How to configure mod_pagespeed for SSL pages

Asked 17/1, 2013 at 5:42 Answered 25/1, 2013 at 9:6

We have website e.g. http://www.acb.com which points to a hardware load-balancer which is suppose to load-balance two dedicated server. Each server is running apache as a frontend and uses mod_proxy to forward request to tomcat.

Some pages of our website require SSL like https://www.abc.com/login or https://www.abc.com/checkout

SSL is terminated at hardware load-balancer.

When I configured mod_pagespeed it compressed, minimized and merged css file and rewrote them with an absolute url http://www.abc.com/css/merged.pagespeedxxx.css instead of relative url /css/merged.pagespeedxxx.css.

It works fine for non ssl pages but when I navigate to an ssl page such as https://www.abc.com/login all the css and js files are blocked by browser like chrome as their absolute url is not using ssl.

How can I resolve this issue ?

Bolivia answered 17/1, 2013 at 5:42 Comment(0)

Check for https string in this documentation and this one.

You should show us in your question your current ModPagespeedMapOriginDomain && ModPagespeedDomain settings.

From what I understand from these lines:

The origin_specified_in_html can specify https but the origin_to_fetch_from can only specify http, e.g.

ModPagespeedMapOriginDomain http://localhost https://www.example.com

This directive lets the server accept https requests for www.example.com without requiring a SSL certificate to fetch resources - in fact, this is the only way mod_pagespeed can service https requests as currently it cannot use https to fetch resources. For example, given the above mapping, and assuming Apache is configured for https support, mod_pagespeed will fetch and optimize resources accessed using https://www.example.com, fetching the resources from http://localhost, which can be the same Apache process or a different server process.

And these ones:

mod_pagespeed offers limited support for sites that serve content through https. There are two mechanisms through which mod_pagespeed can be configured to serve https requests:

Use ModPagespeedMapOriginDomain to map the https domain to an http domain.

Use ModPagespeedLoadFromFile to map a locally available directory to the https domain.

The solution would be something like that (or the one with ModPagespeedLoadFromFile)

ModPagespeedMapOriginDomain http://localhost https://www.example.com

BUT, the real problem for you is that apache does not directly receive the HTTPS requests as the hardware load balancer handle it on his own. So the mod-pagespeed output filter does not even know it was requested for an SSL domain. And when it modify the HTML content, applying domain rewrite maybe, it cannot handle the https case.

So... one solution (untested) would be using another virtualhost on the apache server, still HTTP if you want, dedicated to https handling. All https related urls (/login,/checkout,...) would then be redirected to this specific domain name by the hardware load balancer. Let's say http://secure.acb.com. This name is only in use between the load balancer and front apaches (and quite certainly apache should restrict access to this VH to the load balancer only).

Then in these http://secure.acb.com virtualhosts mod_pagespeed would be configured to externally rewrite domains to https://www.example.com. Something like:

ModPagespeedMapOriginDomain http://secure.example.com https://www.example.com

Finally the end user request is https://www.example.com/login, the load balancer manages HTTPS, talk to apache with http://secure.example.com, and page results contains only references to https://www.example.com/* assets. Now when theses assets are requested with an https domain request you still have the problem of serving theses assets. So the hardware load balancer should allow all theses assets url in the https domain and send them to the http://secure.abc.com virtualhosts (or any other static VH).

Anatola answered 25/1, 2013 at 9:6 Comment(4)

@Hussain have you tested Olaf Kock's solution. worth a try. – Anatola 29/1, 2013 at 8:29

I Knew about Olaf Kock solution but absolute urls are generated by mod_pagespeed it self its not in my hand to remove http:// – Bolivia 29/1, 2013 at 16:25

If you are getting un-secure HTTP request errors in the broswer and your on HTTPS, setting ModPagespeedMapOriginDomain and ModPagespeedMapRewriteDomain in the config will fix them. – Crompton 15/6, 2017 at 15:38

Love how you approcahed this! I love when an answer isnt just some copy paste of a document but an in-depth explaination + bonus points for a unique possible solution! – Ducky 6/5, 2018 at 21:51

This sounds like you configured the rewritten URL as http://www.abc.com/css/merged.pagespeedxxx.css yourself - therefor: Try to use a protocol-relative URL, e.g. remove http: and just state //www.abc.com/css/merged.pagespeedxxx.css - this will use the same protocol as the embedding page was requested in.

One of the well standardized but relatively unknown features of URLs

Pronounced answered 23/1, 2013 at 21:30 Comment(3)

From Paul Irish:

Caveat: When used on a <link> or @import for a stylesheet, IE7 and IE8 download the file twice. All other uses, however, are just fine.

– Derisive 29/1, 2013 at 14:38

ouch - nice finding and nice-to-read article (including the linked microsoft blog explaining the root cause). It would have been so nice if this simple standard feature would have been working flawlessly. I hope it will not be long until it will work in 100% of cases. – Pronounced 29/1, 2013 at 14:53

@Olarf this is how we are currently using our css and js file .. but mod_pagespeed rewrites it with an absolute path which http:// – Bolivia 29/1, 2013 at 16:31

Recommended topics

Hot tags