
Because of the BREACH vulnerability I'd like to disable gzip compression for TLS traffic, but not for regular HTTP traffic.

I could split up every Nginx server section into two separate TLS- and non-TLS sections and configure gzip there, but with a dozen sites running on the same webserver I'd prefer not to do this for every server section.

Is it possible to disable gzip compression for all HTTPS requests, without creating multiple server sections (e.g. from the http section)?

Danilo Bargen
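Why gzip over TLS is the concern here, as an added example that is not part of the question or any of the answers: BREACH is a length side channel on HTTP-level response compression (gzip/deflate), the compression that nginx's gzip directive controls. When a secret (a CSRF token, say) and attacker-reflected input land in the same compressed body, the body gets shorter the more of the secret the reflected input reproduces, and TLS does not hide the length. The script below simulates that with zlib on a constructed page; the markup, the token value and the filler string are all made up for this example, and the simulation is mine, not from the question's author.

```python
import zlib

# Constructed sample page for this example: a CSRF token (the secret) and a
# reflected query parameter (attacker-controlled) share one response body,
# which the server would gzip before the TLS layer encrypts it.
SECRET_TOKEN = "csrf=7f3a9c0d"  # made-up secret value
HEX_ALPHABET = "0123456789abcdef"

# Some repetitive markup so that deflate actually engages on this small page
# (a real page has far more of this).
NAV = "".join(
    f'<li><a href="/section/{name}">{name.title()}</a></li>'
    for name in ("home", "search", "account", "orders", "settings", "logout")
)


def render_page(reflected: str) -> bytes:
    """Render the HTML a search endpoint would return for query string `reflected`."""
    body = (
        "<!doctype html><html><head><title>Search</title></head><body>"
        f"<ul class='nav'>{NAV}</ul>"
        "<form method='post' action='/search'>"
        f"<input type='hidden' name='token' value='{SECRET_TOKEN}'>"
        "<input type='text' name='q'></form>"
        f"<p>Results for: {reflected}</p>"
        "</body></html>"
    )
    return body.encode()


def wire_length(reflected: str, gzip: bool = True) -> int:
    """Size of the response body on the wire. TLS hides the bytes but not
    their count, so this is exactly what a network attacker observes."""
    body = render_page(reflected)
    return len(zlib.compress(body, 6)) if gzip else len(body)


def size_saving(guess: str, gzip: bool = True) -> int:
    """Bytes saved by reflecting `guess` compared with a filler of the same
    length that shares no substring with the page. With compression on, the
    saving grows with how much of the secret `guess` reproduces, because
    LZ77 replaces the repeated text with a back-reference."""
    filler = "QWERTYUIOPASDFGHJKLZXCVBNM"[: len(guess)]
    assert len(filler) == len(guess), "guess longer than the filler alphabet"
    return wire_length(filler, gzip) - wire_length(guess, gzip)


def rank_next_char(known: str, alphabet: str = HEX_ALPHABET) -> list[tuple[int, str]]:
    """The BREACH oracle for one position: extend the known prefix by each
    candidate and sort by on-the-wire length. The right character tends to
    come first, but because deflate output is rounded to whole bytes several
    candidates often tie, which is why the real attack needs padding tricks
    and many samples per position rather than one request each."""
    return sorted((wire_length(known + c), c) for c in alphabet)


def compare() -> dict[str, int]:
    """Summarise the side channel for the full token, with gzip on and off."""
    return {
        "gzip_on_correct": size_saving(SECRET_TOKEN),
        "gzip_on_wrong": size_saving("csrf=" + "QWERTYUI"),  # right prefix, wrong value
        "gzip_off_correct": size_saving(SECRET_TOKEN, gzip=False),
    }


if __name__ == "__main__":
    print(compare())
    print(rank_next_char("csrf=7f3a9c")[:4])
```

With gzip off, every same-length guess produces a body of identical size, so the oracle disappears; that is what gzip off on the 443 server block buys you. Disabling TLS-level compression (the CRIME issue) does nothing against this, because the shrinking happens in the HTTP body before TLS sees it.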

3 Answers

There is a difference between SSL compression and regular HTML/gzip compression. To protect against the BREACH vulnerability only the former should be disabled. See Disable deflate compression in nginx SSL and this page.

Unfortunately I think the best answer is to separate your servers into http and https. I have around a dozen sites on my web server, and I have three server blocks per domain - https://www serves the traffic, the other three just forward (http://www., http://, https://).

Generally you don't want to serve the same content on http and https for SEO, at least not without making it clear which content is canonical (i.e. the primary one).

Obviously the config below is only that relevant to this answer, not a full config.

# Main Nginx config file
http {
  gzip on;

  # https site, usually in a file with any other servers for this domain
  server {
    server_name www.example.com;
    listen 443 ssl http2;
    gzip off;
  }

  # http site that forwards to https
  server {
    listen       80;
    server_name  example.com www.example.com;
    access_log   /var/log/nginx/access.log;
    return       301 https://www.example.com$request_uri;
  }

  # https / non www server skipped as it's obvious
}

Reducing duplication

If you really want to serve the same website on http and https, and want to reduce duplication for things like your location configurations, you can do something like this. The server_name could also go in the included file, but that's a bit opaque.

  # https site, usually in a file with any other servers for this domain
  server {
    server_name www.example.com;
    listen 443 ssl http2;
    gzip off;

    # include the locations, which is common to http and https
    include /etc/nginx/sites-enabled/example_com_location.conf;
  }

  # http site that serves the same locations; gzip stays on here
  server {
    listen       80;
    server_name  example.com www.example.com;
    include /etc/nginx/sites-enabled/example_com_location.conf;
  }
Tim

Try This

location / {
    # gzip is only valid in http, server, location and "if in location" contexts
    if ($scheme = https) {
        gzip off;
    }
}

Reference

Harikrishnan