
Packet Capture Debugging of SPDY

December 16, 2012

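SPDY runs inside SSL by default, which makes capturing and debugging it fairly troublesome. I could not find an option to turn off SSL in Nginx's SPDY support, whereas Apache's mod-spdy module has a corresponding SpdyDebugUseSpdyForNonSslConnections option (http://code.google.com/p/mod-spdy/wiki/ConfigOptions) that lets SPDY run over non-SSL connections, so that is what I try here.
Because Apache is already installed on the system by default, I simply install the mod-spdy module from its binary package.
1. System environment: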

[root@localhost ~]# cat /etc/issue
CentOS release 6.2 (Final)
Kernel \r on an \m
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.32-220.el6.i686 #1 SMP Tue Dec 6 16:15:40 GMT 2011 i686 i686 i386 GNU/Linux

2. The installed Apache:

[root@localhost ~]# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Dec  8 2011 18:07:26
[root@localhost ~]# whereis httpd
httpd: /usr/sbin/httpd.event /usr/sbin/httpd.worker /usr/sbin/httpd /etc/httpd /usr/lib/httpd /usr/include/httpd /usr/share/man/man8/httpd.8.gz
[root@localhost ~]# ls /etc/httpd/modules/
mod_actions.so        mod_authnz_ldap.so      mod_cgid.so        mod_expires.so       mod_mime_magic.so      mod_rewrite.so
mod_alias.so          mod_authz_dbm.so        mod_cgi.so         mod_ext_filter.so    mod_mime.so            mod_setenvif.so
mod_asis.so           mod_authz_default.so    mod_dav_fs.so      mod_filter.so        mod_negotiation.so     mod_speling.so
mod_auth_basic.so     mod_authz_groupfile.so  mod_dav.so         mod_headers.so       mod_proxy_ajp.so       mod_status.so
mod_auth_digest.so    mod_authz_host.so       mod_dav_svn.so     mod_ident.so         mod_proxy_balancer.so  mod_substitute.so
mod_authn_alias.so    mod_authz_owner.so      mod_dbd.so         mod_include.so       mod_proxy_connect.so   mod_suexec.so
mod_authn_anon.so     mod_authz_svn.so        mod_deflate.so     mod_info.so          mod_proxy_ftp.so       mod_unique_id.so
mod_authn_dbd.so      mod_authz_user.so       mod_dir.so         mod_ldap.so          mod_proxy_http.so      mod_userdir.so
mod_authn_dbm.so      mod_autoindex.so        mod_disk_cache.so  mod_log_config.so    mod_proxy_scgi.so      mod_usertrack.so
mod_authn_default.so  mod_cache.so            mod_dumpio.so      mod_log_forensic.so  mod_proxy.so           mod_version.so
mod_authn_file.so     mod_cern_meta.so        mod_env.so         mod_logio.so         mod_reqtimeout.so      mod_vhost_alias.so
[root@localhost ~]#

3. Based on the system environment, download the matching binary package from https://developers.google.com/speed/spdy/mod_spdy/ (mod_spdy 32-bit .rpm (CentOS/Fedora)) and install it:

[root@localhost ~]# cd /home/mod_spdy/
[root@localhost mod_spdy]# ls
mod-spdy-beta_current_i386.rpm
[root@localhost mod_spdy]# rpm -U mod-spdy-beta_current_i386.rpm
warning: mod-spdy-beta_current_i386.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
error: Failed dependencies:
	mod_ssl >= 2.2 is needed by mod-spdy-beta-0.9.3.3-386.i386
[root@localhost mod_spdy]#

The error says the mod_ssl module is missing. Check the current Apache version on the system:

[root@localhost mod_spdy]# rpm -q httpd
httpd-2.2.15-15.el6.centos.i686

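Search for the mod_ssl module on http://rpm.pbone.net/ or directly with Google. Because the module has to match the installed httpd, the search keyword is mod_ssl-2.2.15-15.el6.centos.i686, which finds the corresponding rpm file:
ftp://ftp.isu.edu.tw/pub/Linux/CentOS/6.2/os/i386/Packages/mod_ssl-2.2.15-15.el6.centos.i686.rpm
Install it: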

[root@localhost mod_spdy]# rpm -U mod_ssl-2.2.15-15.el6.centos.i686.rpm
warning: mod_ssl-2.2.15-15.el6.centos.i686.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY

Then install the mod_spdy module again:

[root@localhost mod_spdy]# rpm -U mod-spdy-beta_current_i386.rpm
warning: mod-spdy-beta_current_i386.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
job 1 at 2012-12-15 03:15

4. Restart Apache, which reports an error:

[root@localhost mod_spdy]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: httpd: Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error on line 9 of /etc/httpd/conf.d/load_ssl_with_npn.conf: Cannot load /usr/lib/httpd/modules/mod_ssl_with_npn.so into server: /usr/lib/httpd/modules/mod_ssl_with_npn.so: cannot restore segment prot after reloc: Permission denied
                                                           [FAILED]

This requires turning SELinux off, so:

[root@localhost modules]# /usr/sbin/setenforce 0
[root@localhost modules]# /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
                                                           [  OK  ]

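A change made with the setenforce command takes effect immediately but has to be reapplied after the machine reboots. To keep SELinux off after a reboot as well, edit the SELinux configuration file /etc/selinux/config directly and change the setting to disabled.
5. Check whether SPDY is in effect: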


6. Now comes the main point of this article: running SPDY without SSL. Modify the corresponding configuration file and restart Apache:

[root@localhost conf.d]# pwd
/etc/httpd/conf.d
[root@localhost conf.d]# vi spdy.conf
[root@localhost conf.d]# cat spdy.conf
LoadModule spdy_module /usr/lib/httpd/modules/mod_spdy.so
<IfModule spdy_module>
    # Turn on mod_spdy. To completely disable mod_spdy, you can set
    # this to "off".
    SpdyEnabled on
    # In order to support concurrent multiplexing of requests over a
    # single connection, mod_spdy maintains its own thread pool in
    # each Apache child process for processing requests.  The default
    # size of this thread pool is very conservative; you can override
    # it with a larger value (as below) to increase concurrency, at
    # the possible cost of increased memory usage.
    #
    #SpdyMaxThreadsPerProcess 30
    # Memory usage can also be affected by the maximum number of
    # simultaneously open SPDY streams permitted for each client
    # connection.  Ideally, this limit should be set as high as
    # possible, but you can tweak it as necessary to limit memory
    # consumption.
    #
    #SpdyMaxStreamsPerConnection 100
    SpdyDebugUseSpdyForNonSslConnections 2
</IfModule>
[root@localhost conf.d]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
                                                           [  OK  ]
[root@localhost conf.d]#

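Note the SpdyDebugUseSpdyForNonSslConnections directive: according to the official mod-spdy wiki, 2 is the SPDY protocol version (there are currently 4 versions in total).
Following http://www.chromium.org/spdy/spdy-tools-and-debugging, start Google Chrome in no-ssl mode: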

Visit port 80 of the Apache site; this likewise confirms that the protocol in use is indeed SPDY:

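The Wireshark capture is shown below (note that because SPDY uses persistent connections, capturing the complete exchange means setting up Wireshark and starting the capture before launching Google Chrome, then launching Chrome and visiting the SPDY site, then closing Chrome, and only then stopping the Wireshark capture; filter by port to get the relevant packets):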

Capture file download: spdy-no-ssl.rar
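
As an added example (not part of the original post), the following Python sketch parses SPDY frame headers from the reassembled TCP payload of one direction of a cleartext capture like the one above, which is a quick way to confirm the protocol version and frame types outside Wireshark. The function names and the sample bytes are constructed for this illustration.

```python
import struct

# Control frame types defined by SPDY draft 2 (the version configured above).
CONTROL_TYPES = {1: "SYN_STREAM", 2: "SYN_REPLY", 3: "RST_STREAM", 4: "SETTINGS",
                 5: "NOOP", 6: "PING", 7: "GOAWAY", 8: "HEADERS"}

def parse_frames(stream: bytes):
    """Describe each SPDY frame in one direction of a reassembled TCP stream."""
    frames, off = [], 0
    while len(stream) - off >= 8:          # every frame starts with an 8-byte header
        word0, word1 = struct.unpack_from("!II", stream, off)
        flags, length = word1 >> 24, word1 & 0xFFFFFF
        if word0 & 0x80000000:             # control bit set: 15-bit version, 16-bit type
            ftype = word0 & 0xFFFF
            frame = {"kind": "control", "version": (word0 >> 16) & 0x7FFF,
                     "type": CONTROL_TYPES.get(ftype, "UNKNOWN(%d)" % ftype)}
        else:                              # data frame: 31-bit stream id
            frame = {"kind": "data", "stream_id": word0 & 0x7FFFFFFF}
        frame.update(offset=off, flags=flags, length=length,
                     complete=off + 8 + length <= len(stream))
        frames.append(frame)
        if not frame["complete"]:          # capture ended in the middle of this frame
            break
        off += 8 + length
    return frames

def detect_spdy_version(stream: bytes):
    """Return the version if the stream opens with a known control frame, else None."""
    frames = parse_frames(stream)
    if (frames and frames[0]["kind"] == "control"
            and frames[0]["type"] in CONTROL_TYPES.values()):
        return frames[0]["version"]
    return None                            # e.g. plain HTTP/1.x text on the same port

# Constructed sample bytes (not taken from the capture file): a version 2 SYN_STREAM
# whose compressed header block is omitted, a data frame with FLAG_FIN, and a PING.
SAMPLE = (
    b"\x80\x02\x00\x01\x00\x00\x00\x0a" b"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x01\x01\x00\x00\x05" b"hello"
    b"\x80\x02\x00\x06\x00\x00\x00\x04" b"\x00\x00\x00\x01"
)

if __name__ == "__main__":
    print("SPDY version:", detect_spdy_version(SAMPLE))
    for f in parse_frames(SAMPLE):
        print(f)
```

To run it on real traffic, export one direction of the TCP stream from Wireshark as raw bytes and pass the file contents to parse_frames.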

References:
1. http://code.google.com/p/mod-spdy/
2. https://developers.google.com/speed/spdy/mod_spdy/
3. http://code.google.com/p/mod-spdy/wiki/ConfigOptions


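  1. January 9, 2013, 20:30 | #1

    @lenky

    Thanks. But I found this issue, which says the problem under 3 was fixed; I don't know why it has come back:
    http://code.google.com/p/mod-spdy/issues/detail?id=48

  2. January 9, 2013, 04:54 | #2

    Hi.
    I found that with SpdyDebugUseSpdyForNonSslConnections set to 3, accessing http with --use-spdy=no-ssl does not work, but https does. Do you have this problem too?

    • lenky
      January 9, 2013, 08:29 | #3

      As I recall, it seems to support only up to 2~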
