How to enable GZIP compression in IIS 7 5

Question

I want to compress my files using GZIP  Can you share the web config code for compressing files with GZIP   Is there anything more that I have to do after uploading my web config file

User · Answer

Filing this under  wow Turns out that IIS has different levels of compression configurable from 1-9  Some of my dynamic SOAP requests have been getting out of control recently  With the uncompressed SOAP being about 14MB and compressed 3MB  I noticed that in Fiddler when I compressed my request under Transformer it came to about 470KB instead of the 3MB - so  I figured there must be some way to get better compression  Eventually found this very informative blog post http   weblogs asp net owscott iis-7-compression-good-bad-how-much I went ahead and ran this commnd  followed by iisreset   C  Windows System32 Inetsrv Appcmd exe set config -section httpCompression - name  gzip   staticCompressionLevel 9 - name  gzip   dynamicCompressionLevel 9 Changed dynamic level up to 9 and now my compressed soap matches what Fiddler gave me - and it about 1 7th the size of the existing compressed file  Milage will vary  but for SOAP this is a massive massive improvement

User · Answer

Sometimes no matter what you do or follow whole internet posts  Try on the MIMETYPES of applicationhost config of the server  https   docs microsoft com en-us iis configuration system webserver httpcompression  configuration-sample

User · Answer

GZip Compression can be enabled directly through IIS   First  open up IIS    go to the website you are hoping to tweak and hit the Compression page  If Gzip is not installed  you will see something like the following        The dynamic content compression module is not installed     We should fix this  So we go to the    Turn Windows features on or off    and select    Dynamic Content Compression    and click the OK button   Now if we go back to IIS  we should see that the compression page has changed  At this point we need to make sure the dynamic compression checkbox is checked and we   re good to go  Compression is enabled and our dynamic content will be Gzipped   Testing - Check if GZIP Compression is Enabled  To test whether compression is working or not  use the developer tools in Chrome or Firebug for Firefox and ensure the HTTP response header is set   Content-Encoding  gzip

User · Answer

If anyone runs across this and is looking for a bit more up-to-date answer or copy-paste answer or answer targeting multiple versions than JC Raja s post  here s what I ve found   Google s got a pretty solid  easy-to-understand introduction to how this works and what is advantageous and not   https   developers google com web fundamentals performance optimizing-content-efficiency optimize-encoding-and-transfer They recommend the HTML5 Boilerplate project  which has solutions for different versions of IIS     NET version 3  NET version 4  NET version 4 5   MVC 5   Available here  https   github com h5bp server-configs-iis They have web configs that you can copy and paste changes from theirs to yours and see the changes  much easier than digging through a bunch of blog posts   Here s the web config settings for  NET version 4 5  https   github com h5bp server-configs-iis blob master dotnet 204 5 MVC5 Web config   lt  xml version  1 0  encoding  utf-8   gt   lt configuration gt     lt appSettings gt       lt add key  webpages Version  value  3 0 0 0    gt       lt add key  webpages Enabled  value  false    gt       lt add key  ClientValidationEnabled  value  true    gt       lt add key  UnobtrusiveJavaScriptEnabled  value  true    gt     lt  appSettings gt     lt system web gt       lt  --             Set compilation debug  true  to insert debugging             symbols into the compiled page  Because this             affects performance  set this value to true only             during development      -- gt       lt compilation debug  true  targetFramework  4 5    gt        lt  -- Security through obscurity  removes  X-AspNet-Version HTTP header from the response -- gt       lt  -- Allow zombie DOS names to be captured by ASP NET   con   com1   lpt1   aux   prt   nul  etc  -- gt       lt httpRuntime targetFramework  4 5  requestValidationMode  2 0  requestPathInvalidCharacters    enableVersionHeader  false  relaxedUrlToFileSystemMapping  true    gt        lt  -- httpCookies httpOnlyCookies setting defines whether cookies               should be exposed to client side scripts              false  Default   client side code can access cookies              true  client side code cannot access cookies              Require SSL is situational  you can also define the               domain of cookies with optional  domain  property -- gt       lt httpCookies httpOnlyCookies  true  requireSSL  false    gt        lt trace writeToDiagnosticsTrace  false  enabled  false  pageOutput  false  localOnly  true    gt     lt  system web gt       lt system webServer gt       lt  -- GZip static file content   Overrides the server default which only compresses static files over 2700 bytes -- gt       lt httpCompression directory   SystemDrive  websites  compressed  minFileSizeForComp  1024  gt         lt scheme name  gzip  dll   Windir  system32 inetsrv gzip dll    gt         lt staticTypes gt           lt add mimeType  text    enabled  true    gt           lt add mimeType  message    enabled  true    gt           lt add mimeType  application javascript  enabled  true    gt           lt add mimeType  application json  enabled  true    gt           lt add mimeType       enabled  false    gt         lt  staticTypes gt       lt  httpCompression gt        lt httpErrors existingResponse  PassThrough  errorMode  Custom  gt         lt  -- Catch IIS 404 error due to paths that exist but shouldn t be served  e g   controllers   global asax  or IIS request filtering  e g  bin  web config  app code  app globalresources  app localresources  app webreferences  app data  app browsers  -- gt         lt remove statusCode  404  subStatusCode  -1    gt         lt error statusCode  404  subStatusCode  -1  path   notfound  responseMode  ExecuteURL    gt         lt remove statusCode  500  subStatusCode  -1    gt         lt error statusCode  500  subStatusCode  -1  path   error  responseMode  ExecuteURL    gt       lt  httpErrors gt        lt directoryBrowse enabled  false    gt       lt validation validateIntegratedModeConfiguration  false    gt        lt  -- Microsoft sets runAllManagedModulesForAllRequests to true by default              You should handle this according to need but consider the performance hit               Good source of reference on this matter  http   www west-wind com weblog posts 2012 Oct 25 Caveats-with-the-runAllManagedModulesForAllRequests-in-IIS-78         -- gt       lt modules runAllManagedModulesForAllRequests  false    gt        lt urlCompression doStaticCompression  true  doDynamicCompression  true    gt       lt staticContent gt         lt  -- Set expire headers to 30 days for static content-- gt         lt clientCache cacheControlMode  UseMaxAge  cacheControlMaxAge  30 00 00 00    gt         lt  -- use utf-8 encoding for anything served text plain or text html -- gt         lt remove fileExtension   css    gt         lt mimeMap fileExtension   css  mimeType  text css    gt         lt remove fileExtension   js    gt         lt mimeMap fileExtension   js  mimeType  text javascript    gt         lt remove fileExtension   json    gt         lt mimeMap fileExtension   json  mimeType  application json    gt         lt remove fileExtension   rss    gt         lt mimeMap fileExtension   rss  mimeType  application rss xml  charset UTF-8    gt         lt remove fileExtension   html    gt         lt mimeMap fileExtension   html  mimeType  text html  charset UTF-8    gt         lt remove fileExtension   xml    gt         lt mimeMap fileExtension   xml  mimeType  application xml  charset UTF-8    gt         lt  -- HTML5 Audio Video mime types-- gt         lt remove fileExtension   mp3    gt         lt mimeMap fileExtension   mp3  mimeType  audio mpeg    gt         lt remove fileExtension   mp4    gt         lt mimeMap fileExtension   mp4  mimeType  video mp4    gt         lt remove fileExtension   ogg    gt         lt mimeMap fileExtension   ogg  mimeType  audio ogg    gt         lt remove fileExtension   ogv    gt         lt mimeMap fileExtension   ogv  mimeType  video ogg    gt         lt remove fileExtension   webm    gt         lt mimeMap fileExtension   webm  mimeType  video webm    gt         lt  -- Proper svg serving  Required for svg webfonts on iPad -- gt         lt remove fileExtension   svg    gt         lt mimeMap fileExtension   svg  mimeType  image svg xml    gt         lt remove fileExtension   svgz    gt         lt mimeMap fileExtension   svgz  mimeType  image svg xml    gt         lt  -- HTML4 Web font mime types -- gt         lt  -- Remove default IIS mime type for  eot which is application octet-stream -- gt         lt remove fileExtension   eot    gt         lt mimeMap fileExtension   eot  mimeType  application vnd ms-fontobject    gt         lt remove fileExtension   ttf    gt         lt mimeMap fileExtension   ttf  mimeType  application x-font-ttf    gt         lt remove fileExtension   ttc    gt         lt mimeMap fileExtension   ttc  mimeType  application x-font-ttf    gt         lt remove fileExtension   otf    gt         lt mimeMap fileExtension   otf  mimeType  font opentype    gt         lt remove fileExtension   woff    gt         lt mimeMap fileExtension   woff  mimeType  application font-woff    gt         lt remove fileExtension   crx    gt         lt mimeMap fileExtension   crx  mimeType  application x-chrome-extension    gt         lt remove fileExtension   xpi    gt         lt mimeMap fileExtension   xpi  mimeType  application x-xpinstall    gt         lt remove fileExtension   safariextz    gt         lt mimeMap fileExtension   safariextz  mimeType  application octet-stream    gt         lt  -- Flash Video mime types-- gt         lt remove fileExtension   flv    gt         lt mimeMap fileExtension   flv  mimeType  video x-flv    gt         lt remove fileExtension   f4v    gt         lt mimeMap fileExtension   f4v  mimeType  video mp4    gt         lt  -- Assorted types -- gt         lt remove fileExtension   ico    gt         lt mimeMap fileExtension   ico  mimeType  image x-icon    gt         lt remove fileExtension   webp    gt         lt mimeMap fileExtension   webp  mimeType  image webp    gt         lt remove fileExtension   htc    gt         lt mimeMap fileExtension   htc  mimeType  text x-component    gt         lt remove fileExtension   vcf    gt         lt mimeMap fileExtension   vcf  mimeType  text x-vcard    gt         lt remove fileExtension   torrent    gt         lt mimeMap fileExtension   torrent  mimeType  application x-bittorrent    gt         lt remove fileExtension   cur    gt         lt mimeMap fileExtension   cur  mimeType  image x-icon    gt         lt remove fileExtension   webapp    gt         lt mimeMap fileExtension   webapp  mimeType  application x-web-app-manifest json  charset UTF-8    gt       lt  staticContent gt       lt httpProtocol gt         lt customHeaders gt            lt  --     SECURITY Related Headers                 More information  https   www owasp org index php List of useful HTTP headers         -- gt           lt  --                   Access-Control-Allow-Origin                 The  Access Control Allow Origin  HTTP header is used to control which                 sites are allowed to bypass same-origin policies and send cross-origin requests                   Secure configuration  Either do not set this header or return the  Access-Control-Allow-Origin                  header restricting it to only a trusted set of sites                  http   enable-cors org                    lt add name  Access-Control-Allow-Origin  value       gt                  -- gt            lt  --                   Cache-Control                 The  Cache-Control  response header controls how pages can be cached                 either by proxies or the user s browser                  This response header can provide enhanced privacy by not caching                 sensitive pages in the user s browser cache                    lt add name  Cache-Control  value  no-store  no-cache   gt                  -- gt            lt  --                   Strict-Transport-Security                 The HTTP Strict Transport Security header is used to control                 if the browser is allowed to only access a site over a secure connection                 and how long to remember the server response for  forcing continued usage                  Note  Currently a draft standard which only Firefox and Chrome support  But is supported by sites like PayPal                   lt add name  Strict-Transport-Security  value  max-age 15768000   gt                  -- gt            lt  --                   X-Frame-Options                 The X-Frame-Options header indicates whether a browser should be allowed                 to render a page within a frame or iframe                  The valid options are DENY  deny allowing the page to exist in a frame                  or SAMEORIGIN  allow framing but only from the originating host                  Without this option set  the site is at a higher risk of click-jacking                    lt add name  X-Frame-Options  value  SAMEORIGIN    gt                  -- gt            lt  --                   X-XSS-Protection                 The X-XSS-Protection header is used by Internet Explorer version 8                  The header instructs IE to enable its inbuilt anti-cross-site scripting filter                  If enabled  without  mode block   there is an increased risk that                 otherwise  non-exploitable cross-site scripting vulnerabilities may potentially become exploitable                   lt add name  X-XSS-Protection  value  1  mode block   gt                  -- gt            lt  --                       MIME type sniffing security protection                 Enabled by default as there are very few edge cases where you wouldn t want this enabled                  Theres additional reading below  but the tldr  it reduces the ability of the browser  mostly IE                   being tricked into facilitating driveby attacks                  http   msdn microsoft com en-us library ie gg622941 v vs 85  aspx                 http   blogs msdn com b ie archive 2008 07 02 ie8-security-part-v-comprehensive-protection aspx         -- gt           lt add name  X-Content-Type-Options  value  nosniff    gt            lt  -- A little extra security  by obscurity   removings fun but adding your own is better -- gt           lt remove name  X-Powered-By    gt           lt add name  X-Powered-By  value  My Little Pony    gt            lt  --                  With Content Security Policy  CSP  enabled  and a browser that supports it  http   caniuse com  feat contentsecuritypolicy            you can tell the browser that it can only download content from the domains you explicitly allow          CSP can be quite difficult to configure  and cause real issues if you get it wrong          There is website that helps you generate a policy here http   cspisawesome com            lt add name  Content-Security-Policy   default-src  self   style-src  self   unsafe-inline   script-src  self  https   www google-analytics com     gt                  -- gt            lt  --       SECURITY Related Headers    -- gt            lt  --                 Force the latest IE version  in various cases when it may fall back to IE7 mode                 github com rails rails commit 123eb25 commitcomment-118920                 Use ChromeFrame if it s installed for a better experience for the poor IE folk                 -- gt           lt add name  X-UA-Compatible  value  IE Edge chrome 1    gt           lt  --                 Allow cookies to be set from iframes  for IE only                  If needed  uncomment and specify a path or regex in the Location directive                   lt add name  P3P  value  policyref  amp quot  w3c p3p xml amp quot   CP  amp quot IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT amp quot     gt                  -- gt          lt  customHeaders gt       lt  httpProtocol gt        lt  --          lt rewrite gt               lt rules gt               Remove force the WWW from the URL              Requires IIS Rewrite module http   learn iis net page aspx 460 using-the-url-rewrite-module              Configuration lifted from http   nayyeri net remove-www-prefix-from-urls-with-url-rewrite-module-for-iis-7-0              NOTE  You need to install the IIS URL Rewriting extension  Install via the Web Platform Installer              http   www microsoft com web downloads platform aspx                 Important Note             using a non-www version of a webpage will set cookies for the whole domain making cookieless domains              eg  fast CD-like access to static resources like CSS  js  and images  impossible                 IMPORTANT  THERE ARE TWO RULES LISTED  NEVER USE BOTH RULES AT THE SAME TIME                    lt rule name  Remove WWW  stopProcessing  true  gt                       lt match url            gt                       lt conditions gt                           lt add input   HTTP HOST   pattern    www            gt                       lt  conditions gt                       lt action type  Redirect  url  http   example com PATH INFO   redirectType  Permanent    gt                   lt  rule gt                   lt rule name  Force WWW  stopProcessing  true  gt                       lt match url        gt                       lt conditions gt                           lt add input   HTTP HOST   pattern   example com     gt                       lt  conditions gt                       lt action type  Redirect  url  http   www example com  R 0   redirectType  Permanent    gt                   lt  rule gt                      E-TAGS                 E-Tags are actually quite useful in cache management especially if you have a front-end caching server such as Varnish  http   en wikipedia org wiki HTTP ETag   http   developer yahoo com performance rules html etags                 But in load balancing and simply most cases ETags are mishandled in IIS  and it can be advantageous to remove them            removed as in https   stackoverflow com questions 7947420 iis-7-5-remove-etag-headers-from-response           lt rewrite gt              lt outboundRules gt                 lt rule name  Remove ETag  gt                    lt match serverVariable  RESPONSE ETag  pattern        gt                    lt action type  Rewrite  value      gt                 lt  rule gt              lt  outboundRules gt           lt  rewrite gt               -- gt       lt  --                 Built-in filename-based cache busting              In a managed language such as  net  you should really be using the internal bundler for CSS   js             or get cassette or similar               If you re not using the build script to manage your filename version revving              you might want to consider enabling this  which will route requests for              css style 20110203 css to  css style css              To understand why this is important and a better idea than all css v1231              read  github com h5bp html5-boilerplate wiki Version-Control-with-Cachebusting                   lt rule name  Cachebusting  gt                       lt match url          d     js css png jpg gif       gt                       lt action type  Rewrite  url   R 1  R 2     gt                   lt  rule gt                lt  rules gt           lt  rewrite gt -- gt      lt  system webServer gt      lt runtime gt       lt assemblyBinding xmlns  urn schemas-microsoft-com asm v1  gt         lt dependentAssembly gt           lt assemblyIdentity name  System Web Helpers  publicKeyToken  31bf3856ad364e35    gt           lt bindingRedirect oldVersion  1 0 0 0-3 0 0 0  newVersion  3 0 0 0    gt         lt  dependentAssembly gt         lt dependentAssembly gt           lt assemblyIdentity name  System Web Mvc  publicKeyToken  31bf3856ad364e35    gt           lt bindingRedirect oldVersion  1 0 0 0-5 0 0 0  newVersion  5 0 0 0    gt         lt  dependentAssembly gt         lt dependentAssembly gt           lt assemblyIdentity name  System Web Optimization  publicKeyToken  31bf3856ad364e35    gt           lt bindingRedirect oldVersion  1 0 0 0-1 1 0 0  newVersion  1 1 0 0    gt         lt  dependentAssembly gt         lt dependentAssembly gt           lt assemblyIdentity name  System Web WebPages  publicKeyToken  31bf3856ad364e35    gt           lt bindingRedirect oldVersion  1 0 0 0-3 0 0 0  newVersion  3 0 0 0    gt         lt  dependentAssembly gt         lt dependentAssembly gt           lt assemblyIdentity name  WebGrease  publicKeyToken  31bf3856ad364e35    gt           lt bindingRedirect oldVersion  1 0 0 0-1 5 2 14234  newVersion  1 5 2 14234    gt         lt  dependentAssembly gt       lt  assemblyBinding gt     lt  runtime gt   lt  configuration gt    Edit  One update if you need Gzip compression on WebAPI responses  I wasn t aware our WebAPI wasn t returning Gzipped responses until recently and scratched my head for a while because we had dynamic and static compression turned on in web config  We looked at writing our own compression services and response handlers  still on WebAPI 2 not on  NET Core where it s easier now   but that was too cumbersome for what seemed like something we should just be able to turn on    If you re interested here s what we were looking at for our own compression service https   krzysztofjakielaszek com 2017 03 26 webapi2-response-compression-gzip-brotli-deflate  EDIT  Link is now offline  but you can view the code content here  https   web archive org web 20190608161201 https   krzysztofjakielaszek com 2017 03 26 webapi2-response-compression-gzip-brotli-deflate     Instead  we found this great post by Ben Foster  http   benfoster io blog aspnet-web-api-compression   If you can modify applicationHost config  running your own servers   you can pop that config file open and add the mimeTypes you want to compress  I pulled the relevant ones based on what our API was returning to clients from our Web Config   Save that file  IIS will pickup your changes  recycle app pools  and your WebAPI will start returning gzip compressed responses to clients who request it    If you don t see gzipped responses  check the response content type with Fiddler or Chrome Firefox Dev Tools  and ensure it matches what you added  I had to change the view mode  use large request rows  in Chrome Dev Tools to ensure it showed the total size vs transferred size  If everything validates  try rebooting the server once to just ensure it was properly applied  I did have one syntax error where when I opened up the site in IIS  IIS poppped open a message about a parsing error that I had to fix in the config file    lt httpCompression directory   TEMP  iisexpress IIS Temporary Compressed Files  gt       lt scheme name  gzip  dll   IIS BIN  gzip dll    gt       lt dynamicTypes gt                        lt  -- compress JSON responses from Web API -- gt                      lt add mimeType  application json  enabled  true    gt                     lt  dynamicTypes gt       lt staticTypes gt                   lt  staticTypes gt   lt  httpCompression gt

User · Answer

This is more an add-on to the best answer above  GZip Compression can be enabled directly through IIS  which is correct if your running IIS on Windows desktop however     If your running IIS on Windows Server  this content compression feature is found in a different place to desktop Windows  not in programs and features in Control Panel     First open  Server Manager  then click Manage -   Add Roles  amp  Features  then keep clicking NEXT  make sure you select the correct server when you see the list of servers if your managing multiple servers from this instance  until you get to SERVER ROLES  scroll down to and open  Web Server  IIS      then  Web Server  then  Performance  then tick  Dynamic Content Compression  then click INSTALL    I tested this on Server 2016 Standard so there may be slight differences if your on an earlier version of Server   Then follow the instructions from Testing - Check if GZIP Compression is Enabled

User · Answer

Global Gzip in HttpModule  If you don t have access to shared hosting - the final IIS instance  You can create a HttpModule that gets added this code to every HttpApplication Begin Request event -  HttpContext context   HttpContext Current  context Response Filter   new GZipStream context Response Filter  CompressionMode Compress   HttpContext Current Response AppendHeader  Content-encoding    gzip    HttpContext Current Response Cache VaryByHeaders  Accept-encoding     true

[compression] How to enable GZIP compression in IIS 7.5

Filing this under #wow

Turns out that IIS has different levels of compression configurable from 1-9.

Examples related to compression

Examples related to gzip

Examples related to web-config