
Because of the BREACH vulnerability I'd like to disable gzip compression for TLS traffic, but not for regular HTTP traffic.

I could split up every Nginx server section into two separate TLS- and non-TLS sections and configure gzip there, but with a dozen sites running on the same webserver I'd prefer not to do this for every server section.

Is it possible to disable gzip compression for all HTTPS requests, without creating multiple server sections (e.g. from the http section)?

Danilo Bargen
  • `Is it possible to disable gzip compression for all HTTPS requests, without creating multiple server sections (e.g. from the http section)?` No, not possible, at the moment. This topic was discussed in length some time ago, in Nginx mailing list. If you didn't see the link that Harikrishnan referenced, here it is... http://forum.nginx.org/read.php?2,241953,241953#msg-241953 – Pothi Kalimuthu Oct 07 '13 at 11:52

3 Answers

There is a difference between SSL compression and regular HTML/gzip compression. To protect against the BREACH vulnerability only the former should be disabled. See Disable deflate compression in nginx SSL and this page.


Unfortunately I think the best answer is to separate your servers into http and https. I have around a dozen sites on my web server; I have three server blocks per domain - https://www serves the traffic, the other three just forward (http://www, http://, https://).

Generally you don't want to serve the same content on http and https for SEO, at least not without making it clear which content is canonical (i.e. the primary one).

Obviously the config below is only that relevant to this answer, not a full config.

# Main Nginx config file
http {
  gzip on;

  # https site, usually in a file with any other servers for this domain
  server {
    server_name www.example.com;
    listen 443 ssl http2;
    gzip off;
  }

  # http site that forwards to https
  server {
    server_name  example.com www.example.com;
    listen       80;
    access_log   /var/log/nginx/access.log;
    return       301 https://www.example.com$request_uri;
  }

  # https / non www server skipped as it's obvious
}

Reducing duplication

If you really want to serve the same website on http and https, and want to reduce duplication for things like your location configurations, you can do something like this. The server_name and go in the included file but that's a bit opaque.

  # https site, usually in a file with any other servers for this domain
  server {
    server_name www.example.com;
    listen 443 ssl http2;
    gzip off;

    # include the locations, which is common to http and https
    include /etc/nginx/sites-enabled/example_com_location.conf;
  }

  # http site that serves the same content over plain http
  server {
    server_name  example.com www.example.com;
    listen       80;
    include /etc/nginx/sites-enabled/example_com_location.conf;
  }
Tim
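Once the split configuration above is deployed, it is worth confirming that no HTTPS response still arrives with a compressed body, since that is the condition BREACH relies on. The following check is an added example, not code from any answer on this page; the response header blocks in SAMPLES are constructed, and in practice you would feed it headers captured with curl -I or a similar tool.

```python
# Added check: flag HTTPS responses that still carry a compressed
# Content-Encoding. Input is a list of (url, raw_header_block) pairs.
from urllib.parse import urlparse

# Encodings that indicate a compressed response body.
COMPRESSED = {"gzip", "deflate", "br", "compress"}


def parse_headers(raw):
    """Parse a raw HTTP response header block into a lowercase-keyed dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_compression(responses):
    """Return (url, encoding) for every https response whose body is compressed.

    Plain-http responses are ignored: the question only wants gzip disabled
    for TLS traffic, so compression there is expected.
    """
    findings = []
    for url, raw in responses:
        if urlparse(url).scheme != "https":
            continue
        encoding = parse_headers(raw).get("content-encoding", "identity")
        tokens = {t.strip().lower() for t in encoding.split(",")}
        if tokens & COMPRESSED:
            findings.append((url, encoding))
    return findings


# Constructed sample responses (not real captures).
SAMPLES = [
    ("https://www.example.com/account",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"),
    ("https://www.example.com/",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1234\r\n"),
    ("http://www.example.com/",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"),
]

if __name__ == "__main__":
    for url, enc in audit_compression(SAMPLES):
        print(f"{url}: still compressed ({enc})")
```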

Try This

if ($scheme = https) {
    gzip off;
}

Reference

Harikrishnan
  • Nope, `if` is not allowed in the `http` section: `nginx: [emerg] "if" directive is not allowed here in /etc/nginx/nginx.conf:50; nginx: configuration file /etc/nginx/nginx.conf test failed` – Danilo Bargen Oct 07 '13 at 11:10
  • If you are ready to recompile nginx, I will show you one 100% working idea. I have used it before. – Harikrishnan Oct 07 '13 at 11:37
  • I (always) compile from source. May I know what that 100% working idea is? – Pothi Kalimuthu Oct 07 '13 at 11:44
  • @Harikrishnan I'm not sure I'd prefer recompiling over multiple `server` sections, but please post your solution as an answer, I'm interested in it :) – Danilo Bargen Oct 07 '13 at 11:48
  • hm. I was thinking about http-headers-more nginx module. But in your case it won't work since you are not ready to split them. – Harikrishnan Oct 07 '13 at 11:53
  • @Harikrishnan If there's a way without splitting the `server` sections, I'd prefer that. But if there isn't, I won't get around the splitting... – Danilo Bargen Oct 07 '13 at 12:06
  • unfortunately the nginx forum says that `You have to split the dual mode server section into two server server sections and set "gzip off" SSL-enabled on. There is no way to disable gzip in dual mode server section, but if you really worry about security in general the server sections should be different.` http://forum.nginx.org/read.php?2,241953,241959#msg-241959 – Harikrishnan Oct 07 '13 at 12:08