Packet capture debugging for SPDY


FROM:http://www.lenky.info/archives/2012/12/2065

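SPDY runs inside the SSL security protocol by default, which makes capturing and debugging its traffic awkward. I could not find an option to turn SSL off in Nginx's SPDY support, whereas Apache's mod-spdy module has a corresponding SpdyDebugUseSpdyForNonSslConnections option (http://code.google.com/p/mod-spdy/wiki/ConfigOptions) that lets SPDY run over non-SSL connections, so that is what I try here.
Because the system already ships with Apache, I simply install the mod-spdy module from its binary package.
1. System environment: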

[root@localhost ~]# cat /etc/issue
CentOS release 6.2 (Final)
Kernel \r on an \m
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.32-220.el6.i686 #1 SMP Tue Dec 6 16:15:40 GMT 2011 i686 i686 i386 GNU/Linux

2. The installed Apache:

[root@localhost ~]# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Dec  8 2011 18:07:26
[root@localhost ~]# whereis httpd
httpd: /usr/sbin/httpd.event /usr/sbin/httpd.worker /usr/sbin/httpd /etc/httpd /usr/lib/httpd /usr/include/httpd /usr/share/man/man8/httpd.8.gz
[root@localhost ~]# ls /etc/httpd/modules/
mod_actions.so        mod_authnz_ldap.so      mod_cgid.so        mod_expires.so       mod_mime_magic.so      mod_rewrite.so
mod_alias.so          mod_authz_dbm.so        mod_cgi.so         mod_ext_filter.so    mod_mime.so            mod_setenvif.so
mod_asis.so           mod_authz_default.so    mod_dav_fs.so      mod_filter.so        mod_negotiation.so     mod_speling.so
mod_auth_basic.so     mod_authz_groupfile.so  mod_dav.so         mod_headers.so       mod_proxy_ajp.so       mod_status.so
mod_auth_digest.so    mod_authz_host.so       mod_dav_svn.so     mod_ident.so         mod_proxy_balancer.so  mod_substitute.so
mod_authn_alias.so    mod_authz_owner.so      mod_dbd.so         mod_include.so       mod_proxy_connect.so   mod_suexec.so
mod_authn_anon.so     mod_authz_svn.so        mod_deflate.so     mod_info.so          mod_proxy_ftp.so       mod_unique_id.so
mod_authn_dbd.so      mod_authz_user.so       mod_dir.so         mod_ldap.so          mod_proxy_http.so      mod_userdir.so
mod_authn_dbm.so      mod_autoindex.so        mod_disk_cache.so  mod_log_config.so    mod_proxy_scgi.so      mod_usertrack.so
mod_authn_default.so  mod_cache.so            mod_dumpio.so      mod_log_forensic.so  mod_proxy.so           mod_version.so
mod_authn_file.so     mod_cern_meta.so        mod_env.so         mod_logio.so         mod_reqtimeout.so      mod_vhost_alias.so
[root@localhost ~]#

3. Based on the system environment, download the matching binary package from https://developers.google.com/speed/spdy/mod_spdy/: mod_spdy 32-bit .rpm (CentOS/Fedora), and install it:

[root@localhost ~]# cd /home/mod_spdy/
[root@localhost mod_spdy]# ls
mod-spdy-beta_current_i386.rpm
[root@localhost mod_spdy]# rpm -U mod-spdy-beta_current_i386.rpm
warning: mod-spdy-beta_current_i386.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
error: Failed dependencies:
    mod_ssl >= 2.2 is needed by mod-spdy-beta-0.9.3.3-386.i386
[root@localhost mod_spdy]#

The installer reports that the mod_ssl module is missing. Check the Apache version currently on the system:

[root@localhost mod_spdy]# rpm -q httpd
httpd-2.2.15-15.el6.centos.i686

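Search http://rpm.pbone.net/ or Google directly for the mod_ssl module. Because the module has to match the installed httpd, the search keyword is mod_ssl-2.2.15-15.el6.centos.i686, which finds the corresponding rpm file:
ftp://ftp.isu.edu.tw/pub/Linux/CentOS/6.2/os/i386/Packages/mod_ssl-2.2.15-15.el6.centos.i686.rpm
Install it: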

[root@localhost mod_spdy]# rpm -U mod_ssl-2.2.15-15.el6.centos.i686.rpm
warning: mod_ssl-2.2.15-15.el6.centos.i686.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY

Then install the mod_spdy module:

[root@localhost mod_spdy]# rpm -U mod-spdy-beta_current_i386.rpm
warning: mod-spdy-beta_current_i386.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
job 1 at 2012-12-15 03:15

4. Restart Apache; it reports an error:

[root@localhost mod_spdy]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: httpd: Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error on line 9 of /etc/httpd/conf.d/load_ssl_with_npn.conf: Cannot load /usr/lib/httpd/modules/mod_ssl_with_npn.so into server: /usr/lib/httpd/modules/mod_ssl_with_npn.so: cannot restore segment prot after reloc: Permission denied
                                                           [FAILED]

This requires turning SELinux off, so:

[root@localhost modules]# /usr/sbin/setenforce 0
[root@localhost modules]# /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
                                                           [  OK  ]

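A change made with the setenforce command takes effect immediately but has to be reapplied after the machine reboots. Alternatively, edit the SELinux configuration file /etc/selinux/config directly and set it to disabled, so that SELinux also stays off after a reboot.
5. Check that SPDY is in effect: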
[Image]
[Image]
6. Now for the real point of this article: running SPDY over no-SSL. Edit the corresponding configuration file and restart Apache:

[root@localhost conf.d]# pwd
/etc/httpd/conf.d
[root@localhost conf.d]# vi spdy.conf
[root@localhost conf.d]# cat spdy.conf
LoadModule spdy_module /usr/lib/httpd/modules/mod_spdy.so
<IfModule spdy_module>
    # Turn on mod_spdy. To completely disable mod_spdy, you can set
    # this to "off".
    SpdyEnabled on
    # In order to support concurrent multiplexing of requests over a
    # single connection, mod_spdy maintains its own thread pool in
    # each Apache child process for processing requests.  The default
    # size of this thread pool is very conservative; you can override
    # it with a larger value (as below) to increase concurrency, at
    # the possible cost of increased memory usage.
    #
    #SpdyMaxThreadsPerProcess 30
    # Memory usage can also be affected by the maximum number of
    # simultaneously open SPDY streams permitted for each client
    # connection.  Ideally, this limit should be set as high as
    # possible, but you can tweak it as necessary to limit memory
    # consumption.
    #
    #SpdyMaxStreamsPerConnection 100
    SpdyDebugUseSpdyForNonSslConnections 2
</IfModule>
[root@localhost conf.d]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
                                                           [  OK  ]
[root@localhost conf.d]#

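Note the SpdyDebugUseSpdyForNonSslConnections directive: according to the official mod-spdy wiki, 2 denotes the SPDY protocol version (there are currently 4 versions in total).
Following http://www.chromium.org/spdy/spdy-tools-and-debugging, start the Google Chrome browser in no-ssl mode: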
[Image]
Visit port 80 of the Apache site; this likewise confirms that the protocol in use really is SPDY:
[Image]
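The Wireshark capture is shown below. Note that because SPDY uses a persistent connection, capturing the complete exchange means setting up Wireshark and starting the capture before launching Chrome, then launching Chrome and visiting the SPDY site, then closing Chrome, and only then stopping the Wireshark capture; filter by port to isolate the relevant packets: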
[Image]

Capture file download: spdy-no-ssl.rar
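
What a cleartext capture like this contains at the byte level, as an added example that is not part of the original post: a Python walker for the 8-byte SPDY draft 2 frame header (the version selected by the value 2 above), applied to one direction of a reassembled TCP stream. The function names and the sample bytes are constructed for illustration, and compressed header blocks are not decoded.

```python
import struct

# Control frame types defined by SPDY draft 2.
CONTROL_TYPES = {1: "SYN_STREAM", 2: "SYN_REPLY", 3: "RST_STREAM", 4: "SETTINGS",
                 5: "NOOP", 6: "PING", 7: "GOAWAY", 8: "HEADERS"}
HAS_STREAM_ID = {"SYN_STREAM", "SYN_REPLY", "RST_STREAM", "HEADERS"}

def parse_frames(stream):
    """Split one direction of a cleartext SPDY stream into (frames, leftover).
    leftover counts trailing bytes that do not form a complete frame."""
    frames, pos = [], 0
    while len(stream) - pos >= 8:
        word, flags_len = struct.unpack_from(">II", stream, pos)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        if len(stream) - pos - 8 < length:
            break  # truncated frame: stop instead of misparsing what follows
        payload = stream[pos + 8:pos + 8 + length]
        if word & 0x80000000:  # C bit set: control frame
            name = CONTROL_TYPES.get(word & 0xFFFF, "UNKNOWN")
            frame = {"kind": name, "version": (word >> 16) & 0x7FFF,
                     "flags": flags, "length": length}
            if name in HAS_STREAM_ID and length >= 4:
                frame["stream_id"] = struct.unpack_from(">I", payload)[0] & 0x7FFFFFFF
        else:  # C bit clear: data frame, the first word is the stream ID
            frame = {"kind": "DATA", "stream_id": word & 0x7FFFFFFF,
                     "flags": flags, "length": length, "fin": bool(flags & 0x01)}
        frames.append(frame)
        pos += 8 + length
    return frames, len(stream) - pos

def _control(ftype, flags, payload, version=2):
    return struct.pack(">HHI", 0x8000 | version, ftype, (flags << 24) | len(payload)) + payload

def _data(stream_id, flags, payload):
    return struct.pack(">II", stream_id, (flags << 24) | len(payload)) + payload

# Constructed sample, not bytes from the post's capture. The SYN_STREAM header
# block is placeholder bytes; real ones are zlib-compressed name/value pairs.
SAMPLE = (_control(1, 0x01, struct.pack(">IIH", 1, 0, 0) + b"\x00" * 6)
          + _control(6, 0, struct.pack(">I", 1))      # PING
          + _data(1, 0x01, b"<html></html>")          # last data frame of stream 1
          + _data(1, 0x00, b"cut")[:9])               # capture ended mid-frame

if __name__ == "__main__":
    frames, leftover = parse_frames(SAMPLE)
    for f in frames:
        print(f)
    print("incomplete trailing bytes:", leftover)
```

A non-zero leftover is the symptom of the capture-ordering problem described above: the capture started or stopped in the middle of the persistent connection.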

Full references:
1. http://code.google.com/p/mod-spdy/
2. https://developers.google.com/speed/spdy/mod_spdy/
3. http://code.google.com/p/mod-spdy/wiki/ConfigOptions
