example"
    ServerName example.com
    ServerAlias www.example.com
    ErrorLog "/var/log/httpd/example-error_log"
    CustomLog "/var/log/httpd/example-access_log" common
</VirtualHost>
- ServerName must be a valid DNS name assigned to the server hosting the site.
Restart httpd service to activate the newly created virtual host.
sudo systemctl restart httpd
This marks the end of our guide on how to install Apache with mod_ssl & mod_http2 on RHEL 8 / CentOS 8.