how to upgrade spdy/2 to spdy/3 on LEMP Ubuntu 14.04?

July 27, 2015 3k views
Nginx Server Optimization LEMP Ubuntu
2a7da21e0db2c5fe1363a984aa802de3c4a02242
By:
sugarhill

I get the following warning message when I use the spdy-test tool at https://spdycheck.org

**Out-of-Date SPDY Protocol Support**
The most recent version of SPDY is spdy/3. The highest version this website supports is spdy/2. There are 3 major versions of SPDY. This website should consider updating its software if possible to support spdy/3.

I read that nginx & openssl should be updated to the latest version to automatically use spdy/3.

I did all upgrades available through digitalocean but especially openssl seems way outdated:

nginx: nginx/1.4.6 (Ubuntu)
openssl: OpenSSL 1.0.1f 6 Jan 2014

Maybe there's a mirror outside of DO I should use?

Log In to Comment
1 Answer
UKn0Me July 27, 2015

SPDY/3 support in was added in 1.5.10. because you're running 1.4.6 you won't have it.
I use Chris Lea's nginx mainline PPA for my servers and because it's mainline version and constantly being updated (about 1-2 days behind official nginx release), you can have access to the latest features (including SPDY/3!). Current version is 1.9.3 and can be found at: https://launchpad.net/~chris-lea/+archive/ubuntu/nginx-devel

Reply
  • sugarhill July 27, 2015

    Thanks for your answer!

    This solved my problem and I'm now using nginx/1.9.3 including SPDY/3

  • sugarhill July 27, 2015

    Hm, the update did produce a problem.

    My ssllabs server rating has been reduced from A+ to A because Strict Transport Security (HSTS) is supposedly not enabled. Although spdycheck.org still reports it is enabled.

    I had a look in my config and even though I opted out of upgrading my nginx config file (after distro-upgrade) a new file "default.dpkg-dist" has been added to /etc/nginx/sites-available which is called from /etc/nginx/sites-enabled/default

    I deleted both files
    etc/nginx/sites-available/default.dpkg-dist
    /etc/nginx/sites-enabled/default
    but I'm still stuck at A with no HSTS

    Is there any other file that needs to be modified after distro-upgrade to recognize HSTS?

  • UKn0Me July 27, 2015

    If you haven't already add the following to your server block:
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    The options are pretty self-explanatory, adjust if required to your needs.

  • sugarhill July 27, 2015

    Yes, I did have this line in my config (otherwise you cant get A+ in the first place) and even included "preload" which I previously submitted at https://hstspreload.appspot.com

    Luckily I found the culprit - it was my wordpress maintanance mode which sends a 503 status code and prevents ssllabs from receiving my HSTS. As soon as I switch off maintenance mode I'm back to A+.

    P.S.: either way I gave you another heart for hanging in with me - thanks a lot UKn0Me :)

Have another answer? Share your knowledge.

Related Questions