update

README.md

@@ -47,14 +47,31 @@ server {
 
 See [examples/example.com.conf](examples/example.com.conf:1) for the full server-level example.
 
-### Reverse proxy with websocket support
+### Optional `http {}` features
 
-Websocket proxying needs one `http {}`-level `map` plus `location {}`-level proxy snippets:
+These snippets are independent `http {}`-level features:
+
+```nginx
+http {
+	include kit/http/gzip.conf;
+}
+```
+
+Use `kit/http/gzip.conf` when you want nginx to compress common text-based responses. It is not specific to proxying or websocket traffic.
 
 ```nginx
 http {
 	include kit/http/websocket-map.conf;
+}
+```
 
+Use `kit/http/websocket-map.conf` only when a `location {}` will include `kit/proxy_pass/websocket.conf`.
+
+### Reverse proxy
+
+Plain HTTP reverse proxying only needs the `location {}`-level proxy snippets:
+
+```nginx
 server {
 	# ...
 	location / {
@@ -62,7 +79,19 @@ http {
 		include kit/proxy_pass/timeout-300.conf;
 		proxy_pass http://app_backend;
 	}
+}
+```
 
+### Websocket reverse proxy
+
+Websocket proxying adds one `http {}`-level dependency plus the websocket location snippet:
+
+```nginx
+http {
+	include kit/http/websocket-map.conf;
+
+	server {
+		# ...
 		location /ws/ {
 			include kit/proxy_pass/forwarded.conf;
 			include kit/proxy_pass/websocket.conf;
@@ -101,6 +130,7 @@ server {
 
 ## Snippet reference
 
+- `kit/http/gzip.conf`: gzip compression for common text-based responses. Must be included inside `http {}`.
 - `kit/http/websocket-map.conf`: defines `$connection_upgrade` for websocket proxying. Must be included inside `http {}`.
 - `kit/security.conf`: common security headers and host normalization. Intended for `server {}`.
 - `kit/ssl/security.conf`: TLS protocol and session resumption settings. Intended for `server {}`.
@@ -124,3 +154,9 @@ The script validates:
 
 - [examples/example.com.conf](examples/example.com.conf:1) as a server-level snippet.
 - [examples/reverse-proxy.nginx.conf](examples/reverse-proxy.nginx.conf:1) as a complete nginx config.
+
+## Notes
+
+- `gzip_proxied` does not remove `ETag` or `Last-Modified` headers. It only controls when nginx may gzip requests that arrived through another proxy.
+- `text/html` does not need to appear in `gzip_types`; nginx compresses it automatically.
+- Gzip over HTTPS can contribute to BREACH-style risk for responses that reflect attacker-controlled input alongside secrets. Keep that in mind for highly sensitive dynamic pages.

examples/reverse-proxy.nginx.conf

@@ -4,6 +4,7 @@ http {
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
 
+	include kit/http/gzip.conf;
 	include kit/http/websocket-map.conf;
 
 	upstream app_backend {

http/gzip.conf

@@ -0,0 +1,29 @@
+# Enable gzip for common text-based responses.
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+
+# This does not remove ETag or Last-Modified headers; it only controls when
+# nginx may gzip requests that already passed through an intermediary proxy.
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+
+gzip_types
+	application/atom+xml
+	application/javascript
+	application/json
+	application/ld+json
+	application/manifest+json
+	application/rss+xml
+	application/vnd.geo+json
+	application/vnd.ms-fontobject
+	application/wasm
+	application/x-web-app-manifest+json
+	application/xhtml+xml
+	application/xml
+	image/svg+xml
+	text/css
+	text/javascript
+	text/plain
+	text/xml
+	text/vtt;

scripts/validate-docker.ps1

@@ -13,6 +13,7 @@ $serverSnippetConfig = @(
 	"	include /etc/nginx/mime.types;"
 	"	default_type application/octet-stream;"
 	""
+	"	include /etc/nginx/kit/http/gzip.conf;"
 	"	include /etc/nginx/kit/http/websocket-map.conf;"
 	""
 	"	include /etc/nginx/kit/examples/example.com.conf;"