On Aug 18, 2013, at 14:27 , howard chen wrote:

> Hi,
>
> Thanks for the insight.
>
> Finally I solved it by:
>
> if ($scheme = https) {
>     gzip off;
> }

This does not work on server level. And on location level it may work in the wrong way.

> Separating into two servers requires duplicating the rules like rewrite,
> which is cumbersome.

I believe that dual mode server block may be subject to vulnerabilities due to site map, so BREACH is the least of them.

--
Igor Sysoev
http://nginx.com/services.html

> On Sat, Aug 17, 2013 at 8:43 PM, Igor Sysoev <i...@sysoev.ru> wrote:
> On Aug 17, 2013, at 8:59 , howard chen wrote:
>
>> Hi,
>>
>> As you know, due to the BREACH attack (http://breachattack.com), HTTP
>> compression is no longer safe (I assume nginx doesn't use SSL compression by
>> default?), so we should disable it.
>
> Yes, modern nginx versions do not use SSL compression.
>
>> Now, we are using config like the following:
>>
>> gzip on;
>> ..
>>
>> server {
>> listen 127.0.0.1:80 default_server;
>> listen 127.0.0.1:443 default_server ssl;
>>
>>
>>
>> With the need to split into two servers section, is it possible to turn off
>> gzip when we are using SSL?
>
>
> You have to split the dual mode server section into two server
> sections and set "gzip off" in the SSL-enabled one. There is no way to disable gzip in dual mode server section,
> but if you really
> worry about security in general the server sections should be different.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
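
The split described in the thread, written out as an added example that is not part of the original messages: two server sections, "gzip off" only in the SSL-enabled one, and the shared rewrite rules kept in a single included file so they are not duplicated. The include path, certificate paths and the rules shown in the comments are assumptions made for illustration.

```nginx
# Added example, not from the thread. All paths are hypothetical placeholders.
events {}

http {
    # Inherited by every server section unless overridden there.
    gzip on;

    # Plain-HTTP server section: keeps response compression.
    server {
        listen 127.0.0.1:80 default_server;

        # Shared rules live in one file (hypothetical path), for example:
        #   rewrite ^/old/(.*)$ /new/$1 permanent;
        #   location /static/ { expires 30d; }
        include /etc/nginx/snippets/common-rules.conf;
    }

    # SSL-enabled server section: HTTP compression off because of BREACH.
    server {
        listen 127.0.0.1:443 default_server ssl;

        ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder
        ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder

        # Overrides the http-level "gzip on" for this server section only.
        gzip off;

        # Same file as above, so rewrites are maintained in one place.
        include /etc/nginx/snippets/common-rules.conf;
    }
}
```

Running `nginx -t` after the change checks that both server sections and the included file parse before the configuration is reloaded.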