Disable HTTP Compression in Apache

By | 2012/09/13

I’ll show you a quick way to actively check a server for compression as well as how to disable compression in Apache. Note: This has _no_ effect on the CRIME TLS vulnerability but does mitigate BREACH. 🙂


Test for Compression

A simple online tool to check for HTTP compression is here:

http://www.gidnetwork.com/tools/gzip-test.php

Or alternatively, below is a manual test for compression over HTTPS.

Using openssl, make a connection to the server. Sending the request header ‘Accept-Encoding: compress, gzip’ prompts the server to respond with compression. The server's reply includes the header ‘Content-Encoding: gzip’, and the page that comes back looks like gibberish because it is compressed.

$ openssl s_client -connect www.apache.org:443
CONNECTED(00000003)
[skip certificate info]
GET / HTTP/1.1  [Enter]
Host: www.apache.org [Enter]
Accept-Encoding: compress, gzip [Enter, Enter]

HTTP/1.1 200 OK
Date: Thu, 13 Sep 2012 16:58:57 GMT
Server: Apache/2.4.1 (Unix) OpenSSL/1.0.0g
Last-Modified: Thu, 13 Sep 2012 15:09:56 GMT
ETag: "891a-4c996b33b64aa-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9005
Content-Type: text/html; charset=utf-8

###v#######^ӓ#1%˗#####Y###########yA$$##        # m+O##########NU#I#h'####&3#-^P#
u#########^
           ####Sv#######N#########[#####y#e"U##Ng########>######!#####p##D&############D܅?C5N#####JC####^wL#g#y ΦI9###########8W#H##k#޴####'#####H###:vv[##(V###ٛ#####O#####s######'zKw#_#####9n#N##_##,###Nf###!#K#g#C##Orxō#############/####Wy<ޑQR#p######:v######JE#############8###U###############%HNG##+#E#s######]U###D#####Vi䨱##SG#v########Q#8########9'b###sRh#-#n

A server that does not support DEFLATE or compression will ignore the Accept-Encoding request header and simply return the page uncompressed, in plain text. Note that the reply has no Content-Encoding header:

$ openssl s_client -connect www.example.com:443
CONNECTED(00000003)
[skip ssl cert info]
GET / HTTP/1.1
Host: www.example.com
Accept-Encoding: compress, gzip

HTTP/1.1 200 OK    
Date: Thu, 13 Sep 2012 17:02:49 GMT
Connection: Keep-Alive
Server: Apache
X-UA-Compatible: IE=edge
Last-Modified: Wed, 12 Sep 2012 07:08:22 GMT
Accept-Ranges: bytes
Vary: *
Content-Length: 26717
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
        <meta charset="utf-8" />

Disable Compression

To disable compression in Apache, typically you just need to disable the module mod_deflate. After making the adjustments below, repeat the manual test above to confirm compression is disabled.

Debian/Ubuntu:

$ sudo a2dismod deflate
 
Module deflate disabled.
Run '/etc/init.d/apache2 restart' to activate new configuration!

$ sudo /etc/init.d/apache2 restart

Red Hat or CentOS:

$ sudo nano /etc/httpd/conf/httpd.conf

Comment out this line:

LoadModule deflate_module modules/mod_deflate.so

It should now look like this:

#LoadModule deflate_module modules/mod_deflate.so

Save and close the file, then restart httpd:

$ sudo /etc/init.d/httpd restart
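
To repeat the check after the restart without typing the request by hand, the manual test can be scripted. This is an added example, not part of the original post: the function names are hypothetical, it assumes curl and awk are installed, and the sample responses are constructed from the two replies shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post): decide from the response
# headers whether a server compressed its reply.

# Print the Content-Encoding value (lower case) of the HTTP response on stdin.
# Parsing stops at the blank line ending the headers, so body bytes never match.
content_encoding() {
    awk '
        { sub(/\r$/, "") }              # tolerate CRLF line endings
        $0 == "" { exit }               # end of header block
        tolower($0) ~ /^content-encoding[ \t]*:/ {
            v = tolower($0)
            sub(/^[^:]*:[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            print v
            exit
        }'
}

# Exit 0 if the response on stdin is compressed, 1 if it is sent as-is
# (no Content-Encoding header, or the no-op value "identity").
is_compressed() {
    enc=$(content_encoding)
    case "$enc" in
        ''|identity) return 1 ;;
        *) return 0 ;;
    esac
}

# Live check: send the same Accept-Encoding header as the manual test and
# look only at the headers curl dumps with -D - (the body is discarded).
check_url() {
    head=$(curl -s -o /dev/null -D - -H 'Accept-Encoding: compress, gzip' "$1") || {
        echo "request failed: $1" >&2; return 2; }
    if printf '%s\n' "$head" | is_compressed; then
        echo "compression ENABLED: $1"; return 0
    fi
    echo "compression disabled: $1"; return 1
}

# Constructed samples, abridged from the two responses shown above.
sample_gzip() {
    printf 'HTTP/1.1 200 OK\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 9005\r\n\r\n'
}
sample_plain() {  # body deliberately contains a header-looking line
    printf 'HTTP/1.1 200 OK\r\nVary: *\r\nContent-Length: 26717\r\n\r\nContent-Encoding: gzip\r\n'
}
```

Source the file and run check_url with your own site's https:// URL. A failed request returns 2 rather than being reported as "disabled", so a connection error is not mistaken for a successful fix.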