Enable gzip compression in yunohost wordpress sites

So, I’m not looking for help, rather putting this here for myself and anyone else experiencing the problem.

How to solve the problem

If you find out that your website is considered not performant, for example using this tool:
https://developers.google.com/speed/pagespeed/insights/

And if the cause is gzip compression not being enabled, well, the solution is simple, and the latest versions should include that by default.

Steps

Go to /etc/nginx/conf.d and look for your specific site’s folder. You should find a mywebsite__x.conf with a content similar to this:

#--MULTISITE--if (!-e $request_filename) {
	#--MULTISITE--rewrite /wp-admin$ $scheme://$host$uri/ permanent;
	#--MULTISITE--rewrite ^/(/[^/]+)?(/wp-.*) /$2 last;
	#--MULTISITE--rewrite ^/(/[^/]+)?(/.*\.php)$ /$2 last;
#--MULTISITE--}

#sub_path_only rewrite ^/$ / permanent;
location / {

       # Path to source
       alias /var/www/wordpress__n/;

       index index.php;
       if (!-e $request_filename)
       {
              rewrite ^(.+)$ /index.php?q=$1 last;
       }

       # Force usage of https
       if ($scheme = http) {
             rewrite ^ https://$server_name$request_uri? permanent;
       }

       client_max_body_size 30m;
       location ~ [^/]\.php(/|$) {
           fastcgi_split_path_info ^(.+?\.php)(/.*)$;
           fastcgi_pass unix:/var/run/php/php7.3-fpm-wordpress__5.sock;
           fastcgi_index index.php;
           include fastcgi_params;
           fastcgi_param REMOTE_USER $remote_user;
           fastcgi_param PATH_INFO $fastcgi_path_info;
           fastcgi_param SCRIPT_FILENAME $request_filename;
       }

  # Include SSOWAT user panel.
  include conf.d/yunohost_panel.conf.inc;
}

Change it to the following:

#--MULTISITE--if (!-e $request_filename) {
	#--MULTISITE--rewrite /wp-admin$ $scheme://$host$uri/ permanent;
	#--MULTISITE--rewrite ^/(/[^/]+)?(/wp-.*) /$2 last;
	#--MULTISITE--rewrite ^/(/[^/]+)?(/.*\.php)$ /$2 last;
#--MULTISITE--}

#sub_path_only rewrite ^/$ / permanent;
location / {

       # Path to source
       alias /var/www/wordpress__n/;

       index index.php;
       if (!-e $request_filename)
       {
              rewrite ^(.+)$ /index.php?q=$1 last;
       }

       # Force usage of https
       if ($scheme = http) {
             rewrite ^ https://$server_name$request_uri? permanent;
       }

       client_max_body_size 30m;
       location ~ [^/]\.php(/|$) {
           fastcgi_split_path_info ^(.+?\.php)(/.*)$;
           fastcgi_pass unix:/var/run/php/php7.3-fpm-wordpress__5.sock;
           fastcgi_index index.php;
           include fastcgi_params;
           fastcgi_param REMOTE_USER $remote_user;
           fastcgi_param PATH_INFO $fastcgi_path_info;
           fastcgi_param SCRIPT_FILENAME $request_filename;
       }
       gzip on;
       # Disabled because it doesn't look good except on Firefox
       # add_header Content-Encoding "gzip2";
       gzip_vary on;
       gzip_disable "msie6";
       gzip_min_length 500;
       gzip_proxied any;
       gzip_comp_level 6;
       gzip_buffers 16 8k;
       gzip_http_version 1.1;
       gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  # Include SSOWAT user panel.
  include conf.d/yunohost_panel.conf.inc;
}

gzip is disabled by default because compression + encryption enables the BREACH vulnerability: BREACH - Wikipedia

(and because nginx doesn’t allow disabling gzipping for text/html)

Oh, I see I think you mentioned something like that in French somewhere, but my French is quite bad and Google Translate doesn’t like to translate this forum, apparently.

Anyhow, I’ll check the link to see if I should keep it or not. Thing is that Google’s PageSpeed Insights does like it a LOT, my rating went from 7 to 99.

Do any of the mentioned mitigations work on YunoHost?
If so, is it possible to add them to the .conf file?

Hmmmm one would need to study these in detail … also somebody is mentioning elsewhere that with applications using the SameSite option on cookies, this prevents scenarios where an attacker could exploit BREACH … But all this is tricky.

Thing is, BREACH ain’t like some super high critical vulnerability, an attacker still needs other things like CSRF etc to be able to exploit it … and for “well-known” apps - even wordpress - I’d say they already implement stuff to protect from this (hopefully) … so I’d say feel free to tweak the conf to enable this on your instance if you do really care about SEO

Alternatively we could add gzip in the Yunohost’s wordpress package nginx configuration if we can validate that wordpress ain’t vulnerable to it somehow.

But in the general sense, we can’t yet enable it on the global scope by default in YunoHost (or please, somebody with a better understanding of all that subtle security stuff, come and convince us that it’s safe to enable gzipping for text/html - or whichever practical mitigation we can add…)

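To make both points in this thread concrete (checking that the gzip directives from the steps above actually take effect, and seeing why text/html cannot be kept out of compression), here is a small added example that is not part of the thread and not code from YunoHost or its wordpress package. It models nginx's gzip decision for the directives in the post, runs offline on constructed request/response pairs (the paths, sizes and User-Agent strings are made up), and reports which responses would be compressed, which of those are the dynamic text/html pages the BREACH discussion is about, and which headers you should see from the live server.

```python
"""Added example (not from the thread or YunoHost): model the nginx gzip
decision for the directives posted above and flag the BREACH-relevant cases.
Runs entirely offline on constructed exchanges."""
import re

# Constructed copy of the gzip directives from the config in the thread.
GZIP_CONF = """
gzip on;
gzip_vary on;
gzip_disable "msie6";
gzip_min_length 500;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
"""


def parse_gzip_conf(conf):
    """Pull the compression-deciding directives out of an nginx snippet.
    nginx always treats text/html as compressible when gzip is on, so it is
    seeded into the type set and gzip_types cannot remove it."""
    s = {"on": False, "min_length": 20, "types": {"text/html"}, "vary": False, "disable": []}
    for m in re.finditer(r"^\s*(gzip\w*)\s+([^;]+);", conf, re.M):
        name, args = m.group(1), [a.strip('"') for a in m.group(2).split()]
        if name == "gzip":
            s["on"] = args[0] == "on"
        elif name == "gzip_min_length":
            s["min_length"] = int(args[0])
        elif name == "gzip_types":
            s["types"] |= set(args)
        elif name == "gzip_vary":
            s["vary"] = args[0] == "on"
        elif name == "gzip_disable":
            s["disable"] = args
    return s


def _disabled_for(ua, patterns):
    """gzip_disable matches regexes against User-Agent; "msie6" is nginx's
    shorthand for MSIE 4-6 without the SV1 (XP SP2) token."""
    for pat in patterns:
        if pat == "msie6":
            if re.search(r"MSIE [4-6]\.", ua) and "SV1" not in ua:
                return True
        elif re.search(pat, ua):
            return True
    return False


def _compressible_type(s, content_type):
    mime = content_type.split(";")[0].strip().lower()
    return mime, ("*" in s["types"] or mime in s["types"])


def would_compress(s, request_headers, content_type, content_length):
    """True when nginx with settings s would gzip this response.
    content_length is the uncompressed size (gzip_min_length only applies when it is known)."""
    if not s["on"] or "gzip" not in request_headers.get("Accept-Encoding", "").lower():
        return False
    if _disabled_for(request_headers.get("User-Agent", ""), s["disable"]):
        return False
    _, ok = _compressible_type(s, content_type)
    return ok and content_length >= s["min_length"]


def audit(s, exchanges):
    """Return (path, compressed, breach_relevant, expected_headers) per exchange.
    A compressed text/html page is the case the thread worries about: dynamic
    HTML that mixes a CSRF token or session data with content an attacker may
    influence, with no gzip_types knob available to exclude it."""
    out = []
    for ex in exchanges:
        comp = would_compress(s, ex["req"], ex["type"], ex["length"])
        mime, ok = _compressible_type(s, ex["type"])
        expect = {}
        if comp:
            expect["Content-Encoding"] = "gzip"
        # nginx adds Vary for compressible types above min_length even when
        # this particular client did not ask for gzip (cache correctness).
        if s["on"] and s["vary"] and ok and ex["length"] >= s["min_length"]:
            expect["Vary"] = "Accept-Encoding"
        out.append((ex["path"], comp, comp and mime == "text/html", expect))
    return out


# Constructed sample traffic against a WordPress site (not real captures).
BROWSER = {"Accept-Encoding": "gzip, deflate, br", "User-Agent": "Mozilla/5.0"}
EXCHANGES = [
    {"path": "/wp-login.php", "req": BROWSER, "type": "text/html; charset=UTF-8", "length": 12000},
    {"path": "/wp-content/themes/t/style.css", "req": BROWSER, "type": "text/css", "length": 40000},
    {"path": "/favicon.ico", "req": BROWSER, "type": "image/x-icon", "length": 4286},
    {"path": "/robots.txt", "req": BROWSER, "type": "text/plain", "length": 120},
    {"path": "/", "req": {"User-Agent": "curl/7.64.0"}, "type": "text/html", "length": 30000},
    {"path": "/", "req": {"Accept-Encoding": "gzip",
                          "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
     "type": "text/html", "length": 30000},
]
SETTINGS = parse_gzip_conf(GZIP_CONF)

if __name__ == "__main__":
    for path, comp, relevant, expect in audit(SETTINGS, EXCHANGES):
        print(f"{path:35} compressed={comp!s:5} breach_relevant={relevant!s:5} expect={expect}")
```

After reloading nginx (`nginx -t` first), the `expect` column is what to compare against `curl -sI -H 'Accept-Encoding: gzip' https://yoursite/...`: static assets should come back with `Content-Encoding: gzip` and `Vary: Accept-Encoding`, and the output makes visible that the login page and other dynamic text/html responses are compressed too, which is exactly the part the maintainers above are cautious about.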

I’ve enabled it only on my wordpress instances; eventually I’ll investigate more if there is a way to mitigate.
