Enable SPDY in Nginx on CentOS 6

Mattias Geniar, Tuesday, December 16, 2014

SPDY is the protocol designed by Google that is later to become known as HTTP/2. Nginx supports this protocol on top of SSL connections, and recent versions ship with the --with-http_spdy_module option enabled!

And seeing as how Google is investigating if they can show plain HTTP sites as "unsecure", this may be the perfect time for you to consider an SSL certificate on your site, with SPDY enabled.

Install Nginx from the official repositories

For this to work, the easiest setup is to install Nginx from the official repositories. In the case of CentOS 6, that would be the following simple steps.

$ rpm -ivh "http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm"
$ yum install nginx

Your installed version should be at least the 1.6 release. If you already have Nginx installed from other sources, such as EPEL, you can install the Nginx repository as shown above and update to the latest version by running "yum clean all && yum update nginx". The version from the Nginx repository is likely to be the latest one available.

Enable SPDY on SSL vhosts

Since SPDY runs on top of SSL/TLS, you need a working SSL-enabled website already. For that, you'll have a config similar to this in your Nginx configuration.

server {
    listen       443 ssl;
    server_name  ma.ttias.be;
...
    ssl on;
    ssl_certificate ...;
    ssl_certificate_key ...;
}

For a correct SSL configuration, I recommend you have a look at Mozilla's recommended Nginx server configuration, which contains a lot of templates and best practices.

Now, to enable SPDY, first verify that your Nginx version supports the SPDY protocol.

$ nginx -V 2>&1 | grep 'spdy'
configure arguments: --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --conf-path=/etc/nginx/ --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_ssl_module --with-http_spdy_module

The flag "--with-http_spdy_module" needs to be present in the argument list.

To enable SPDY, it's as easy as changing this line:

listen       443 ssl;

to this one:

listen       443 ssl spdy;

... and reloading your Nginx config with a service nginx reload.
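
The verify, edit and reload steps above as one script. This is an added example, not code from the original post; the function names and the sample string are made up for illustration. It goes beyond the article's case by also recognising builds with --with-http_v2_module (nginx 1.9.5 and later), where the listen parameter is http2 instead of spdy, and it validates the config with nginx -t before reloading.

```shell
#!/bin/sh
# Added example: names and sample data are illustrative, not from the post.

# Constructed sample: shortened "nginx -V" configure line from the article.
SAMPLE_V='configure arguments: --with-http_ssl_module --with-http_spdy_module'

# Print the listen parameter for the compiled-in module, or fail if neither
# SPDY nor HTTP/2 support was built in.
proto_param() {
    case "$1" in
        *--with-http_spdy_module*) echo spdy ;;
        *--with-http_v2_module*)   echo http2 ;;
        *) return 1 ;;
    esac
}

# Add the parameter to every "listen ... ssl" line that lacks it.
# Idempotent; the previous version of the file is kept as <file>.bak.
enable_proto() {  # $1 = spdy|http2, $2 = vhost config file
    sed -i.bak -E "/^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:]]|;)/{
        /[[:space:]]$1([[:space:]]|;)/!s/;/ $1;/
    }" "$2"
}

# Full procedure: detect, edit, validate with "nginx -t", and only then reload.
enable_and_reload() {  # $1 = vhost config file
    param=$(proto_param "$(nginx -V 2>&1)") || {
        echo "nginx was built without SPDY or HTTP/2 support" >&2
        return 1
    }
    enable_proto "$param" "$1" && nginx -t && service nginx reload
}

# Offline demonstration on the constructed sample (prints "spdy").
proto_param "$SAMPLE_V"
```

Run enable_and_reload with the path to the vhost file as root; a failing nginx -t leaves the running configuration untouched.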

Testing for SPDY

There's a simple website that allows you to test your SPDY configuration: spdycheck.org.


If the test indicates a success, you're set!



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


Comments

Phil Tuesday, August 4, 2015 at 12:39 - Reply

Hi Mattias, good read. But from an HTTP 1.1 migration perspective, is moving to HTTP/2 really going to be as simple as turning spdy on? What about configuring all the new features like server side push? I would preferably like to have some sort of control over what resources are pushed and when, or does the spdy plugin make nginx do this automatically? I only ask because nginx has a reputation of being minimal to help speed, but it sounds like the “automatic optimal response” would be a lot of work to parse the html, read other resources and work out what the best response would be.

I’m just wondering whether this nginx plugin is a minimal implementation of the spdy protocol rather than something which will actually automatically use the new technology.


    Mattias Geniar Tuesday, August 4, 2015 at 22:53 - Reply

    is moving to HTTP/2 really going to be as simple as turning spdy on

    As you indeed mention, it’s not only enabling the HTTP/2 or SPDY protocol.

    The HTTP/2 improvements come in many forms. One is a simple protocol improvement, by multiplexing everything over a single TCP/IP stream. That part is simply “enabling in your webserver”.

    Using server-side push, request priorities, domain sharding/concatenation, … all require application changes. And what those changes are, will depend on the webserver you use. Not every webserver will use the same kind of Server Side Push syntax to support the standard.

    This’ll probably all become clear in 6-12 months, as HTTP/2 gets wider support in Apache, Nginx and other major webservers.


Nick Wednesday, August 23, 2017 at 17:21 - Reply

Hello Mattias, I tried this out for CentOS 7 and got the rhel7 files, however

nginx -V 2>&1 | grep 'spdy'

shows no spdy entry, it did not come with nginx :(

Full nginx -V:

nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

