Add support for gzip content-encoding in HTTP client #8731

zwass · 2025-12-11T21:47:57Z

Toggled via --tls_accept_gzip default off (may switch to default on in future releases)
Send headers indicating gzip support and decompress gzipped responses
Clean up existing gzip compression functoin and add decompression function
Update tests for roundtrip compression and integration testing gzip with an HTTP server

- Toggled via `--tls_enable_gzip` default off - Send headers indicating gzip support and decompress gzipped responses - Clean up existing gzip compression functoin and add decompression function - Update tests for roundtrip compression and integration testing gzip with an HTTP server

directionless

What about using gzip for the uploads?

Also, this feels like something we should enable by default, and thus that we should build the flag names to be more reasonable when we roll that out.

directionless · 2025-12-12T16:19:33Z

osquery/remote/transports/tls.cpp

+CLI_FLAG(bool,
+         tls_enable_gzip,
+         false,
+         "Enable gzip compression for HTTP responses");


If I imagine us in a year, this feels wrong. This feels like the sort of thing we should always have enabled, and perhaps a flag to force disabling it for broken http servers.

So I think we should name it in a way that makes that clear. (eg: I think we'll want to default this to enabled in the future)

Yes I agree that we probably want to make it default at some point, but I definitely want to keep it off by default at first. Perhaps just swap this to tls_disable_gzip and flip the default for now?

Yah -- I think default false for a release is correct. But I think we should name it so we don't end up telling people to use tls_enable_gzip=false

so renaming to tls_disable_gzip makes sense

zwass · 2025-12-15T16:40:27Z

For requests from the osquery client, I think we may want another mechanism for enabling and disabling. Perhaps the server needs to return an Accept-Encoding? Perhaps it should be a separate option?

I would love to pursue adding that.

Ideally we merge this before the coming release so that we can start testing it and continue to expand the gzip capabilities.

directionless · 2025-12-16T02:59:46Z

For requests from the osquery client, I think we may want another mechanism for enabling and disabling. Perhaps the server needs to return an Accept-Encoding? Perhaps it should be a separate option?

Why would be a different option?

zwass · 2025-12-16T16:33:46Z

Why would be a different option?

Because the client can send an Accept-Encoding with the request so the server knows the client can receive gzip. The server on the other hand can only fail to receive a request by returning an error code.

It seems like some state needs to be maintained on the client indicating whether the server can receive gzip. When I think about that, I lean towards the server being able to return a configuration option that indicates it can receive that encoding.

zwass · 2025-12-16T16:56:25Z

Alternatively, I'd be okay with calling the flag tls_gzip and then expecting that is only set to true when the server will support receiving gzipped requests.

zwass · 2025-12-16T21:48:42Z

We discussed further in Slack. Now updated per the discussion.

zwass
  [Today at 12:32 PM](https://osquery.slack.com/archives/C08VA3XQU/p1765917130472619)
[@seph](https://osquery.slack.com/team/U7QP20JQH) regarding the (TLS gzip flag naming)[https://github.com/osquery/osquery/pull/8731#issuecomment-3661415819} I was finding it very appealing to make the single flag tls_gzip that would control both requests and responses but then I realized that could end up being problematic if we want to turn it on by default and not all servers support gzip. I think the viable paths are:
1) Single flag, never enabled by default (or maybe enabled by default in a major version release? with documentation that servers MUST support it?)
2) Separate flags for requests/responses, with requests enabled by default in a future release (server can always choose to ignore and return an uncompressed response)
What are your thoughts?
17 replies
Lucas Rodriguez
  [26 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765920028692899?thread_ts=1765917130.472619&cid=C08VA3XQU)
(server can always choose to ignore and return an uncompressed response)
Though the requests may fail if gzip decoding is not supported by the server, maybe at this point almost all flavors of servers do support it? In any case, users can turn gzip encoding on requests when this happens.
[1:20](https://osquery.slack.com/archives/C08VA3XQU/p1765920041035039?thread_ts=1765917130.472619&cid=C08VA3XQU)
Separate flags makes sense to me (my 2 cents). (edited) 
[1:21](https://osquery.slack.com/archives/C08VA3XQU/p1765920095433859?thread_ts=1765917130.472619&cid=C08VA3XQU)
Guess: if a server supports request decoding it most likely supports response encoding?
zwass
  [22 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765920245537819?thread_ts=1765917130.472619&cid=C08VA3XQU)
Ah sorry I was not clear at all with my wording in #2 there. We would turn on accepting gzip by default but continue to leave sending gzip off by default.
The reason being the request can set an accept encoding for gzip and the server can just choose to return uncompressed data even if osquery supports gzip.
seph
  [21 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765920305219609?thread_ts=1765917130.472619&cid=C08VA3XQU)
<thinks>
[1:26](https://osquery.slack.com/archives/C08VA3XQU/p1765920375432779?thread_ts=1765917130.472619&cid=C08VA3XQU)
So my general goals are to do things that feel right. Defaults should be the common use case, and named well.
[1:27](https://osquery.slack.com/archives/C08VA3XQU/p1765920467141009?thread_ts=1765917130.472619&cid=C08VA3XQU)
So… if I think about it. Osquery ought just be able to handle server gzipped  responses always. We can send the appropriate accept header and assume the right things. Right?
Maybe worth an option in the override a normal behavior to debug something weird.
[1:28](https://osquery.slack.com/archives/C08VA3XQU/p1765920505017809?thread_ts=1765917130.472619&cid=C08VA3XQU)
But sending data is tricky. Since osquery starts with a post, we don't have a way to know what's supported. (Without tracking it, which feels messy)
zwass
  [17 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765920552384189?thread_ts=1765917130.472619&cid=C08VA3XQU)
Yeah this all makes sense to me. I could see removing the flag entirely to accept gzip once we have some more confidence in the feature.
seph
  [16 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765920565114519?thread_ts=1765917130.472619&cid=C08VA3XQU)
So I think separate options, with separate defaults?
Do we think most osquery servers support gzip? That would bias the defaults.
zwass
  [11 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765920885483259?thread_ts=1765917130.472619&cid=C08VA3XQU)
Yeah okay so I think we do
tls_accept_gzip (default false right now, default true once we build confidence in the stability)
tls_send_gzip (default false for the foreseeable future)
Lucas Rodriguez
  [9 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765920968932589?thread_ts=1765917130.472619&cid=C08VA3XQU)
Flags looks good.
What would be a reason for users to set tls_accept_gzip=false?
zwass
  [9 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765920973197429?thread_ts=1765917130.472619&cid=C08VA3XQU)
Fleet for example supports neither at the moment. Could be fronted by a proxy that does though. But we'll add it.
[1:36](https://osquery.slack.com/archives/C08VA3XQU/p1765921018863899?thread_ts=1765917130.472619&cid=C08VA3XQU)
Immediately so that the feature can be toggled for testing. Later, in case they decide they don't want to use the CPU on decompression? Or if a critical bug comes up?
Lucas Rodriguez
  [8 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765921037578599?thread_ts=1765917130.472619&cid=C08VA3XQU)
 Later, in case they decide they don't want to use the CPU on decompression? Or if a critical bug comes up?
Good point.
zwass
  [8 minutes ago](https://osquery.slack.com/archives/C08VA3XQU/p1765921055802709?thread_ts=1765917130.472619&cid=C08VA3XQU)
I could see removing the option in a release or two if we decide it's plenty stable
[1:39](https://osquery.slack.com/archives/C08VA3XQU/p1765921199027469?thread_ts=1765917130.472619&cid=C08VA3XQU)
Okay so I think this PR goes ahead with the tls_accept_gzip flag and future work handles the rest.

lucasmrod · 2025-12-17T12:37:06Z

docs/wiki/installation/cli-flags.md


+`--tls_accept_gzip=true`
+
+(Default false) Enable the HTTP client to process gzip responses from the server. Will turn on sending an `Accept-Encoding: gzip` header. In the future this flag may default to true, or be removed entirely with the feature always on.


Removing a flag would be a breaking change, right? (Because starting osquery with an invalid flag would crash). Maybe the flag can be deprecated+hidden but not removed?

Yah. Toggling the default would be safe, and I assume Zach meant "remove the functionality attached"

Yeah if we really removed it I think we would need to do it in a major version or just log a warning without crashing.

lucasmrod · 2025-12-17T13:12:14Z

osquery/remote/requests.cpp

  return output;
 }
+
+std::string decompressString(const std::string& data) {


Could we return an error/status? Or maybe just add VLOG(1)s on the places that there's an error and the empty string is returned. (Thinking about troubleshooting.)

Yeah, adding error log

lucasmrod

LGTM! Left a few comments.

zwass added 2 commits December 11, 2025 13:30

reduce duplication

a894038

zwass requested review from a team as code owners December 11, 2025 21:47

zwass added remote configuration labels Dec 11, 2025

fix format

6d5839b

directionless reviewed Dec 12, 2025

View reviewed changes

zwass added 2 commits December 16, 2025 13:45

update flag naming

d5af4da

fix format

1eab5e2

lucasmrod reviewed Dec 17, 2025

View reviewed changes

add log

72eac31

directionless approved these changes Dec 17, 2025

View reviewed changes

lucasmrod approved these changes Dec 17, 2025

View reviewed changes

zwass merged commit 538587f into osquery:master Dec 18, 2025
21 checks passed

zwass deleted the http-gzip branch December 18, 2025 00:21

zwass mentioned this pull request Jan 6, 2026

Support gzip compression for agent API responses fleetdm/fleet#37944

Open

26 tasks


		`--tls_accept_gzip=true`

		(Default false) Enable the HTTP client to process gzip responses from the server. Will turn on sending an `Accept-Encoding: gzip` header. In the future this flag may default to true, or be removed entirely with the feature always on.

Uh oh!

Add support for gzip content-encoding in HTTP client #8731

Add support for gzip content-encoding in HTTP client #8731

Uh oh!

Conversation

zwass commented Dec 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

directionless left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

zwass commented Dec 15, 2025

Uh oh!

directionless commented Dec 16, 2025

Uh oh!

zwass commented Dec 16, 2025

Uh oh!

zwass commented Dec 16, 2025

Uh oh!

zwass commented Dec 16, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

lucasmrod left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

zwass commented Dec 11, 2025 •

edited

Loading