SPDY的抓包调试 | 安云网

发表评论
1,064 次浏览

A+

FROM:http://www.lenky.info/archives/2012/12/2065

SPDY默认运行在SSL安全协议之内，因此对它的抓包调试会比较麻烦，Nginx的SPDY支持没有找到对应的关闭ssl的选项，而Apache的mod-spdy模块有个对应的SpdyDebugUseSpdyForNonSslConnections选项（http://code.google.com/p/mod-spdy/wiki/ConfigOptions），可以设置采用non-SSL运行SPDY，所以这里也就试试它。
因为系统上默认已经有了Apache，所以采用二进制简单安装mod-spdy模块。
1，系统环境：

[root@localhost ~]# cat /etc/issue

CentOS release 6.2 (Final)

Kernel \r on an \m

[root@localhost ~]# uname -a

Linux localhost.localdomain 2.6.32-220.el6.i686 #1 SMP Tue Dec 6 16:15:40 GMT 2011 i686 i686 i386 GNU/Linux

2，已安装的Apache：

[root@localhost ~]# httpd -v

Server version: Apache/2.2.15 (Unix)

Server built: Dec 8 2011 18:07:26

[root@localhost ~]# whereis httpd

httpd: /usr/sbin/httpd.event /usr/sbin/httpd.worker /usr/sbin/httpd /etc/httpd /usr/lib/httpd /usr/include/httpd /usr/share/man/man8/httpd.8.gz

[root@localhost ~]# ls /etc/httpd/modules/

mod_actions.so        mod_authnz_ldap.so      mod_cgid.so        mod_expires.so       mod_mime_magic.so      mod_rewrite.so

mod_alias.so          mod_authz_dbm.so        mod_cgi.so         mod_ext_filter.so    mod_mime.so            mod_setenvif.so

mod_asis.so           mod_authz_default.so    mod_dav_fs.so      mod_filter.so        mod_negotiation.so     mod_speling.so

mod_auth_basic.so     mod_authz_groupfile.so  mod_dav.so         mod_headers.so       mod_proxy_ajp.so       mod_status.so

mod_auth_digest.so    mod_authz_host.so       mod_dav_svn.so     mod_ident.so         mod_proxy_balancer.so  mod_substitute.so

mod_authn_alias.so    mod_authz_owner.so      mod_dbd.so         mod_include.so       mod_proxy_connect.so   mod_suexec.so

mod_authn_anon.so     mod_authz_svn.so        mod_deflate.so     mod_info.so          mod_proxy_ftp.so       mod_unique_id.so

mod_authn_dbd.so      mod_authz_user.so       mod_dir.so         mod_ldap.so          mod_proxy_http.so      mod_userdir.so

mod_authn_dbm.so      mod_autoindex.so        mod_disk_cache.so  mod_log_config.so    mod_proxy_scgi.so      mod_usertrack.so

mod_authn_default.so  mod_cache.so            mod_dumpio.so      mod_log_forensic.so  mod_proxy.so           mod_version.so

mod_authn_file.so     mod_cern_meta.so        mod_env.so         mod_logio.so         mod_reqtimeout.so      mod_vhost_alias.so

[root@localhost ~]#

3，根据系统环境从链接https://developers.google.com/speed/spdy/mod_spdy/下载对应的二进制包：mod_spdy 32-bit .rpm (CentOS/Fedora)，进行安装：

[root@localhost ~]# cd /home/mod_spdy/

[root@localhost mod_spdy]# ls

mod-spdy-beta_current_i386.rpm

[root@localhost mod_spdy]# rpm -U mod-spdy-beta_current_i386.rpm

warning: mod-spdy-beta_current_i386.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY

error: Failed dependencies:

mod_ssl >= 2.2 is needed by mod-spdy-beta-0.9.3.3-386.i386

[root@localhost mod_spdy]#

提示差mod_ssl模块，查看系统当前Apache版本：

1 2	`[root@localhost mod_spdy]# rpm -q httpd` `httpd-2.2.15-15.el6.centos.i686`

在http://rpm.pbone.net/或直接用Google检索mod_ssl模块，由于该模块要与httpd匹配使用，所以搜索关键字为：mod_ssl-2.2.15-15.el6.centos.i686，找到对应的rpm文件：
ftp://ftp.isu.edu.tw/pub/Linux/CentOS/6.2/os/i386/Packages/mod_ssl-2.2.15-15.el6.centos.i686.rpm
进行安装：

1 2	`[root@localhost mod_spdy]# rpm -U mod_ssl-2.2.15-15.el6.centos.i686.rpm` `warning: mod_ssl-2.2.15-15.el6.centos.i686.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY`

再安装mod_spdy模块：

[root@localhost mod_spdy]# rpm -U mod-spdy-beta_current_i386.rpm

warning: mod-spdy-beta_current_i386.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY

job 1 at 2012-12-15 03:15

4，重启Apache，却提示出错：

[root@localhost mod_spdy]# /etc/init.d/httpd restart

Stopping httpd: [ OK ]

Starting httpd: httpd: Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error on line 9 of /etc/httpd/conf.d/load_ssl_with_npn.conf: Cannot load /usr/lib/httpd/modules/mod_ssl_with_npn.so into server: /usr/lib/httpd/modules/mod_ssl_with_npn.so: cannot restore segment prot after reloc: Permission denied

[FAILED]

这需要关闭SELinux，因此：

[root@localhost modules]# /usr/sbin/setenforce 0

[root@localhost modules]# /etc/init.d/httpd start

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName

[ OK ]

通过setenforce命令修改是立即生效，机器重启后需重新设置，可直接修改SELinux的配置文件/etc/selinux/config，改为disabled即重启后，SELinux也处于关闭状态。
5，检查spdy是否生效：

6，下面才是本文的重点，即让spdy运行在no-ssl之上，修改对应的配置文件并重启Apache：

[root@localhost conf.d]# pwd

/etc/httpd/conf.d

[root@localhost conf.d]# vi spdy.conf

[root@localhost conf.d]# cat spdy.conf

LoadModule spdy_module /usr/lib/httpd/modules/mod_spdy.so

<IfModule spdy_module>

# Turn on mod_spdy. To completely disable mod_spdy, you can set

# this to "off".

SpdyEnabled on

# In order to support concurrent multiplexing of requests over a

# single connection, mod_spdy maintains its own thread pool in

# each Apache child process for processing requests. The default

# size of this thread pool is very conservative; you can override

# it with a larger value (as below) to increase concurrency, at

# the possible cost of increased memory usage.

#

#SpdyMaxThreadsPerProcess 30

# Memory usage can also be affected by the maximum number of

# simultaneously open SPDY streams permitted for each client

# connection. Ideally, this limit should be set as high as

# possible, but you can tweak it as necessary to limit memory

# consumption.

#

#SpdyMaxStreamsPerConnection 100

SpdyDebugUseSpdyForNonSslConnections 2

</IfModule>

[root@localhost conf.d]# /etc/init.d/httpd restart

Stopping httpd: [ OK ]

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName

[ OK ]

[root@localhost conf.d]#

注意其中的SpdyDebugUseSpdyForNonSslConnections配置项，根据mod-spdy的官方wiki，2表示SPDY的协议版本（当前一共有4个版本）。
根据http://www.chromium.org/spdy/spdy-tools-and-debugging，以no-ssl形式启动Google浏览器：

访问Apache站点的80端口，同样可验证的确是SPDY协议：

通过Wireshark的抓包如下所示（需注意，由于spdy是持久连接，因此为了抓到完整的数据包，需在启动Google浏览器前把Wireshark设置好并启动抓包，然后启动Google浏览器访问spdy站点，然后关闭Google浏览器，最后才停止Wireshark抓包，通过端口过滤到对应的数据包）：