Gzip is the Nginx module that compresses HTTP response bodies. It cuts the number of bytes on the wire substantially and makes a site noticeably faster, but a careless configuration turns it into a side channel. A typical baseline:
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_vary on;
Compressing response bodies is what makes BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) possible. The attack needs three things in one response: the body is compressed, it contains a secret that stays the same across requests (a CSRF token is the classic case), and it reflects attacker-controlled input (a search string, a URL parameter). The attacker has the victim's browser request the page with a guess that gets echoed next to the secret, then measures the size of the compressed response; TLS does not hide length, so the ciphertext size is enough. A guess that matches a longer prefix of the secret gives DEFLATE a longer back-reference and a slightly shorter body, so the secret is recovered one character at a time: - the compression ratio itself is the leak, not any weakness in the cipher - pages that carry CSRF tokens or other per-session secrets beside reflected input are the ones exposed
Mitigations:
# Disable compression for pages that carry secrets
location /account {
    gzip off;
}
Randomizing the secret on every response also works and is what Django and Rails do for their CSRF tokens: send mask || (mask XOR token) with a fresh random mask each time, so the bytes the attacker is guessing never repeat between requests and the compression ratio no longer correlates with the guess. The often-quoted add_header X-Content-Digest "random-string" does nothing against BREACH: the attack measures the compressed body, and a constant header is not random at all. Length hiding only helps if the body itself is padded with a random number of bytes per response, which the application has to do, and even then it only slows the attack down rather than stopping it.
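The oracle and the masking defence described above, as an added example that is not code from the original page: it compresses a constructed search page with Python's zlib, recovers a constructed CSRF token one hex character at a time purely from compressed length, then shows that a fresh per-response mask destroys the signal. The HTML template, the token 4f9a1c7e, the hex alphabet and every function name are assumptions made for the demo. The page is compressed with zlib's Z_FIXED strategy so that each extra matched character costs exactly one byte; against nginx's default dynamic Huffman coding the per-character difference is only a few bits, and real BREACH attacks recover it by repeating padded requests.

```python
"""BREACH-style compression oracle against a page that echoes attacker input
beside a secret, and the per-response token masking that defeats it.
Added example, not from the original page: the HTML template, the token and
all names below are constructed for illustration."""
import secrets
import string
import zlib

ALPHABET = string.digits + "abcdef"   # assumed token charset (hex)
SECRET = "4f9a1c7e"                    # constructed CSRF token carried by the page


def compressed_size(body: bytes) -> int:
    """Bytes on the wire after DEFLATE. Z_FIXED pins every ASCII literal to 8 bits,
    so one extra matched character is exactly one byte less. nginx's default
    dynamic Huffman coding blurs that to a few bits, which real attacks recover
    by repeating measurements with alignment padding."""
    z = zlib.compressobj(level=6, strategy=zlib.Z_FIXED)
    return len(z.compress(body) + z.flush())


def render_page(reflected: str, token_field: str) -> bytes:
    """Constructed search page: echoes the query and carries a hidden CSRF token
    in the same response, the combination BREACH needs."""
    nav = "".join(
        f'<li><a href="/{p}">{p.capitalize()}</a></li>'
        for p in ("shop", "cart", "help", "login")
    )
    html = (
        f"<html><head><title>Shop</title></head><body><ul>{nav}</ul>"
        f"<p>Search results for: {reflected}</p>"
        '<form method="post" action="/account">'
        f'<input type="hidden" name="csrf_token" value="{token_field}"></form>'
        "</body></html>"
    )
    return html.encode()


def plain_page(reflected: str) -> bytes:
    """Vulnerable: the raw token sits in the compressed body beside the echo."""
    return render_page(reflected, SECRET)


def mask_token(token_hex: str) -> str:
    """Per-response masking: emit mask || (mask XOR token), both hex, with a
    fresh mask each time so the token's bytes never repeat across responses."""
    token = bytes.fromhex(token_hex)
    mask = secrets.token_bytes(len(token))
    return mask.hex() + bytes(m ^ t for m, t in zip(mask, token)).hex()


def unmask_token(field: str) -> str:
    """Server side: strip the mask before comparing with the session token."""
    half = len(field) // 2
    mask, masked = bytes.fromhex(field[:half]), bytes.fromhex(field[half:])
    return bytes(m ^ c for m, c in zip(mask, masked)).hex()


def masked_page(reflected: str) -> bytes:
    """Mitigated: same template, token masked with a fresh random mask per response."""
    return render_page(reflected, mask_token(SECRET))


def recover(page, length: int = len(SECRET)) -> str:
    """The attacker's loop: extend the known prefix by the character whose echo
    makes the response compress shortest, i.e. the one that lengthened the LZ77
    match against the secret. One request per candidate per position."""
    known = ""
    for _ in range(length):
        known += min(
            ALPHABET,
            key=lambda c: compressed_size(page(f'csrf_token" value="{known}{c}')),
        )
    return known


if __name__ == "__main__":
    print("plain page  ->", recover(plain_page))    # equals SECRET
    print("masked page ->", recover(masked_page))   # unrelated noise
```

The echo has to include the bytes that precede the secret in the page (`csrf_token" value="`) so that the guess and the secret share a long common prefix; that is why the attack only works when attacker input lands in the same compressed body as the secret, and why `gzip off` on that location or per-response masking both remove it.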
A high compression level such as 9 squeezes out a little more, but: - it noticeably increases CPU load per response - the gain shrinks with every step (level 6 is usually the best trade-off between ratio and CPU)
A badly chosen gzip_types list does one of two things: - compresses content that is already compressed (JPEG, PNG, WOFF2), burning CPU for a ratio close to 1 - leaves out text types that would shrink several-fold
Recommended gzip_types (text/html is always compressed by nginx and need not be listed; woff and woff2 are already compressed and are deliberately absent):
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
Do not compress small responses, where the gzip header and Huffman tables cost as much as they save:
gzip_min_length 1024; # responses under 1 KB are sent uncompressed
To skip compression for clients that mishandle it, or for user agents you do not want to serve compressed content, use gzip_disable, which takes regexes (or the built-in mask "msie6") matched against the User-Agent header:
gzip_disable "msie6" "some_malicious_bot";
The widely copied variant `set $no_gzip ...; if ($http_user_agent ~* ...) { ... } gzip off if $no_gzip;` is not valid nginx syntax (gzip accepts only on or off), and an if block inside a location is the pattern nginx's own documentation warns against. "msie6" is nginx's shorthand for the regex MSIE [4-6]\. and some_malicious_bot is the page's placeholder for whatever pattern you actually need.
# Make sure the TLS configuration is strong in its own right
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
This is general hardening, not a BREACH countermeasure: the attack reads only the length of the encrypted records, which no protocol version or cipher suite conceals, so compression still has to be dealt with on its own. Two caveats: X-XSS-Protection is obsolete (Chromium removed its XSS auditor and Firefox never implemented the header), so a Content-Security-Policy is the header worth the effort instead; and add_header directives are inherited from the server level only by location blocks that define no add_header of their own, so a location such as the `gzip off` one above must either repeat the headers or leave add_header alone.
The $gzip_ratio variable records the achieved compression ratio of each response (it is "-" when the response was not compressed) and can be added to log_format. Logging it lets you confirm that compression really is off on the sensitive locations and spot compressed responses that barely shrink, which usually means an already-compressed type slipped into gzip_types. Scoped this way, Gzip delivers its performance gain while keeping the side-channel exposure to a minimum.
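Reading $gzip_ratio back out of the access log, as an added example that is not part of the original page: the log_format, the sample log lines and the list of sensitive path prefixes are all constructed for the demo. The script parses the lines, flags compressed responses on paths that should have `gzip off`, and flags compressed responses whose ratio is close to 1.

```python
"""Audit an nginx access log that includes $gzip_ratio.
Added example, not from the original page: the log_format, the sample lines
and the sensitive-path list are constructed for illustration."""
import re

# Assumed paths that must never be compressed (the `gzip off` locations).
SENSITIVE_PREFIXES = ("/account", "/api/session")

# Assumed log_format, constructed for this example:
# log_format gz '$remote_addr "$request" $status $body_bytes_sent '
#               '"$http_accept_encoding" gzip_ratio=$gzip_ratio';
LINE_RE = re.compile(
    r'^(?P<addr>\S+) "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ae>[^"]*)" gzip_ratio=(?P<ratio>\S+)$'
)

# Constructed sample log: one sensitive path compressed, one correctly not,
# one PNG compressed for almost no gain, one small response skipped by gzip_min_length.
SAMPLE_LOG = """\
203.0.113.5 "GET /static/app.js HTTP/1.1" 200 31204 "gzip, deflate, br" gzip_ratio=3.41
203.0.113.5 "GET /account HTTP/1.1" 200 4412 "gzip, deflate, br" gzip_ratio=2.87
203.0.113.7 "GET /account HTTP/1.1" 200 9981 "gzip, deflate" gzip_ratio=-
203.0.113.9 "GET /static/logo.png HTTP/1.1" 200 51230 "gzip" gzip_ratio=1.01
198.51.100.2 "GET /api/session HTTP/1.1" 200 812 "gzip" gzip_ratio=1.95
198.51.100.2 "GET /search?q=x HTTP/1.1" 200 120 "gzip" gzip_ratio=-
"""


def parse_log(text):
    """Parse lines in the assumed format; '-' becomes None, the query string is dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # a line from another log_format: skip rather than guess
            continue
        r = m.groupdict()
        r["ratio"] = None if r["ratio"] == "-" else float(r["ratio"])
        r["path"] = r["path"].split("?", 1)[0]
        r["bytes"] = int(r["bytes"])
        records.append(r)
    return records


def compressed_sensitive(records):
    """Responses on paths that should have gzip off but were compressed anyway:
    each one is a BREACH exposure to fix in the configuration."""
    return [
        r for r in records
        if r["ratio"] is not None and r["path"].startswith(SENSITIVE_PREFIXES)
    ]


def wasted_compression(records, threshold=1.1):
    """Compressed responses that barely shrank: CPU spent on already-compressed
    content that should be removed from gzip_types."""
    return [r for r in records if r["ratio"] is not None and r["ratio"] < threshold]


def report(text):
    """Human-readable summary of both checks over a log excerpt."""
    recs = parse_log(text)
    lines = [f"{len(recs)} requests parsed"]
    for r in compressed_sensitive(recs):
        lines.append(f"COMPRESSED SECRET PAGE {r['path']} ratio={r['ratio']} from {r['addr']}")
    for r in wasted_compression(recs):
        lines.append(f"wasted compression {r['path']} ratio={r['ratio']} ({r['bytes']} bytes sent)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On a real log, pipe `grep gzip_ratio= access.log` into `parse_log`; the third sample line (an /account hit with ratio "-") is what a correctly placed `gzip off` looks like, and anything the first check prints means a location is still compressing a secret.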