Thank you for the information. I didnt notice I was lookgin at the wrong place. It turns out that the culprit is cloudflare. If I dont use it, I can see the gzip going on and off(as expected), but as soo as I use cloudflare, it overwrites that response. Now I need to check on cloudflare if there is anyway to turn it off.
Sent with Proton Mail secure email. ------- Original Message ------- On Wednesday, October 18th, 2023 at 12:46 PM, Maxim Dounin <mdou...@mdounin.ru> wrote: > Hello! > > On Wed, Oct 18, 2023 at 04:13:39PM +0000, alienmega via nginx wrote: > > > Hello, > > I am trying to disable gzip to mitigate the breach attack( I use > > a service to check for vulnerabilities and it came up with > > that). I added gzip off to nginx.conf file and then check the > > configuration with nginx -t, and then reloaded with systemctl > > reload nginx. > > > > When I visit the site, I still have > > Accept-Encoding: gzip, deflate, br > > > The "Accept-Encoding" is a request header, sent by your browser. > You have to look at the response headers instead, notably > Content-Encoding. > > > I check that I dont have gip on anywhere else on /etc/nginx/* > > grep -Ri "gzip off" /etc/nginx > > > As long as you don't have "gzip on" (or "gzip_static", but it is > certainly not affected by BREACH) in your nginx configuration, > nginx won't use gzip. Note though that if you are using some > backend server to return dynamic responses, you might need to > disable gzip there as well. > > Note well that completely disabling gzip might not be the best > solution. The BREACH attack only affects response body > compression if the resource being returned 1) contains some secret > information and 2) it reflects some user input. That is, it > certainly does not affect static files, and can be easily avoided > by masking secrets in dynamic pages, see > https://www.breachattack.com/ for details. > > -- > Maxim Dounin > http://mdounin.ru/ > _______________________________________________ > nginx mailing list > nginx@nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx _______________________________________________ nginx mailing list nginx@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx
