Unfortunately we could not reproduce the issue. Could you please check your app and Nginx configuration? Perhaps you are enabling gzip in your app and not in Nginx.
I am compiling this as a static module in NGINX 1.24.0 on Ubuntu 20.04. When the module is enabled, curl shows that the random-length HTML comment is showing up successfully.
However, a deeper dive shows that the response body is malformed GZIP data. The file format seems OK, until near the end when the random-length HTML comment shows up as plain text, not compressed. I don't think this is a security risk, since it's still inside the TLS encryption, but this malformed GZIP response has caused a monitoring issue.
A New Relic synthetic monitor, of the simple browser type, with verify SSL enabled, will error out with the errors "incorrect header check" and "Z_DATA_ERROR". It looks like New Relic is using JavaScript and zlib, which errors out when given this malformed compressed response.
To see the malformed compressed response, try this:
The "extra field" might be that uncompressed plain text that's tacked on to the end of the file.
Here's the response body in a hex viewer. You'll see the plain text random-length HTML comment there.
I think that the trailing garbage is what's causing my monitoring to fail.
You'll see that the random-length HTML comment does not show up at all. That's because gunzip considered it to be trailing garbage and so ignored it.
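A check for the condition described in this report, added here as an example and not code from the thread or from the module: it inflates the first gzip member of a saved response body and reports any bytes left after the gzip trailer. The sample page and comment text are constructed, and the classifier assumes a decoder that tries to read leftover bytes as another gzip member.

```python
import gzip
import zlib

GZIP_ONLY = 31  # wbits value: 15-bit window + 16 = expect a gzip wrapper


def split_gzip_body(body: bytes):
    """Inflate the first gzip member; return (plaintext, bytes after its trailer)."""
    d = zlib.decompressobj(GZIP_ONLY)
    out = d.decompress(body)
    if not d.eof:
        raise ValueError("truncated gzip member")
    # unused_data holds whatever follows the CRC32/ISIZE trailer.
    return out, d.unused_data


def classify_trailing(trailing: bytes) -> str:
    """Describe what a decoder expecting another member makes of the leftovers."""
    if not trailing.strip(b"\x00"):
        return "clean"  # nothing, or zero padding only
    if trailing.startswith(b"\x1f\x8b"):
        return "another gzip member"
    try:
        # Assumption: the decoder restarts gzip parsing on the leftover bytes.
        zlib.decompressobj(GZIP_ONLY).decompress(trailing)
    except zlib.error as exc:
        return f"trailing garbage: {exc}"
    return "trailing garbage"


# Constructed sample: a compressed page with an uncompressed comment appended.
HTML = b"<html><body>hello</body></html>"
COMMENT = b"<!-- random-length padding: k3Jx9QpL -->"
GOOD = gzip.compress(HTML)
BAD = GOOD + COMMENT

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("bad", BAD)):
        page, extra = split_gzip_body(body)
        print(name, len(page), "bytes inflated;", classify_trailing(extra))
```

To run it against a real response, save the raw body without letting the client decode it and pass the file's bytes to `split_gzip_body`.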