How to turn off gzip compression for SSL traffic
Igor Sysoev
igor at sysoev.ru
Mon Aug 19 04:43:02 UTC 2013
On Aug 18, 2013, at 14:27 , howard chen wrote:
> Hi,
>
> Thanks for the insight.
>
> Finally I solved by:
>
> if ($scheme = https) {
> gzip off;
> }
This does not work on server level. And on location level it may work in wrong way.
> Separating into two servers require to duplicate the rules like rewrite, which is cumbersome.
I believe that dual mode server block may be subject to vulnerabilities due to site map,
so BREACH is the least of them.
--
Igor Sysoev
http://nginx.com/services.html
> On Sat, Aug 17, 2013 at 8:43 PM, Igor Sysoev <igor at sysoev.ru> wrote:
> On Aug 17, 2013, at 8:59 , howard chen wrote:
>
>> Hi,
>>
>> As you know, due the breach attack (http://breachattack.com), HTTP compression is no longer safe (I assume nginx don't use SSL compression by default?), so we should disable it.
>
> Yes, modern nginx versions do not use SSL compression.
>
>> Now, We are using config like the following:
>>
>> gzip on;
>> ..
>>
>> server {
>> listen 127.0.0.1:80 default_server;
>> listen 127.0.0.1:443 default_server ssl;
>>
>>
>>
>> With the need to split into two servers section, is it possible to turn off gzip when we are using SSL?
>
>
> You have to split the dual mode server section into two server server sections and set "gzip off"
> SSL-enabled on. There is no way to disable gzip in dual mode server section, but if you really
> worry about security in general the server sections should be different.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20130819/454fc158/attachment.html>
More information about the nginx
mailing list