251684 – www/apache24: enable mod_brotli by default

Bug 251684 - www/apache24: enable mod_brotli by default

Summary: www/apache24: enable mod_brotli by default

Status:	New

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	freebsd-apache (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-12-08 14:02 UTC by Nathan Weeks
Modified:	2022-03-10 21:00 UTC (History)
CC List:	0 users

See Also:

Flags:	bugzilla: maintainer-feedback? (apache)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Nathan Weeks 2020-12-08 14:02:42 UTC

Please consider enabling mod_brotli in the default www/apache24 build.

mod_brotli is now supported by the vast majority of current web browsers, and is in the Apache HTTP Server packages of many Linux distributions, including (at least) Debian 10, Ubuntu 20.04, and RHEL/CentOS 8.

At least a couple other HTTP server ports (nginx-full and likely lighttpd 1.4.56) have brotli enabled by default.

Comment 1 Rafael Grether 2022-02-22 22:08:03 UTC

Despite the mod_brotli is supported by the vast majority of current web browsers, some web applications are vulnerable to an information disclosure attack when a TLS connection carries compressed data, according https://httpd.apache.org/docs/trunk/mod/mod_brotli.html

So, for security reasons, I think and suggest mantain brotli module disabled by default.
Manually, you can perform a "make config" and check Brotli support.

Comment 2 Nathan Weeks 2022-02-22 22:25:08 UTC

True, though mod_deflate is enabled by default, and it carries the same warning: https://httpd.apache.org/docs/trunk/mod/mod_deflate.html