Disable HTTP Compression in Apache

By | 2012/09/13

I’ll show you a quick way to actively check a server for compression as well as how to disable compression in Apache. Note: This has _no_ effect on the CRIME TLS vulnerability but does mitigate BREACH. 🙂


Test for Compression

A simple test page to test for HTTP compression is here:

http://www.gidnetwork.com/tools/gzip-test.php

Or alternatively, below is a manual test for compression over HTTPS.

Using openssl, make a connection to the server and send a request that includes the header ‘Accept-Encoding: compress, gzip’; this prompts a server with compression enabled to respond with a compressed body. Note that the page that comes back looks like gibberish because it is compressed, and the server’s reply also carries a ‘Content-Encoding: gzip’ header.

$ openssl s_client -connect www.apache.org:443
CONNECTED(00000003)
[skip certificate info]
GET / HTTP/1.1  [Enter]
Host: www.apache.org [Enter]
Accept-Encoding: compress, gzip [Enter, Enter]

HTTP/1.1 200 OK
Date: Thu, 13 Sep 2012 16:58:57 GMT
Server: Apache/2.4.1 (Unix) OpenSSL/1.0.0g
Last-Modified: Thu, 13 Sep 2012 15:09:56 GMT
ETag: "891a-4c996b33b64aa-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9005
Content-Type: text/html; charset=utf-8

###v#######^ӓ#1%˗#####Y###########yA$$##        # m+O##########NU#I#h'####&3#-^P#
u#########^
           ####Sv#######N#########[#####y#e"U##Ng########>######!#####p##D&############D܅?C5N#####JC####^wL#g#y ΦI9###########8W#H##k#޴####'#####H###:vv[##(V###ٛ#####O#####s######'zKw#_#####9n#N##_##,###Nf###!#K#g#C##Orxō#############/####Wy<ޑQR#p######:v######JE#############8###U###############%HNG##+#E#s######]U###D#####Vi䨱##SG#v########Q#8########9'b###sRh#-#n

A server that does not support DEFLATE or compression ignores the Accept-Encoding request header and simply replies with the page in plain text, uncompressed:

$ openssl s_client -connect www.example.com:443
CONNECTED(00000003)
[skip ssl cert info]
GET / HTTP/1.1
Host: www.example.com
Accept-Encoding: compress, gzip

HTTP/1.1 200 OK
Date: Thu, 13 Sep 2012 17:02:49 GMT
Connection: Keep-Alive
Server: Apache
X-UA-Compatible: IE=edge
Last-Modified: Wed, 12 Sep 2012 07:08:22 GMT
Accept-Ranges: bytes
Vary: *
Content-Length: 26717
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
        <meta charset="utf-8" />
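The same check can be scripted. The following Python is an added example, not code from the original post: it parses a raw HTTP response for a Content-Encoding header and, in probe_compression, performs the TLS request itself; the host name and the two sample responses are constructed, modelled on the sessions above.

```python
import socket
import ssl
from typing import Dict, Optional


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Split an HTTP/1.x response into a lower-cased header dict (body ignored)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def content_encoding(raw: bytes) -> Optional[str]:
    """Return the encoding the server applied, or None if the body is plain text."""
    enc = parse_response_headers(raw).get("content-encoding")
    return enc.lower() if enc and enc.lower() != "identity" else None


def probe_compression(host: str, path: str = "/", port: int = 443) -> Optional[str]:
    """Live check: TLS connect, ask for gzip, report whatever Content-Encoding comes back."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Accept-Encoding: compress, gzip\r\nConnection: close\r\n\r\n").encode()
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            raw = b""
            while b"\r\n\r\n" not in raw:  # read until the headers are complete
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return content_encoding(raw)


# Constructed samples: a compressed reply (gzip magic bytes, truncated) and a plain one
COMPRESSED = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.1 (Unix)\r\nVary: Accept-Encoding\r\n"
              b"Content-Encoding: gzip\r\nContent-Length: 9005\r\n\r\n\x1f\x8b\x08\x00")
PLAIN = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nVary: *\r\nContent-Length: 26717\r\n"
         b"Content-Type: text/html; charset=utf-8\r\n\r\n<!DOCTYPE html>")

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # assumed host
    print(f"{target}: Content-Encoding = {probe_compression(target)}")
```

A result of None after the mod_deflate change below means the server no longer compresses responses; anything else means compression is still on for that path.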

Disable Compression

To disable compression in Apache, typically you just need to disable the module mod_deflate. After making the below adjustments, test again with the above manual test to confirm compression is disabled.

Debian/Ubuntu:

$ sudo a2dismod deflate
Module deflate disabled.
Run '/etc/init.d/apache2 restart' to activate new configuration!

$ sudo /etc/init.d/apache2 restart

Red Hat or CentOS:

$ sudo nano /etc/httpd/conf/httpd.conf

Comment out this line:

LoadModule deflate_module modules/mod_deflate.so

It should now look like this:

#LoadModule deflate_module modules/mod_deflate.so

Close and save the file then restart httpd:

$ sudo /etc/init.d/httpd restart


2 thoughts on “Disable HTTP Compression in Apache”

  1. David Ramirez

    At least related to Apache 2.2.x on CentOS, the bugzilla entry:
    https://bugzilla.redhat.com/show_bug.cgi?id=857051#c5
    seems to fix the issue.

    I just added the suggested line:
    export OPENSSL_NO_DEFAULT_ZLIB=1

    to /etc/sysconfig/httpd
    and after restarting the httpd service, it passed the vulnerability scan against CRIME.
    The patch to openssl mentioned in the bug looks to be in place. Nothing else was needed.
    Launching also:

    openssl s_client -connect my.server.com:443

    reports

    Compression: NONE
    Expansion: NONE

    which satisfies the need and seems to solve the problem.
    N.B.
    Alas, the security scan after this hinted at the (related) BEAST vulnerability being still alive.

