WIP: Properly enable gzip compression in nginx config #721
Reference: AkkomaGang/akkoma#721
No description provided.
Given that there's already a bunch of other gzip options set in the
nginx config, it's likely someone forgot to actually add the setting to
turn gzip on, so let's fix that.
Just to make sure, it’s probably best to first check whether we already have defenses against the BREACH attack.

From https://breachattack.com, the attack needs the application to:
- be served from a server that uses HTTP-level compression: with this patch, yep
- reflect user input in HTTP response bodies: yep (e.g. received posts)
- reflect a secret (such as a CSRF token) in HTTP response bodies: yep, responses always include a set-cookie directive for __Host-pleroma_key and it seems to stay the same for multiple requests. This last bit might be hard for people following many accounts, as they might receive many notifications, posts on TL, etc.

Afaict except for (possibly too liberal) rate limiting, none of the proposed countermeasures is implemented:
- I couldn’t find anything on how to enable this for nginx

While I’m not sure how practical it is for an attacker to both inject plaintext and measure the size of packets received by the victim, it seems best to me to be careful here and only enable compression after adding some more countermeasures here.
Ideally HTB, otherwise e.g. sending the __Host-pleroma_key only once for each value (though this probably requires some care and possibly server overhead to track who received the key already and if it was received successfully), more frequent Host-key rotations or adding an unused padding header X-Akkoma-Random-Padding to each response with a random length of random data.

Title changed from "Properly enable gzip compression in nginx config" to "WIP: Properly enable gzip compression in nginx config"
Marking as WIP until proper BREACH mitigations are in place
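The review above walks through the three BREACH preconditions against an nginx config that has `gzip` switched on. The following script turns that checklist into a reusable audit of an nginx site config. It is an added example written for this page, not code from Akkoma or from the PR branch: it parses the `gzip`, `gzip_types` and `gzip_min_length` directives out of a config, applies the nginx documented defaults (`gzip off`, `gzip_types text/html`, `gzip_min_length 20`, and the rule that `text/html` is always compressed once gzip is on), and combines the result with two facts the operator has to supply (whether responses reflect user input and whether they carry a secret). The sample config, the host name `example.invalid` and the upstream port 4000 are constructed for the example; the reported mitigations are the ones named in the review thread.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed nginx site config of the kind the PR touches.
# It is not Akkoma's shipped config; it only reproduces the gzip-related
# directives that matter for BREACH exposure.
SAMPLE_NGINX_CONF = """
server {
    listen 443 ssl http2;
    server_name example.invalid;   # constructed

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 256;
    gzip_types text/plain text/css application/json application/javascript;

    location / {
        proxy_pass http://127.0.0.1:4000;   # constructed upstream
    }
}
"""

# nginx defaults for the directives we care about (per the nginx docs).
DEFAULTS = {"gzip": "off", "gzip_types": ["text/html"], "gzip_min_length": 20}


def _strip_comments(conf: str) -> str:
    """Drop '#' comments so commented-out directives are not picked up."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def parse_gzip_directives(conf: str) -> Dict[str, object]:
    """Extract gzip, gzip_types and gzip_min_length from an nginx config.

    The last occurrence of a directive wins; this is a deliberately simple
    reader for a single server block, not a full nginx config parser.
    """
    text = _strip_comments(conf)
    result: Dict[str, object] = dict(DEFAULTS)
    result["gzip_types"] = list(DEFAULTS["gzip_types"])
    for name, args in re.findall(r"^\s*(gzip\w*)\s+([^;]+);", text, re.M):
        values = args.split()
        if name == "gzip":
            result["gzip"] = values[0]
        elif name == "gzip_types":
            # text/html is always compressed when gzip is on, whatever gzip_types lists.
            result["gzip_types"] = sorted(set(values) | {"text/html"})
        elif name == "gzip_min_length":
            result["gzip_min_length"] = int(values[0])
    return result


def breach_exposure_report(conf: str, reflects_secret: bool,
                           reflects_user_input: bool) -> Dict[str, object]:
    """Apply the three BREACH preconditions quoted in the review:
    HTTP-level compression, reflected user input, and a reflected secret."""
    parsed = parse_gzip_directives(conf)
    compression_on = parsed["gzip"] == "on"
    html_compressed = compression_on and "text/html" in parsed["gzip_types"]
    json_compressed = compression_on and "application/json" in parsed["gzip_types"]
    exposed = compression_on and reflects_secret and reflects_user_input
    findings: List[str] = []
    if exposed:
        findings.append("All three BREACH preconditions hold; gzip_min_length alone is not a mitigation.")
        if json_compressed:
            findings.append("API JSON responses are compressed; secrets returned there are measurable.")
        findings.append("Mitigations discussed in the PR: length hiding / random padding, "
                        "per-response secret rotation, stricter rate limiting.")
    return {
        "gzip_on": compression_on,
        "compressed_types": parsed["gzip_types"],
        "gzip_min_length": parsed["gzip_min_length"],
        "html_compressed": html_compressed,
        "json_compressed": json_compressed,
        "breach_exposed": exposed,
        "findings": findings,
    }


if __name__ == "__main__":
    # Run the audit against the constructed config with both risk facts set,
    # as the reviewer concluded for this PR.
    report = breach_exposure_report(SAMPLE_NGINX_CONF, reflects_secret=True, reflects_user_input=True)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed `breach_exposure_report` the text of your own `sites-available` file and answer the two boolean questions honestly for the endpoints it fronts; a `breach_exposed` result of `True` is the state the review describes, and the findings list is the reminder that only the countermeasures themselves, not a lower compression level or a larger `gzip_min_length`, remove it.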