Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Apache HTTP Server Installation Guide

Red Hat JBoss Core Services 2.4.62

For use with Red Hat JBoss middleware products.

Red Hat Customer Content Services

Abstract

Install, upgrade, and configure the Red Hat JBoss Core Services Apache HTTP Server on supported operating systems.

To report an error or to improve our documentation, log in to your Red Hat Jira account and submit an issue. If you do not have a Red Hat Jira account, then you will be prompted to create an account.

Procedure

  1. Click the following link to create a ticket.
  2. Enter a brief description of the issue in the Summary.
  3. Provide a detailed description of the issue or enhancement in the Description. Include a URL to where the issue occurs in the documentation.
  4. Clicking Create creates and routes the issue to the appropriate documentation team.

Making open source more inclusive
Copy link

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Red Hat JBoss Core Services (JBCS) provides a collection of supplementary software, including the Apache HTTP Server, that you can use with various Red Hat JBoss middleware products. Red Hat packages this supplementary software under JBCS to allow for faster distribution of updates and for a more consistent update experience.

For a full list of components that JBCS supports, see the Core Services Apache HTTP Server Component Details web page.

Note

Before you attempt to access the Core Services Apache HTTP Server Component Details web page, ensure that you have an active Red Hat subscription and you are logged in to the Red Hat Customer Portal.

1.1. JBCS Apache HTTP Server
Copy link

Red Hat JBoss Core Services (JBCS) provides a distribution of the Apache HTTP Server that multiple Red Hat JBoss middleware products use. The Apache HTTP Server processes requests that web clients send over the Hypertext Transfer Protocol (HTTP).

In older JBoss product releases, each JBoss middleware product provided a separate distribution of the Apache HTTP Server. Starting from the following product versions, each JBoss middleware product uses the JBCS distribution of the Apache HTTP Server:

  • Red Hat JBoss Enterprise Application Platform (JBoss EAP) 7.0 or later
  • Red Hat JBoss Web Server 3.1 or later

Both JBCS and Red Hat Enterprise Linux (RHEL) provide separate distributions of the Apache HTTP Server.

Important

On RHEL versions 9 and 10, JBCS does not provide an RPM distribution of the Apache HTTP Server. JBCS provides only an archive file distribution of the Apache HTTP Server for RHEL 9 and RHEL 10 systems.

Unlike JBCS releases on earlier RHEL versions, the JBCS distributions of the Apache HTTP Server for RHEL 9 and RHEL 10 systems are based on the RHEL distribution of the Apache HTTP Server httpd package. JBCS provides archive file distributions on RHEL 9 and RHEL 10 to support the ability to run multiple instances of the Apache HTTP Server simultaneously.

Consider the following differences between the Apache HTTP Server distributions that JBCS and RHEL provide:

On RHEL versions 7 and 8
  • You can install the JBCS Apache HTTP Server from an archive file or RPM package. You can install the RHEL Apache HTTP Server from an RPM package only.

  • Only the JBCS Apache HTTP Server provides the load-balancing HTTP connectors mod_jk and mod_proxy_cluster. The RHEL Apache HTTP Server does not provide these modules.

    Note

    In JBCS 2.4.37 and earlier releases, the mod_proxy_cluster connector was named mod_cluster.

  • On RHEL 7, only the JBCS Apache HTTP Server provides the mod_proxy_uwsgi module. From RHEL 8 onward, the JBCS and RHEL distributions of the Apache HTTP Server both provide the mod_proxy_uwsgi module.
On RHEL versions 9 and 10
  • Unlike JBCS releases on RHEL 7 and RHEL 8, the JBCS releases on RHEL 9 and RHEL 10 are based on the RHEL distribution of the Apache HTTP Server httpd package. JBCS on RHEL 9 or RHEL 10 therefore has certain behavioral differences compared to the JBCS distributions of the Apache HTTP Server on earlier RHEL versions. For more information, see Behavioral differences between JBCS distributions on different RHEL versions.
  • JBCS provides only an archive file distribution of the Apache HTTP Server. If you want to install the Apache HTTP Server from an RPM package, your only option is to install the RHEL distribution of the httpd package by using Application Streams.
  • The version of the Apache HTTP Server that JBCS provides is different from the version of the Apache HTTP Server that RHEL provides through the Application Streams feature.
  • The JBCS and RHEL distributions of the Apache HTTP Server provide identical copies of the mod_jk connector and the mod_proxy_cluster connector.
On all RHEL versions
  • The JBCS Apache HTTP Server uses a top-level jbcs-httpd24-2.4/httpd installation directory. The RHEL Apache HTTP Server uses standard RHEL directories for an installation of the httpd package such as /etc/httpd, usr/share/httpd, var/log/httpd, and so on.
  • When you install a JBCS distribution of the Apache HTTP Server from an archive file or from RPM packages by using the groupinstall option, you also automatically install the mod_jk and mod_proxy_cluster connectors.
  • The JBCS Apache HTTP Server does not provide or support the mod_php module. Only the RHEL Apache HTTP Server supports the mod_php module.

Unlike JBCS 2.4.62 on RHEL 7 or RHEL 8, the JBCS 2.4.62 distributions for RHEL 9 and RHEL 10 systems are based on the RHEL distribution of the Apache HTTP Server httpd package. This change to the way Red Hat distributes the httpd package from RHEL 9 onward helps to provide Apache HTTP Server users with a more consistent and streamlined user experience.

Because of this difference, JBCS 2.4.62 on RHEL 9 or RHEL 10 has certain behavioral differences compared to JBCS 2.4.62 on earlier RHEL versions.

Consider the following information:

  • On RHEL 9 and RHEL 10, the mod_security module does not support the SecCollectionGCFrequency directive for specifying garbage collection frequency. The mod_security module that JBCS provides on RHEL 7 and RHEL 8 supports the SecCollectionGCFrequency directive.
  • On RHEL 9 and RHEL 10, the mod_deflate module does not support the DeflateAlterEtag directive for specifying how to alter the ETag header when a response is compressed. The mod_deflate module that JBCS provides on RHEL 7 and RHEL 8 supports the DeflateAlterEtag directive.

  • On RHEL 9 and RHEL 10, the httpd.conf.sample file does not include the following content:

    • A default PidFile directive for specifying the file in which the server records the process ID of the daemon
    • A default list of AddLanguage directives for mapping specific filename extensions to specific content languages
    • A default LanguagePriority directive for setting the precedence of language variants in situations where a client does not express a preference

    • A configuration section for the web_dav module for web-based distributed authoring and versioning (WebDav)

      The httpd.conf.sample file that JBCS provides on RHEL 7 and RHEL 8 includes all of the preceding content.

Red Hat JBoss Core Services (JBCS) provides a distribution of the Apache HTTP Server for different versions of the Red Hat Enterprise Linux (RHEL) and Windows Server operating systems.

Consider the following guidelines for installing the JBCS Apache HTTP Server on supported operating systems:

  • On all supported RHEL and Windows Server versions, you can install the JBCS Apache HTTP Server by using archive installation files that are available for each platform.
  • On RHEL versions 7 and 8, you can install the JBCS Apache HTTP Server by using Red Hat Package Manager (RPM) packages.
  • On RHEL versions 9 and 10, if you want to install the Apache HTTP Server from an RPM package, you must install the RHEL distribution of the Apache HTTP Server by using Application Streams. You cannot install the JBCS Apache HTTP Server on RHEL 9 or RHEL 10 by using RPM packages.

If you previously installed Red Hat JBoss Core Services (JBCS) 2.4.57 or earlier, you can upgrade your existing JBCS installation to the latest 2.4.62 release. The steps to upgrade JBCS differ depending on whether you installed the product from archive files or RPM packages.

If you previously installed the JBCS Apache HTTP Server 2.4.57 or earlier from an archive file, you can upgrade to the latest 2.4.62 release.

Important

JBCS 2.4.62 installations on RHEL versions 8, 9, or 10 do not include standalone versions of any package dependencies such as openssl-pkcs11, jansson, curl, brotli, and nghttp2. JBCS distributions on RHEL versions 8, 9, or 10 require that you install the platform-supplied version of any dependencies. JBCS distributions on RHEL 7 or Windows Server still include standalone versions of package dependencies.

The upgrade process includes the following steps:

  1. Installing the Apache HTTP Server 2.4.62
  2. Setting up the Apache HTTP Server 2.4.62
  3. Removing an earlier version of Apache HTTP Server

Prerequisites

  • If you are using Red Hat Enterprise Linux (RHEL), you have root user access.
  • If you are using Windows Server, you have administrative access.
  • You have an existing installation of the JBCS Apache HTTP Server 2.4.57 or earlier that you installed from an archive file.

Procedure

  1. Shut down any running instances of the Apache HTTP Server 2.4.57.
  2. Back up the Apache HTTP Server 2.4.57 installation and configuration files.
  3. Install the Apache HTTP Server 2.4.62 by using the archive file installation method for the current system. For more information, see Additional Resources at the end of this section.

  4. Migrate your configuration from the Apache HTTP Server version 2.4.57 to version 2.4.62.

    Note

    The JBCS configuration files might have changed since the Apache HTTP Server 2.4.57 release. Update the 2.4.62 version configuration files rather than overwrite them with the configuration files from a different version, such as the Apache HTTP Server 2.4.57.

  5. Remove the Apache HTTP Server 2.4.57 root directory.

If you previously installed the JBCS Apache HTTP Server 2.4.57 or earlier from RPM packages, you can upgrade to the latest 2.4.62 release by using the dnf groupupdate command.

Prerequisites

  • You have an existing installation of the JBCS Apache HTTP Server 2.4.57 or earlier that you installed from RPM packages on RHEL 7 or RHEL 8.

Procedure

  • Enter the following command as the root user: 

    # dnf groupupdate jbcs-httpd24

1.4. Key differences between RHEL 7 and RHEL 8
Copy link

This section provides an overview of some of the key changes introduced in Red Hat Enterprise Linux (RHEL) 8.

Removed security functionality
All-numeric user and group names are deprecated in RHEL 7 and their support is completely removed in RHEL 8.
Memory management
In RHEL 7, the existing memory bus has capacity for 48/46 bit of virtual/physical memory addressing, and the Linux kernel implements 4 levels of page tables to manage these virtual addresses to physical addresses. With the extended address range, the memory management in RHEL 8 supports the implementation of 5-level page tables, to allow handling of the expanded address range. In RHEL 8, support for 5-level page tables is disabled by default, even if the system supports this feature.
XFS supports
RHEL 7 can mount XFS file systems with shared copy-on-write data extents only in the read-only mode. In RHEL 8, the XFS file system supports shared copy-on-write data extent functionality. This feature enables two or more files to share a common set of data blocks.
NFS configuration
In RHEL 7, the NFS configuration is located in the /etc/sysconfig/nfs file. In RHEL 8, the NFS configuration is located in the /etc/nfs.conf file.

1.5. Key differences between RHEL 8 and RHEL 9
Copy link

This section provides an overview of some of the key changes introduced in Red Hat Enterprise Linux (RHEL) 9.

Application Streams enhancement

RHEL 8 introduced a feature called Application Streams. RHEL uses Application Streams to deliver and update multiple versions of user-space components such as applications, runtime languages, and databases more frequently than the core operating system packages. Each Application Stream represents a specific version of a component, and each component in an Application Stream has a defined life cycle. Application Streams provide users greater flexibility to use the component versions that suit their requirements for specific use cases and workloads without impacting the underlying stability of the platform or deployments.

On RHEL 8, Red Hat packaged the content in Application Streams as a combination of RPM packages, modules (package groups), and Software Collections. RHEL 9 further enhances the Application Streams feature by providing initial Application Stream versions that you can install as RPM packages by using the standard dnf install command

Availability of Apache connectors and load balancers

RHEL 9 provides a distribution of the Apache Tomcat Connector (mod_jk) and the JBoss HTTP Connector (mod_proxy_cluster) for load-balancing web client requests to back-end application servers. The RHEL distribution of mod_jk and mod_proxy_cluster is identical to the JBCS distribution of these modules.

Installing the RHEL distribution of the Apache HTTP Server does not automatically install the mod_jk and mod_proxy_cluster modules. For more information about installing mod_jk and mod_proxy_cluster from RPM packages on RHEL 9, see the Apache HTTP Server Connectors and Load Balancing Guide.

1.6. Key differences between RHEL 9 and RHEL 10
Copy link

This section provides an overview of some of the key changes introduced in Red Hat Enterprise Linux (RHEL) 10.

Changes in the httpd package

In RHEL 10.0, the httpd package includes the following changes that affect the httpd daemon usage and deployment:

  • The mod_authnz_fcgi package is now loaded by default. You can use this module with FastCGI-based authorizer applications to authenticate. For more information, see the Apache link:https://httpd.apache.org/docs/2.4/mod/mod_authnz_fcgi.html [mod_authnz_fcgi] documentation.
  • The httpd.service unit file now applies a number of security hardening settings by default. For example, the ProtectHome=read-only setting is now applied by default. It mounts the /home filesystem read-only for the httpd service. For the full list of hardening settings, see the /usr/lib/systemd/system/httpd.service file.

  • The support for OpenSSL ENGINE has been removed. You must no longer use the SSLCryptoDevice configuration directive.

    Note

    PKCS#11 URIs are still supported via the OpenSSL pkcs11-provider package.

  • Support for the Berkeley DB databases has been removed since Red Hat Enterprise Linux 9. Modules, such as mod_authz_dbm, now use the LMDB database type by default. As an alternative, you can also use the SDBM database type.
Removal of the mod_jk package
The mod_jk package has been removed from RHEL 10.0. You can use the mod_proxy_cluster package instead.

On all supported Red Hat Enterprise Linux (RHEL) versions, Red Hat JBoss Core Services (JBCS) provides a distribution of the Apache HTTP Server that you can install from archive files. You can download and extract the archive files from the Software Downloads page on the Red Hat Customer Portal. You must install the base archive file for the original 2.4.62 release. You can also install the latest service pack release, if any.

When you install the Apache HTTP Server from an archive file, you can manage the product in different ways. For example, you can use a system daemon at system startup or manage the Apache HTTP Server from a command line.

You can download the Apache HTTP Server archive files from the Software Downloads page on the Red Hat Customer portal.

Note

If you have write access to the intended installation directory, you can install the archive file with non-root privileges.

Prerequisites

  • You have installed the krb5-workstation and mailcap packages.

    If you want to install these packages, enter the following command as the root user: 

    # dnf install krb5-workstation mailcap

Procedure

  1. Open a browser and log in to the Software Downloads page on the Red Hat Customer Portal.
  2. From the Product drop-down menu, select Apache HTTP Server.
  3. From the Version drop-down menu, select the correct JBCS version.

  4. On the Releases tab, click Download next to the Red Hat JBoss Core Services Apache HTTP Server 2.4.62 archive file that matches the platform and architecture for your system.

    Note

    Despite the 2.4.62 naming convention, the JBCS archive file for RHEL 10 provides a distribution of Apache HTTP Server 2.4.63.

  5. Extract the downloaded archive file to your installation directory.

    Note

    On RHEL systems, install the Apache HTTP Server in the /opt/ directory.

    The extraction of the archive file automatically creates the top-level jbcs-httpd24-2.4/httpd directory for the Apache HTTP Server. This document refers to the jbcs-httpd24-2.4/httpd directory as HTTPD_HOME.

  6. To install the latest service pack release, if any, perform the following steps:

    1. On the Software Downloads page, click the Security Advisories tab.

    2. On the Security Advisories tab, click Download next to the latest Red Hat JBoss Core Services Apache HTTP Server 2.4.62 Service Pack archive file that matches the platform and architecture for your system.

      For example, if you want to install the Service Pack X release of the Apache HTTP Server 2.4.62 on RHEL 8, click Download next to the Red Hat JBoss Core Services Apache HTTP Server 2.4.62 Service Pack X for RHEL 8 x86_64 file.

      Note

      Service pack releases are cumulative. By downloading the latest service pack release, you also install any previous service pack releases automatically.

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can start and stop the Apache HTTP Server directly from the command line. Before you can run the Apache HTTP Server from the command line, you must perform the following series of configuration tasks:

2.2.1. Creating an Apache user
Copy link

Before you run the Apache HTTP Server from the command line for the first time, you must create the apache user account and group. You must also assign ownership of the Apache directories to the apache user, so that the user can run the Apache HTTP Server.

Note

You must perform all steps in this procedure as the root user.

Prerequisites

Procedure

  1. On a command line, go to the HTTPD_HOME directory.

  2. To create the apache user group, enter the following command: 

    # groupadd -g 48 -r apache

  3. To create the apache user in the apache user group, enter the following command: 

    # /usr/sbin/useradd -c "Apache" -u 48 -g apache -s /sbin/nologin -r apache

  4. To assign ownership of the Apache directories to the apache user, enter the following command: 

    # chown -R apache:apache *

Verification

  • To verify that the apache user is the owner of the directory, enter the following command: 

    # ls -l

2.2.2. Disabling or enabling SSL support
Copy link

Before you run the Apache HTTP Server, you can choose to disable or enable SSL support by renaming the SSL configuration file. The Apache HTTP Server supports SSL by default.

Procedure

  1. Go to the HTTPD_HOME/conf.d/ directory.

  2. To enable or disable SSL, perform either of the following steps:

    • If you want to disable SSL, rename ssl.conf to ssl.conf.disabled.
    • If you want to re-enable SSL, rename ssl.conf.disabled to ssl.conf.

Before you run the Apache HTTP Server from the command line for the first time, you must run the Apache HTTP Server post-installation script.

Procedure

  1. On a command line, go to the HTTPD_HOME directory.

  2. Enter the following command: 

     ./.postinstall

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can start the Apache HTTP Server directly from the command line.

Prerequisites

Procedure

  1. On a command line, go to the HTTPD_HOME/sbin/ directory.

  2. Enter the following command as the root user: 

     ./apachectl start

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can stop a running instance of the Apache HTTP Server directly from the command line.

Prerequisites

Procedure

  1. On a command line, go to the HTTPD_HOME/sbin/ directory.

  2. Enter the following command as the root user: 

     ./apachectl stop

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can start the Apache HTTP Server from the command line as a user without root privileges. In this situation, you can use a non-root user account, such as the apache user.

Procedure

  1. Stop all instances of the Apache HTTP Server : 

    pkill httpd

  2. In the HTTPD_HOME/conf/httpd.conf file, set the http listen port to higher than 1024: 

    Listen 2080
ServerName <hostname>:2080

  3. In the HTTPD_HOME/conf.d/ssl.conf file, set the https listen port to higher than 1024: 

    Listen 2443

  4. Change the ownership of the logs directory: 

    chown -R apache:apache HTTPD_HOME/logs/

  5. Change the ownership of the run directory: 

    chown -R apache:apache HTTPD_HOME/var/run/

  6. Verify that httpd is running under the apache user only rather than the root and apache users: 

    $ ps -eo euser,egroup,comm | grep httpd

    This command produces the following type of output: 

    apache   apache   httpd
apache   apache   httpd
apache   apache   httpd
...
    Important

    Limit the file permissions of the apache user and enable SELinux . This helps to prevent the following scenarios:

    • Unauthorized access or modification of files and directories by website users
    • Unwanted changes to the Apache HTTP Server configuration files

When you install the JBCS Apache HTTP Server from an archive file on RHEL, you can use a system daemon to perform management tasks. Using the Apache HTTP Server with a system daemon provides a way to start the Apache HTTP Server services at system startup. The system daemon also provides start, stop and status check functions.

On all supported RHEL versions, the default system daemon is systemd.

Prerequisites

Procedure

  1. To determine which system daemon is running, enter the following command: 

    $ ps -p 1 -o comm=

    If systemd is running, the following output is displayed: 

    systemd

  2. To set up the Apache HTTP Server for systemd, run the .postinstall.systemd script as the root user: 

    # cd HTTPD_HOME
# sh httpd/.postinstall.systemd

  3. To control the Apache HTTP Server by using systemd, enter any of the following commands as the root user:

    • To enable the Apache HTTP Server services to start at system startup: 

      # systemctl enable jbcs-httpd24-httpd.service

    • To start the Apache HTTP Server: 

      # systemctl start jbcs-httpd24-httpd.service

    • To stop the Apache HTTP Server: 

      # systemctl stop jbcs-httpd24-httpd.service

    • To verify the status of the Apache HTTP Server: 

      # systemctl status jbcs-httpd24-httpd.service
      Note

      Any user can run the systemctl status command.

Important

To revert any changes that the .postinstall.systemd script affects, you can enter the following command: 

# cd HTTPD_HOME
# sh httpd/.postinstall.services.cleanup

For more information about using systemd, see the Additional resources links.

2.7. SELinux policies for the Apache HTTP Server
Copy link

You can use Security-Enhanced Linux (SELinux) policies to define access controls for the Apache HTTP Server. These policies are a set of rules that determine access rights to the product.

2.7.1. SELinux policy information
Copy link

The SELinux security model is enforced by the kernel and ensures that applications have limited access to resources such as file system locations and ports. SELinux policies ensure that any errant processes that are compromised or poorly configured are restricted or prevented from running.

The jbcs-httpd24-httpd-selinux packages in your Apache HTTP Server installation provide a mod_proxy_cluster policy. The following table contains information about the supplied SELinux policy.

Expand
Table 2.1. RPMs and Default SELinux Policies
NamePort InformationPolicy Information

mod_proxy_cluster

Two ports (6666 for TCP and 23364 for UDP) are added for httpd_port_t to allow the httpd process to use them.

A post-installation script configures the context mapping for /var/cache/mod_proxy_cluster to enable the httpd process to write at this location.

In this release, the archive packages provide SELinux policies. The root Apache HTTP Server folder includes a .postinstall.selinux file. If required, you can run the .postinstall.selinux script.

Important

By default, the SELinux policy that the Apache HTTP Server provides is not active and the Apache HTTP Server processes run in the unconfined_t domain. This domain does not confine the processes. If you choose not to enable the SELinux policy that is provided, restrict file access for the apache user, so that the apache user only has access to the files and directories that are necessary for the Apache HTTP Server runtime.

Procedure

  1. Install the selinux-policy-devel package: 

    dnf install -y selinux-policy-devel

  2. Run the .postinstall.selinux script: 

    cd <httpd_home>
sh .postinstall.selinux

  3. Make and install the SELinux module: 

    cd <httpd_home>/selinux/
make -f /usr/share/selinux/devel/Makefile
semodule -i jbcs-httpd24-httpd.pp

  4. Apply the SELinux contexts for the Apache HTTP Server: 

    restorecon -r <httpd_home>

  5. Add access permissions to the required ports for the Apache HTTP Server: 

    semanage port -a -t http_port_t -p tcp 6666
semanage port -a -t http_port_t -p udp 23364

  6. Start the Apache HTTP Server service: 

    <httpd_home>/sbin/apachectl start

  7. Check the context of the running process expecting httpd_t: 

    $ ps -eZ | grep httpd | head -n1

unconfined_u:unconfined_r:httpd_t:s0-s0:c0.c1023 2864 ? 00:00:00 httpd

  8. Verify the contexts of the httpd directories. For example: 

    ls -lZ <httpd_home>/logs/

On Red Hat Enterprise Linux (RHEL) versions 7 and 8, Red Hat JBoss Core Services (JBCS) provides a distribution of the Apache HTTP Server that you can install from RPM packages. RPM installation packages for the JBCS Apache HTTP Server are available from Red Hat Subscription Management. Installing the Apache HTTP Server from RPM packages installs the Apache HTTP Server as a service.

Important

JBCS provides RPM distributions of the Apache HTTP Server for RHEL versions 7 and 8 only. JBCS does not provide RPM distributions of the Apache HTTP Server for RHEL 9 or later.

If you want to install the Apache HTTP Server from RPM packages on RHEL 9 or later, you must use the Application Streams feature of RHEL. For more information, see Installing the Apache HTTP Server on RHEL 9 or later by using Application Streams.

3.1. Attaching subscriptions to RHEL
Copy link

Before you download and install the RPM packages for the Apache HTTP Server, you must attach subscriptions to Red Hat Enterprise Linux (RHEL). You can attach subscriptions by registering your system with Red Hat Subscription Management and by subscribing to the respective Content Delivery Network (CDN) repositories. You can subsequently perform some verification steps to ensure that a subscription provides the required CDN repositories.

Procedure

  1. To register your system with Red Hat Subscription Management:

    1. Log in to the Red Hat Subscription Management web page.
    2. Click the Systems tab.
    3. Click the Name of the system that you want to add the subscription to.
    4. Change from the Details tab to the Subscriptions tab, and then click Attach Subscriptions.
    5. Select the check box next to the subscription that you want to attach, and then click Attach Subscriptions.

  2. To subscribe to the Apache HTTP Server CDN repositories for your operating system version, enter the following command as the root user: 

    # subscription-manager repos --enable <repository>
    Note

    If you are using RHEL 7, replace <repository> with jb-coreservices-1-for-rhel-7-server-rpms.

    If you are using RHEL 8, replace <repository> with jb-coreservices-1-for-rhel-8-x86_64-rpms.

Verification

  1. Log in to the Red Hat Subscriptions web page.
  2. In the Subscription Name column, click the subscription that you want to select.
  3. Under Products Provided, you require Red Hat JBoss Core Services.

For more information about registering your installed version of RHEL, see the Additional resources links.

Additional resources

You can install the JBCS Apache HTTP Server from RPM packages on RHEL 7 or RHEL 8 by using the DNF package manager.

Prerequisites

Procedure

  • To install the Apache HTTP Server, enter the following command as the root user: 

    # dnf groupinstall jbcs-httpd24

When you install the Apache HTTP Server from an RPM package, you can optionally remove SSL support before you run the Apache HTTP Server. The Apache HTTP Server supports SSL by default. You can choose to remove SSL support by removing the mod_ssl package.

Procedure

  • On a command line, enter the following command as the root user: 

    # dnf remove jbcs-httpd24-mod_ssl

When you install JBCS Apache HTTP Server from RPM packages, you can use the command line to start the Apache HTTP Server.

Procedure

  • On a command line, start the Apache HTTP Server service as the root user: 

    # systemctl start jbcs-httpd24-httpd.service

When you install JBCS Apache HTTP Server from RPM packages, you can use the command line to stop the Apache HTTP Server.

Procedure

  • On a command line, stop the Apache HTTP Server service as the root user: 

    # systemctl stop jbcs-httpd24-httpd.service

When you install JBCS Apache HTTP Server from RPM packages, you can configure the Apache HTTP Server service to start at system startup.

Procedure

  • To enable the Apache HTTP Server service to start at system startup, enter the following command as the root user: 

    # systemctl enable jbcs-httpd24-httpd.service

3.7. SELinux policies for the Apache HTTP Server
Copy link

You can use Security-Enhanced Linux (SELinux) policies to define access controls for the Apache HTTP Server. These policies are a set of rules that determine access rights to the product.

3.7.1. SELinux policy information
Copy link

The SELinux security model is enforced by the kernel and ensures that applications have limited access to resources such as file system locations and ports. SELinux policies ensure that any errant processes that are compromised or poorly configured are restricted or prevented from running.

The jbcs-httpd24-httpd-selinux packages in your Apache HTTP Server installation provide a mod_proxy_cluster policy. The following table contains information about the supplied SELinux policy.

Expand
Table 3.1. RPMs and Default SELinux Policies
NamePort InformationPolicy Information

mod_proxy_cluster

Two ports (6666 for TCP and 23364 for UDP) are added for httpd_port_t to allow the httpd process to use them.

A post-installation script configures the context mapping for /var/cache/mod_proxy_cluster to enable the httpd process to write at this location.

When you install the JBCS Apache HTTP Server from RPM packages, the jbcs-httpd2.4-httpd-selinux package provides SELinux policies for the Apache HTTP Server. The jbcs-httpd2.4-httpd-selinux package is available in the jb-coreservices-1-for-rhel-7-server-rpms and jb-coreservices-1-for-rhel-8-x86_64-rpms Content Delivery Network (CDN) repositories.

Procedure

  • Install the jbcs-httpd2.4-httpd-selinux package for the RHEL version that you are using.

You can install the JBCS Apache HTTP Server on Windows Server from a set of archive files that you can download from the Software Downloads page on the Red Hat Customer portal.

You can download the Apache HTTP Server archive files from the Software Downloads page on the Red Hat Customer portal.

Note

If you have write access to the intended installation folder, you can install the archive file with non-administrator privileges.

Procedure

  1. Open a browser and log in to the Software Downloads page on the Red Hat Customer Portal.
  2. From the Product drop-down menu, select Apache HTTP Server.
  3. From the Version drop-down menu, select the correct JBCS version.
  4. On the Releases tab, click Download next to the Red Hat JBoss Core Services Apache HTTP Server 2.4.62 for Windows Server x86_64 file.

  5. Extract the downloaded archive file to your installation directory.

    Note

    On Windows Server systems, install the Apache HTTP Server in the C:\Program Files directory.

    The extraction of the archive file automatically creates the top-level jbcs-httpd24-2.4 folder for the Apache HTTP Server. This document refers to the jbcs-httpd24-2.4 folder as HTTPD_HOME.

  6. To install the latest service pack release, if any, perform the following steps:

    1. On the Software Downloads page, click the Security Advisories tab.

    2. On the Security Advisories tab, click Download next to the latest Red Hat JBoss Core Services Apache HTTP Server 2.4.62 Service Pack X for Windows Server x86_64 file.

      Note

      Service pack releases are cumulative. By downloading the latest service pack release, you also install any previous service pack releases automatically.

When you install JBCS Apache HTTP Server on Windows Server, you can manage the Apache HTTP Server from a command prompt or by using the Computer Management tool. Before you can run the Apache HTTP Server on Windows Server, you must perform the following series of configuration tasks:

Before you run the Apache HTTP Server for the first time on Windows Server, you must run the Apache HTTP Server post-installation script.

Procedure

  1. Open the Command Prompt as an administrative user.
  2. Go to the HTTPD_HOME\etc directory.

  3. Enter the following command: 

    call postinstall.httpd.bat

4.2.2. Installing the Apache HTTP Server service
Copy link

Before you run the Apache HTTP Server for the first time on Windows Server, you must install the Apache HTTP Server as a Windows service.

Note

By default, the Apache HTTP Server is configured to use port 80. If you have Microsoft Internet Information Services (IIS) installed, you must disable or reconfigure Microsoft IIS to avoid port conflicts:

  • Stop the World Wide Web service, and change the Startup Type to Manual.
  • Configure IIS to use different ports.

Alternatively, you can edit httpd.conf before installing the Apache HTTP Server service and change Listen to a port that does not conflict with the Microsoft IIS ports.

Prerequisites

Procedure

  1. Open the Command Prompt as an administrative user.
  2. Go to the HTTPD_HOME\bin directory.

  3. To install the Apache HTTP Server service, enter the following command: 

    httpd -k install
    Note

    A firewall security dialog might be displayed to request networking access for the Apache HTTP Server. Click Allow to access this service from the network.

Before you run the Apache HTTP Server for the first time on Windows Server, you must ensure that the account used to run the service has full control over the HTTPD_HOME folder and all of its subfolders.

Prerequisites

Procedure

  1. Right-click the HTTPD_HOME folder and click Properties.
  2. Select the Security tab.
  3. Click the Edit button.
  4. Click the Add button.
  5. In the text box, enter LOCAL SERVICE.
  6. Select the Full Control check box for the LOCAL SERVICE account.
  7. Click OK.
  8. Click the Advanced button.
  9. Inside the Advanced Security Settings dialog, select LOCAL SERVICE and click Edit.
  10. Select the check box next to the Replace all existing inheritable permissions on all descendants with inheritable permissions from this object option.
  11. Click OK through all the open folder property windows to apply the settings.

4.2.4. Disabling or enabling SSL support
Copy link

Before you run the Apache HTTP Server, you can choose to disable or enable SSL support by renaming the SSL configuration file. The Apache HTTP Server supports SSL by default.

Prerequisites

Procedure

  1. Go to the HTTPD_HOME\conf.d\ directory.

  2. To enable or disable SSL, perform either of the following steps:

    • If you want to disable SSL, rename ssl.conf to ssl.conf.disabled.
    • If you want to re-enable SSL, rename ssl.conf.disabled to ssl.conf.

When you install JBCS Apache HTTP Server on Windows Server, you can start the Apache HTTP Server service by using the Command Prompt or the Computer Management tool.

Prerequisites

Procedure

  • Perform either of the following steps:

    • Open the Command Prompt as an administrator and enter the following command: 

      net start Apache2.4
    • Click Start > Administrative Tools > Services, right-click the httpd service, and click Start.

When you install JBCS Apache HTTP Server on Windows Server, you can stop the Apache HTTP Server service by using the Command Prompt or the Computer Management tool.

Prerequisites

Procedure

  • Perform either of the following steps:

    • Open the Command Prompt as an administrator and enter the following command: 

      net stop Apache2.4
    • Click Start > Administrative Tools > Services, right-click the httpd service, and click Stop.

The Red Hat Enterprise Linux (RHEL) Application Streams feature delivers and updates multiple versions of user-space components such as applications, runtime languages, and databases in an AppStream repository. On RHEL 9 or later, if you want to install the Apache HTTP Server from an RPM package, you must install the RHEL distribution of the Apache HTTP Server by using Application Streams.

Important

Red Hat JBoss Core Services (JBCS) does not provide an RPM distribution of the Apache HTTP Server for RHEL 9 or later. The Apache HTTP Server httpd package that the RHEL AppStream repository provides is the only supported RPM distribution of the Apache HTTP Server for RHEL 9 or later systems.

Note

On RHEL 10, the supported httpd package version in the RHEL AppStream repository is 2.4.63 or later.

When you install the RHEL distribution of the Apache HTTP Server, the mod_jk and mod_proxy_cluster packages are not automatically installed. For more information about installing mod_jk or mod_proxy_cluster from RPM packages on RHEL 9 or later, see the Apache HTTP Server Connectors and Load Balancing Guide.

The RHEL Application Streams feature provides the mod_jk connector on RHEL 9 only. RHEL 10 does not provide or support installation of the mod_jk package. If you want to install an HTTP connector from an RPM package on RHEL 10, you can install the mod_proxy_cluster package by using RHEL Application Streams.

You can install the RHEL 9 or later distribution of the Apache HTTP Server from an RPM package by using the standard dnf install command. You can subsequently start and stop the Apache HTTP Server from the command line as the root user. Alternatively, you can enable the Apache HTTP Server to start automatically at system startup.

For more information about installing, starting, and stopping the RHEL distribution of the Apache HTTP Server, see Setting up the Apache HTTP web server.

5.2. SELinux policies for the Apache HTTP Server
Copy link

You can use Security-Enhanced Linux (SELinux) policies to define access controls for the Apache HTTP Server. These policies are a set of rules that determine access rights to the product.

The Apache HTTP Server has an SELinux type name of httpd_t. By default, the Apache HTTP Server can access files and directories in /var/www/html and other web server directories that have an SELinux type context of httpd_sys_content_t.

You can also customize the SELinux policy for the Apache HTTP Server if you want to use a non-standard configuration.

The Hypertext Transfer Protocols (HTTP) are standard methods of transmitting data between applications, such as servers and browsers, over the internet. The Apache HTTP Server supports the use of HTTP/2 for encrypted connections that are using Transport Layer Security (TLS), which is indicated by the h2 keyword when enabled.

HTTP/2 improves on HTTP/1.1 by providing the following enhancements:

  • Header compression omits implied information to reduce the size of the header that is transmitted.
  • Multiple requests and responses over a single connection use binary framing rather than textual framing to break down response messages.
Note

The Apache HTTP Server does not support the use of HTTP/2 for unencrypted connections that are using the Transmission Control Protocol (TCP), which is indicated by the h2c keyword when enabled.

HTTP/2 is not available for web servers that are using the Multi-Processing Module (MPM) pre-fork (modules/mod_mpm_prefork.so).

6.1. Prerequisites
Copy link

  • You have root user access on Red Hat Enterprise Linux.
  • You have administrative access on Windows Server.
  • You have installed Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or later.

  • You have installed the SSL module (modules/mod_ssl.so).

    If you need to install the SSL module, enter the following command: 

    dnf install mod_ssl

  • You have installed the HTTP/2 module (modules/mod_http2.so).

    If you need to install the HTTP/2 module, enter the following command: 

    dnf install mod_http2
Note

Red Hat Enterprise Linux 6 is no longer supported and subsequently was removed from the documentation.

6.2. Enabling HTTP/2 for the Apache HTTP Server
Copy link

You can enable HTTP/2 for the Apache HTTP Server by updating configuration file settings in the HTTP_HOME directory.

Procedure

  1. To add the http2_module to the configuration:

    1. Open the HTTP_HOME/conf.modules.d/00-base.conf file.

    2. Enter the following line: 

      ...
LoadModule http2_module modules/mod_http2.so

  2. To add the h2 protocol to the configuration:

    1. Open the HTTP_HOME/conf/httpd.conf file.

    2. If you want to enable HTTP/2 support for a virtual host, add the h2 protocol to the virtual host configuration.

      Alternatively, if you want to enable HTTP/2 support for all server connections, add the h2 protocol to the main server configuration section.

      For example: 

      <IfModule http2_module>
    Protocols h2 http/1.1
    ProtocolsHonorOrder on
</IfModule>

  3. To update the Secure Socket Layer (SSL) configuration:

    1. Open the HTTP_HOME/conf.d/ssl.conf file:

    2. Ensure the SSLEngine directive is set to enabled. The SSL Engine is enabled by default. 

      SSLEngine on

    3. Update the SSLProtocol directive to disable the SSLv2 and SSLv3 protocols. This forces connections to use the Transport Layer Security (TLS) Protocols. 

      SSLProtocol all -SSLv2 -SSLv3

    4. Update the SSLCipherSuite directive to specify which SSL ciphers can be used with the Apache HTTP Server.

      For example: 

      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
      Note

      For more information about the SSL module and the supported directives, see Apache HTTP Server Documentation Version 2.4 - Modules: Apache Module mod_ssl.

  4. To restart the Red Hat JBoss Core Services Apache HTTP Server, and apply the changed configuration, perform one of the following steps as the root user:

    • If you want to use systemd to start the Apache HTTP Server on Red Hat Enterprise Linux, enter the following command: 

      # systemctl restart jbcs-httpd24-httpd.service

    • If you want to use apachectl to start Red Hat JBoss Core Services on Red Hat Enterprise Linux, enter the following command: 

      # HTTP_HOME/sbin/apachectl restart

    • If you want to start the Apache HTTP Server on Windows Server, enter the following command: 

      # net restart Apache2.4

You can view the Apache HTTP Server access log or request log to verify that HTTP/2 is enabled.

Prerequisites

Procedure

  1. Access the server from a browser or by using the curl command-line tool.

  2. To check the SSL/TLS request log, enter the following command: 

    $ grep 'HTTP/2'  HTTP_HOME/logs/ssl_request_log

  3. To check the SSL/TLS access log, enter the following command: 

    $ grep 'HTTP/2'  HTTP_HOME/logs/ssl_access_log

Verification

  1. If HTTP/2 is enabled, the grep 'HTTP/2' HTTP_HOME/logs/ssl_request_log command produces the following type of output: 

    [26/Apr/2018:06:44:45 +0000] 172.17.0.1 TLSv1.2 AES128-SHA "HEAD /html-single/index.html HTTP/2" -

  2. If HTTP/2 is enabled, the grep 'HTTP/2' HTTP_HOME/logs/ssl_access_log command produces the following type of output: 

    172.17.0.1 - - [26/Apr/2018:06:44:45 +0000] "HEAD /html-single/index.html HTTP/2" 200 -

You can use the curl command-line tool to verify that HTTP/2 is enabled.

Note

The curl package that is provided with Red Hat Enterprise Linux 7 or earlier does not support HTTP/2.

Prerequisites

  • You have enabled HTTP/2.

  • You are using a version of curl that supports HTTP2.

    To check that you are using a version of curl that supports HTTP/2, enter the following command: 

    $ curl -V

    This command produces the following type of output: 

    curl 7.55.1 (x86_64-redhat-linux-gnu) ...
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https ...
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL

Procedure

  1. To check that the HTTP/2 protocol is active, enter the following command: 

    $ curl -I https://<JBCS_httpd_server>:<port>/<test.html>
    Note

    In the preceding example, replace <JBCS_httpd_server> with the URI of the server, such as example.com, and replace <test.html> with any HTML file that you want to use to test the configuration. An example HTML test page is not provided. The port number is dependent on your configuration.

Verification

  • If the HTTP/2 protocol is active, the curl command produces the following output: 

    HTTP/2 200

    Otherwise, if the HTTP/2 protocol is inactive, the curl command produces the following output: 

    HTTP/1.1 200

Chapter 7. Securing connections by using OCSP
Copy link

Online Certificate Status Protocol (OCSP) is a technology that allows web browsers and web servers to communicate over a secured connection. The encrypted data is sent from one side and decrypted by the other side before processing. The web browser and the web server both encrypt and decrypt the data.

7.1. Online Certificate Status Protocol
Copy link

When a web browser and a web server communicate over a secured connection, the server presents a set of credentials in the form of a certificate. The browser then validates the certificate and sends a request for certificate status information. The server responds with a certificate status of current, expired, or unknown.

The certificate contains the following types of information:

  • Syntax for communication
  • Control information such as start time, end time, and address information to access an Online Certificate Status Protocol (OCSP) responder.

The web server uses an OCSP responder to check the certificate status. You can configure the web server to use the OCSP responder that is listed in the certificate or another OCSP responder. OCSP allows a grace period for expired certificates, which allows access to a server for a limited time before renewing the certificate.

OCSP overcomes limitations of the older Certificate Revocation List (CRL) method.

You can configure the Apache HTTP Server to support SSL connections, by installing the mod_ssl package and specifying configuration settings in the ssl.conf file.

Prerequisites

  • You have generated an SSL certificate and private key.
  • You know the location of the SSL certificate and private key file.
  • You have obtained the Common Name (CN) that is associated with the SSL certificate.

Procedure

  1. To install mod_ssl, enter the following command: 

    # dnf install jbcs-httpd24-mod_ssl

  2. To specify SSL configuration settings:

    1. Open the JBCS_HOME/httpd/conf.d/ssl.conf file.

    2. Enter details for the ServerName, SSLCertificateFile, and SSLCertificateKeyFile.

      For example: 

      <VirtualHost _default_:443>
ServerName www.example.com:443
SSLCertificateFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/private/localhost.key
      Note
      • The ServerName must match the Common Name (CN) that is associated with the SSL certificate. If the ServerName does not match the CN, client browsers display domain name mismatch errors.
      • The SSLCertificateFile specifies the path to the SSL certificate file.
      • The SSLCertificateKeyFile specifies the path to the private key file that is associated with the SSL certificate.
  3. Verify that the Listen directive matches the hostname or IP address for the httpd service for your deployment.

  4. To restart the Apache HTTP Server, enter the following command: 

    # service jbcs-httpd24-httpd restart

7.3. Using OCSP with the Apache HTTP Server
Copy link

You can use the Online Certificate Status Protocol (OCSP) for secure connections with the Apache HTTP Server.

Prerequisites

Procedure

  1. Configure a certificate authority.

    Note

    Ensure that your CA can issue OCSP certificates. The CA must be able to append the following attributes to the certificate: 

    [ usr_cert ]
...
authorityInfoAccess=OCSP;URI:http://<HOST>:<PORT>
...
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSP Signing

    In the preceding example, replace HOST and PORT with the details of the OCSP responder that you will configure.

  2. Configure an OCSP responder.

You can configure the Apache HTTP Server to validate OCSP certificates, by defining OCSP settings in the ssl_conf file.

Prerequisites

Procedure

  1. Open the JBCS_HOME/httpd/conf.d/ssl.conf file.

  2. Specify the appropriate OCSP configuration details for your deployment.

    For example: 

    # Require valid client certificates (mutual auth)
SSLVerifyClient require
SSLVerifyDepth  3
# Enable OCSP
SSLOCSPEnable on
SSLOCSPDefaultResponder http://<HOST>:<PORT>
SSLOCSPOverrideResponder on
    Note

    The preceding example shows how to enable OCSP validation of client certificates. In the preceding example, replace <HOST> and <PORT> with the IP address and port of the default OCSP Responder.

You can use the OpenSSL command-line tool to verify the OCSP configuration for the Apache HTTP Server.

Procedure

  • On the command line, enter the openssl command in the following format: 

    # openssl ocsp -issuer cacert.crt -cert client.cert -url http://HOST:PORT -CA ocsp_ca.cert -VAfile ocsp.cert

    In the preceding command, ensure that you specify the following details:

    • Use the -issuer option to specify the CA certificate.
    • Use the -cert option to specify the client certificate that you want to verify.
    • Use the -url option to specify the HTTP server validating Certificate (OCSP).
    • Use the -CA option to specify the CA certificate for verifying the Apache HTTP Server server certificate.
    • Use the -VAfile option to specify the OCSP responder certificate.





Revised on 2025-10-23 11:58:25 UTC

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top