From: Rodrigo Campos <rodrigo@sdfg.com.ar>
Date: Mon, 27 Apr 2015 14:26:22 +0000 (-0300)
Subject: Revert "templates/web.sssl.template.yml: Disable spdy header compression"
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=d266e9769474c3092dcc93c138c1d5e3418879f3;p=discourse_docker.git

Revert "templates/web.sssl.template.yml: Disable spdy header compression"

This reverts commit c0ed494c3acf1acf629379f33f413d7660183855. It was late and I
misread the info here:

	https://github.com/18F/tls-standards/issues/24

The first comment clearly states that the server *can* compress spdy header, as
the attack is on request headers (not responses). And modern browsers disable
compression on requests (or chrome, maybe even smarter tricks in newer
versions). In fact, Chrome 21 and Firefox 15 switched off SPDY header
compression[1] and the requirements page on discourse:

	https://github.com/discourse/discourse#requirements

shows newer browsers than those are needed. So it seems safe to enable spdy
header compression on the server.

[1]: https://www.imperialviolet.org/2012/09/21/crime.html
---

diff --git a/templates/web.ssl.template.yml b/templates/web.ssl.template.yml
index 16ba9e2..740311f 100644
--- a/templates/web.ssl.template.yml
+++ b/templates/web.ssl.template.yml
@@ -26,8 +26,10 @@ run:
        ssl_session_tickets off;
        ssl_session_cache shared:SSL:1m;
 
-       # disable SPDY header compression (flawed in spdy < 4)
-       spdy_headers_comp 0;
+       # enable SPDY header compression
+       # The server CAN enable it without any known security risk:
+       # https://github.com/18F/tls-standards/issues/24
+       spdy_headers_comp 6;
 
        # remember the certificate for a year and automatically connect to HTTPS for this domain
        add_header Strict-Transport-Security 'max-age=31536000';