Compression
Similar to SSL/TLS, you can completely offload compression to FortiWeb to save resources on your web servers.
Configuring compression exemptions
If necessary, you can exempt HTTP Host:
names and URLs from compression by FortiWeb. Generally, if a specific web server already applies compression, and if a specific response never needs to be scanned, compressed, or rewritten, it should be exempt from compression by FortiWeb.
If compressed, a request or response usually cannot be scanned, rewritten, or otherwise modified by FortiWeb. If you exempt vulnerable URLs, this will compromise the security of your network. |
To configure a rule exclusion
- Go to Application Delivery > Compression and select the Exclusion Rule tab.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
- Click Create New.
- In Name, type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
- Click OK.
- Click Create New.
- Enable Host Status to require that the
Host:
field of the HTTP request match a protected host names entry in order to match the exclusion. - From the Host drop-down list, select which protected host entry that the
Host:
field of the HTTP request must be in to match the exclusion. - In Request URL, enter a literal URL, such as
/folder1/index.htm
that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as/folder1/*
or/folder1/*/index.htm
. - Click OK.
- Include the exception in a compression policy. For details, see Configuring compression offloading.
Also configure Host.
This option is available only if Host Status is enabled.
The URL must begin with a slash ( / ). The URL must not include the domain or IP address.
Configuring compression offloading
Most web servers can be configured to compress files when responding to a request. Compressed files often reduce bandwidth, and can result in faster delivery time to clients. Modern browsers automatically decompress files before displaying the web pages.
To successfully decompress and read the response, clients use the corresponding decompression algorithm. Web servers include an HTTP header such as:
Content-Encoding: gzip
to indicate which algorithm was used to compress the HTTP body:
^_<8B>^H^H+h,M^@^Cimage.png^@<EC><FC>St<AE>K<D4><EF><8B><C6>^\1G<AC>^Q<DB>
<U+0588>Fl۶m۶m۶m<DB>^Y<D1>N<E6><9C><DF>^<AB><B5>sq<CE><D5><D9><FB>b<A5><B5>\<BC><EF><F3>T/<F5><AA><EA><BF>^?<F5>$DZR^X^F
^C
^@^@^@揈<80>,^@^@ <EF><D7><EF>6^D<D8><D7>7<F3><E1><F5>^B^@^@x^@^?^D<F8><E4><9D>
(content truncated)
To gain the benefits that compression offers, and not to configure it on your web servers, you can offload compression to FortiWeb instead.
If your web servers are starved for CPU cycles and RAM, offloading compression from your web servers to FortiWeb can alleviate that bottleneck and improve performance. |
Based upon the HTTP Content-Type:
headers that you select (which correspond to Internet file type/MIME type categories such as images and XML), FortiWeb will compress matching responses. The total size of a large web page with lengthy JavaScripts and CSS, while in transit, could be many times smaller.
The maximum pre-compressed file size that FortiWeb can compress is 128 KB. Files larger than that limit will be transmitted without compression. |
For example, a typical web page is comprised of several responses, such as an HTML document:
Content-Type: text/html
perhaps several images:
Content-Type: image/png
and a JavaScript:
Content-Type: text/javascript
If your protected web servers do not already apply compression, and you configure a compression policy for text/html
and text/javascript
, those typically lengthy and repetitive text-based documents can be efficiently compressed into much smaller responses. If bandwidth between server and client is the performance bottleneck, this could improve performance dramatically.
Not all HTTP clients support compression: RPC clients, for example, transmit binary data and do not support compression. For those host names and/or URLs, you should create exceptions.
To configure a file compression policy
- Before you configure file compression, configure the exceptions, if any. For details, see Configuring compression exemptions.
- Go to Application Delivery > Compression and select the File Compress Policy tab.
- Click Create New.
- Configure these settings:
Name
Enter a name that can be referenced by other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.
Select the compression method for the content type(s) that you specify later:
Gzip
—FortiWeb will use gzip for file compression. For details, see https://tools.ietf.org/html/rfc1952.Brotli
—FortiWeb will use Brotli for file compression. For details, see https://tools.ietf.org/html/rfc7932. Also configure the Compression Level.
This option is available only when you select Brotli for the Compression Type. Select the compression level. The valid range is 1–11.
Exclusion Rule
Select an existing exclusion rule, if any, to apply to the policy. For details, see Configuring compression exemptions.
Optionally, select an exclusion rule and click the Detail link. The exclusion dialog appears. You can view and edit the exclusion rule from here. Use the browser Back button to return.
- Click OK.
- To add or remove a content type, click Create New.
- In the Content Types list, select the content types that you want to compress, then click the right arrow (->) to move them to the Allow Types list.
For external JavaScripts, content type strings vary. If you are unsure of the content type string, for maximum coverage, select all JavaScript content type strings. However, due to wide browser compatibility, despite its current deprecated status, many web servers use
text/javascript
.These apply compression only to JavaScripts that are external to a web page — that is, not directly embedded in a <script>
tag or inline in the HTML document itself, but instead included via reference to a JavaScript file, such as<script src="/nav/menu.js">
, and therefore are contained in a separate HTTP response from the HTML document. Likewise, selecting thetext/css
content type for compression will only compress external CSS. It will not compress CSS embedded directly within the HTML file. (Embedded CSS or JavaScript are governed byContent-Type: text/html
instead.) - Click OK.
- To apply the compression policy, select it in an inline protection profile used by a server policy. For details, see Configuring a protection profile for inline topologies.
If your web servers are already configured to compress responses, you should either disable compression on the server, or configure exceptions for URLs hosted by that server. Otherwise, in some cases, FortiWeb might expend resources compressing responses that have already been compressed by the server. This can cause performance to decrease instead of increase. |
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.