Anyone know if this version of Nginx comes with SPDY enabled?
If so can it be installed with SPDY enabled in binaries through package managers, and if not, should 1.5.10 be compiled using --with-http_ssl_module and --with-http_spdy_module in order to take advantage of this?
If someone compiles 1.5.10 without that argument and then one day decides he wants to light up SPDY, does he need to recompile Nginx or is there a quicker solution? Thanks!
This is from the section 3.3.1 of SPDY Protocol - Draft 2 [0]:
"When a server receives a non-SPDY request which could have been served via SPDY, it should append a Alternate-Protocol header into the response stream. Note that it is valid to have multiple Alternate-Protocols headers. The field-value can also be specified as a comma-separated list, as per RFC2616 section 4.2."
Thanks for the link; I'm curious as to the downsides however (the article linked in the article doesn't fully cover them), and a Google search doesn't yield anything concrete (i.e. deferred on vs. off).
SSL Labs test will not give you a A+ rating if it is not set at least that long. HSTS headers should always be set for a long period of time to avoid a client that only rarely connects to a site having a MITM attack occur.
Let's be clear that the original CRIME attack was against request header secrets. Therefore, disabling response header compression (as nginx defaults to) does not prevent that. SPDY/3.1 request header compression is a client-side choice, not server-side.
That's true, which is why I was careful to say in its original form :) Since the original attack was on cookies (request headers). To my knowledge, no other SPDY server defaults response header compression to off. But yeah, if your application does pass secrets in response headers, you should be careful.
In the past, there have sometimes been configuration differences between the official packages for different OSes. I know SPDY is enabled on Ubuntu, but I'm not certain of all of the others.
> If someone compiles 1.5.10 without that argument and then one day decides he wants to light up SPDY, does he need to recompile Nginx or is there a quicker solution? Thanks!
In Vanilla nginx said user would need to recompile yes. Do note that the make file contains an 'upgrade' target, though, which performs a seamless binary upgrade.
I'm still new to SPDY, although I'm going to check it out with this release. Are there any best practices or recommendations for running SPDY in production alongside HTTP?
Nothing comes to mind. It runs alongside HTTPS (not HTTP), and in my experience "just works" if a client supports it. In Nginx, its a simple flag flip in the sites-available file.
Anyone know if this version of Nginx comes with SPDY enabled?
If so can it be installed with SPDY enabled in binaries through package managers, and if not, should 1.5.10 be compiled using --with-http_ssl_module and --with-http_spdy_module in order to take advantage of this?
If someone compiles 1.5.10 without that argument and then one day decides he wants to light up SPDY, does he need to recompile Nginx or is there a quicker solution? Thanks!