SPDY - http reloaded - WebTechConference 2012

Transcript

1. Fabian Lange SPDY - http reloaded

2. (WILL BE) PART OF HTTP/2.0

3. HTTP Problems • Single request per connection. Because HTTP can

   only fetch one resource at a time (HTTP pipelining helps, but still enforces only a FIFO queue), a server delay of 500 ms prevents reuse of the TCP channel for additional requests. Browsers work around this problem by using multiple connections. Since 2008, most browsers have finally moved from 2 connections per domain to 6. • Exclusively client-initiated requests. In HTTP, only the client can initiate a request. Even if the server knows the client needs a resource, it has no mechanism to inform the client and must instead wait to receive a request for the resource from the client. • Uncompressed request and response headers. Request headers today vary in size from ~200 bytes to over 2KB. As applications use more cookies and user agents expand features, typical header sizes of 700-800 bytes is common. For modems or ADSL connections, in which the uplink bandwidth is fairly low, this latency can be significant. Reducing the data in headers could directly improve the serialization latency to send requests. • Redundant headers. In addition, several headers are repeatedly sent across requests on the same channel. However, headers such as the User-Agent, Host, and Accept* are generally static and do not need to be resent. • Optional data compression. HTTP uses optional compression encodings for data. Content should always be sent in a compressed format. Source: http://dev.chromium.org/spdy/spdy-whitepaper

4. Web Requests Are Simple • Open a connection • Send

   a request • Receive a response • Done
5. None

6. Transfer per Page

7. How to Avoid Requests • Caching • Domain Sharding –

   Browser Limits • Keep Alive – Dedicated Connections – Waste Ressources • Pipelining

8. TCP Handshake 0ms 1) Host A sends a TCP SYNchronize

   packet to Host B 25ms 2) Host B receives A's SYN 25ms 3) Host B sends a SYNchronize-ACKnowledgement 50ms 4) Host A receives B's SYN-ACK 75ms 5) Host A sends ACKnowledge and data 75ms 6) Host B receives ACK and data. • With a "distance" of just 25ms, this takes us 75ms until data arrives at server
9. None

10. Initial Window • Congestion Control Mechanism • Avoid overloading clients

    • Each ACK of the client increases window • RFC 3390 – Increasing icwnd – Small Resonses are complete without ACK – Avoid the ACK RTT

11. Pushing over http • Push === Long Polling • Consumes

    one connection on clients • On server – Used to be expensive to hold – Modern servers have evented I/O • WebSockets

12. Headers Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding gzip, deflate Accept-Language de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Connection keep-alive

    Cookie __utma=40497137.1800912468.1315901303.1328525769.1328537171.234; __utmz=40497137.1326462670.198.110.utmcsr=twitterfeed|utmccn=blogfee d_de|utmcmd=twitter; wp-settings- 3=editor%3Dhtml%26m0%3Do%26m1%3Do%26m2%3Do%26m3%3Dc%2 6m4%3Do%26m5%3Do%26m6%3Do%26m7%3Do%26m8%3Do%26m9%3 Do%26m10%3Do%26m11%3Do%26align%3Dcenter%26imgsize%3Dfull%2 6urlbutton%3Dnone%26hidetb%3D0; wp-settings-time-3=1328519940; __utma=162617902.1417890302.1315914276.1328537194.1328541774.63; __utmz=162617902.1328537194.62.41.utmcsr=blog.codecentric.de|utmccn =(referral)|utmcmd=referral|utmcct=/; wp-settings-time-81=1321966374 Host blog.codecentric.de User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0 http://blog.codecentric.de/

13. http://blog.codecentric.de/files/2012/02/adlite.png Headers Accept image/png,image/*;q=0.8,*/*;q=0.5 Accept-Encoding gzip, deflate Accept-Language de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Connection

    keep-alive Cookie __utma=162617902.1417890302.1315914276.1328537194.1328541774.63; __utmz=162617902.1328537194.62.41.utmcsr=blog.codecentric.de|utmccn=(referral) |utmcmd=referral|utmcct=/; wp-settings- 3=m0%3Do%26m1%3Do%26m5%3Do%26m4%3Do%26editor%3Dhtml%26wplink% 3D1%26align%3Dcenter%26imgsize%3Dfull%26hidetb%3D1%26m7%3Do%26m9% 3Do; wp-settings-time-3=1326290899 Host blog.codecentric.de Referer http://blog.codecentric.de/ User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0

14. Content Compression • Gzip is optional • But generally best

    practice LoadModule deflate_module /usr/lib/httpd/modules/mod_deflate.so

15. SPDY TO THE RESCUE

16. SPDY Solutions • Allow many concurrent HTTP requests to run

    across a single TCP session. • Reduce the bandwidth currently used by HTTP by compressing headers and eliminating unnecessary headers. • Make SSL the underlying transport protocol, for better security and compatibility with existing network infrastructure. Although SSL does introduce a latency penalty, we believe that the long-term future of the web depends on a secure network connection. In addition, the use of SSL is necessary to ensure that communication across existing proxies is not broken. • Enable the server to initiate communications with the client and push data to the client whenever possible. Source: http://dev.chromium.org/spdy/spdy-whitepaper

17. Connection Multiplexing • Single TCP Connection transports all requests •

    TCP Handshake still exists • Inital cwnd should be 16

18. Compression • All data is compressed • Includes headers •

    Redundand data is removed – User Agent of second request is known to be same as on first

19. CRIME • Compression Ratio Info-leak Made Easy • Cookie value

    can be detected when compression is effective Sources: threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512 security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor/19914

20. Cookie: JSESSIONID=1234 c: jid=1234 d: kje=2345

21. Cookie: JSESSIONID=1234 Cookie: JSESSIONID=9876 X[i] = c: jid= [i]1234 [i]9876

    Y[j] = d: kje= [j]2345 [j]0987

22. Cookie: JSESSIONID=1234 Cookie: JSESSIONID=1235 X[i] = c: jid=123 [i]4 [i]5

    Y[j] = d: kje=234 [j]5 [j]6

23. Fixes • Don't compress headers • Use a compressor that

    is not affected

24. SSL • Not said to be a problem with HTTP

    • SSL should be default – But actually expensive • SSL hides SPDY traffic, so that proxies don't break it 

25. Pushing • Long Lasting Connection By Design • Send does

    not close the "request" • Two flavors – Server push – Server hint

26. Compatibility • SPDY is backwards compatible • Uses Next Protocol

    Negotiation – tools.ietf.org/html/draft-agl-tls- nextprotoneg-02

27. Adoption • Facebook implements and favors SPDY http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/0251.html • Twitter

    implements and favors SPDY http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/0250.html • Google implements and favors SPDY http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/0219.html • Mozilla implements and favors SPDY http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/0156.html • Wordpress.com uses SPDY https://twitter.com/wordpressdotcom/statuses/238741078172389377

28. Concerns • Encryption by default renders network caching useless

29. SPDY Support Clients • Chrome – since 11 – Ice

    Cream Sandwich • Amazon Silk – Kindle Fire • Firefox – Since 13 • Opera – Since 12.1 Server • Apache mod_spdy • erlang-spdy • node-spdy • Netty 3.3.1 – Means JBoss • Jetty 7.6.2 • Ngnix 1.3 • Tomcat 8.0.0-dev
30. None

31. SPDY Drafts • dev.chromium.org/spdy/spdy-protocol/spdy-protocol- draft1 – First draft 2009 •

    dev.chromium.org/spdy/spdy-protocol/spdy-protocol- draft2 – Changes to server push • dev.chromium.org/spdy/spdy-protocol/spdy-protocol- draft3 – Flow control • Draft 4 will feature compression and QoS changes

32. DEMO: MIGRATING PHP ON APACHE TO SUPPORT SPDY

33. PHP is not Threadsafe • The way SPDY works is

    incompatible with non threadsafe implementations – one connection one httpd worker – But multiple requests • Zend Threadsafe does not support some features (mysql!) • Need to externalize it with cgi

34. mod_php to mod_fcgid + php • yum install mod_fcgid •

    vi /etc/httpd/conf/httpd.conf • mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.bak • vi /etc/httpd/conf.d/fcgid.conf <Directory "/var/www/html"> Options Indexes FollowSymLinks ExecCGI </Directory>

35. DirectoryIndex index.php AddHandler fcgid-script .fcgi .php DefaultInitEnv PHPRC "/etc/" MaxRequestsPerProcess

    1000 MaxProcessCount 10 MaxRequestLen 209715200 IPCCommTimeout 240 IdleTimeout 240 FCGIWrapper /usr/bin/php-cgi .php

36. mod_prefork to mod_worker • Needs recompilation • Luckily we have

    both already  – httpd -V | grep MPM – httpd.worker -V | grep MPM • sudo vi /etc/init.d/httpd httpd=${HTTPD- /usr/sbin/httpd.worker} prog=httpd.worker

37. mod_ssl • We need mod_ssl patched with NPN • yum

    install subversion curl gcc- c++ patch binutils make • mkdir modssl; cd modssl • svn export http://mod- spdy.googlecode.com/svn/trunk/src/ build_modssl_with_npn.sh • ./build_modssl_with_npn.sh • cp /root/modssl/mod_ssl.so /etc/httpd/modules/mod_ssl.so

38. [root@centos57 modssl]# ./build_modssl_with_npn.sh Using buildroot: /tmp/tmp.CooHIy8770 Downloading http://www.openssl.org/source/openssl-1.0.1-beta2.tar.gz ######################################################################## 100.0%

    Downloading http://www.apache.org/dist/httpd/httpd-2.2.21.tar.gz ######################################################################## 100.0% Downloading https://issues.apache.org/bugzilla/attachment.cgi?id=27969context=patch ######################################################################## 100.0% Uncompressing openssl-1.0.1-beta2.tar.gz ... done Uncompressing httpd-2.2.21.tar.gz ... done Applying Apache mod_ssl NPN patch ... patching file modules/ssl/ssl_private.h patching file modules/ssl/ssl_engine_init.c patching file modules/ssl/ssl_engine_io.c patching file modules/ssl/ssl_engine_kernel.c patching file modules/ssl/mod_ssl.c patching file modules/ssl/mod_ssl.h done Configuring OpenSSL ... done Building OpenSSL (this may take a while) ... done Configuring Apache mod_ssl ... done Building Apache mod_ssl (this may take a while) ... done Generated mod_ssl.so at /root/modssl/mod_ssl.so.

39. mod_spdy • Built from source • mkdir mod_spdy; cd mod_spdy

    • svn co http://src.chromium.org/svn/trunk/tools/depot_tools • export PATH="$PATH":`pwd`/depot_tools • gclient config http://mod- spdy.googlecode.com/svn/trunk/src • gclient sync --force • cd src; make BUILDTYPE=Release • sudo cp out/Release/libmod_spdy.so /etc/httpd/modules/mod_spdy.so • vi /etc/httpd/conf.d/spdy.conf LoadModule spdy_module /etc/httpd/modules/mod_spdy.so SpdyEnabled on

40. chrome://net-internals/#spdy

41. None

42. Is it spdy? • www.devthought.com/2012/03/10/chro me-spdy-indicator/ • ckon.wordpress.com/2012/03/11/spdy- indicator-for-firefox/

43. HTTP 2.07 seconds

44. HTTPS 4.94 seconds

45. SPDY 2.65 seconds

46. real HTTP 17.83 seconds

47. real SPDY 11.70 seconds

48. Online Demo • www.modspdy.com/world-flags/

49. www.belshe.com/2012/08/20/visualizing-spdy-vs-http

50. LET'S MAKE THE WEB FASTER