CloudFlare, SPDY protocol

So, I’ve got a customer who’s using CloudFlare. He’s now having issues because CloudFlare apparently insists on having access to SPDY on the server.

Recommendations and/or best practices? I’ve tried installing the thing and it seems to be not quite working as intended. After the install, the httpd simply dies with the SPDY module enabled, so I’ve currently left it disabled for now and came here to ask about resolving this because I’m sure others will eventually google for this issue and come here.

So, that said!

CentOS 7, 5.6 for PHP. Everything else is default as usual for InterWorx. Running v5.1.41 at this time.

Hi Kerio
I have not noticed any issues with cloudflare and CF help shows the order of precedence used http2 over spdy, spdy over http1.
You're already using http2, so spdy I do not think would be used by CF
Many thanks
John


When a client makes a connection to your website both the web browser and server will automatically use the highest protocol available. This means that HTTP/2 takes precedence over SPDY, and SPDY takes precedence over HTTP/1.x.
How CloudFlare HTTP/2 Works
To determine what protocol is used for your connection you can visit [yourdomain.com]/cdn-cgi/trace (replacing [yourdomain.com] with your domain name). You should see information similar to the example below:
fl=21f63
h=www.cloudflare.com
ip=108.61.197.168
ts=1420194924.494
visit_scheme=http
uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
colo=SJC
http=h2
loc=US
The line http=h2 in the above example indicates that HTTP/2 is being used. Other possible values are http=spdy/3.1 for SPDY/3.1 and http=http/1.x for HTTP/1.x.
https://support.cloudflare.com/hc/en-us/articles/200168076-What-do-the-HTTP-2-and-SPDY-protocols-do-
SPDY is an open networking protocol developed primarily at Google for transporting web content to help make web pages load faster and reduce latency. HTTP/2 is based on SPDY and is the second major revision of the Hypertext Transfer Protocol, the application protocol for the World Wide Web. While SPDY is enabled by default for all customers using SSL on their site through Cloudflare, HTTP/2 is only enabled by default for customers of the Free and Pro plan and needs to be enabled under the “Network” application for all other customers.
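The trace check described in the quoted Cloudflare article can be scripted. The following is an added example, not part of any post in this thread or of Cloudflare's documentation; the function names and the sample trace are constructed, and the domain in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: report which protocol the Cloudflare edge negotiated, from the
# key=value text served at /cdn-cgi/trace.

# trace_field KEY: print the value of KEY from trace text on stdin.
trace_field() {
    # Strip CR in case the body has CRLF line endings; keep everything after
    # the first "=" so values that themselves contain "=" survive intact.
    tr -d '\r' | awk -v k="$1" -F= '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# trace_protocol: classify the http= field using the values the article
# lists (h2, spdy/3.1, http/1.x) and report the visit scheme alongside it.
trace_protocol() {
    trace=$(cat)
    proto=$(printf '%s\n' "$trace" | trace_field http)
    scheme=$(printf '%s\n' "$trace" | trace_field visit_scheme)
    case "$proto" in
        h2)        label="HTTP/2" ;;
        spdy/*)    label="SPDY" ;;
        http/1.*)  label="HTTP/1.x" ;;
        "")        label="unknown (no http= line)" ;;
        *)         label="unrecognised ($proto)" ;;
    esac
    printf '%s over %s\n' "$label" "${scheme:-unknown-scheme}"
}

# Constructed sample, shaped like the trace output quoted above.
SAMPLE_TRACE='h=www.example.com
visit_scheme=https
colo=SJC
http=h2
loc=US'

# Live use (placeholder domain):
#   curl -s https://yourdomain.com/cdn-cgi/trace | trace_protocol
printf '%s\n' "$SAMPLE_TRACE" | trace_protocol
```

Running it once against the `http://` URL and once against the `https://` URL of the same site shows whether the negotiated protocol differs by scheme.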

Hi Kerio

I thought I would try anyway for spdy, and below is how I installed spdy onto a test server, running centos 6.8 64 bit, all default setup, including all latest updates, on IW 5.1.47, and some pictures showing it installed and working, with a quick test from qualys, showing spdy being used.
SSH into server, and run as root or sudo
yum install at
Use the correct version for your server
64 bit
cd /opt
wget https://dl-ssl.google.com/dl/linux/direct/mod-spdy-beta_current_x86_64.rpm
32 bit
cd /opt
wget https://dl-ssl.google.com/dl/linux/direct/mod-spdy-beta_current_i386.rpm
rpm -U mod-spdy-*.rpm
service httpd stop
service httpd start
You can view the spdy.conf as follows, but as spdy runs straight out of the box there is little you can tweak; I have shown the conf below.
cat /etc/httpd/conf.d/spdy.conf
LoadModule spdy_module /usr/lib64/httpd/modules/mod_spdy.so
<IfModule spdy_module>
# Turn on mod_spdy. To completely disable mod_spdy, you can set
# this to "off".
SpdyEnabled on
# In order to support concurrent multiplexing of requests over a
# single connection, mod_spdy maintains its own thread pool in
# each Apache child process for processing requests. The default
# size of this thread pool is very conservative; you can override
# it with a larger value (as below) to increase concurrency, at
# the possible cost of increased memory usage.
#
#SpdyMaxThreadsPerProcess 30
# Memory usage can also be affected by the maximum number of
# simultaneously open SPDY streams permitted for each client
# connection. Ideally, this limit should be set as high as
# possible, but you can tweak it as necessary to limit memory
# consumption.
#
#SpdyMaxStreamsPerConnection 100
</IfModule>
I hope that helps a little
Many thanks
John


Hi,

Interesting, because I tried the exact same thing and even with mod_spdy.so where it is as you describe, I get this:

-- Unit httpd.service has begun starting up.
Mar 19 23:22:49 helmsgate.eidolonhost.com httpd[20183]: [Sun Mar 19 23:22:49.071095 2017] [so:warn] [pid 20183] AH01574: module ssl_module is already loaded, skipping
Mar 19 23:22:49 helmsgate.eidolonhost.com httpd[20183]: httpd: Syntax error on line 518 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/spdy.conf: Cannot load /usr/lib64/httpd/modules/mod_spdy.so into server: /us
Mar 19 23:22:49 helmsgate.eidolonhost.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 19 23:22:49 helmsgate.eidolonhost.com kill[20185]: kill: cannot find process ""
Mar 19 23:22:49 helmsgate.eidolonhost.com systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 19 23:22:49 helmsgate.eidolonhost.com systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.

And line 518 of httpd.conf:

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

Which obviously throws an error because of spdy.conf

Hi Kerio
Many thanks
From what I have read, mod_spdy is only for Apache 2.2 and not 2.4. Google gave Apache mod_spdy code base to include in Apache 2.4, but with HTTP/2, spdy is defunct.
However, that said, a few people have tried to install mod_spdy and make it work with Apache 2.4, with varied results, but Interworx also uses Apache for itself, so you are at risk of breaking Interworx if you change Apache
I hope that helps
Many thanks
John
https://code.google.com/archive/p/mod-spdy/issues/64
http://www.spinics.net/lists/apache-users/msg111529.html
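The failure in this thread (mod_spdy dropped onto an Apache 2.4 host, then httpd refusing to start) can be caught before the restart. The following is an added example, not part of any post here and not InterWorx or mod_spdy tooling; the function names are hypothetical and the `httpd -v` samples are constructed.

```shell
#!/bin/sh
# Added example: gate a mod_spdy install on the Apache branch, and never
# restart httpd on a configuration that fails its own syntax test.

HTTPD_BIN=${HTTPD_BIN:-httpd}   # assumption: binary name as on CentOS

# apache_branch: read `httpd -v` output on stdin, print the branch (e.g. 2.4).
apache_branch() {
    sed -n 's|^Server version: Apache/\([0-9]*\.[0-9]*\)\..*|\1|p' | head -n 1
}

# mod_spdy_decision: print "install" only for the 2.2 branch that the thread
# says mod_spdy targets; anything else (2.4, unparseable output) is "skip".
mod_spdy_decision() {
    if [ "$(apache_branch)" = "2.2" ]; then echo install; else echo skip; fi
}

# guarded_restart: `httpd -t` parses the configuration, LoadModule lines
# included, so a module that cannot be loaded is reported before any restart.
guarded_restart() {
    if "$HTTPD_BIN" -t; then
        service httpd restart
    else
        echo "config test failed; not restarting (move spdy.conf aside)" >&2
        return 1
    fi
}

# Constructed `httpd -v` samples (version strings are illustrative).
SAMPLE_CENTOS7='Server version: Apache/2.4.6 (CentOS)
Server built:   Jan  1 2017 00:00:00'
SAMPLE_CENTOS6='Server version: Apache/2.2.15 (Unix)
Server built:   Jan  1 2017 00:00:00'

printf 'CentOS 7 sample: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CENTOS7" | mod_spdy_decision)"
printf 'CentOS 6 sample: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CENTOS6" | mod_spdy_decision)"

# Live use:  "$HTTPD_BIN" -v | mod_spdy_decision   and then   guarded_restart
```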

Hi,

Looks like our best way forward is to enable HTTP2 instead of trying to get mod_spdy to work.

Looking into this at this time…

https://mypastebin.com/cdn-cgi/trace if you’d like to check a customer domain out.

Interestingly, if HTTPS is used, http2 works properly. Methinks I need to get the customer to write a .htaccess rule…

Unfortunately, downloads still do not work as intended.