trying to disable gzip
Hello, I am trying to disable gzip to mitigate the breach attack( I use a service to check for vulnerabilities and it came up with that). I added gzip off to nginx.conf file and then check the configuration with nginx -t, and then reloaded with systemctl reload nginx. When I visit the site, I still have Accept-Encoding: gzip, deflate, br I check that I dont have gip on anywhere else on /etc/nginx/* grep -Ri "gzip off" /etc/nginx I also use brave in incognito mode to make sure there was no cache involve. Not sure what else to do to disable gzip I am running php 8.1, nginx1.24 on ubuntu (22.04.03) this is the result of nginx -V nginx version: nginx/1.24.0 built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1) built with OpenSSL 3.0.2 15 Mar 2022 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.24.0/debian/debuild-base/nginx-1.24.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' thank you for any ideas Sent with [Proton Mail](https://proton.me/) secure email.___ nginx mailing list nginx@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx
Re: trying to disable gzip
Thank you for the information. I didnt notice I was lookgin at the wrong place. It turns out that the culprit is cloudflare. If I dont use it, I can see the gzip going on and off(as expected), but as soo as I use cloudflare, it overwrites that response. Now I need to check on cloudflare if there is anyway to turn it off. Sent with Proton Mail secure email. --- Original Message --- On Wednesday, October 18th, 2023 at 12:46 PM, Maxim Dounin wrote: > Hello! > > On Wed, Oct 18, 2023 at 04:13:39PM +, alienmega via nginx wrote: > > > Hello, > > I am trying to disable gzip to mitigate the breach attack( I use > > a service to check for vulnerabilities and it came up with > > that). I added gzip off to nginx.conf file and then check the > > configuration with nginx -t, and then reloaded with systemctl > > reload nginx. > > > > When I visit the site, I still have > > Accept-Encoding: gzip, deflate, br > > > The "Accept-Encoding" is a request header, sent by your browser. > You have to look at the response headers instead, notably > Content-Encoding. > > > I check that I dont have gip on anywhere else on /etc/nginx/* > > grep -Ri "gzip off" /etc/nginx > > > As long as you don't have "gzip on" (or "gzip_static", but it is > certainly not affected by BREACH) in your nginx configuration, > nginx won't use gzip. Note though that if you are using some > backend server to return dynamic responses, you might need to > disable gzip there as well. > > Note well that completely disabling gzip might not be the best > solution. The BREACH attack only affects response body > compression if the resource being returned 1) contains some secret > information and 2) it reflects some user input. That is, it > certainly does not affect static files, and can be easily avoided > by masking secrets in dynamic pages, see > https://www.breachattack.com/ for details. > > -- > Maxim Dounin > http://mdounin.ru/ > ___ > nginx mailing list > nginx@nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx ___ nginx mailing list nginx@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx
