On Aug 12, 2013, at 21:32 , offmind wrote:
> And what if we are using gzip_static?
> As far as I understand, we have to block gzipping page code. But what about
> .js .css with no secure content?
Statically gzipped files do not depend on user input so they are not subject
to BREACH.
--
Igor S
I am using the statement is:
if ($ host! = www.mj.com|ci.mj.com) {rewrite ^ / (. *) $ http://www.mj.com/
$ 1 permanent;}
This page contains a redirect loop occurs causing the problem can not access
the site, I ask you how to handle this statement to be compatible with
multiple subdomains, thank you
On Aug 19, 2013, at 9:56 , B.R. wrote:
> On Mon, Aug 19, 2013 at 12:41 AM, Igor Sysoev wrote:
>
> These are different vulnerabilities: SSL compression is subject to
> CRIME vulnerability while HTTP/SSL compression is subject to BREACH
> vulnerability.
>
> Incorrect.
>
> CRIME attacks a vulner
On Mon, Aug 19, 2013 at 12:41 AM, Igor Sysoev wrote:
>
> These are different vulnerabilities: SSL compression is subject to
> CRIME vulnerability while HTTP/SSL compression is subject to BREACH
> vulnerability.
>
Incorrect.
CRIME attacks a vulnerability in the implementation of SSLv3 and TLS1.
On Aug 18, 2013, at 14:27 , howard chen wrote:
> Hi,
>
> Thanks for the insight.
>
> Finally I solved by:
>
> if ($scheme = https) {
> gzip off;
> }
This does not work on server level. And on location level it may work in wrong
way.
> Separating into two servers require to duplicate the
On Aug 18, 2013, at 21:09 , itpp2012 wrote:
> Igor Sysoev Wrote:
> ---
>> Yes, modern nginx versions do not use SSL compression.
> [...]
>> You have to split the dual mode server section into two server server
>> sections and set "gzip off"
>> SS
Hello!
On Wed, Aug 14, 2013 at 06:56:32AM -0400, MKl wrote:
> Hello,
>
> to increase security of SSL I added some eliptic-curves-ciphers to the
> chain. For HTTPS it's working fine, but for the mail proxy it does not work,
> I only always get RC4-SHA instead of the ECDH ciphers.
> See configurat
Hello!
On Sun, Aug 18, 2013 at 05:29:11PM -0400, B.R. wrote:
[...]
> > > Testing conf is of course a duplicate of work, but that's a safe
> > operation.
> > > The command output will determine if your new configuration will work
> > > without having to carefully watch logs with anxiety.
> >
> >
Hello,
On Sun, Aug 18, 2013 at 3:14 PM, Maxim Dounin wrote:
>
> Making any changes to the configuration isn't something
> significant: even without changes at all new binary on disk might
> not consider an old configuration as a valid e.g. due to some
> module not compiled in. And a reload migh
Hello,
On Sun, Aug 18, 2013 at 4:48 PM, itpp2012 wrote:
> I think we could all benefit from a nginx recommendation on using gzip with
> single and dual mode server sections regarding a hardening approach against
> breach. Maxim?
>
As Igor advised, 2 different servers to server HTTP & HTTPS req
I think we could all benefit from a nginx recommendation on using gzip with
single and dual mode server sections regarding a hardening approach against
breach. Maxim?
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241953,241993#msg-241993
___
On Sun, 2013-08-18 at 16:08 +0800, Edwin Lee wrote:
> Hi,
>
> Is is alright to have two installations of nginx on the same machine?
> I have a running instance of nginx with php installed from distribution
> package manager.
> Instead of writing another config, I would like to compile and install
On Sun, Aug 18, 2013 at 12:31 PM, Paul N. Pace wrote:
> Igor said:
>>You have to split the dual mode server section into two server server
>>sections and set "gzip off"
>>SSL-enabled on. There is no way to disable gzip in dual mode server section,
>>but if you really
>>worry about security in ge
Igor said:
>You have to split the dual mode server section into two server server sections
>and set "gzip off"
>SSL-enabled on. There is no way to disable gzip in dual mode server section,
>but if you really
>worry about security in general the server sections should be different.
Adie said:
>Th
Hello!
On Sat, Aug 17, 2013 at 12:36:38PM -0400, B.R. wrote:
> Hello,
>
>
> On Sat, Aug 17, 2013 at 7:37 AM, Maxim Dounin wrote:
>
> > Hello!
> >
> > I don't think that calling "nginx -t" as a mandatory step before
> > configuration reload is a good idea: nginx binary running and
> > nginx bi
This discussion started regarding concerns about the BREACH, which (if you
documented about it) attacks SSL-encrypted HTTP-level-compressed data, thus
implying the discussion around gzip.
---
*B. R.*
___
nginx mailing list
nginx@nginx.org
http://mailman.n
I think you mistake ssl/tls level compression with gzip http compression,
both are different.
If you put gzip in http section, all server sections under this http will
inherits this gzip config.
This is why Igor recommends you to split the server config for SSL and
non-SSL, and put 'gzip on' only
On 18 August 2013 18:09, itpp2012 wrote:
> Igor Sysoev Wrote:
> ---
>> Yes, modern nginx versions do not use SSL compression.
> [...]
>> You have to split the dual mode server section into two server server
>> sections and set "gzip off"
>> SSL-e
Igor Sysoev Wrote:
---
> Yes, modern nginx versions do not use SSL compression.
[...]
> You have to split the dual mode server section into two server server
> sections and set "gzip off"
> SSL-enabled on. There is no way to disable gzip in dual m
Hi everyone!
I would like to ask for 5 minutes of your time and participate in a
survey that is intended to monitor current trends in Nginx community and
suggest improvements to Nginx.
To participate just visit this URL and use Facebook, Google accounts or
your Email to login:
http://surve
I thought that "if" statements slowed nginx down?
On Sun, Aug 18, 2013 at 6:27 AM, howard chen wrote:
> Hi,
>
> Thanks for the insight.
>
> Finally I solved by:
>
> if ($scheme = https) {
> gzip off;
> }
>
> Separating into two servers require to duplicate the rules like rewrite,
> which is
Hi,
Thanks for the insight.
Finally I solved by:
if ($scheme = https) {
gzip off;
}
Separating into two servers require to duplicate the rules like rewrite,
which is cumbersome.
Thanks anyway
On Sat, Aug 17, 2013 at 8:43 PM, Igor Sysoev wrote:
> On Aug 17, 2013, at 8:59 , howard chen
you could specify the configure file by -c option or even specify prefix by
-p
and could compile anther nginx instance by --prefix configure option
2013/8/18 Edwin Lee
> Hi,
>
> Is is alright to have two installations of nginx on the same machine?
> I have a running instance of nginx with php
Hi,
Is is alright to have two installations of nginx on the same machine?
I have a running instance of nginx with php installed from distribution package
manager.
Instead of writing another config, I would like to compile and install nginx
from source code and run as second instance.
The second
Thanks, I knew about those instructions but I was trying to "build it hte
Debian way" :-(
Found this page with some more instructions/hints:
http://wiki.debian.org/IntroDebianPackaging but no luck.
So I guess if nobody can help me do it this way, in a few days I'll give it
a try with the instruc
Use the official instructions from
https://github.com/pagespeed/ngx_pagespeed and you'll have no problems.
Well, I haven't upgraded from 1.4.1 yet, but that works fine.
Steve
On 18/08/13 19:46, ovidiu wrote:
I'm trying to follow this tutorial:
http://www.howtoforge.com/using-ngx_pagespeed-wit
I'm trying to follow this tutorial:
http://www.howtoforge.com/using-ngx_pagespeed-with-nginx-on-debian-wheezy to
build nginx with ngx_pagespeed on a Debian Wheezy machine. Unfortunately so
far I have been using nginx from dotdeb so I'm trying to use their sources.
The error occurs when building:
27 matches
Mail list logo
