Enable SPDY on Debian

A few months back Google announced that moving your site to HTTPS gives it a boost in ranking. The boost is very minor at the moment, but Google has said that its weight will increase, so now is a good time to enable HTTPS on your server. HTTPS has other advantages as well, but they all come with a performance tradeoff: extra “handshake” packets in the initial communication, extra CPU cycles to encrypt/decrypt data, no caching of HTTPS responses, etc.

So what to do?

Don’t worry, you can still do a few things to improve your site’s performance. One of them is using SPDY with HTTPS, which gives a little boost by compressing request and response headers, multiplexing requests over a single connection, etc. The process is very simple and takes just a couple of minutes (provided your site is already configured with standard HTTPS/SSL).

Apache:

First download the required package from https://developers.google.com/speed/spdy/mod_spdy/. I have 64-bit Debian, so I will go for the 64-bit package.

wget https://dl-ssl.google.com/dl/linux/direct/mod-spdy-beta_current_amd64.deb

Install the .deb that you downloaded

dpkg -i mod-spdy-*.deb
apt-get -f install

Enable the Apache module.

a2enmod spdy
/etc/init.d/apache2 restart

There is one more change needed to make SPDY work: the module has to be activated in Apache’s mod_spdy config. Edit spdy.conf and make sure it contains the line below.

SpdyEnabled on

Restart Apache so the new changes take effect.

/etc/init.d/apache2 restart

Now you are ready to test the SPDY functionality, and there are several ways to do it. The easiest is to visit spdycheck.org and test your site. Another is to install the SPDY indicator Chrome extension, which shows a green lightning icon together with the SPDY protocol version in the browser address bar when a site is SPDY-enabled. You can also visit your site in Chrome and then open the page below in a new tab, which shows the SPDY status.

chrome://net-internals/#spdy

Once all is good, add the SPDY repository to your sources list so you get the latest package automatically. Create a new file /etc/apt/sources.list.d/mod-spdy.list and add the repo line.

/etc/apt/sources.list.d/mod-spdy.list
deb http://dl.google.com/linux/mod-spdy/deb/ stable main

Test whether the newly added repository is working.

apt-get update
apt-get upgrade

Nginx:

Nginx versions above 1.5 support the SPDY 3 protocol, so make sure you have the latest version installed. You can check your nginx version and build options with the command below.

nginx -V

Make sure you see --with-http_spdy_module in the list of compiled modules. To enable SPDY you just need to add the spdy option to your SSL listener, so your new config will look like below.

server {
    listen 443 ssl spdy;
    ...
    ...
}

After saving the new config, just restart the nginx service.

/etc/init.d/nginx restart

If all is good, your site is ready to ROCK!!
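As an added example that is not part of the original post, the Python below performs the two checks described above for nginx offline: it parses a constructed sample of the `nginx -V` output for the version and the --with-http_spdy_module build flag, and parses a constructed server block to confirm the listen directive carries both ssl and spdy. The sample strings, function names and the example.com server_name are assumptions.

```python
"""Added check (not from the post): is this nginx build and server block ready for SPDY?"""
import re

# Constructed sample of what `nginx -V` prints (the real command writes to stderr).
NGINX_V = """\
nginx version: nginx/1.6.2
configure arguments: --with-http_ssl_module --with-http_spdy_module --with-ipv6
"""

# Constructed server block mirroring the listener shown above.
CONF = """\
server {
    listen 443 ssl spdy;
    server_name example.com;
}
"""

def nginx_version(v_output):
    """(major, minor, patch) from the 'nginx version:' line, or None."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", v_output)
    return tuple(int(x) for x in m.groups()) if m else None

def has_module(v_output, module):
    # True if --with-<module> appears among the configure arguments.
    m = re.search(r"configure arguments:(.*)", v_output)
    return bool(m) and f"--with-{module}" in m.group(1).split()

def listeners(conf_text):
    """(port, has_ssl, has_spdy) for every listen directive in the config."""
    out = []
    for m in re.finditer(r"\blisten\s+([^;]+);", conf_text):
        args = m.group(1).split()
        out.append((args[0].rsplit(":", 1)[-1], "ssl" in args, "spdy" in args))
    return out

def spdy_issues(v_output, conf_text):
    """List of reasons SPDY will not work; an empty list means ready."""
    issues = []
    ver = nginx_version(v_output)
    if ver is None or ver < (1, 5, 0):
        issues.append("nginx 1.5 or newer is needed for SPDY 3")
    for mod in ("http_ssl_module", "http_spdy_module"):
        if not has_module(v_output, mod):
            issues.append(f"binary built without --with-{mod}")
    ports = listeners(conf_text)
    for port, ssl, spdy in ports:
        if spdy and not ssl:
            issues.append(f"listen {port}: spdy without ssl (browsers only negotiate SPDY over TLS)")
    if not any(spdy for _, _, spdy in ports):
        issues.append("no listen directive carries the spdy option")
    return issues
```

On a real box, feed it the output of `nginx -V 2>&1` and the contents of your site's config instead of the constructed samples.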

Squid 3 with SSL Bumping and Dynamic Certificates generation

This document guides you through configuring Squid with SSL bumping and dynamic certificate generation on Debian 7.

First download the Squid 3.4 source code from the official site and extract it.

wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.10.tar.gz
tar -zxvf squid-3.4.10.tar.gz

Install required packages.

apt-get install build-essential libssl-dev

cd into the squid-3.4.10 folder and configure it.

./configure --prefix=/usr/local/squid --enable-icap-client --enable-ssl --enable-ssl-crtd --with-default-user=squid

Now compile and install it.

make all
make install

Once installed, create a new user and give it ownership of squid’s log directory.

useradd squid
chown -R squid:squid /usr/local/squid/var/logs/

Before starting squid create the swap directories.

/usr/local/squid/sbin/squid -z

Now start the squid process.

/usr/local/squid/sbin/squid

If there is any issue, debug it with the commands below: the first parses the config and reports syntax errors, the second runs squid in the foreground with debug output on the terminal.

/usr/local/squid/sbin/squid -k parse
/usr/local/squid/sbin/squid -NCd1

Now you should have squid running on port 3128. For SSL bumping and dynamic certificate generation you have to create your own CA (Certificate Authority); the command below writes the private key and the self-signed certificate into the same file, which is what squid expects in the cert= option.

mkdir /usr/local/squid/ssl_cert
cd /usr/local/squid/ssl_cert
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem

Now we need to modify squid.conf: open it and add the directives below. Note that sslproxy_cert_error allow all and sslproxy_flags DONT_VERIFY_PEER make squid accept any certificate from the origin server, so the clients behind the proxy no longer get origin certificate validation from their browser; that is the tradeoff this configuration makes.

http_port 3128 transparent
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

The sslcrtd_program line points at a certificate database that does not exist yet, so we need a few more steps: create it with the same -s path and -M size, then hand it over to the squid user.

mkdir /usr/local/squid/var/lib
/usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db -M 4MB
chown -R squid:squid /usr/local/squid/var/lib/ssl_db/
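As an added example that is not from the post, the Python below parses the squid.conf fragment shown above (embedded as a constructed sample), flags the two directives that switch off origin-server certificate checking, and extracts the ssl_db path that the ssl_crtd -c initialisation step above must match. The function names are assumptions; the directives are the ones from the post.

```python
"""Added example (not from the post): audit the ssl_bump directives of a squid.conf."""

# Constructed sample: the squid.conf fragment shown above.
BUMP_CONF = """\
http_port 3128 transparent
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
"""

def parse_squid_conf(text):
    """Yield (directive, args) per line, ignoring blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def crtd_db_path(text):
    """Path after -s in sslcrtd_program; it must match the ssl_crtd -c -s init step."""
    for name, args in parse_squid_conf(text):
        if name == "sslcrtd_program" and "-s" in args:
            return args[args.index("-s") + 1]
    return None

def audit_ssl_bump(text):
    """Return findings that weaken origin-server certificate validation on a bumping proxy."""
    conf = list(parse_squid_conf(text))
    bump_ports = [a for n, a in conf if n == "https_port" and "ssl-bump" in a]
    if not bump_ports:
        return []  # nothing is bumped, so browsers still validate origin certs themselves
    findings = []
    for name, args in conf:
        if name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("sslproxy_flags DONT_VERIFY_PEER: origin certificates are not verified")
        if name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: origin certificate errors are ignored")
    for args in bump_ports:
        if "generate-host-certificates=on" in args and not any(a.startswith("cert=") for a in args):
            findings.append("https_port: generate-host-certificates=on without a cert= signing CA")
    if crtd_db_path(text) is None:
        findings.append("sslcrtd_program has no -s database path")
    return findings
```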

Restart squid with '/usr/local/squid/sbin/squid -NCd1'. You should see something like below at the end.

Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=41
2014/12/13 13:41:54| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3127 remote=[::] FD 19 flags=41

If all is good so far, your squid configuration is complete, but you need a few more steps in order to use it transparently.

Enable IP forwarding.

echo "1" > /proc/sys/net/ipv4/ip_forward

Configure iptables to accept and forward connections to squid.

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -I INPUT -p tcp -m tcp --dport 3127 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 3128 -j ACCEPT

Now point your clients’ gateway at the squid box and install the CA certificate in your browser’s certificate store to avoid certificate warnings.