How to Safely Enable Gzip on a HTTPS Site with NGINX

Ok, before you think "OH, YOU JUST DO gzip on AND IT WILL WORK!!! THIS IS CLICKBAIT!!!!!!" and click off, I just want to make you aware that enabling Gzip without any sort of protection leaves your HTTPS site vulnerable to BREACH attacks. In this post, I am going to show you how to safely enable Gzip on an HTTPS site.

One of the mitigations for BREACH, which infers secrets from the size of compressed responses, involves adding a random-length string to each response so that the length an attacker observes no longer reflects the real content. The NGINX module ngx_http_length_hiding_filter_module does just that. Implementing it in your configuration isn't hard. Here are the steps you can take to enable this module on NGINX in a Debian/Ubuntu environment.

  1. Install ngx_http_length_hiding_filter_module
    • Checkout NGINX source code
      $ apt source nginx
    • Install required packages
      # apt install libpcre3 libpcre3-dev
    • Checkout ngx_http_length_hiding_filter_module source code
      $ git clone https://github.com/nulab/nginx-length-hiding-filter-module.git
    • Configure NGINX with ngx_http_length_hiding_filter_module as a dynamic module
      $ cd nginx-1.18.0/
      $ ./configure --add-dynamic-module=../nginx-length-hiding-filter-module --with-compat
    • Build the module
      $ make modules
    • Copy the module to the modules directory
      # cp objs/ngx_http_length_hiding_filter_module.so /usr/lib/nginx/modules/
    • Create /etc/nginx/modules-available/mod-http-length-hiding-filter-module.conf containing the following line:
      load_module modules/ngx_http_length_hiding_filter_module.so;
  2. Enable the module
    # ln -s /etc/nginx/modules-available/mod-http-length-hiding-filter-module.conf /etc/nginx/modules-enabled/50-mod-http-length-hiding-filter-module.conf
  3. Edit the server configuration to enable both gzip and length hiding
    server {
        ...
        length_hiding_max 1024;
        gzip on;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        ...
        location / {
            ...
            length_hiding on;
            ...
        }
        ...
    }
  4. Restart NGINX
    # systemctl restart nginx

Now you should have Gzip enabled securely on your HTTPS site. To test whether the module is working, visit your website and press Ctrl + U. You should see a randomly generated string at the bottom of the page source, as shown.
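An automated version of that Ctrl + U check, written as an added example for this post (it is not the module's or the post's own code): it fetches a page several times with gzip requested and confirms that Content-Encoding is gzip, that Vary is set, and that the appended random comment and the compressed size really differ between responses. It assumes the module's padding is an HTML comment at the very end of the body; fetch_samples, check_length_hiding and make_sample are names of my own, and make_sample builds constructed responses for offline testing.

```python
import gzip
import re
import sys
import urllib.request

# Assumption: the padding is an HTML comment at the very end of the body (what
# you see with Ctrl+U). Adjust PAD_RE if your build of the module emits another shape.
PAD_RE = re.compile(rb"<!--.*?-->\s*$", re.S)

def fetch_samples(url, n=5):
    """Fetch url n times advertising gzip; returns [(lowercase-header dict, raw body)]."""
    samples = []
    for _ in range(n):
        req = urllib.request.Request(url, headers={"Accept-Encoding": "gzip"})
        with urllib.request.urlopen(req) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            samples.append((headers, resp.read()))
    return samples

def check_length_hiding(samples):
    """Each value should be True on a correctly configured server."""
    pads = []
    for headers, raw in samples:
        enc = headers.get("content-encoding", "").lower()
        pads.append(PAD_RE.search(gzip.decompress(raw) if enc == "gzip" else raw))
    pad_values = {m.group(0) for m in pads if m}
    return {
        # gzip really is on for this content type
        "gzip": all(h.get("content-encoding", "").lower() == "gzip" for h, _ in samples),
        # gzip_vary on: shared caches must key on Accept-Encoding
        "vary": all("accept-encoding" in h.get("vary", "").lower() for h, _ in samples),
        # a random comment is appended to every response and differs between fetches
        "padding_present": all(m is not None for m in pads),
        "padding_varies": len(pad_values) == len(samples),
        # the on-the-wire size differs too, which is what blunts BREACH's length oracle
        "length_varies": len({len(raw) for _, raw in samples}) > 1,
    }

def make_sample(pad, compress=True):
    """Constructed response for offline testing; not real server output."""
    body = b"<html><body>Hello, world</body></html>\n"
    if pad is not None:
        body += b"<!-- " + pad + b" -->\n"
    headers = {"vary": "Accept-Encoding"}
    if compress:
        headers["content-encoding"] = "gzip"
        return headers, gzip.compress(body)
    return headers, body

if __name__ == "__main__":
    print(check_length_hiding(fetch_samples(sys.argv[1])))
```

Run it as python3 check.py https://your-site/ and treat any False as a misconfiguration; length_varies staying False means the padding never reached the wire. Random padding only adds noise that a patient attacker can average out over many requests, so keep secrets such as CSRF tokens out of responses that also reflect user input wherever you can.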

The Overhyped Chinese Linux Distro: Deepin


Deepin is something that could easily fly under my radar, however I just can't ignore its existence because Deepin promotes itself really heavily in its home country. Here is a quick search of Deepin on the Chinese video sharing platform, Bilibili.

A lot of these videos are based around installing Deepin on old hardware (please don't), how great Deepin is as the Chinese operating system, and daily-driving Deepin instead of Windows, which uhh... is the generic type of Linux video that a normal Windows user will make.

The Deepin devs have not been the friendliest to the open source community either. Deepin has its own fork of Wine called deepin-wine, and it has been impressive so far for running Windows apps. But it is proprietary and doesn't play well on other distros. Nice job, Deepin!

Anyway, I downloaded the Deepin ISO and gave it a spin in a VM.

Here is your Deepin boot screen which is the standard stuff you would see in a Linux distro. Nothing wrong yet. But I gotta say the boot process is kinda slow.

Woah woah woah, hold on. It just set my resolution to 1080p??? Now I have no other option but to make the VM full screen because my native resolution is 1080p. Now what if my screen is not 1080p? I lived with 1440 * 990 for at least 7 years!

Setting the language to English and clicking next presents me with a Friendly Note™. I gotta say the Friendly Note™ is very friendly, as I gave my VM a quad-core vCPU and 4 GB of RAM, which is considered garbage by today's standards. I wonder how I got by with a dual-core CPU back in the day.

Here is the friendly partitioning wizard. It really surprised me that Deepin requires at least 64 GB of storage. That's a lot of storage! Even Windows, the most bloated operating system of all time (cough cough), doesn't require 64 GB of storage to run.

I deleted the VM and recreated it because I don't know how to resize a qcow disk image.

Here we go, much better now.

It comes with a strange partitioning layout. Most of the time I just create a single root (/) file system and I haven't run into many problems with it so far. Your mileage may vary.

Now I am asked to confirm the partitioning layout. It also prompted me to create a "backup for system restore". Is this Windows 95???

Finally, I get to see the installation. Nothing special over there.

The installation has finished. It got stuck at 69% and 96% at one point, but that didn't take too long.

After rebooting I am asked to choose a language again for whatever reason.

Here is the part where you select the keyboard layout. Nothing fancy there.

Now the timezone. Nothing to see here.

Here I create a user. It seems I can only enter a UNIX-style username, as I can't have spaces in the username.

Tuning my system? What is it doing? Is it going to install a tiling window manager for me?

After it "tunes" my system I am greeted with a login manager. Now it sets the resolution to my native resolution.

Now it is giving me a Friendly Reminder™ that reminds me I am running this in a VM and prompts me to choose from Effect Mode™ and Normal Mode™. I went ahead and selected Normal Mode™.

Yet another setup wizard. This is the third one already.

I nearly died on this one. Here is the Deepin patented Desktop Mode™ selector. I can choose from Fashion Mode™ and Effective Mode™. The only difference seems to be the panel.

I am asked to choose the Running Mode™ again. I just realized that Normal Mode™ doesn't have panel transparency, so I selected Effect Mode™ here instead.

And the icon theme as well.

Finally, here's the desktop that we've all been waiting for.

Here is the Multitasking View™, an Apple Exposé style task switcher.

While I was running apt, I realized I already have orphaned packages on my system. This is a clean install! It seems to be removing stuff that shouldn't be removed.

No Linux screenshot is complete without neofetch.

System resource wise... not bad actually! It seems to be using fewer resources than I expected as the VM is running rather slowly.

Deepin comes with this terrible default terminal color theme that does nothing but make you feel like a 133t h3xx0r, as all 133t h3xx0rs use green terminals.

Deepin doesn't come with PackageKit, Flatpak and Snap. Most software centers will require at least one of those backends to work properly, but the Deepin software center works differently as we will see in a bit.

The version of fcitx that comes with Deepin seems to be out-of-date.

Here is the Deepin software center. A lot of the applications are Chinese, so you might not need or want to use them.

I picked Chrome from the list and installed it in the system.

And there is Chrome. What were you expecting?

A quick find later revealed that Chrome had been installed into /opt/apps/cn.google.chrome, a rather non-standard location.

Checking out the web browser itself, it seems to be a fork of Chromium 93, which is already out of date.

Launching the file manager opens "Computer". It calls the /data partition created during setup "Data Disk".

Opening "Data Disk" brings us to the "home" folder. However, this is not the actual home folder but rather a replica of the home folder on the "Data Disk".

It comes with a demo track in the Music folder. The Deepin music player doesn't seem to play well with my resolution.

Closing the music player requires me to choose my "action". Oh well.

At first glance, I thought Deepin came with GNOME Drawing. But it seems to be its own thing instead.

Shutting down Deepin.

Overall, Deepin hasn't been that impressive to me. I don't see the fancy effects that people are talking about, and it seems a bit behind the rest of the Linux desktop for not shipping something like Flatpak by default. It definitely needs some improvement and is way too overhyped, at least in China.