* Stuart Henderson <s...@spacehopper.org> on [29-01-2018 08:14:03 +0000]:
> On 2018-01-28, Thuban <thu...@yeuxdelibad.net> wrote:
> >
> >> Yes it's possible. Make sure to set the appropriate HTTP headers as well
> >> with relayd: read "Accept-Encoding" and if it's acceptable set
> >> "Content-Encoding".
> >
> > Indeed, it works.
> >
> > relayd.conf :
> >
> > match response header "Accept-Encoding" value "gzip"
> > match response header set "Content-Encoding" value "gzip"
> >
> > Then :
> >
> > cd /var/www/htdocs/site
> > gzip style.css && mv style.css.gz style.css
> >
> > Now, open the URL pointing to style.css, and here you go.
> >
> > However, all your files must be gzipped, or the browser is unhappy.
> >
> > Thanks a lot.
> >
>
> Fun hack, but it's going to break for a browser that doesn't support gzip.
> Also it's a nice trap for the next admin that comes along (which may be your
> future self :)
The fun part comes when you trap script kiddies with a gzip bomb:

- Create a bomb:
  `dd if=/dev/zero bs=1M count=10240 | gzip > surprise.html`
  (yeah, this is not HTML, but bots don't care)

- In the HTML code, put something like:
  <a rel="nofollow" style="display:none;" href="surprise.html">Do NOT follow this link or you will have problems!</a>

- In relayd.conf:
  match request header "Accept-Encoding" value "gzip"
  match request path "/surprise.html"
  match response header set "Content-Encoding" value "gzip"

A bot fetching "surprise.html" will see its CPU usage increasing, too bad...

Regards.
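As an added example (not code from the thread, from relayd, or from the posters): the three pieces a practitioner wants next to the trick above, in Python rather than the shell one-liner of the post. It builds the same kind of bomb in memory at a smaller scale, decides from a client's Accept-Encoding header whether gzip is really acceptable (browsers normally send several codings plus q-values, so the exact value "gzip" is rarely the whole header), and shows the counter-measure a crawler needs to survive such a bomb: inflating with a hard cap on output so the work done is bounded by the cap, not by the inflated size. Function names, the size cap and the sample header values are my own choices.

```python
"""Added example for the gzip-bomb thread; not code from the post or relayd.

  1. build a bomb in memory without allocating the raw bytes,
  2. decide from Accept-Encoding whether a client really takes gzip,
  3. inflate with a hard output cap so a crawler survives the bomb.
"""
import gzip
import io
import zlib
from typing import Optional


class BombDetected(Exception):
    """Raised when inflating would exceed the caller's output budget."""


def make_gzip_bomb(raw_size: int, chunk: int = 1 << 20) -> bytes:
    """Gzip `raw_size` zero bytes, streaming 1 MiB blocks through the encoder.

    Same idea as `dd if=/dev/zero | gzip` in the post, scaled down so it runs
    in memory. Deflate stores long zero runs at roughly 1000:1.
    """
    buf = io.BytesIO()
    block = b"\0" * chunk
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9) as gz:
        remaining = raw_size
        while remaining > 0:
            n = min(chunk, remaining)
            gz.write(block[:n])
            remaining -= n
    return buf.getvalue()


def accepts_gzip(accept_encoding: Optional[str]) -> bool:
    """True if the Accept-Encoding header value permits gzip.

    Handles q-values and the '*' wildcard (RFC 7231 section 5.3.4):
    'gzip;q=0' forbids gzip even if '*' is also listed. A missing header is
    treated as 'no', the conservative choice when the alternative is sending
    bytes the client cannot decode.
    """
    if accept_encoding is None:
        return False
    gzip_q: Optional[float] = None
    star_q: Optional[float] = None
    for item in accept_encoding.split(","):
        coding, _, params = item.strip().partition(";")
        coding = coding.strip().lower()
        q = 1.0
        for p in params.split(";"):
            k, _, v = p.strip().partition("=")
            if k.strip().lower() == "q":
                try:
                    q = float(v.strip())
                except ValueError:
                    q = 0.0
        if coding in ("gzip", "x-gzip"):
            gzip_q = q
        elif coding == "*":
            star_q = q
    if gzip_q is not None:          # an explicit gzip entry wins over '*'
        return gzip_q > 0
    return star_q is not None and star_q > 0


def gunzip_bounded(data: bytes, max_out: int) -> bytes:
    """Inflate a gzip body but never produce more than `max_out` bytes.

    decompressobj.decompress(data, max_length) stops the moment the budget is
    blown, after O(max_out) work instead of O(inflated size); clients that
    call gzip.decompress() on the whole body do the latter.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip framing expected
    out = bytearray()
    pending = data
    while not d.eof:
        room = max_out + 1 - len(out)                   # +1 lets us see an overrun
        chunk = d.decompress(pending, room)
        out += chunk
        if len(out) > max_out:
            raise BombDetected(f"gzip output exceeds {max_out} bytes")
        pending = d.unconsumed_tail                     # input left after the cap
        if not chunk and not pending:                   # no input, no output, no EOF
            raise ValueError("truncated gzip stream")
    return bytes(out)


def is_gzip_bomb(data: bytes, max_out: int) -> bool:
    """Does inflating `data` blow the `max_out` budget?"""
    try:
        gunzip_bounded(data, max_out)
    except BombDetected:
        return True
    return False


if __name__ == "__main__":
    bomb = make_gzip_bomb(64 << 20)                     # 64 MiB of zeros
    print(f"bomb: {len(bomb)} bytes on the wire, {64 << 20} bytes inflated")
    for hdr in ("gzip, deflate, br", "gzip;q=0, identity", "*", None):
        print(f"Accept-Encoding: {hdr!r:24} -> gzip ok: {accepts_gzip(hdr)}")
    print("bounded inflate flags it:", is_gzip_bomb(bomb, 1 << 20))
```

The cap in `gunzip_bounded` is the whole point: a fetcher that inflates into memory with no budget does the attacker's work for him, while one that stops at a fixed number of output bytes spends a bounded amount of CPU and memory no matter how large the bomb is.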