text/html is not included by default when specifying zstd_types #3
Comments
@bradsoto BTW, just configure your zstd_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

This is a snippet of my current config. When requesting gzip or brotli encoding for text/html it works. When requesting zstd encoding it also works, but (unlike gzip or brotli) requires text/html added in at the end.

gzip on;
gzip_min_length 256;
gzip_comp_level 9;
gzip_proxied any;
gzip_types application/atom+xml application/geo+json application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/vnd.ms-fontobject application/wasm application/x-perl application/x-web-app-manifest+json application/xhtml+xml application/xml application/xspf+xml audio/midi font/otf image/bmp image/svg+xml text/cache-manifest text/calendar text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml;
brotli on;
brotli_comp_level 8;
brotli_window 16m;
brotli_min_length 256;
brotli_types application/atom+xml application/geo+json application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/vnd.ms-fontobject application/wasm application/x-perl application/x-web-app-manifest+json application/xhtml+xml application/xml application/xspf+xml audio/midi font/otf image/bmp image/svg+xml text/cache-manifest text/calendar text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml;
zstd on;
zstd_comp_level 14;
zstd_min_length 256;
zstd_types application/atom+xml application/geo+json application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/vnd.ms-fontobject application/wasm application/x-perl application/x-web-app-manifest+json application/xhtml+xml application/xml application/xspf+xml audio/midi font/otf image/bmp image/svg+xml text/cache-manifest text/calendar text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml text/html;
@bradsoto I will push a fix as soon as possible. Thanks for your report!
Fix verified! Everything works as expected.
Please note this creates a potential vector for BREACH attack as documented in similar discussion on Brotli here https://answers.launchpad.net/ubuntu/+source/nginx/+question/678209
@kravietz, that's true, in the sense that all LZ-style compression of HTTP responses is vulnerable to BREACH. I don't believe Zstd has any features that make it any more or less vulnerable than Brotli or Gzip, the latter of which is nonetheless ubiquitously deployed on the web. Mitigating BREACH/CRIME/HEIST/etc. style vulnerabilities is therefore orthogonal to selecting a compressor.
@felixhandte I think the point the Ubuntu Security Team had in the Brotli discussion linked above was that
Ah, just as I expected - #5 :)
@kravietz, aha, I missed that detail. Makes sense.
Actually I don't catch the point why nginx gzip module would always compress the
How can I configure or edit my nginx.conf through configmap to activate the zstd? |
When serving content-type text/html: this module does not encode zstd by default. It must be added to zstd_types manually. This goes against the expected behaviors like the gzip and brotli modules (when specifying zstd_types. The module serves zstd for text/html when zstd_types is not specified). Expected behavior is mentioned in the documentation, "types in addition to text/html"
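
Whether text/html is compressed without being listed decides if dynamic HTML pages fall under the BREACH concern raised in this thread. The Python check below is an added example, not code from the thread or from the module's project: it reports, for each enabled compression module in a config, whether text/html responses will be compressed, with a switch for the zstd behaviour reported in this issue. The sample config and function names are constructed, and the parser flattens block scoping (the last occurrence of a directive wins).

```python
import re

MODULES = ("gzip", "brotli", "zstd")

# Constructed sample config (not from the thread): zstd_types omits text/html.
SAMPLE = """
gzip on;
gzip_types text/css application/json;
brotli off;
brotli_types text/css text/html;
zstd on;
zstd_types text/css application/json;  # no text/html listed
"""

def directives(conf):
    """Yield (name, [args]) for simple directives; block scoping is flattened."""
    conf = re.sub(r"#[^\n]*", "", conf)      # drop comments
    conf = re.sub(r"[{}]", ";", conf)        # treat block braces as separators
    for stmt in conf.split(";"):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def html_compression(conf, zstd_implicit_html=True):
    """Return {module: bool}: will text/html responses be compressed?

    gzip and brotli always compress text/html, whatever *_types lists.
    zstd_implicit_html=False models the behaviour reported in this issue:
    once zstd_types is specified, text/html must be listed explicitly.
    """
    enabled = {m: False for m in MODULES}
    types = {m: None for m in MODULES}       # None = *_types directive absent
    for name, args in directives(conf):
        if name in MODULES:
            enabled[name] = args[:1] == ["on"]
        elif name.endswith("_types") and name[:-6] in MODULES:
            types[name[:-6]] = set(args)
    result = {}
    for m in MODULES:
        implicit = zstd_implicit_html or m != "zstd" or types[m] is None
        listed = types[m] is not None and bool({"text/html", "*"} & types[m])
        result[m] = enabled[m] and (implicit or listed)
    return result

if __name__ == "__main__":
    for label, flag in (("fixed module", True), ("as reported", False)):
        print(label, html_compression(SAMPLE, zstd_implicit_html=flag))
```

A module reported as `True` here compresses HTML, so any page that reflects request input next to a secret needs a BREACH mitigation regardless of which compressor is in use.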