trying to disable gzip

2023-10-18 Thread alienmega via nginx
Hello,
I am trying to disable gzip to mitigate the BREACH attack (I use a service to 
check for vulnerabilities and it came up with that). I added gzip off to the 
nginx.conf file, then checked the configuration with nginx -t, and then 
reloaded with systemctl reload nginx.

When I visit the site, I still have
Accept-Encoding: gzip, deflate, br

I checked that I don't have gzip on anywhere else in /etc/nginx/*
grep -Ri "gzip off" /etc/nginx

I also used Brave in incognito mode to make sure there was no cache involved.

Not sure what else to do to disable gzip

I am running PHP 8.1, nginx 1.24 on Ubuntu (22.04.03)

this is the result of nginx -V
nginx version: nginx/1.24.0
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx 
--modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf 
--error-log-path=/var/log/nginx/error.log 
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid 
--lock-path=/var/run/nginx.lock 
--http-client-body-temp-path=/var/cache/nginx/client_temp 
--http-proxy-temp-path=/var/cache/nginx/proxy_temp 
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp 
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp 
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx 
--with-compat --with-file-aio --with-threads --with-http_addition_module 
--with-http_auth_request_module --with-http_dav_module --with-http_flv_module 
--with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module 
--with-http_random_index_module --with-http_realip_module 
--with-http_secure_link_module --with-http_slice_module --with-http_ssl_module 
--with-http_stub_status_module --with-http_sub_module --with-http_v2_module 
--with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module 
--with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 
-ffile-prefix-map=/data/builder/debuild/nginx-1.24.0/debian/debuild-base/nginx-1.24.0=.
 -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects 
-fstack-protector-strong -Wformat -Werror=format-security 
-Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions 
-flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed 
-pie'

thank you for any ideas

Sent with [Proton Mail](https://proton.me/) secure email.
___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx


Re: trying to disable gzip

2023-10-18 Thread Maxim Dounin
Hello!

On Wed, Oct 18, 2023 at 04:13:39PM +, alienmega via nginx wrote:

> Hello,
> I am trying to disable gzip to mitigate the BREACH attack (I use 
> a service to check for vulnerabilities and it came up with 
> that). I added gzip off to the nginx.conf file, then checked the 
> configuration with nginx -t, and then reloaded with systemctl 
> reload nginx.
> 
> When I visit the site, I still have
> Accept-Encoding: gzip, deflate, br

The "Accept-Encoding" is a _request_ header, sent by your browser.  
You have to look at the response headers instead, notably 
Content-Encoding.

> I checked that I don't have gzip on anywhere else in /etc/nginx/*
> grep -Ri "gzip off" /etc/nginx

As long as you don't have "gzip on" (or "gzip_static", but it is 
certainly not affected by BREACH) in your nginx configuration, 
nginx won't use gzip.  Note though that if you are using some 
backend server to return dynamic responses, you might need to 
disable gzip there as well.

Note well that completely disabling gzip might not be the best 
solution.  The BREACH attack only affects response body 
compression if the resource being returned 1) contains some secret 
information and 2) it reflects some user input.  That is, it 
certainly does not affect static files, and can be easily avoided 
by masking secrets in dynamic pages, see 
https://www.breachattack.com/ for details.

-- 
Maxim Dounin
http://mdounin.ru/
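The "masking secrets in dynamic pages" mitigation Maxim mentions, as an added example that is not code from the thread, from nginx or from breachattack.com: each response embeds a fresh random mask together with mask XOR secret, so the bytes that land in the compressed body differ on every response even though the underlying token (a CSRF token here, assumed) is constant, and the server only compares after unmasking. Standard library only; the session secret is generated inline for the demonstration.

```python
"""Per-response masking of a constant secret so its bytes never repeat in a
compressed page body.

Added example (not from the thread). Scheme: token = base64(mask || (mask XOR
secret)) with a fresh random mask per response, as described at
https://www.breachattack.com/ for BREACH; the helper names are mine.
"""
import base64
import binascii
import hmac
import secrets


def mask_token(secret: bytes) -> str:
    """Return a freshly masked, URL-safe encoding of secret for one response."""
    mask = secrets.token_bytes(len(secret))          # new mask every call
    masked = bytes(a ^ b for a, b in zip(mask, secret))
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(token: str) -> bytes:
    """Recover the secret from a masked token; raises ValueError on bad input."""
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    if len(raw) == 0 or len(raw) % 2 != 0:
        raise ValueError("masked token must be mask || masked, same length each")
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(a ^ b for a, b in zip(mask, masked))


def token_is_valid(submitted: str, session_secret: bytes) -> bool:
    """Check a submitted (masked) token against the session's real secret.

    Comparison happens on the unmasked value, in constant time, so the masking
    changes nothing about what the application considers a valid token.
    """
    try:
        recovered = unmask_token(submitted)
    except (ValueError, binascii.Error):   # malformed base64 or odd length
        return False
    return hmac.compare_digest(recovered, session_secret)


def render_form(session_secret: bytes) -> str:
    """Constructed HTML fragment: the page carries the masked token, never the
    raw secret, so a reflected input and the secret share no fixed byte run."""
    return (
        '<form method="post" action="/update">\n'
        f'  <input type="hidden" name="csrf" value="{mask_token(session_secret)}">\n'
        '</form>\n'
    )


if __name__ == "__main__":
    session_secret = secrets.token_bytes(32)       # demo value, per session
    page_a = render_form(session_secret)
    page_b = render_form(session_secret)
    print(page_a)
    print("two renders differ:", page_a != page_b)
    token = page_a.split('value="')[1].split('"')[0]
    print("token validates:", token_is_valid(token, session_secret))
```

The mask must be generated per response, not per session: a mask reused across responses would just become a new constant secret. Masking does not remove the need to keep secrets out of responses that also reflect attacker-controlled input where you can; it only stops the compressed length from leaking them byte by byte.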


RE: trying to disable gzip

2023-10-18 Thread Reinis Rozitis
> I added gzip off to nginx.conf file and then check the configuration with 
> nginx -t, and then reloaded with systemctl reload nginx.
> 
> When I visit the site, I still have 
> Accept-Encoding: gzip, deflate, br

First of all - how are you testing?
'Accept-Encoding' is the header in the HTTP request sent by the client/browser, 
identifying what the browser supports; what the server actually responds with 
is in 'Content-Encoding'.


In any case, if you see something like that also in the 'Content-Encoding' response 
headers - while I don't see that in the provided configure line (the module might 
be dynamically loaded?), nginx's default gzip module doesn't support 'br' (brotli) 
compression, so it's either a (third-party) ngx_brotli module (you can search 
your config for 'brotli') or something else ..

.. for example if you are testing on a PHP site - PHP can have its own output 
compression (for example via 
https://www.php.net/manual/en/zlib.configuration.php#ini.zlib.output-compression
 )

rr 


Re: trying to disable gzip

2023-10-18 Thread alienmega via nginx
Thank you for the information.  I didn't notice I was looking at the wrong 
place. It turns out that the culprit is Cloudflare. If I don't use it, I can see 
the gzip going on and off (as expected), but as soon as I use Cloudflare, it 
overwrites that response. Now I need to check on Cloudflare if there is any way 
to turn it off.

Sent with Proton Mail secure email.
