Question

Apache mod_pagespeed and Content-Security-Policy

I’m currently trying to setup my content security policy via the .htaccess file.

As for the script-src I’ve got things working pretty nicely so far with:

 Header always set Content-Security-Policy-Report-Only: " script-src 'unsafe-inline' 'unsafe-eval' https://example.com:443 https://ajax.googleapis.com:443 https://ajax.cloudflare.com:443 https://v2.zopim.com:443"

However, the pagespeed static files such as https://example.com/pagespeed_static/js_defer.I4cHjq6EEP.js aren’t included despite the fact that scripts like https://v2.zopim.com/bin/v/widget_v2.257.js are also included and also placed in subfolders while I only list the root domain in the security policy.

Does this have to do with the fact that the folder /pagespeed_static/ doesn’t really exist on my server? It at least doesn’t via ftp.

How do I go about fixing this?


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Hi @Evotech,

It sounds like the mod_pagespeed module hasn’t been properly configured.

Let me start from the beginning, how to install it and then configure it

Instalation

Before getting started as usual, you’ll need to update your system.

apt-get update -y

You will need to download the latest version of Mod_pagespeed from their official website. You can do it with the following command:

wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb

Once the download is completed, install it by running the following command:

dpkg -i mod-pagespeed-stable_current_amd64.deb

Once the installation has been completed successfully, restart Apache service to apply all the changes:

systemctl restart apache2

Now the installation has been completed and we can continue onto the Configuration part

Configure Mod_pagespeed Web Interface

Mod_pagespeed module provides a simple and user-friendly web interface to view server state. You can enable Mod_pagespeed web interface by creating /pagespeed.conf file:

nano /etc/apache2/mods-available/pagespeed.conf

You’ll need to add the following lines

<Location /pagespeed_admin>
    Order allow,deny
    Allow from localhost
    Allow from 127.0.0.1
    Allow from all
    SetHandler pagespeed_admin
</Location>

<Location /pagespeed_global_admin>
    Order allow,deny
    Allow from localhost
    Allow from 127.0.0.1
    Allow from all
    SetHandler pagespeed_global_admin
</Location>

Save and close the file, when you are finished. Then, restart Apache service to apply all the changes:

systemctl restart apache2

Source

Please follow these steps, check if ModPageSpeed actually is used on your Application and see if the issues would still appear.

Regards, KDSys