gitlabhq/gitlab-recipes

6.8.1 update: apache and gzip (preventing BREACH attack)

hasufell opened this issue · 4 comments

Not sure how to incorporate these two changes:
https://gitlab.com/gitlab-org/gitlab-ce/commit/563fec734912d81cd7caea6fa8ec2b397fb72a9b
https://gitlab.com/gitlab-org/gitlab-ce/commit/8af94ed75505f0253823b9b2d44320fecea5b5fb

The ruby on rails page tells me to google:
http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression

So nothing useful there either. Is this attack even a problem on apache?

This is the default on apache ssl. Note that you must have apache > 2.4. See https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/web-server/apache/gitlab-ssl-apache2.4.conf#L29

But that seems to disable compression completely, including the assets. So it does not incorporate the second commit.

\cc @sag47 should know better :)

It highly depends on the version of Apache you're using. You don't want to break compatibility with older versions of Apache (such as ones using RHEL). CRIME and BREACH have been addressed in the additional security considerations sections of the recipes Apache README.

For newer versions of Apache (2.4+) it's better to use the SSLCompression directive. That is all noted in the recipes Apache README. It's probably better to use that option rather than explicitly state a compression algorithm.

It's not just gzip compression. It's any compression.
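To make the distinction drawn in this thread concrete (TLS-level compression handled by `SSLCompression`, HTTP-level gzip handled by mod_deflate and limited to static assets), here is an added example vhost fragment. It is not the recipes' `gitlab-ssl-apache2.4.conf` and not code posted by anyone in the thread; it assumes Apache 2.4.3 or newer with `mod_ssl`, `mod_deflate` and `mod_proxy` loaded, a placeholder hostname, a placeholder backend address, and that the application's static assets are served under `/assets/` (the Rails asset pipeline default).

```apache
# Added example, not part of gitlab-recipes. Assumes Apache >= 2.4.3 with
# mod_ssl, mod_deflate and mod_proxy loaded.
<VirtualHost *:443>
  ServerName gitlab.example.com          # placeholder hostname
  SSLEngine on
  # CRIME: TLS-level compression. The directive exists in 2.4.3+ (and 2.2.24+);
  # older Apache versions do not know it and will refuse to start.
  SSLCompression off

  # BREACH: HTTP-level compression of responses that mix attacker-influenced
  # input with secrets (dynamic pages carrying CSRF tokens or session data).
  # Static assets contain neither, so only those are compressed.
  <LocationMatch "^/assets/">
    SetOutputFilter DEFLATE
    # Skip formats that are already compressed.
    SetEnvIfNoCase Request_URI "\.(?:gif|jpe?g|png|woff2?)$" no-gzip
  </LocationMatch>

  # Dynamic content: no DEFLATE filter here, so the app's responses
  # reach the client uncompressed regardless of Accept-Encoding.
  ProxyPreserveHost On
  ProxyPass        /assets/ !
  ProxyPass        /        http://127.0.0.1:8080/   # placeholder backend
  ProxyPassReverse /        http://127.0.0.1:8080/
  Alias /assets/ /opt/app/public/assets/             # placeholder path
</VirtualHost>
```

Check the result from a client rather than trusting the config: request an asset and a dynamic page with `Accept-Encoding: gzip` and compare the `Content-Encoding` response header; only the asset should come back gzipped. `apachectl -t` will flag `SSLCompression` as an unknown directive on Apache builds older than 2.4.3 / 2.2.24, which is the compatibility concern raised above.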