

Introducing SPDY - jgrahamc
http://blog.cloudflare.com/introducing-spdy

======
joubert
_SPDY is built on top of TLS, which means it requires a site to have a valid
SSL certificate in order to work. This, unfortunately, limits SPDY only to
CloudFlare's paid customers who have enabled Flexible or Full SSL support.
Microsoft is working on a revised IETF proposal that is SPDY-like, but removes
the requirement for SSL/TLS. If the TLS requirement is removed in the future,
we'll make SPDY (or whatever it comes to be called) available more broadly._

Can SPDY theoretically be transitioned to not be built on top of TLS, or is
the MSFT work a more likely solution?

~~~
mdwelsh
SPDY does not technically require TLS, but it's the Right Thing To Do [tm].
According to Mike Belshe, there are two reasons that SPDY was designed to use
TLS. The first was pragmatic: Middleboxes on the Internet wouldn't be able to
pass through non-HTTP traffic, so unless a different port was used, the only
way to punch through the various proxy layers was to use end-to-end security.
But the other reason is just as important: It's 2012, folks. It seems insane
that most Web traffic goes in the clear. Browsers are fully capable of doing
the SSL handshake without incurring a major performance cost - even on mobile
devices. Finally, we may not get another chance to change the web protocol
stack for another 15 years, so it's best to get it right now.

------
septerr
"By gathering all scripts, regardless of where they're hosted, into a single
HTTP request, Rocket Loader limits the number of HTTP connections that are
needed. This also means that even third party scripts that appear on your page
are requested under your site's domain."

How do you do that?

~~~
mbrubeck
CloudFlare's server acts as a proxy. It downloads each resource over HTTP from
its original location and caches it, then delivers all the resources to the
client over SPDY. The preceding paragraph explains it:

 _"For SPDY support, CloudFlare acts as a gateway... We handle the
multiplexing and begin sending down objects we already have in our cache. The
request to the origin server for non-cached objects is sent over standard
HTTP/S."_

This is similar to the proxy mode in Amazon's Silk browser for Kindle Fire.

~~~
igrigorik
Do you rewrite the hosts on all third party sites to be the site domain? I'm
still not following this setup.

Silk is an entirely different setup. Silk (a) manually sets their SPDY gateway
as a browser proxy, which is a system level setting, and (b) Silk does not
tunnel HTTPS requests. CloudFlare obviously doesn't have control over my
browser's proxy settings, so if the page I'm loading is abc.com/page, and that
page has a request to twitter.com/widget.js, then the browser _should_ open a
connection directly to twitter.com to fetch that resource.

P.S. SPDY does allow tunneling HTTPS, but once again, that requires a system
level proxy setup.

~~~
moonboots
To use cloudflare's "rocket loader", the host domain dns record must point to
cloudflare instead of the origin server. If abc.com were using cloudflare, a
user's request to abc.com/page would first hit cloudflare's server. Cloudflare
would then proxy the request to abc's origin server, rewrite 3rd party urls,
and return the modified content to the user.

I'm not sure how well cloudflare handles http vary headers, e.g. 3rd party
resources that serve different content depending on cookies or user agent. An
example could be google web fonts which serves different css and fonts to
different browsers.

~~~
igrigorik
Looking through CF's own site, plus a few of their "case study" links, I don't
see the domain rewriting happening on these scripts. And as you indicated,
with the additional complication of user cookies / HTTP vary, I'm not sure that's
necessarily a good idea either -- if either of those is in place, all of your
cache optimizations go out the door. Best gotcha example: ads.

Seems like there is a bit of false advertising going on here.

~~~
eli
That doesn't seem like a big deal. If you have requirements that every request
hit your server then, duh, you can't have a caching proxy in front of your
pages.

I think _very_ few ads work that way, though. It's almost always a javascript
include (often from a 3rd party ad server).

~~~
igrigorik
I'm saying the opposite. I have no reason to proxy twitter.js or other ads
scripts on my site. If CF is taking the step to rewrite those to the same
domain, then they also have to guard for respecting all the cache implications
of that.
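
The Vary concern raised in the comments above, as an added example that is not part of the original thread and not CloudFlare's code: a minimal shared cache that keys stored responses on the request headers named in `Vary`, next to one that ignores the header. `ProxyCache`, `vary_key`, `font_origin` and the URL are hypothetical names, and the origin is a constructed stand-in for a third-party resource that serves per-browser CSS.

```python
# Added example: how a shared proxy cache must key responses on Vary.
# All names are hypothetical; the origin below is a constructed stand-in.

def vary_key(url, request_headers, vary_value):
    """Cache key for a response, or None when it must not be reused."""
    fields = sorted(f.strip().lower() for f in (vary_value or "").split(",") if f.strip())
    if "*" in fields:
        return None  # Vary: * forbids serving the stored copy to anyone else
    norm = {k.lower(): v.strip() for k, v in request_headers.items()}
    # URL plus the value of every request header the origin said it varies on.
    return (url, tuple((f, norm.get(f, "")) for f in fields))


class ProxyCache:
    def __init__(self, honor_vary=True):
        self.honor_vary = honor_vary
        self.vary_by_url = {}  # url -> Vary value last seen from the origin
        self.store = {}        # cache key -> response body

    def fetch(self, url, request_headers, origin):
        if url in self.vary_by_url:
            key = vary_key(url, request_headers, self.vary_by_url[url])
            if key is not None and key in self.store:
                return self.store[key], "HIT"
        response_headers, body = origin(request_headers)
        # A cache that ignores Vary behaves as if the header were empty.
        vary = response_headers.get("Vary", "") if self.honor_vary else ""
        self.vary_by_url[url] = vary
        key = vary_key(url, request_headers, vary)
        if key is not None:
            self.store[key] = body
        return body, "MISS"


def font_origin(request_headers):
    # Constructed third-party origin: per-browser CSS, like the web fonts case.
    fmt = "woff" if "Firefox" in request_headers.get("User-Agent", "") else "eot"
    return {"Vary": "User-Agent"}, "@font-face{src:url(font.%s)}" % fmt


def demo(honor_vary):
    cache = ProxyCache(honor_vary)
    url = "https://fonts.example/css"  # placeholder URL
    first = cache.fetch(url, {"User-Agent": "Firefox"}, font_origin)
    second = cache.fetch(url, {"User-Agent": "MSIE"}, font_origin)
    return first, second


if __name__ == "__main__":
    print(demo(True))   # each browser gets its own variant
    print(demo(False))  # second browser is served the first browser's CSS
```

Keying on the raw `User-Agent` or `Cookie` value keeps responses correct but splits the cache into one entry per distinct header value, which is the loss of cache efficiency the thread points out.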

------
nemo1618
Interesting. I wonder if moot will adopt this for 4chan. Recently he's seemed
interested in optimizing the site (most notably by cleaning up the HTML/CSS
and adding mobile support).

~~~
sirn
4chan is already using CloudFlare Pro (you can check by visiting their SSL
url, they're using CloudFlare cert), so it should be easy for him to enable
SPDY support.

------
grandalf
Is cloudflare mainstream? Any testimonials? Sounds pretty cool.

