Hi Rich,
[although it's way more
complicated than it needs to be, why isn't HTTP/2 the default out of
the box?]
HTTP/2 is insecure out-of-the-box. Remember CRIME and BREACH? The
protocol requires compression, and compression is a known attack
vector. From the abstract of RFC 7450:
This specification describes an optimized expression of the semantics
of the Hypertext Transfer Protocol (HTTP), referred to as HTTP
version 2 (HTTP/2). HTTP/2 enables a more efficient use of network
resources and a reduced perception of latency by introducing header
field compression and allowing multiple concurrent exchanges on the
same connection. It also introduces unsolicited push of
representations from servers to clients.
I am also not sure the push functionality is well understood in a
security context.
So it is probably a good idea to make HTTP/2 optional, until an
organization has an opportunity to weigh the risks versus reward.
Jeff
On Mon, Feb 27, 2023 at 7:44 AM Richard W.M. Jones <rjones(a)redhat.com> wrote:
>
> I fixed this now, but I could find virtually no documentation about it
> online, so I'm writing this email to document what surely must be a
> common problem ...
>
> I wanted to enable HTTP/2 support in Apache on Fedora 38.
>
> I followed the documentation here which worked [although it's way more
> complicated than it needs to be, why isn't HTTP/2 the default out of
> the box?]
>
>
https://httpd.apache.org/docs/2.4/howto/http2.html
>
> Anyway the problem I had was that the server worked fine provided
> there were not too many clients (and by "too many" I mean a simple
> load test with 4-16 clients failed). Apache randomly threw 403
> Forbidden errors, but with less load it gave a normal (2xx) response.
>
> The first problem is the error is misleading:
>
> [Wed Feb 22 13:24:52.013780 2023] [core:error] [pid 3047850:tid 3047899] (24)Too
many open files: [remote 192.168.0.139:53738] AH00132: file permissions deny server
access: /var/www/html/[filename]
>
> If you concentrate on the second part "file permissions deny server
> access" -- as I did -- then you'll be looking at file permissions,
> SELinux, restorecon, ausearch etc. That's a red herring, there is no
> permissions problem.
>
> The real error is the first part "Too many open files".
>
> It turns out that the default open file limit (1024!) is too low. To
> change this and fix the problem:
>
> # systemctl edit httpd
>
> This creates an "override" file to which you should add (or you could
> just create this file directly):
>
> # cat /etc/systemd/system/httpd.service.d/override.conf
> [Service]
> LimitNOFILE=65536
>
> and then restart Apache for the change to take effect.
>
> Why on earth Apache needs > 1024 open files to serve a dozen clients
> is not clear at all.
>