Product Documentation

SPDY (Speedy)

Warning SPDY is deprecated from NetScaler 12.0 build 56.20 onwards and as an alternative, Citrix recommends you to use the HTTP/2 feature. For more information, see HTTP/2 topic.

SPDY is an open networking experimental protocol developed by Google to reduce the time taken by a client to load a web page in a browser. An application layer protocol, SPDY changes the way in which HTTP requests and responses are handled. SPDY offers the following advantages compared to a regular HTTP transaction:

  • Multiplexed requests and responses—In a single SPDY session, multiple requests from the client can be sent over a single TCP connection to the server. This reduces the number of TCP connections and also optimizes usage of each TCP connection.
  • Request prioritization—When requesting services from the server, a client can assign a priority to each request.
  • Header Compression—SPDY compresses the HTTP request and response headers, saving bandwidth and reducing latency.
  • Server push—The server can send data to the client before the client requests it.
  • Security—SPDY is secure by design, because SSL is required for SPDY connections.

Citrix ADC supports the SPDY/2 and SPDY/3 (from Citrix ADC 10.5 onwards) versions.

Note: SPDY support depends on the browser version being used.

If you use a Citrix ADC appliance as a SPDY gateway for your servers, the servers do not have to support SPDY. The Citrix ADC appliance accepts the incoming SPDY requests, converts them, and sends them to the servers as HTTP requests. It also converts the HTTP responses and sends them to the clients as SPDY responses. While the key value of SPDY is reduced bandwidth consumption and faster communication with clients, an additional benefit of the Citrix ADC solution is that you avoid the time consuming task of upgrading your web servers and applications to support SPDY.

To use a Citrix ADC appliance as a SPDY gateway, you must enable SPDY on the appliance.

System requirements

Both ends of a SPDY connection must support the same version of SPDY. In addition, the clients must meet the following requirements:

Support ZLIB compression and accept compressed data.

Support the Next Protocol Negotiation (NPN) TLS extension, because NPN is used in the TLS handshake.

How SPDY works over SSL

If SPDY is enabled, when the Citrix ADC appliance sees TLS ALPN extension with list of supported protocols in the Client Hello message, it responds with either SPDY/3 or SPDY/2 in the ALPN extension in its Server Hello.

Citrix ADC can also negotiate SPDY over NPN. When Citrix ADC sees an empty NPN extension in the Client Hello message, it responds with a list of the protocols that it supports. If SPDY is enabled on the Citrix ADC appliance, the appliance advertises HTTP/1.1 and SPDY/2 protocols. The client selects one protocol from this list and negotiates the protocol with the server. Because sending the negotiated protocol in plain text would raise security issues, the client sends the Change Cipher Spec notification which defines the details of the encryption for the session, followed by the Next Protocol message, which contains the encrypted protocol that the client has chosen. The client then sends the Finished message. The Citrix ADC appliance decrypts the Next Protocol message, and then sends a Finished message.

A session is then established, and application data can be exchanged.

Note The NPN extension is not supported on a Citrix ADC FIPS appliance and with TLS protocol versions 1.1 and 1.2.

Configure SPDY

By default, SPDY is disabled on the Citrix ADC appliance. After you enable SPDY, the appliance advertises SPDY/2 and/or SPDY/3 along with HTTP/1.1 during an SSL handshake. To enable SPDY on the Citrix ADC appliance, you must enable SPDY in the HTTP profile bound to the SSL virtual server.

To configure SPDY by using the command line interface

At the command prompt, do the following:

Enable SPDY on a HTTP profile

set ns httpProfile <profileName> -SPDY <options>

Example

> set ns httpProfile profile1 -SPDY ENABLED

Bind the HTTP profile to a SSL virtual server.

set lb vserver <ssl-vserver-name> -httpProfileName <httpProfile-with-spdy>

Example

> set lb vserver SPDY_LB -httpProfileName profile1

Note: To apply SPDY globally, enable SPDY on the global HTTP profile (nshttp_default_profile).

You can view the statistics by using the following command:

stat protocol http -detail

To configure SPDY by using the GUI

Navigate to SystemProfiles, and in the HTTP Profiles tab, update the profile on which you want to enable SPDY.

Navigate to Traffic Management > Load BalancingVirtual Servers, and associate the HTTP profile to the appropriate SSL virtual server.

Troubleshoot SPDY

If SPDY sessions are not enabled even after performing the required steps, check the following conditions.

If the client is using a Chrome browser, SPDY might not work in some scenarios because Chrome sometimes does not initiate TLS handshake.

If there is a forward-proxy between the client and the Citrix ADC appliance, and the forward-proxy doesn’t support SPDY, SPDY sessions might not be enabled.

Citrix ADC does not support NPN over TLS 1.1/1.2. To use SPDY, the client should disable TLS1.1/1.2 in the browser.

Similarly, if the client wants to use SPDY, SSL2/3 must be disabled on the browser.

SPDY (Speedy)