On Thu, Oct 19, 2023 at 12:36 AM alienmega via nginx <nginx@nginx.org> wrote: > > Thank you for the information. I didnt notice I was lookgin at the wrong > place. It turns out that the culprit is cloudflare. If I dont use it, I can > see the gzip going on and off(as expected), but as soo as I use cloudflare, > it overwrites that response. Now I need to check on cloudflare if there is > anyway to turn it off.
One comment about 3rd parties, like Cloudfare... Remember, the cloud is just someone else's machine. If Cloudfare is supporting protocols like SDPY, then compression is baked into the protocol. You cannot disable compression in this case. So compression may be available and used on their web servers whether you want it or not. An easier way to avoid CRIME and BREACh may be to use TLS v1.2 and above with AEAD ciphers modes like CCM or GCM since CRIME and BREACH were timing attacks on cipher modes like CBC. Stream ciphers should avoid the problem, too, like TLS v1.3's ChaCha20-Poly1305. Jeff _______________________________________________ nginx mailing list nginx@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx
