We are using Google PageSpeed module running on Apache, it is possible to configure it so that the base url uses https?
It currently outputs the following.
<noscript>
<meta HTTP-EQUIV="refresh" content="0;url='http://example.com/?ModPagespeed=noscript'" />
<style><!--table,div,span,font,p{display:none} --></style>
<div style="display:block">Please click here if you are not redirected within a few seconds.</div>
</noscript>
It should be https://example.com - It there a setting inpagespeed.conf to correct this?
It turns out that the site was running behind a load balancer. All HTTPS requests were forwarded via HTTP. To correct the issue we needed to set
ModPagespeedRespectXForwardedProto on
The documentation for https support explains the process.
Related
I'm hosting my git-hub pages website (peps09791.github.io) using a custom domain (https://thebotspeaks.com) with Cloudflare.
To enable HTTPS, I have done the following configurations:
In my _config.yaml file
I have set the URL key accordingly
url: "https://peps0791.github.io"
From my cloudFlare dashboard, I have enabled option of HTTPS rewrites to prevent mixed content error.
I have also enabled Flexible SSL from CloudFlare.
I haven't enabled default HTTPS-redirection because the website breaks over HTTPS. On HTTP, it works fine.
Right now, when I try to access my website using HTTPS, I get mixed content error:
Mixed Content: The page at 'https://thebotspeaks.com/' was loaded over HTTPS, but requested an insecure image 'http://thebotspeaks.com/assets/images/bio-photo.jpg'. This content should also be served over HTTPS.
09:54:45.323 (index):1 Mixed Content: The page at 'https://thebotspeaks.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://thebotspeaks.com/assets/css/main.css'. This request has been blocked; the content must be served over HTTPS.
09:54:45.785 (index):1 Mixed Content: The page at 'https://thebotspeaks.com/' was loaded over HTTPS, but requested an insecure script 'http://thebotspeaks.com/assets/js/main.min.js'. This request has been blocked; the content must be served over HTTPS.
From console, I can see this:
<script src="https://peps0791.github.io/assets/js/main.min.js"></script>
<link rel="stylesheet" href="https://peps0791.github.io/assets/css/main.css">
How do I resolve this issue?
The problem here is that your assets (i.e. your CSS or JavaScript) are redirecting to the HTTP version of your site. This is because your assets are referencing directly to your GitHub site instead of the Cloudflare-enabled domain.
For example; your HTML references your CSS files at https://peps0791.github.io/assets/css/main.css instead of https://thebotspeaks.com/assets/css/main.css
In order to fix this it looks like you'll need to update your _config.yaml file to have the following URL key:
url: "https://thebotspeaks.com"
More general advice on fixing a variety of Mixed Content issues can be found in the following article on the Cloudflare Knowledge Base: How do I fix the SSL Mixed Content Error Message?
Adding this helped me to deal with the Mixed Content error on GitHub pages on a custom domain secured with enabled HTTPS:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Apparently for me. The website inside CNAME file in Github repo did NOT had https prefix. So I added https://. and it worked.
Cheers
P.S: Fixed this problem after 1 year, can you believe.
I noticed when accessing a site using HTTPS I get errors in the JS console when trying to include CSS or JS files from a relative path such as this:
<link rel="stylesheet" type="text/css" href="css/demo.css?id=14" />
Mixed Content: The page at 'https://mysiste.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://mysiste.com/css/demo.css?id=14'. This request has been blocked; the content must be served over HTTPS.
What's the ideal solution for this scenarios?
Should I just force all the HTTP accesses to be redirected to HTTPS?
Or is there a way to tell the server to serve all relative paths using HTTPS?
Relative links will use the protocol and host from the base URL. The base URL is usually the one which can be seen in the URL bar. But it is possible to change the base URL explicitly using the base tag.
This means if you have a base URL with http as protocol set in your page it will still use http instead of https even though you've accessed the site with https and the reference is relative, i.e. like this:
<base href="http://example.com/">
To fix it either remove the base tag or change it to use https instead of http:
<base href="https://example.com">
I have an EC2 server running apache (www.example.com) and mod_pagespeed is installed and working.
I have static content hosted on an Amazon S3 bucket (examplecdn.com)
When the html is served up from https://www.example.com, there are a couple of style references which are served from https://examplecdn.com.
Here's some sample html sent from https://www.example.com
<link rel="stylesheet" type="text/css" href="//examplecdn.com/assets/css/file_one.css"/>
<link rel="stylesheet" type="text/css" href="//examplecdn.com/assets/css/file_two.css"/>
I have read the documentation on mod_pagespeed, but I'm having trouble understanding it. I would expect the two requests to be rewritten into one http request.
I have confirmed using wget that https://examplecdn.com/assets/css/file_one.css is accessible from the www.example.com server
I have simplified my setup to use .htaccess for testing purposes. I can turn simple filters on and off easily without needing to restart the apache server. I'm trying to use the combine_css filter just to attempt to get a basic setup up and running. Here's my .htaccess file:
ModPagespeed on
ModPagespeedEnableFilters remove_comments
ModPagespeedEnableFilters collapse_whitespace
ModPagespeedEnableFilters combine_css
I know the documentation mentions lots of "Domain" settings, but I don't know which ones will do the trick. Can someone please tell me what changes I need to make to my .htaccess file in order to get this working?
Thanks!
From combine css docs:
The filter will not merge together resources from multiple distinct domains, even if those domains are each authorized by Domain. It will merge together resources from multiple distinct domains that have been mapped together via MapRewriteDomain.
And from here:
This directive lets the server accept https requests for www.example.com without requiring a SSL certificate to fetch resources - in fact, this is the only way PageSpeed can service https requests as currently it cannot use https to fetch resources.
ModPagespeedMapOriginDomain http://examplecdn.com/ https://examplecdn.com/
Maybe this will work for you, but why not have those files local? They will be served by your apache server anyway.
[EDIT]
Tested it, this way worked for me:
pagespeed on;
pagespeed RewriteLevel CoreFilters;
pagespeed Domain *.example.com;
pagespeed Domain https://s3.amazonaws.com/mybucket;
pagespeed MapOriginDomain http://localhost https://s3.amazonaws.com;
pagespeed EnableFilters combine_css;
Tested with nginx but should work the same way with Apache. Also should make no difference if the mapped domain is on cloudfront.
Apache 2.2.15 on RHELS 6.1
Using mod_pagespeed on a server behind https (implemented by the network's Reverse Proxy).
All html urls are written as "//server.example.com/path/to/file.css" (so, without the protocol specified).
Problem : using the default configuration, pagespeed rewrites the urls as "http://server.example.com/path/to/file.css"
I'm trying to figure out how to have it rewrite the urls as https (or leave it unspecified as //).
After reading the documentation, I tried using ModPagespeedMapOriginDomain like this
ModPagespeedMapOriginDomain http://localhost https://server.example.com
Also tried
ModPagespeedMapOriginDomain http://localhost //server.example.com
ModPagespeedMapOriginDomain localhost server.example.com
... To no avail. Urls keep being rewritten with "http://".
Question: how can I have pagespeed use https instead of http in its urls?
Full pagespeed config here, if needed
It turns out mod_pagespeed does not work with "protocol-relative" urls.
Still, the issue is bypassed if you enable trim_urls
ModPagespeedEnableFilters trim_urls
Be mindful of the potential risks (depending on your javascript codebase, ajax calls could break or produce unexpected html).
Adding this to your configuration might work:
ModPagespeedRespectXForwardedProto on
That works, if your reverse proxy forwards the X-Forwarded-Proto header in its requests.
That request header tells PageSpeed what the original protocol was that was used for the request at the loadbalancer, and thereby hands it all it needs to know to correctly rewrite urls.
I tried to follow the following stackoverflow answer with no luck
Use HTTPS only for certain pages in servlet based webapp
Here is what i did, created a self signed cert, installed it in tomcat, my entire website works on https. Then i followed the link above to make my login alone https. When i click on login page, the url takes to https://mywebsite.com:8443/signin.htm. I have started my SSL Connector on 443, why is it trying to connect to 8443?
The issue was the redirects in the Connector tag. In server.xml, i had 2 connector, for http(80) and https(443). But the redirect attribute in those connector was set to 8443. I think this means, when the page is on http(80), and according to web.xml we are asking it to goto secure page for example for login then it looks at redirect attribute of http(80) connector. I changed this to 443 and it worked fine.