incubator-pagespeed-ngx
incubator-pagespeed-ngx copied to clipboard
apache
BeaconUrl uses HTTP instead of HTTPS + LoadFromFile not working
Hello, We experience 2 problems since we moved from : Linux Debian 8.8 + nginx 1.10.3 + ngx_pagespeed 1.11.33.2-0 (from deb http://packages.dotdeb.org jessie-nginx-http2 all) to : Linux Debian 9.4 + nginx 1.12.2 + ngx_pagespeed 1.13.35.2 (from deb https://packagecloud.io/DaryL/libnginx-mod-pagespeed/debian/ stretch main)
Both servers use HTTPS with http/2 and memcached, nginx+pagespeed config are exactly the same.
The 2 problems on the new config are :
- Pagespeed ignores LoadFromFile (all files are loaded from HTTP)
- Some images are loaded via HTTP instead of HTTPS (mixed content), I think this is related to Pagespeed using http:// in the beacon URL instead of HTTPS
Does anyone have an idea of how to fix these problems please ?
/etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
load_module modules/ngx_pagespeed.so; # This line is required on the new server and not on the old one, but that's the only difference
events {
worker_connections 768;
multi_accept on;
}
http {
# ... nginx config here ...
include snippets/pagespeed.conf;
}
/etc/nginx/sites-enabled/vhost.conf
server {
listen 80;
listen [::]:80;
server_name www.example.com;
return 301 https://$host$request_uri;
}
server{
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.example.com;
# ... SSL config here ...
include snippets/pagespeed-server.conf;
}
/etc/nginx/snippets/pagespeed.conf :
pagespeed on;
pagespeed FileCachePath "/var/tmp";
pagespeed LogDir "/var/log/pagespeed";
pagespeed RewriteLevel CoreFilters;
pagespeed EnableFilters prioritize_critical_css;
pagespeed EnableFilters sprite_images,lazyload_images;
pagespeed EnableFilters convert_png_to_jpeg,convert_jpeg_to_webp;
pagespeed EnableFilters collapse_whitespace;
pagespeed EnableFilters defer_javascript;
pagespeed EnableFilters insert_dns_prefetch;
pagespeed EnableFilters canonicalize_javascript_libraries;
pagespeed FetchHttps enable;
pagespeed LoadFromFile "https?://$host/media" "$document_root/media";
pagespeed LoadFromFile "https?://$host/var" "$document_root/var";
pagespeed LoadFromFile "https?://$host/skin" "$document_root/skin";
pagespeed Disallow "*/admin/*";
pagespeed Disallow "*index.php/admin/*";
pagespeed MemcachedServers "127.0.0.1:11211";
pagespeed LoadFromFileCacheTtlMs 86400000;
pagespeed-server.conf :
# Ensure requests for pagespeed optimized resources go to the pagespeed handler
# and no extraneous headers get set.
location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
add_header "" "";
}
location ~ "^/pagespeed_static/" { }
location ~ "^/ngx_pagespeed_beacon$" { }
I've tried to override the beaconUrl with :
pagespeed BeaconUrl "https://www.example.com/ngx_pagespeed_beacon";
But it doesn't seem to work.
Perhaps is not related, but I think you need to configure ssl certificates pagespeed SslCertDirectory directory; pagespeed SslCertFile file; and the LoadFromFile diectives to be ended with slash pagespeed LoadFromFile "https?://$host/media/" "$document_root/media/"; and need to auth the domain pagespeed Domain http*://*.example.org;
Hi,
Just to bring a little bit of comfort, I have been battling the same LoadFromFile issue for a number of days. Details in this thread here: https://groups.google.com/forum/#!topic/ngx-pagespeed-discuss/bPOimYVrLBA
Just as a thought about your mixed content issue, I'd update the port 80 server block to include the non www form of your domain. Something like this may help "upgrade" insecure requests:
server { listen 80; listen [::]:80; server_name www.example.com example.com; return 301 https://$host$request_uri; }
If your running Wordpress, be sure to add $_SERVER['HTTPS'] = 'on'; into wp-config.php and make sure the sites URL starts with HTTPS. This is either within the General page (single site) or within Network Admin (Multisite)
Shane :)
Apache: ModPagespeedAddResourceHeader "Content-Security-Policy" "upgrade-insecure-requests;" Nginx: pagespeed AddResourceHeader "Content-Security-Policy" "upgrade-insecure-requests;" Might help you force browser only request resourse on HTTPS
Apache: ModPagespeedAddResourceHeader "Content-Security-Policy" "upgrade-insecure-requests;" Nginx: pagespeed AddResourceHeader "Content-Security-Policy" "upgrade-insecure-requests;" Might help you force browser only request resourse on HTTPS
Content-Security-Policy resolved the mixed content warning issue for me on nginx 1.15.6 (Debian Stretch). I used the nginx add_header directive instead as the pagespeed config wasn't kicking in for me:
add_header Content-Security-Policy upgrade-insecure-requests;
NOTE: the mixed content warning doesn't appear when running ngx_pagespeed in standby mode:
pagespeed standby;
and requesting the URL with the ?PageSpeed=on query parameter i.e.
https://example.com?PageSpeed=on
That's a shallow workaround IMHO. I think, the proper solution is following:
# to prevent pagespeed from rewriting https to http
pagespeed MapRewriteDomain https://example.com http://example.com;
pagespeed MapOriginDomain https://example.com http://example.com;
It worked for me, all links were replaced with https ones.
That's a shallow workaround IMHO. I think, the proper solution is following:
# to prevent pagespeed from rewriting https to http pagespeed MapRewriteDomain https://example.com http://example.com; pagespeed MapOriginDomain https://example.com http://example.com;It worked for me, all links were replaced with https ones.
as it did help with beacon, it did not help with /?PageSpeed=noscript which is for some reason put as http instead of https
nginx 1.23.2 + pagespeed 1.15.0.0-8917, and still the beacon is added as http:// when the only page working is http://` without 301;