digg_de's picture


I use the turnkey lamp and have problems to enable compression by mode_deflate on a apache2 server. I don't have any idea why it is not working:

Modules are enabled:

# apache2ctl -M
Loaded Modules:
deflate_module (shared)
expires_module (shared)
filter_module (shared)
mime_module (shared)


 <Directory /var/www/>
     Options -Indexes +FollowSymLinks
     AllowOverride All
     Order allow,deny
     Allow from all


 # Deflate Compression by MimeType
 <IfModule mod_deflate.c>
     AddOutputFilterByType DEFLATE text/plain
     AddOutputFilterByType DEFLATE text/html
     AddOutputFilterByType DEFLATE text/xml
     AddOutputFilterByType DEFLATE text/css
     AddOutputFilterByType DEFLATE text/javascript
     AddOutputFilterByType DEFLATE application/xml
     AddOutputFilterByType DEFLATE application/xhtml+xml
     AddOutputFilterByType DEFLATE application/javascript
     AddOutputFilterByType DEFLATE application/x-javascript
     AddOutputFilterByType DEFLATE application/x-font-woff

# Deflate Compression by FileType
<IfModule mod_deflate.c>
    <FilesMatch "\.(js|jpg|jpeg|gif|png|svg|css|eot|ttf|woff)$">
        ExpiresActive on
        ExpiresDefault "access plus 1 month"
        SetOutputFilter DEFLATE

# turns cache on for 1 month
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType application/x-font-woff "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 month"

<IfModule mod_headers.c>
    <filesmatch "\\.(ico|jpe?g|png|gif|svg|swf|eot|ttf|woff)$">
        Header set Cache-Control "max-age=2592000, public"
    <filesmatch "\\.(css)$">
        Header set Cache-Control "max-age=604800, public"
    <filesmatch "\\.(js)$">
        Header set Cache-Control "max-age=604800, public"

PageSpeed Insights says: compression not active for svg-, css-, js- and html-files? Can someone help? Thanks!

Jeremy Davis's picture

IIRC compression over SSL is a security concern (I forget the name, BREACH vulnerability perhaps?) so we disabled it by default. If you're using SSL, then perhaps that's it?

Otherwise, TBH, I'm not sure.

Perhaps you could just have a grep through the Apache conf files and see if anything comes up? E.g.:

grep -ir compression /etc/apache2/

'-i' is case-insensitive, '-r' is recursive.

digg_de's picture

I changed the line in the /etc/apache2/mods-available/ssl.conf:

SSLCompression on

After restarting apache PageSpeed Insight says the same: compression not active. But if this is a security problem I will search for more info.

Thanks al lot!!!!

Jeremy Davis's picture

If you find anything of value, please share. If you keep in mind that TurnKey is Debian under the hood, hopefully you should be able to find plenty of info.

AFAIK compression via plain HTTP is not an issue, just via HTTPS. I assume that at some point in the future it will be resolved, but AFAIK compression via HTTPS still stands as a security risk.

We implemented that some time ago now, so perhaps Debian have pushed some update that locks it down further (beyond the change we made)?

We try to pre-configure all our servers following "best practice", but that's not always as straight forward as it seems. Sometimes, even what constitutes "best practice" is contentious. And with most things security, there is often a trade-off when you tighten the screws.

If you have any feedback regarding something that we're being a bit over vigilant about, please let us know and we'll at least revisit it.

Add new comment