Nginx Brotli Support

Asked by Adam Chalemian

Are there plans to include the 3rd-party Brotli module[1] in the Nginx package? I noticed that even the latest cosmic (18.10) supports Nginx 1.15.5, but does not include Brotli support. I (selfishly) would like to have this included with the nginx-light variant as well as the others.

Our only option is to compile and “hold” nginx, which is a real bummer.

Brotli is supported by the major browsers[2] and affords much better compression ratios in many circumstances.

[1] https://github.com/google/ngx_brotli
[2] https://caniuse.com/#feat=brotli

Question information

Language: English
Status: Solved
For: Ubuntu nginx
Assignee: Thomas Ward
Solved by: Thomas Ward

Thomas Ward (teward) said :
#1

Hello.

Firstly, the Google ngx_brotli has not been supported for 2 years by them (and that module as you linked does not build properly). The latest 'fork' in support is actually run by someone else. [1]

Adding brotli was asked in IRC several months ago. I asked for the Ubuntu Security Team to do a cursory review of this. They discovered two potential issues. [2] [3]

I further discovered that the Brotli module that is here is actually vulnerable to BREACH, which relates to how things are compressed [4].

While I am not overly concerned with the BREACH risk (you can mitigate this by disabling compression), nginx-light is not the place for this module. nginx-light is the lightest version in terms of features, and it was generally discussed that if brotli support is added, it's added to nginx-full or nginx-extras primarily.

We also are trying to not add any major deltas between Debian where we can. To that end, this should be requested in Debian first, though this has already been done within the past few weeks with no feedback from Debian. [5]

In further IRC discussions, it was determined that if we do include this, it'd be included in nginx-extras where a majority of the third-party modules reside, not in nginx-light and nginx-full at this time.

I can bring this up with others on the Server Team, maybe even over the mailing lists, to get opinions on whether to include this. However, the two potential crash vectors that were found by the Security Team are concerning because they could result in crashes or DoS risks.

[1]: https://github.com/eustas/ngx_brotli
[2]: https://github.com/eustas/ngx_brotli/issues/21
[3]: https://github.com/eustas/ngx_brotli/issues/22
[4]: https://github.com/eustas/ngx_brotli/issues/23
[5]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919320
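The BREACH mitigation mentioned in the answer above (keep compression off for responses that can carry a secret next to user-controlled input, and compress only static content) as an added nginx configuration example; it is not from the original post or from the ngx_brotli project. It assumes an nginx build that already has the eustas/ngx_brotli module loaded, and the hostname, paths and backend address are placeholders.

```nginx
http {
    # Constructed example: no response is compressed unless a location opts in.
    gzip off;
    brotli off;

    server {
        listen 443 ssl;
        server_name example.test;  # placeholder hostname

        # Static assets contain no per-user secrets, so compressing them is safe.
        location /static/ {
            root /srv/www;  # assumed path
            brotli on;
            brotli_comp_level 6;
            brotli_types text/css application/javascript image/svg+xml;
            # Prefer pre-compressed .br files over compressing on every request.
            brotli_static on;
            gzip on;
            gzip_types text/css application/javascript image/svg+xml;
        }

        # Dynamic responses may reflect request input alongside a CSRF or session
        # token, which is the condition BREACH needs; compression stays off here.
        location / {
            proxy_pass http://127.0.0.1:8080;  # assumed backend
        }
    }
}
```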

Thomas Ward (teward) said (best answer):
#2

I did some talking with my contact on the Security Team, and after that discussion we came to the conclusion that the Brotli module needs work before it can be included in Ubuntu's nginx packaging. This also explains why the request hasn't come in Debian with any level of traction.

Some things to note:

(1) the Google repository shows no movement for 2 years. This suggests that perhaps Google doesn't care as much about the module. The only "actively developed" version is the fork I linked to in my prior messages.

(2) The only remaining active fork for this has a NUMBER of bugs not limited to the issues identified here in my previous post. There are two other substantially concerning bugs [1] [2] which suggest that the module is not yet ready for production 'deployment' in a packaged form.

(3) Commits and fixes to issues have been sporadic at best and not consistent or regular in timing.

Given these things, as the semi-official package maintainer here in Ubuntu, and with the agreement of my contact on the Security team, we're going to consider the 'brotli' module as it currently stands not ready for packaging or inclusion, as the module itself needs some work from the Security and bug-fixing sides.

Therefore, Brotli is not going to be included in Ubuntu's NGINX packages at this time.

[1]: https://github.com/eustas/ngx_brotli/issues/26
[2]: https://github.com/eustas/ngx_brotli/issues/27

Adam Chalemian (adamchal) said :
#3

@Thomas, thanks for the thorough examination and consideration. Given that browser support is high and compression ratio is usually much better than gzip, I’m surprised that this module doesn’t get much love.

I agree with you completely and understand how those two issues alone are enough to dissuade you from including this module for now.

Thanks again!

Adam Chalemian (adamchal) said :
#4

Thanks Thomas Ward, that solved my question.