eousphoros / mod-spdy Goto Github PK

Looks like some sort of fix is required.

Following these instructions...

https://plainsightro.wordpress.com/2014/09/28/mod_spdy-with-ubuntu-14-04-x64-and-apache-2-4/

This failure occurs...

make[2]: Leaving directory '/tmp/mod-spdy/src/mod_ssl/openssl-1.0.1j/engines/ccgost'
make[1]: Leaving directory '/tmp/mod-spdy/src/mod_ssl/openssl-1.0.1j/engines'
making install in apps...
make[1]: Entering directory '/tmp/mod-spdy/src/mod_ssl/openssl-1.0.1j/apps'
installing openssl
cp: cannot stat 'openssl': No such file or directory
Makefile:101: recipe for target 'install' failed
make[1]: *** [install] Error 1
make[1]: Leaving directory '/tmp/mod-spdy/src/mod_ssl/openssl-1.0.1j/apps'
Makefile:546: recipe for target 'install_sw' failed
make: *** [install_sw] Error 1

Just stumbled on this project and was going to try it out. I see your https://blck.io mentioned as a test site. However, when I hit it while watching chrome://net-internals/#events&q=type:SPDY_SESSION%20is:active, no sessions show up. I'm running Chrome 37 under Debian Linux.

I am running Apache 2.4.7 on Ubuntu 13.10 x32 and after compiling and installing the SSL and SPDY modules, I found that HTTP Strict Transport Security is no longer functional over SSL. The header is sent when accessed via HTTP, however. I have the headers enabled in my site's config under VirtualHost. I did have to disable -Werror in order to get the modules to compile.

Furthermore, every other page load seems to load as plain text under the latest stable version of Chrome (i.e. no CSS / proper wiki skin). My site is https://www.depechemode-live.com. For the time being however, I have disabled mod_spdy in order to have the page working properly for my users.
Internet Explorer 11 seems unaffected, but if I remember correctly IE does not even have SPDY support.

I'm unsure of what other info to provide, so please let me know and I'd be glad to supply it.

Found something on https://code.google.com/p/mod-spdy/wiki/GettingStarted

BUILDTYPE=Release make linux_package_deb

It produces:

  ACTION Extracting last change to /root/src/mod-spdy/src/out/Release/obj/gen/build/LASTCHANGE out/Release/obj/gen/build/LASTCHANGE.always
  ACTION build_install_gyp_linux_package_deb_target_deb_package_beta out/Release/mod-spdy-beta_0.9.4.1-r3bced7d_amd64.deb
Staging common install files in '/tmp/deb.build.RtihBV'...
Staging Debian install files in '/tmp/deb.build.RtihBV'...
Packaging amd64...
dpkg-gencontrol: error: cannot write debian/control: No such file or directory
Cleaning...
make: *** [out/Release/mod-spdy-beta_0.9.4.1-r3bced7d_amd64.deb] Error 2

Is there an updated documentation?

patching file modules/ssl/mod_ssl.c
Hunk #1 succeeded at 436 (offset 19 lines).
Hunk #2 succeeded at 629 (offset 19 lines).
patching file modules/ssl/mod_ssl.h
patching file modules/ssl/ssl_engine_init.c
Hunk #2 FAILED at 614.
1 out of 2 hunks FAILED -- saving rejects to file modules/ssl/ssl_engine_init.c.rej
patching file modules/ssl/ssl_engine_io.c
Reversed (or previously applied) patch detected!  Assume -R? [n]
Skipping patch.
4 out of 4 hunks ignored -- saving rejects to file modules/ssl/ssl_engine_io.c.rej
patching file modules/ssl/ssl_engine_kernel.c
Reversed (or previously applied) patch detected!  Assume -R? [n]

Even with the forced build of 2.4.17, NPN doesn't show up.

Server starts OK.
Works perfecty on plain HTTP.
As soon as I hit an ssl endpoint:

[Sun Apr 06 19:42:04.002012 2014] [mpm_event:notice] [pid 29707:tid 140422025725824] AH00489: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
[Sun Apr 06 19:42:04.002058 2014] [core:notice] [pid 29707:tid 140422025725824] AH00094: Command line: '/usr/sbin/apache2'
[Sun Apr 06 19:42:27.027328 2014] [core:notice] [pid 29707:tid 140422025725824] AH00051: child pid 29711 exit signal Segmentation fault (11), possible coredump in /etc/apache2

Latest Ubuntu 14.04 as of today.

Many thanks

I installed mod-spdy and mod_ssl(NPN, of course) on a CentOS 6.5 i686 apache2.4.10 using event MPM, but it only gives me this error:

Wed Jul 30 18:03:59.852880 2014] [spdy:warn] [pid 5350:tid 2887715696] [client 80.x.x.164:59760] [mod_spdy/0.9.4.1-4800e88] [5350:5369:WARNING:mod_spdy.cc(437)] NPN didn't happen during SSL handshake. You're probably using a version of mod_ssl that doesn't support NPN. Without NPN support, the server cannot use SPDY. See http://code.google.com/p/mod-spdy/wiki/GettingStarted for more information on installing a version of mod_spdy with NPN support.

I have used on prefork mpm(mod-SPDY on ap2.4 success) but php got strange so i switch to php-fpm, but DirectAdmin's custombuild can only select event mpm when used php other than mod_php.

Is event mpm not supported?

I have make sure that I have NPN on ssllabs test page.
https://www.ssllabs.com/ssltest/analyze.html?d=vda2.iniiter.com&ignoreMismatch=on

mod_proxy_fcgi now supports network sockets since 2.4.9. So, is it possible to add 2.4.9 support ? If yes, please use labels "https://github.com/eousphoros/mod-spdy/releases" on github to separate the versions between compatibilities, so users can download specific releases directly based on their needs.

By the way, THANKS for your effort since there is long time no news for http://code.google.com/p/mod-spdy/issues/detail?id=64

I think it is worth mentioning that the generated modules work fine with the Apache 2.4.6, too.
At least the Apache distribution of Ubuntu 13.10 (saucy) works well with your mod_spdy fork.

@eousphoros Do you plan to go on with this project?

It would be helpful if there was some documentation on compiling the code and setting it up correctly.

I've currently only tested in Debian 7, 8 and Ubuntu 13, none of them are able to fully compile, does this code currently only work with Ubuntu 14?

in readme file;

    If everything is successful you should have mod-spdy/src/out/Release/libmod_spdy.so and /mod-spdy/src/mod_ssl.so which can be installed into your apache2.4 modules directory.

Did you mean mod-spdy/src/mod_ssl.so (without slash) ?
I didn't test and even this fix is not important, I think it can help to some users.

Just as the topic states, this is not working. By the way, your "live demo" page is as well not running spdy. If you check using google chrome you'll find out that spdy is not used nor available because the server is not announcing it due to missing NPN.

Same using: http://spdycheck.org/#blck.io (i need to reload that page a few times before it actually works)

Output for: blck.io
"Missing NPN Extension in SSL/TLS Handshake

Sorry, but this server is not including an NPN Entension during the SSL/TLS handshake. The NPN Extension is an additional part of the SSL/TLS ServerHello message which allows web servers to tell browsers they support additional protocols, like SPDY. SSL/TLS servers that don't use send the NPN Extension cannot use SPDY because they have no way to tell the browser to use SPDY instead of HTTP."

How did you test that spdy works for you? :-)

I am having an issue when mod_spdy is used with PHP (tested with PHP-FPM & FASTCGI)

This installation is on an Ubuntu 14.04.1 Server with Apache 2.4.10 and PHP 5.5.16. mod_spdy is at commit bfc0fb7.

phpMyAdmin is at: 4.0.10deb1

I noticed the problem while trying to access phpMyAdmin over https, after having enabled mod_spdy.

Chrome reports the following errors in the console:

GET https://mytesthost/phpmyadmin/js/messages.php?lang=en&db=&token=1c39c6387a7fe7ff724de5100ece242d net::ERR_CONNECTION_RESET mytesthost/:1
GET https://mytesthost/phpmyadmin/js/get_image.js.php?theme=pmahomme net::ERR_CONNECTION_RESET mytesthost/:1
GET https://mytesthost/phpmyadmin/js/get_scripts.js.php?scripts[]=jq…ts[]=codemirror/lib/codemirror.js&scripts[]=codemirror/mode/mysql/mysql.js net::ERR_CONNECTION_RESET mytesthost/:1
Uncaught ReferenceError: PMA_commonParams is not defined (index):2
GET https://mytesthost/phpmyadmin/themes/dot.gif net::ERR_CONNECTION_RESET (index):15
GET https://mytesthost/phpmyadmin/themes/pmahomme/img/logo_right.png net::ERR_CONNECTION_RESET (index):7

When spdy is disabled, phpmyadmin runs normally, without any errors on the console.

The Apache2 error log has some of those kind of lines around the time of the request:

[Mon Sep 01 23:12:02.652553 2014] [core:notice] [pid 26544] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 01 23:12:48.716361 2014] [core:notice] [pid 26544] AH00051: child pid 26556 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Mon Sep 01 23:13:07.736759 2014] [core:notice] [pid 26544] AH00051: child pid 26575 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Mon Sep 01 23:13:08.737918 2014] [core:notice] [pid 26544] AH00051: child pid 26578 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Mon Sep 01 23:13:46.827000 2014] [core:notice] [pid 26544] AH00051: child pid 26581 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Mon Sep 01 23:13:47.828411 2014] [core:notice] [pid 26544] AH00051: child pid 26630 exit signal Bus error (7), possible coredump in /etc/apache2

On a first look, it seems that there is something happening, when, in the case of the first three errors, php is generating js.
Not sure, why the error also happens when loading images (llast two errors), though.

Any ideas?

I have tried installing this mod-spdy on apache 2.4.10, but spdy doesn't work and log messages are showing

[Tue Aug 12 03:10:39.591619 2014] [spdy:warn] [pid 30271] [client 64.41.200.103:56215] [mod_spdy/0.9.4.1-20ce121] [30271:30271:WARNING:mod_spdy.cc(437)] NPN didn't happen during SSL handshake.  You're probably using a version of mod_ssl that doesn't support NPN. Without NPN support, the server cannot use SPDY. See http://code.google.com/p/mod-spdy/wiki/GettingStarted for more information on installing a version of mod_spdy with NPN support.

First I thought it was because of event MPM, but these days I could use worker mpm and prefork mpm.
However, they are still making this error.

Then I used Apache 2.4.7, no error, I can use SPDY, no such errors.

It appears that the NPN patch for mod_ssl in apache 2.4.10 are having problems, in ssllabs test it shows

Next Protocol Negotiation     Yes

But NPN seems not working.

Has anyone run this mod-spdy on apache 2.4.10 successfully?
(because it seems eousphoros is still using 2.4.7)

Sometimes the line

Action regenerating Makefile

does not come out.
Causing make error, looks like it built for a wrong architecture.

UPDATE: looks like because forget to type chmod +x ./build/gyp_chromium

Hello!

I am trying to install mod-spdy on my webserver with CentOS 6 64bits, however, after I update the APR and APR-UTIL, an error occurred. The 'dispatch' isn't installed because a bug during installation. I am using Apache 2.4.12 and NginxAdmin.

Well, about mod-spdy, the follow fails occurs:

----------- root@server1 [/usr/local/src/mod-spdy/src]# ./build_modssl_with_npn.sh ---------------

/usr/lib64/libaprutil-1.so: undefined reference to apr_os_uuid_get' collect2: ld returned 1 exit status make[2]: *** [htpasswd] Error 1 make[2]: Leaving directory/usr/local/src/mod-spdy/src/mod_ssl/httpd-2.4.10/support'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/mod-spdy/src/mod_ssl/httpd-2.4.10/support'
make: *** [all-recursive] Error 1

------------------- Apache ---------------------

root@server1 [/usr/local/src/mod-spdy/src]# httpd -v
Server version: Apache/2.4.12 (Unix)
Server built: Apr 8 2015 09:51:03
Cpanel::Easy::Apache v3.28.5 rev9999

Thanks a lot for your attention and support.

https://www.openssl.org/news/vulnerabilities.html#2014-0160

on a lot of systems, /usr/bin/python is now python 3. getting this to build on such systems requires replacing 'python' in a bunch of places with 'python2'.

Edge, Firefox and Chrome stopped supporting spdy/3 it seems.

Chrome 44 and Firefox 41 still support spdy/3.1 as of today.

chrome://net-internals/#http2 gives:
Next Protocols: http/1.1,spdy/3.1,h2-14,h2

Enabling spdy/3.1 advertising allows to use spdy again on all of those browsers.

I am using this module on Debian and Apache 2.4.10. My SSL config uses name based virtual hosts and server name indication (SNI). Browser is Chrome 38.0.2125.0.

As long as I stick to GET requests, everything works as expected and many POST requests work too. But some of the XMLHttpRequests send by POST from my browser are not answered. From the browser console the requests seem to be sent to the correct hostname.

Looking at the Apache logs, I see that these requests expired several minutes later, with error 408. They ended up being handled by the default SSL host, indicating that SNI was not used.

So in other words: The browser sends a POST request, Apache ignores SNI, answers from the wrong host and the browser does not accept this answer, as it originates from the wrong host and breaks some of the Javascript policies.

I cannot reproduce this problem every time with mod_spdy, but it does not seem to occur, when I turn off mod_spdy with SpdyEnabled off.

Is it any way to setup mod-spdy on apache according to this article?
https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/

Glad this is finally working after Pull #17, but I'm running into the following issue:

Reference:
https://www.ssllabs.com/ssltest/analyze.html?d=mach3.redragon.me&hideResults=on
http://spdycheck.org/#mach3.redragon.me

It looks like while mod_spdy is working properly, advertising and negotiating SPDY sessions, it doesn't seem to advertise http/1.1 as a fallback. Not sure if this has to do with how the new NPN API works, but could we remove the separate http/1.1 function and checks and always advertise http/1.1?
As it stands currently, it checks for http/1.1 support and doesn't advertise it if the server should be advertising it elsewhere.

We should just be able to add http/1.1 support similarly to how @eousphoros added SPDY/3.1 in commit 314aa59 , but correct me if I'm wrong here.

Configuration:
CentOS 6.5 / cPanel VPS
Apache 2.4.10 w/Event MPM

hi!

i followed this https://www.rivy.org/2015/03/build-mod_spdy-with-apache-2-4-on-ubuntu-14-04/ howto to build mod_spdy. however, no spdy version is offered at all. if i use the pre-build mod_spdy offered on that page all versions are offered (including spdy3.1 which is causing problems with POST in my setup).

Would you mind stripping the .so-s?

I use this project on my personal blog, and have not run into any issues. Thank you for the awesome work.

I was going through the HTTP2 RFC, and noticed that they have moved to TLS with ALPN. I am unaware of the low-level differences between NPN and ALPN, so pardon if my question is stupid, but is there a possibility to build this code accordingly?

Debian wheezy amd64, backported apache 2.4.10-6~bpo70+1+SID
Compiled OK.

src/spdycat -nv https://www.domain.hu/
[  0.005] NPN select next protocol: the remote server offers:
Server did not advertise SPDY protocol.
error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext

Apache error log: AH01998: Connection closed to child 2 with abortive shutdown
Tool: https://github.com/tatsuhiro-t/spdylay

Please advise.