Question

Apache mod_pagespeed and Content-Security-Policy

Posted July 23, 2018 2.3k views
Apache, Server Optimization, Ubuntu 16.04

I’m currently trying to set up my content security policy via the .htaccess file.

As for the script-src I’ve got things working pretty nicely so far with:

 Header always set Content-Security-Policy-Report-Only: " script-src 'unsafe-inline' 'unsafe-eval' https://example.com:443 https://ajax.googleapis.com:443 https://ajax.cloudflare.com:443 https://v2.zopim.com:443"

However, the pagespeed static files such as https://example.com/pagespeed_static/js_defer.I4cHjq6EEP.js aren’t included despite the fact that scripts like https://v2.zopim.com/bin/v/widget_v2.257.js are also included and also placed in subfolders while I only list the root domain in the security policy.

Does this have to do with the fact that the folder /pagespeed_static/ doesn’t really exist on my server? It at least doesn’t via FTP.

How do I go about fixing this?
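The host-source matching that the policy in the question relies on, as an added example that is not part of the original post. It is a simplified version of the CSP Level 3 rules (no redirects, a source without a scheme is treated as matching any scheme); the function names are hypothetical. It shows that a source with no path covers every path on that origin, so the browser's check does not depend on whether /pagespeed_static/ exists on disk, while a different scheme, host or port does not match.

```javascript
// Sources copied from the script-src in the question (keywords included).
const POLICY = ["'unsafe-inline'", "'unsafe-eval'", 'https://example.com:443',
  'https://ajax.googleapis.com:443', 'https://ajax.cloudflare.com:443', 'https://v2.zopim.com:443'];
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Split "scheme://host:port/path"; returns null for keywords such as 'unsafe-inline'.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ':' : null,
    host: m[2].toLowerCase(), port: m[3] || null, path: m[4] || '' };
}

// Simplified CSP3 check of one host-source expression against one script URL.
function hostSourceMatches(expr, rawUrl) {
  const src = parseHostSource(expr);
  if (!src) return false;
  const url = new URL(rawUrl);
  // Scheme: exact match, except that an http: source also covers https: URLs.
  if (src.scheme && src.scheme !== url.protocol &&
      !(src.scheme === 'http:' && url.protocol === 'https:')) return false;
  // Host: exact, or "*.example.com" matching any subdomain.
  if (src.host.startsWith('*.')) {
    if (!url.hostname.endsWith(src.host.slice(1))) return false;
  } else if (src.host !== '*' && src.host !== url.hostname) return false;
  // Port: an omitted port means the URL must use its scheme's default port.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  if (src.port !== '*' && (src.port || DEFAULT_PORTS[url.protocol]) !== urlPort) return false;
  // Path: an empty path in the source matches every path on that origin.
  if (src.path === '') return true;
  const path = decodeURIComponent(url.pathname);
  return src.path.endsWith('/') ? path.startsWith(src.path) : path === src.path;
}

// True when any source expression in the list allows the URL.
function allowedBy(sources, rawUrl) {
  return sources.some((s) => hostSourceMatches(s, rawUrl));
}
```

Running `allowedBy(POLICY, url)` against the exact URL the browser names in its CSP report shows which of scheme, host or port differs from the listed sources.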

1 answer

Hi @Evotech,

It sounds like the mod_pagespeed module hasn’t been properly configured.

Let me start from the beginning: how to install it and then configure it.

Installation

Before getting started as usual, you’ll need to update your system.

apt-get update -y

You will need to download the latest version of Mod_pagespeed from their official website. You can do it with the following command:

wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb

Once the download is completed, install it by running the following command:

dpkg -i mod-pagespeed-stable_current_amd64.deb

Once the installation has been completed successfully, restart Apache service to apply all the changes:

systemctl restart apache2

Now the installation has been completed and we can continue on to the configuration part.

Configure Mod_pagespeed Web Interface

The Modpagespeed module provides a simple and user-friendly web interface to view server state. You can enable the Modpagespeed web interface by creating the /pagespeed.conf file:

nano /etc/apache2/mods-available/pagespeed.conf

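You’ll need to add the following lines:

<Location /pagespeed_admin>
    # With "Order allow,deny", "Allow from all" admits every client, so the
    # two localhost lines have no effect; remove "Allow from all" to limit
    # the admin pages to localhost.
    Order allow,deny
    Allow from localhost
    Allow from 127.0.0.1
    Allow from all
    SetHandler pagespeed_admin
</Location>

<Location /pagespeed_global_admin>
    # Same access rules as above: "Allow from all" opens this handler to
    # every client.
    Order allow,deny
    Allow from localhost
    Allow from 127.0.0.1
    Allow from all
    SetHandler pagespeed_global_admin
</Location>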

Save and close the file when you are finished. Then restart the Apache service to apply all the changes:

systemctl restart apache2

Source

Please follow these steps, check if ModPageSpeed actually is used on your Application and see if the issues would still appear.

Regards,
KDSys