pveproxy: add configurable COMPRESSION

disabling http compression is considered good practice and certain TLS-testing
scripts/sites lower the security rating if it's enabled.

compression is still on by default for the potential speed/performance gain.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

diff --git a/PVE/API2Tools.pm b/PVE/API2Tools.pm
index fd2f656dcf8c781753ca4863364c0b97667fc13e..b2e3a6bd1d46230a70fde9aa97b00f4b29c9e209 100644 (file)
--- a/PVE/API2Tools.pm
+++ b/PVE/API2Tools.pm
@@ -223,6 +223,7 @@ sub read_proxy_config {
     $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
     $shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
     $shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
+    $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
 
     my $data = -f $conffile ? `bash -c "$shcmd"` : '';
 
@@ -245,7 +246,7 @@ sub read_proxy_config {
            $res->{$key} = $value;
        } elsif ($key eq 'DHPARAMS') {
            $res->{$key} = $value;
-       } elsif ($key eq 'HONOR_CIPHER_ORDER') {
+       } elsif ($key eq 'HONOR_CIPHER_ORDER' || $key eq 'COMPRESSION') {
            die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
            $res->{$key} = $value;
        } else {

diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index e984cb8c9f39b361bcb810d84dcc4af130f15916..7a4a804f68bffeac989206e01ec814dd00a633b2 100755 (executable)
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -111,6 +111,7 @@ sub init {
            cert_file => '/etc/pve/local/pve-ssl.pem',
            honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
        },
+       compression => $proxyconf->{COMPRESSION},
        # Note: there is no authentication for those pages and dirs!
        pages => {
            '/' => sub { get_index($self->{nodename}, @_) },