Enabling apache compression

summersab · 07-12-2017, 08:50 PM

Okay, this is my second solid evening trying to get this to work. I can get mod_deflate compression to work over http but not over https. Via the WhatIsMyIP.org tool, this works:
http://www.whatsmyip.org/http-compre...tsYXBwLmNvbS8=

This does not:
http://www.whatsmyip.org/http-compre...RrbGFwcC5jb20v

Clearly, my htaccess is configured with the correct deflate statements because compression DOES work. So, the issue isn't there. The only other place I can think to look is in my apache configs (from /etc/apache2/sites-available/wordpress.conf):

Code:

ServerName localhost

<VirtualHost *:80>
    UseCanonicalName Off
    ServerAdmin  webmaster@localhost
    DocumentRoot /var/www/wordpress
RewriteEngine on
RewriteCond %{SERVER_NAME} =sayitwithbeef.com [OR]
RewriteCond %{SERVER_NAME} =www.sayitwithbeef.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.sayitwithbeef.com
    ServerAlias sayitwithbeef.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/sayitwithbeef.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sayitwithbeef.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/sayitwithbeef.com/chain.pem
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/wordpress
</VirtualHost>

<Directory /var/www/wordpress>
    Options +FollowSymLinks
    Options -Indexes
    AllowOverride All
    order allow,deny
    allow from all
</Directory>

What is wrong, here? I don't see anything wrong. I know there's the CRIME exploit - is that what's going on? I'm trying to enable compression for SEO purpose. There has to be some workaround, right?

Thanks for your help!

bathory · 07-13-2017, 05:34 AM

Hi,

Quote:

This does not:
http://www.whatsmyip.org/http-compre...RrbGFwcC5jb20v

It works too, according to the link you've posted above:

Quote:

https://siwbdev.tklapp.com/ is Compressed

Uncompressed Page Size: 34.5 KB
Compressed Page Size: 8.6 KB
Savings: 75.1%

summersab · 07-13-2017, 06:10 PM

I actually just figured it out last night. The directive that I wasn't able to find mentioned in any other post is found in /etc/apache2/conf-enabled/security.conf:

Code:

# Disable HTTP compression when using SSL to protect against BREACH
<Location />
  SetEnvIfExpr "%{HTTPS} == 'on'" no-gzip
</Location>

I'm not sure if editing ssl.conf and wordpress.conf to change the directives in there is required as well (I didn't go back and un-edit the directives I added to those files after I got things working after this change). So, you may need to make changes in those files as well as htaccess.

Is it dangerous to disable this? Sure, in some ways - I'd never do this on a host that handles compliance-related data. However, for general-purpose websites using SSL, it's likely no real danger to any user. So, this is what you need to do to get compression working on Apache 2.4 with SSL enabled.