Hi Rich, > [although it's way more > complicated than it needs to be, why isn't HTTP/2 the default out of > the box?]
HTTP/2 is insecure out-of-the-box. Remember CRIME and BREACH? The protocol requires compression, and compression is a known attack vector. From the abstract of RFC 7450: This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients. I am also not sure the push functionality is well understood in a security context. So it is probably a good idea to make HTTP/2 optional, until an organization has an opportunity to weigh the risks versus reward. Jeff On Mon, Feb 27, 2023 at 7:44 AM Richard W.M. Jones <rjo...@redhat.com> wrote: > > I fixed this now, but I could find virtually no documentation about it > online, so I'm writing this email to document what surely must be a > common problem ... > > I wanted to enable HTTP/2 support in Apache on Fedora 38. > > I followed the documentation here which worked [although it's way more > complicated than it needs to be, why isn't HTTP/2 the default out of > the box?] > > https://httpd.apache.org/docs/2.4/howto/http2.html > > Anyway the problem I had was that the server worked fine provided > there were not too many clients (and by "too many" I mean a simple > load test with 4-16 clients failed). Apache randomly threw 403 > Forbidden errors, but with less load it gave a normal (2xx) response. > > The first problem is the error is misleading: > > [Wed Feb 22 13:24:52.013780 2023] [core:error] [pid 3047850:tid 3047899] > (24)Too many open files: [remote 192.168.0.139:53738] AH00132: file > permissions deny server access: /var/www/html/[filename] > > If you concentrate on the second part "file permissions deny server > access" -- as I did -- then you'll be looking at file permissions, > SELinux, restorecon, ausearch etc. That's a red herring, there is no > permissions problem. > > The real error is the first part "Too many open files". > > It turns out that the default open file limit (1024!) is too low. To > change this and fix the problem: > > # systemctl edit httpd > > This creates an "override" file to which you should add (or you could > just create this file directly): > > # cat /etc/systemd/system/httpd.service.d/override.conf > [Service] > LimitNOFILE=65536 > > and then restart Apache for the change to take effect. > > Why on earth Apache needs > 1024 open files to serve a dozen clients > is not clear at all. > _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
