Brotli ("br") content-encoding support on the ProxySG appliance

book

Article ID: 168944

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Brotli is a compression algorithm from Google (http://google-opensource.blogspot.ca/2015/09/introducing-brotli-new-compression.html). Prior to version 7.1.x, the ProxySG appliance did not support this content-encoding; thus, features such as transformation of HTTP/S content, virus scanning, and apparent data type did not work (the appliance was not able to compress/decompress such content). If you have a pre-7.x deployment using these features are used and Brotli is detected, refer to the Workaround section.

Resolution

For details on Brotli support in SGOS 7.1.x, refer to the SGOS 7.1.x Administration Guide and Content Policy Language Reference.

Workaround

Use the following policy as a workaround in SGOS 6.x:

define action remove_brotli
    iterate(request.header.Accept-Encoding)
        iterator.exact = "br" iterator.delete()
    end
end

<Proxy>
    action.remove_brotli(yes)


Clients advertise their content encoding handling capability using the "Accept-Encoding" header. This policy will remove "br" (Brotli encoding") from the list of encodings supported by the user-agent/browser so that the server is not aware of this capability and doesn't use it.

Note: The "remove_brotli" action can be conditioned on other factors such as url domain etc. as appropriate.

After applying the policy, a well-behaved server should not send "Brotli" content encoding, but if a broken/bad server still sends "Brotli" content, the ICAP server may not be able to properly inspect the content. To prevent this, you can apply the following policy, which will deny the traffic after it has detected "Brotli" content in the response. The "deny" can be replaced by any suitable custom exception.

<proxy>
    response.header.Content-Encoding.exact = "br" deny