"gzip on" is marked as an error

chr4 / nginx.vim

Improved nginx vim plugin (incl. syntax highlighting)

450 stars 41 forks source link

"gzip on" is marked as an error #8

Closed bdesham closed 5 years ago

bdesham commented 6 years ago

I’m not sure if this is an oversight or an intentional feature 😄 I tried adding the following directive to a location block:

gzip on;

and the on was highlighted as an error. I notice that the syntax file includes

hi link ngxGzipOff ngxBoolean
hi link ngxGzipOn Error

I’m curious: why do you consider enabling gzip to be an error?

chr4 commented 6 years ago

This is intentional.

There's a vulnerability with gzip (which do not seem to be mitingated) called BREACH.

To my knowledge there are workarounds to make the use of gzip safe, but they require additional nginx modules or have to be taken care of on the application side. One method would be to use Chunked-Encoding.

I think, as this requires additional efford the use of gzip on should be marked as dangerous to raise awareness that additional mitingations need to be applied.

bdesham commented 5 years ago

OK. Thank you for the explanation (and the great script!).