On Mon, Feb 27, 2023 at 11:42:49AM -0500, Jeffrey Walton wrote: > Hi Rich, > > > [although it's way more > > complicated than it needs to be, why isn't HTTP/2 the default out of > > the box?] > > HTTP/2 is insecure out-of-the-box. Remember CRIME and BREACH? The > protocol requires compression, and compression is a known attack > vector. From the abstract of RFC 7450: > > This specification describes an optimized expression of the semantics > of the Hypertext Transfer Protocol (HTTP), referred to as HTTP > version 2 (HTTP/2). HTTP/2 enables a more efficient use of network > resources and a reduced perception of latency by introducing header > field compression and allowing multiple concurrent exchanges on the > same connection. It also introduces unsolicited push of > representations from servers to clients. > > I am also not sure the push functionality is well understood in a > security context. > > So it is probably a good idea to make HTTP/2 optional, until an > organization has an opportunity to weigh the risks versus reward. Good points, thanks. Rich. > Jeff > > On Mon, Feb 27, 2023 at 7:44 AM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote: > > > > I fixed this now, but I could find virtually no documentation about it > > online, so I'm writing this email to document what surely must be a > > common problem ... > > > > I wanted to enable HTTP/2 support in Apache on Fedora 38. > > > > I followed the documentation here which worked [although it's way more > > complicated than it needs to be, why isn't HTTP/2 the default out of > > the box?] > > > > https://httpd.apache.org/docs/2.4/howto/http2.html > > > > Anyway the problem I had was that the server worked fine provided > > there were not too many clients (and by "too many" I mean a simple > > load test with 4-16 clients failed). Apache randomly threw 403 > > Forbidden errors, but with less load it gave a normal (2xx) response. > > > > The first problem is the error is misleading: > > > > [Wed Feb 22 13:24:52.013780 2023] [core:error] [pid 3047850:tid 3047899] (24)Too many open files: [remote 192.168.0.139:53738] AH00132: file permissions deny server access: /var/www/html/[filename] > > > > If you concentrate on the second part "file permissions deny server > > access" -- as I did -- then you'll be looking at file permissions, > > SELinux, restorecon, ausearch etc. That's a red herring, there is no > > permissions problem. > > > > The real error is the first part "Too many open files". > > > > It turns out that the default open file limit (1024!) is too low. To > > change this and fix the problem: > > > > # systemctl edit httpd > > > > This creates an "override" file to which you should add (or you could > > just create this file directly): > > > > # cat /etc/systemd/system/httpd.service.d/override.conf > > [Service] > > LimitNOFILE=65536 > > > > and then restart Apache for the change to take effect. > > > > Why on earth Apache needs > 1024 open files to serve a dozen clients > > is not clear at all. > > > _______________________________________________ > users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://people.redhat.com/~rjones/virt-top _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
