
  • Status: Solved

mod_deflate & ssl on apache

- Server is ubuntu 8.10
- Apache is 2.2.9

Just wondered. I have an HTTP vhost that has some config as displayed in the code snippet. Would I need to replicate the same entry for the 443 vhost for the same server name? Is there any point in compressing then encrypting (could be vice-versa...not sure)?

If not, what should I be doing? Help, suggestions, etc. most welcome.
<IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    # Don't compress images or txt
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|txt|lx2|pdf)$ no-gzip dont-vary
</IfModule>

1 Solution
As far as I know, the encryption happens (in terms of TCP/IP) before the compression (Application Layer), so basically you can't compress before encrypt.

If you use the Apache compression module then yes, you can compress and SSL traffic; we ran it on a lot of our client sites for a while. However, this comes with a big warning sticker... if your end user is sat behind a caching proxy and you have multiple users behind that proxy, you may end up with them seeing each other's content.

Now if your site is a simple open website then that's not an issue. However, if it's an application where they log in and should see only their own data then you may have issues. We found that some versions of Microsoft IAS in particular cannot handle compressed SSL traffic in a standards-compliant way.

So tread carefully with this!
I forgot to answer your first question... the compression can be enabled system-wide if done in the main httpd.conf file outside of the default server config section. Or you can do it on a per-vhost level.

RowleyAuthor Commented:

Thanks for the reply and sorry for the delay in getting back to you.

Yes indeed we are hosting a webapp where users log in etc...so the recommendation might be to turn this off eh? Do you have any sources where I can do some further reading on the subject?
We turned it off as the number of client support calls due to cache issues was ridiculous. It's amazing how many corporates use old versions of IAS which are "broken" from a standards point of view.

I would suggest you experiment though if you have the time as you may be able to use it for certain file types/pages in your system and you can set the compression up in many many ways, for example:
 - per apache host
 - per vhost
 - per subdirectory of a site
 - per file type
So you may get some benefits from it.

Docs-wise I'd suggest Google and a search for: mod_deflate apache
There's lots of sites about how to use it and various sample configs.
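
One way to combine the per-vhost, per-subdirectory and per-file-type options listed above for the 443 vhost, as an added example that is not part of the original thread. The hostname, document root, certificate paths and the /app/ prefix for the logged-in area are assumptions:

```apache
# Added example for Apache 2.2; hostname, paths and the /app/ prefix are assumptions.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    <IfModule mod_deflate.c>
        # Per file type: compress only static text assets instead of every
        # response (this replaces the blanket "SetOutputFilter DEFLATE").
        AddOutputFilterByType DEFLATE text/css application/javascript application/x-javascript

        # Per subdirectory: mod_deflate skips any request that carries the
        # no-gzip environment variable, so the logged-in area is never compressed.
        SetEnvIf Request_URI ^/app/ no-gzip
    </IfModule>

    <IfModule mod_headers.c>
        # Mark per-user pages as private so a shared caching proxy
        # does not store them and hand them to another user.
        <Location /app/>
            Header set Cache-Control "private"
        </Location>
    </IfModule>
</VirtualHost>
```

Settings placed inside a `<VirtualHost>` block apply only to that vhost, so the port 80 vhost keeps its own mod_deflate section unless the directives are moved to the main server config.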

RowleyAuthor Commented:
Thanks for having a go. Whilst not completely answering my question your shared experience is valuable info nonetheless.

