Opened 8 years ago

Closed 8 years ago

Last modified 2 years ago

#1029 closed enhancement (wontfix)

[Feature request] Please enable support for SPDY + HTTP/2 at the same time (you can merge already existing working open source patch by cloudflare)

Reported by: creativeprogramming@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.9.x
Keywords: Cc:
uname -a:
nginx -V:

Description

I know it's not so 'cool' to ask for this, now that http/2 is working fine and has replaced spdy, but in some real cases advertising and supporting also SPDY can give good benefits, as http/2 is not yet supported by many mobile browsers especially old android / iOS version webviews or native browsers but this is still a significant part of the user landscape.

The very same thing I'm asking here, was just implemented by cloudflare for nginx, see:

https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code/

So you can agree... this can help in some cases if a so big service provider wanted to implement it (and thankfully release it opensource!)

At moment I'm using the updated version of the cloudflare patch (modified by felixbuenemann) on nginx/1.10.1 and no issue

I'm using it in production with 100k spdy / http/2 pageviews a day and no issue since 7 days ago

See the updated patch at:

https://gist.github.com/felixbuenemann/44d53b911ebfc2a4ff2b951e49923da8
applied to nginx nginx -v

And comments at:
https://github.com/cloudflare/sslconfig/commit/e384008e0e0d1fd27f201979d40055a6b4f619e6

Please consider to merge or rewrite an equivalent patch for this in nginx core, I ask this as an user, because i really want to be able to stay updated with new nginx versions but keep spdy working too

Change History (2)

comment:1 by Maxim Dounin, 8 years ago

Just some stats for consideration. As of now, SPDY is supported by less than 50% of all clients. And HTTP/2 is supported by more than 70%.

comment:2 by Valentin V. Bartenev, 8 years ago

Resolution: wontfix
Status: newclosed

in some real cases advertising and supporting also SPDY can give good benefits, as http/2 is not yet supported by many mobile browsers especially old android / iOS version webviews or native browsers but this is still a significant part of the user landscape

There are at least three mutually incompatible versions of SPDY: 2, 3, and 3.1.

The patch adds only SPDY/3.1. AFAIK, most of (if not all) "old android / iOS" don't support SPDY version 3.1 and therefore will not use SPDY anyway.

The very same thing I'm asking here, was just implemented by cloudflare for nginx, see: https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code/
So you can agree... this can help in some cases if a so big service provider wanted to implement it (and thankfully release it opensource!)

Let me explain what cloudflare really did. They took old SPDY module from nginx 1.9.4 that was removed by a good intention and merged it back with all the known problems it had. After nginx 1.9.4 this code was partially rewritten for HTTP/2 and many bugs (including quite serious ones) have been fixed in its derivative. These issues remain in the patch since cloudflare haven't changed a line: the code is almost the same as it was right before removing from 1.9.4.

At moment I'm using the updated version of the cloudflare patch (modified by felixbuenemann) on nginx/1.10.1 and no issue
I'm using it in production with 100k spdy / http/2 pageviews a day and no issue since 7 days ago

There are a bunch of known problems with the code you use, some of them can even open a door for DoS attack on your server.

Below are the reasons why you probably haven't spotted them yet:

  1. The number of clients that use SPDY with the patch (i.e. that support SPDY/3.1, but don't support HTTP/2) is close to zero;
  2. There are some issues, but because of lack of suitable monitoring and enough expertise you haven't noticed;
  3. You're lucky enough and in your specific configuration it works quite good and nobody tried to attack your server using known problems with the old SPDY module.

Support of some feature doesn't mean just making the code compilable. It's also about investing time and resources on fixing bugs, maintaining the whole codebase in consistence, and for testing it over a huge number of configurations, operating systems and use cases. There's no good reason to spend more time to the dead protocol, but such complicated protocol as SPDY requires a lot of time and attention.

And cloudflare haven't spent it, they only got some promotion out of this patch. Of course they are free to do what they want, but because I care about nginx users, I'm not going to merge this code back. I caution anyone from using the patch. You can use it on your own risk, but you should understand that this code isn't maintained, nobody supports it and fixes bugs.

Version 1, edited 8 years ago by Valentin V. Bartenev (previous) (next) (diff)
Note: See TracTickets for help on using tickets.