Welcome! Log In Create A New Profile

Advanced

Re: trying to disable gzip

Maxim Dounin
October 18, 2023 12:48PM
Hello!

On Wed, Oct 18, 2023 at 04:13:39PM +0000, alienmega via nginx wrote:

> Hello,
> I am trying to disable gzip to mitigate the breach attack( I use
> a service to check for vulnerabilities and it came up with
> that). I added gzip off to nginx.conf file and then check the
> configuration with nginx -t, and then reloaded with systemctl
> reload nginx.
>
> When I visit the site, I still have
> Accept-Encoding: gzip, deflate, br

The "Accept-Encoding" is a _request_ header, sent by your browser.
You have to look at the response headers instead, notably
Content-Encoding.

> I check that I dont have gip on anywhere else on /etc/nginx/*
> grep -Ri "gzip off" /etc/nginx

As long as you don't have "gzip on" (or "gzip_static", but it is
certainly not affected by BREACH) in your nginx configuration,
nginx won't use gzip. Note though that if you are using some
backend server to return dynamic responses, you might need to
disable gzip there as well.

Note well that completely disabling gzip might not be the best
solution. The BREACH attack only affects response body
compression if the resource being returned 1) contains some secret
information and 2) it reflects some user input. That is, it
certainly does not affect static files, and can be easily avoided
by masking secrets in dynamic pages, see
https://www.breachattack.com/ for details.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Re: trying to disable gzip

Maxim Dounin October 18, 2023 12:48PM

Re: trying to disable gzip

noloader October 19, 2023 01:24PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 333
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready