Install Apache with mod_ssl/mod_http2 on CentOS 8 | RHEL 8

Questions: How to install Apache on RHEL 8 / CentOS 8? How to install mod_ssl on RHEL 8 / CentOS 8? How to install mod_http2 on RHEL 8 / CentOS 8? This post discusses how to install the Apache web server with mod_ssl and mod_http2. Apache is an open-source web server developed by the Apache Software Foundation. A web server (HTTP server) is a network service that serves content to clients over the web through the Hypertext Transfer Protocol (HTTP).

In Red Hat Enterprise Linux 8 (RHEL 8), the Apache HTTP Server has been updated to version 2.4.33 with the following new features.

  • Pre-configured multi-processing module (MPM)
  • The minimum UID and GID allowed for users by suexec are now 1000 and 500 respectively (RHEL 7 httpd used 100 and 100).
  • /etc/sysconfig/httpd is no longer a supported interface for setting environment variables for the httpd service
  • HTTP/2 is now supported through the mod_http2 package.
  • New modules added – mod_proxy_uwsgi, mod_proxy_hcheck, mod_proxy_fdpass, mod_cache_socache, and mod_md.
  • New subpackage httpd-filesystem owning directories.
  • New httpd-init.service replaces the %post script to create a self-signed mod_ssl keypair.
  • The mod_auth_kerb module has been replaced by the mod_auth_gssapi module

Install Apache on RHEL 8 / CentOS 8

Apache Web server package in RHEL 8 is called httpd. This package and its tools are distributed through Application Stream repository. Install the httpd module on RHEL 8 using the command.

$ sudo yum install @httpd
Dependencies resolved.
 Package                                       Architecture                       Version                                                                 Repository                             Size
Installing group/module packages:
 httpd                                         x86_64                             2.4.37-39.module+el8.4.0+655+f2bfd6ee.1                                 appstream                             1.4 M
 httpd-filesystem                              noarch                             2.4.37-39.module+el8.4.0+655+f2bfd6ee.1                                 appstream                              38 k
 httpd-tools                                   x86_64                             2.4.37-39.module+el8.4.0+655+f2bfd6ee.1                                 appstream                             105 k
 mod_http2                                     x86_64                             1.15.7-3.module+el8.4.0+553+7a69454b                                    appstream                             153 k
 mod_ssl                                       x86_64                             1:2.4.37-39.module+el8.4.0+655+f2bfd6ee.1                               appstream                             134 k
Installing dependencies:
 apr                                           x86_64                             1.6.3-11.el8.1                                                          appstream                             124 k
 apr-util                                      x86_64                             1.6.1-6.el8.1                                                           appstream                             104 k
 mailcap                                       noarch                             2.1.48-3.el8                                                            baseos                                 38 k
 rocky-logos-httpd                             noarch                             84.5-8.el8                                                              baseos                                 22 k
 sscg                                          x86_64                             2.3.3-14.el8                                                            appstream                              48 k
Installing weak dependencies:
 apr-util-bdb                                  x86_64                             1.6.1-6.el8.1                                                           appstream                              23 k
 apr-util-openssl                              x86_64                             1.6.1-6.el8.1                                                           appstream                              26 k
Installing module profiles:
Enabling module streams:
 httpd                                                                            2.4

Transaction Summary
Install  12 Packages

Total download size: 2.2 M
Installed size: 5.8 M
Is this ok [y/N]: y

This will install the following httpd packages.

  • httpd: The Apache HTTP web Server.
  • httpd-filesystem: contains the basic directory layout for the Apache HTTP server including the correct permissions for the directories.
  • httpd-tools: Contains tools which can be used with the Apache HTTP server
  • mod_http2: Apache httpd module which implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.
  • mod_ssl: Provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
  • and other required dependencies – apr*

The httpd service, by default, reads the configuration from the following locations.

  • /etc/httpd/conf/httpd.conf – This is the main httpd configuration file.
  • /etc/httpd/conf.d/ – This is an auxiliary directory for configuration files that are included in the main configuration file. You can place configuration files such as VirtualHost definitions in this directory.
  • /etc/httpd/conf.modules.d/ – Contains the configuration files which load dynamic modules packaged in RHEL. Configuration files in this directory are processed first.
  • /usr/lib64/httpd/modules/ – Directory with httpd modules.

Managing httpd service on RHEL 8 / CentOS 8

This section describes how to manage the Apache HTTP service states – start, stop, restart – and check the current status.

Starting the httpd service:

sudo systemctl start httpd.service

Use below command to enable httpd service to start automatically at boot time:

sudo systemctl enable httpd.service

A single command below can be used to start and enable the service to start at boot time.

sudo systemctl enable --now httpd.service

Confirm if service is set to start at boot.

$ sudo systemctl is-enabled  httpd.service

Stopping httpd service

To stop the running httpd service, type the following command:

sudo systemctl stop httpd.service

To prevent the service from starting automatically at boot time, type:

sudo systemctl disable httpd.service

Restarting the httpd service

There are two ways to restart the httpd service.

1. Stop the running httpd service and immediately start it again – Useful after installing or removing a dynamically loaded module such as PHP.

sudo systemctl restart httpd.service

2. Reload the configuration without affecting active requests – The running httpd service will only reload its configuration file and all requests currently being processed will continue to use the old configuration.

sudo systemctl reload httpd.service

To check the configuration for possible errors, type:

$ sudo apachectl configtest
Syntax OK

If the configuration files don’t contain an error, you should get Syntax OK.

Loading SSL Module on Apache httpd server

We installed the mod_ssl module, but you have to load it with the LoadModule directive before you can use it.

To load the mod_ssl DSO, add the line below at the end of the httpd.conf configuration file.

$ sudo vi /etc/httpd/conf/httpd.conf
LoadModule ssl_module modules/

Restart Web server after loading the module to reload configuration.

sudo systemctl restart httpd

The default SSL configuration file is /etc/httpd/conf.d/ssl.conf. You can, for example, disable SSL version 2 and SSL version 3 by modifying the SSLProtocol directive in this file.

SSLProtocol all -SSLv2 -SSLv3

The line below disables all SSL and TLS protocols except TLS 1 and up.

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

Restart Apache daemon after making the change.

sudo systemctl restart httpd
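
The SSLProtocol lines above can be evaluated before a restart. The following script is an added example, not part of the original guide: it applies the +/- semantics to a directive's arguments and lists which of the resulting protocols are deprecated (SSLv3 by RFC 7568, TLS 1.0 and 1.1 by RFC 8996). The expansion of `all`, the function names and the third sample line are assumptions made for the example.

```shell
#!/bin/sh
# Added example: evaluate the arguments of one SSLProtocol directive.
# Assumption: "all" expands to the list below; the real set depends on the
# httpd and OpenSSL build. Protocol names are matched case-sensitively here.
ALL_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
# Deprecated versions: SSLv3 (RFC 7568), TLSv1 and TLSv1.1 (RFC 8996).
LEGACY="SSLv3 TLSv1 TLSv1.1"

# effective_protocols "<SSLProtocol arguments>": print the enabled protocols.
effective_protocols() {
    enabled=" "
    for tok in $1; do
        case "$tok" in
            +*) op=add; name=${tok#+} ;;
            -*) op=del; name=${tok#-} ;;
            *)  op=set; name=$tok; enabled=" " ;;   # bare name replaces the set
        esac
        if [ "$name" = all ]; then names=$ALL_PROTOS; else names=$name; fi
        for n in $names; do
            if [ "$op" = del ]; then
                rest=" "
                for e in $enabled; do [ "$e" = "$n" ] || rest="$rest$e "; done
                enabled=$rest
            else
                enabled="$enabled$n "
            fi
        done
    done
    out=""
    for p in $ALL_PROTOS; do
        case "$enabled" in *" $p "*) out="$out $p" ;; esac
    done
    printf '%s\n' "${out# }"
}

# legacy_protocols "<SSLProtocol arguments>": print enabled deprecated versions.
legacy_protocols() {
    found=""
    for p in $(effective_protocols "$1"); do
        case " $LEGACY " in *" $p "*) found="$found $p" ;; esac
    done
    printf '%s\n' "${found# }"
}

# Demo: the two directive lines from this page, plus a constructed TLS 1.2+ line.
for args in "all -SSLv2 -SSLv3" "-all +TLSv1 +TLSv1.1 +TLSv1.2" "-all +TLSv1.2 +TLSv1.3"; do
    echo "SSLProtocol $args => $(effective_protocols "$args") | deprecated: $(legacy_protocols "$args")"
done
```

Both directive lines shown on this page leave TLS 1.0 and TLS 1.1 enabled; only the constructed third line reports no deprecated protocol.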

To check which versions of SSL and TLS are enabled or disabled, you can use the openssl s_client -connect command.

openssl s_client -connect hostname:port -protocol

The protocol option can be -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, etc.

See example below.

# Test if SSLv3 is enabled
$ openssl s_client -connect localhost:443 -ssl3

# Test if TLSv1.2 is enabled
$ openssl s_client -connect localhost:443 -tls1_2

Sample output.

$ sudo openssl s_client -connect localhost:443 -tls1_2

depth=1 C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
Certificate chain
 0 s:C = US, O = Unspecified, CN = rhel8.local, emailAddress = [email protected]
   i:C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
 1 s:C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
   i:C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]
Server certificate
subject=C = US, O = Unspecified, CN = rhel8.local, emailAddress = [email protected]

issuer=C = US, O = Unspecified, OU = ca-4688871391028164607, CN = rhel8.local, emailAddress = [email protected]

The directives for configuring SSL key and certificate are:

SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key

Configuring Firewall

Allow ports 80 and 443 if you have the firewalld service running.

$ sudo firewall-cmd --add-service=http --add-service=https --permanent
$ sudo firewall-cmd --reload
$ firewall-cmd --list-services
cockpit dhcpv6-client http https ssh


Loading HTTP/2 Module – mod_http2

Enable support for HTTP/2 by loading the mod_http2 module.

LoadModule http2_module modules/

Also add the values below to the Protocols directive.

Protocols h2 h2c http/1.1

Meaning of Protocols directive parameters:

  • h2 – instructs Apache to support HTTP/2 protocol over SSL/TLS
  • h2c – instructs Apache to support cleartext HTTP/2 over TCP (no TLS)
  • http/1.1 – if client doesn’t accept HTTP/2 then serve the request over HTTP/1.1

Restart the Apache web server to reload the configuration.

sudo systemctl restart httpd

Reference: Apache Module mod_http2 documentation.

Setting up virtual hosts

The Apache HTTP Server has built-in virtual hosting, which allows serving content based on which IP address, host name, or port is being requested. Place your VirtualHost configuration files in the /etc/httpd/conf.d/ directory.

Here is an example:

sudo vim /etc/httpd/conf.d/example.conf

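Add content similar to the following.

<VirtualHost *:80>
    # *:80 and example.com are placeholders; use your own listener and DNS name
    ServerName example.com
    ServerAdmin [email protected]
    DocumentRoot "/var/www/html/example"
    ErrorLog "/var/log/httpd/example-error_log"
    CustomLog "/var/log/httpd/example-access_log" common
</VirtualHost>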
  • ServerName must be a valid DNS name assigned to the server hosting the site.

Restart httpd service to activate the newly created virtual host.

sudo systemctl restart httpd

This marks the end of our guide on how to install Apache with mod_ssl & mod_http2 on RHEL 8 / CentOS 8.


