SPDY (Speedy)

Warning SPDY is deprecated from NetScaler 12.0 build 56.20 onwards and as an alternative, Citrix recommends you to use the HTTP/2 feature. For more information, see HTTP/2 topic.

SPDY is an open networking experimental protocol developed by Google to reduce the time taken by a client to load a web page in a browser. An application layer protocol, SPDY changes the way in which HTTP requests and responses are handled. SPDY offers the following advantages compared to a regular HTTP transaction:

  • Multiplexed requests and responses—In a single SPDY session, multiple requests from the client can be sent over a single TCP connection to the server. This reduces the number of TCP connections and also optimizes usage of each TCP connection.
  • Request prioritization—When requesting services from the server, a client can assign a priority to each request.
  • Header Compression—SPDY compresses the HTTP request and response headers, saving bandwidth and reducing latency.
  • Server push—The server can send data to the client before the client requests it.
  • Security—SPDY is secure by design, because SSL is required for SPDY connections.

Note: SPDY support depends on the browser version being used.

If you use a NetScaler appliance as a SPDY gateway for your servers, the servers do not have to support SPDY. The NetScaler appliance accepts the incoming SPDY requests, converts them, and sends them to the servers as HTTP requests. It also converts the HTTP responses and sends them to the clients as SPDY responses. While the key value of SPDY is reduced bandwidth consumption and faster communication with clients, an additional benefit of the NetScaler solution is that you avoid the time consuming task of upgrading your web servers and applications to support SPDY.

To use a NetScaler appliance as a SPDY gateway, you must enable SPDY on the appliance.

System requirements

Both ends of a SPDY connection must support the same version of SPDY. In addition, the clients must meet the following requirements:

Support ZLIB compression and accept compressed data.

Support the Next Protocol Negotiation (NPN) TLS extension, because NPN is used in the TLS handshake.

How SPDY works over SSL

If SPDY is enabled, when the NetScaler appliance sees TLS ALPN extension with list of supported protocols in the Client Hello message, it responds with either SPDY/3 or SPDY/2 in the ALPN extension in its Server Hello.

NetScaler can also negotiate SPDY over NPN. When NetScaler sees an empty NPN extension in the Client Hello message, it responds with a list of the protocols that it supports. If SPDY is enabled on the NetScaler appliance, the appliance advertises HTTP/1.1 and SPDY/2 protocols. The client selects one protocol from this list and negotiates the protocol with the server. Because sending the negotiated protocol in plain text would raise security issues, the client sends the Change Cipher Spec notification which defines the details of the encryption for the session, followed by the Next Protocol message, which contains the encrypted protocol that the client has chosen. The client then sends the Finished message. The NetScaler appliance decrypts the Next Protocol message, and then sends a Finished message.

A session is then established, and application data can be exchanged.

Note The NPN extension is not supported on a NetScaler FIPS appliance and with TLS protocol versions 1.1 and 1.2.

Configure SPDY

By default, SPDY is disabled on the NetScaler appliance. After you enable SPDY, the appliance advertises SPDY/2 and/or SPDY/3 along with HTTP/1.1 during an SSL handshake. To enable SPDY on the NetScaler appliance, you must enable SPDY in the HTTP profile bound to the SSL virtual server.

To configure SPDY by using the command line interface

At the command prompt, do the following:

Enable SPDY on a HTTP profile

set ns httpProfile <profileName> -SPDY <options>


> set ns httpProfile profile1 -SPDY ENABLED

Bind the HTTP profile to a SSL virtual server.

set lb vserver <ssl-vserver-name> -httpProfileName <httpProfile-with-spdy>


> set lb vserver SPDY_LB -httpProfileName profile1

Note: To apply SPDY globally, enable SPDY on the global HTTP profile (nshttp_default_profile).

You can view the statistics by using the following command:

stat protocol http -detail

To configure SPDY by using the GUI

Navigate to SystemProfiles, and in the HTTP Profiles tab, update the profile on which you want to enable SPDY.

Navigate to Traffic Management > Load BalancingVirtual Servers, and associate the HTTP profile to the appropriate SSL virtual server.

Troubleshoot SPDY

If SPDY sessions are not enabled even after performing the required steps, check the following conditions.

If the client is using a Chrome browser, SPDY might not work in some scenarios because Chrome sometimes does not initiate TLS handshake.

If there is a forward-proxy between the client and the NetScaler appliance, and the forward-proxy doesn’t support SPDY, SPDY sessions might not be enabled.

NetScaler does not support NPN over TLS 1.1/1.2. To use SPDY, the client should disable TLS1.1/1.2 in the browser.

Similarly, if the client wants to use SPDY, SSL2/3 must be disabled on the browser.