Add configurable 'compression'
authorStoiko Ivanov <s.ivanov@proxmox.com>
Fri, 15 Feb 2019 11:36:00 +0000 (12:36 +0100)
committerThomas Lamprecht <t.lamprecht@proxmox.com>
Tue, 19 Feb 2019 16:14:14 +0000 (17:14 +0100)
The rationale for disabling compression is the potential exposure to the
BREACH (CVE-2013-3587) attack; disabling it is also considered good practice
for https configuration (see e.g. [0]).

The default remains: to have compression enabled for compressible file-types.

[0] https://cipherli.st/

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
PVE/APIServer/AnyEvent.pm

index 38921364481a0eb31f126504c3b6443ce57bd9fe..277a1ec34778c47eb519b87996cbf3fa2315b882 100755 (executable)
@@ -184,6 +184,7 @@ sub response {
     $reqstate->{hdl}->timeout_reset();
     $reqstate->{hdl}->timeout($self->{timeout});
 
+    $nocomp = !$self->{compression};
     $nocomp = 1 if !$reqstate->{accept_gzip};
 
     my $code = $resp->code;
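Review bot: The added `$nocomp = !$self->{compression};` overwrites whatever `$nocomp` held before this line, so with compression enabled a value of 1 supplied for this particular response is reset to false and the body can still be gzip-compressed. `$nocomp` is not declared in the hunk, so it presumably arrives as an argument of `response`, whose signature lies outside the hunk. Only ever setting the flag keeps a per-response opt-out intact: `$nocomp = 1 if !$self->{compression} || !$reqstate->{accept_gzip};` in place of the two assignments. This matters for the BREACH rationale in the commit message, because under the default configuration a caller that suppresses compression for one response would otherwise silently lose that protection.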
@@ -552,7 +553,7 @@ sub proxy_request {
 
        $headers->{'cookie'} = PVE::APIServer::Formatter::create_auth_cookie($ticket, $self->{cookie_name}) if $ticket;
        $headers->{'CSRFPreventionToken'} = $token if $token;
-       $headers->{'Accept-Encoding'} = 'gzip' if $reqstate->{accept_gzip};
+       $headers->{'Accept-Encoding'} = 'gzip' if ($reqstate->{accept_gzip} && $self->{compression});
 
        my $content;
 
@@ -1611,6 +1612,7 @@ sub new {
     $self->{base_uri} //= "/api2";
     $self->{dirs} //= {};
     $self->{title} //= 'API Inspector';
+    $self->{compression} //= 1;
 
     # formatter_config: we pass some configuration values to the Formatter
     $self->{formatter_config} = {};
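Review bot: The new `compression` option is only ever tested for truth, and `//= 1` fills in the default solely for undef, so any defined value Perl treats as true keeps gzip on; a configuration string such as `off` or `no` would leave compression enabled if the caller passes it through unparsed (how the value is read is not visible here). A comment at the default would state the contract, for example `# compression: boolean (0/1), default 1; 0 disables gzip for responses and proxied requests (BREACH, CVE-2013-3587)`. The body of `new` continues outside the hunk, so whether the option is validated elsewhere cannot be confirmed from these lines.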