Posted to cvs@httpd.apache.org by ta...@apache.org on 2014/05/23 22:50:18 UTC
svn commit: r1597179 - /httpd/httpd/branches/2.4.x/docs/manual/mod/mod_deflate.xml
Author: takashi
Date: Fri May 23 20:50:17 2014
New Revision: 1597179
URL: http://svn.apache.org/r1597179
Log:
Merge r1517551, r1517588 and r1517589 from trunk
Modified:
httpd/httpd/branches/2.4.x/docs/manual/mod/mod_deflate.xml
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_deflate.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_deflate.xml?rev=1597179&r1=1597178&r2=1597179&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_deflate.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_deflate.xml Fri May 23 20:50:17 2014
@@ -54,6 +54,11 @@ client</description>
</section>
<section id="enable"><title>Enabling Compression</title>
+ <note type="warning"><title>Compression and TLS</title>
+ <p>Some web applications are vulnerable to an information disclosure
+ attack when a TLS connection carries deflate compressed data. For more
+ information, review the details of the "BREACH" family of attacks.</p>
+ </note>
<section id="output"><title>Output Compression</title>
<p>Compression is implemented by the <code>DEFLATE</code>
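Review bot: The warning added at the top of `<section id="enable">` names the "BREACH" family of attacks but gives the reader neither a reference link nor any action to take. Suggest adding a sentence on what an administrator can do about it, for example a pointer to the `no-gzip` variable used in the example that follows for responses that should not be compressed. As a style point, "deflate compressed data" reads better hyphenated as "deflate-compressed data".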
@@ -62,15 +67,10 @@ client</description>
is placed:</p>
<highlight language="config">
- SetOutputFilter DEFLATE
+SetOutputFilter DEFLATE
+SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip
</highlight>
- <p>Some popular browsers cannot handle compression of all content
- so you may want to set the <code>gzip-only-text/html</code> note to
- <code>1</code> to only allow html files to be compressed (see
- below). If you set this to <em>anything but <code>1</code></em> it
- will be ignored.</p>
-
<p>If you want to restrict the compression to particular MIME types
in general, you may use the <directive module="mod_filter"
>AddOutputFilterByType</directive> directive. Here is an example of
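Review bot: The added `SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip` line has no accompanying prose, because the paragraph that followed the example is deleted rather than replaced. Add a sentence saying that requests matching these image extensions are exempted from compression through `no-gzip`, and check that `no-gzip` and `gzip-only-text/html` are still explained somewhere else on the page, since this diff removes the passages that described them.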
@@ -83,37 +83,6 @@ client</description>
</Directory>
</highlight>
- <p>For browsers that have problems even with compression of all file
- types, use the <directive module="mod_setenvif"
- >BrowserMatch</directive> directive to set the <code>no-gzip</code>
- note for that particular browser so that no compression will be
- performed. You may combine <code>no-gzip</code> with <code
- >gzip-only-text/html</code> to get the best results. In that case
- the former overrides the latter. Take a look at the following
- excerpt from the <a href="#recommended">configuration example</a>
- defined in the section above:</p>
-
- <highlight language="config">
-BrowserMatch ^Mozilla/4 gzip-only-text/html
-BrowserMatch ^Mozilla/4\.0[678] no-gzip
-BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
- </highlight>
-
- <p>At first we probe for a <code>User-Agent</code> string that
- indicates a Netscape Navigator version of 4.x. These versions
- cannot handle compression of types other than
- <code>text/html</code>. The versions 4.06, 4.07 and 4.08 also
- have problems with decompressing html files. Thus, we completely
- turn off the deflate filter for them.</p>
-
- <p>The third <directive module="mod_setenvif">BrowserMatch</directive>
- directive fixes the guessed identity of the user agent, because
- the Microsoft Internet Explorer identifies itself also as "Mozilla/4"
- but is actually able to handle requested compression. Therefore we
- match against the additional string "MSIE" (<code>\b</code> means
- "word boundary") in the <code>User-Agent</code> Header and turn off
- the restrictions defined before.</p>
-
<note><title>Note</title>
The <code>DEFLATE</code> filter is always inserted after RESOURCE
filters like PHP or SSI. It never touches internal subrequests.
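Review bot: The removed paragraphs describe their BrowserMatch lines as an excerpt from the `#recommended` configuration example "in the section above", yet no hunk in this diff touches that section. If the recommended example still carries `BrowserMatch ^Mozilla/4 gzip-only-text/html` and the two lines after it, they are now left without any explanation; either drop them from that example in the same change or keep a short note on why they exist.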