ModPagespeedLoadFromFile force https and disallow insecure connections

[Jon Moore]

Hi, 

Question:  how can PageSpeed be configured to port 80 requests are automatically redirected to enforce https?

Scenario: when using Apache directives to force secure connections only:

RewriteCond %{HTTPS} off
RewriteRule ^(.)$ "https:\/\/www.example.com\/$1" [R=301,L]
<IfModule mod_headers.c> Header set Strict-Transport-Security max-age=16070400; </IfModule>

When pagespeed is then enabled with a LoadFromFile directive, as recommended for performance:

  ModPagespeedLoadFromFile https://www.example.com/ /home/examplecom/www

Then Pagespeed is loading from file so the directive about switching to HTTPS is ignored.

This means that resources loaded by http:// may not be redirected and may result in mixed secure and insecure resources on the page giving browser warnings etc.

This can happen in two ways:

 - visitor requests page via http:// and the page contains embedded links directing to https://

 - visitor arrives via https:// but the page has some links which are http:// 

[Otto van der Schaaf]

Would configuring mod_pagespeed to rewrite all http resource links to https help?:

ModPagespeedEnableFilters rewrite_domains
ModPagespeedMapRewriteDomain https://www.example.com http://www.example.com

Otto

--
You received this message because you are subscribed to the Google Groups "mod-pagespeed-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mod-pagespeed-di...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mod-pagespeed-discuss/839e24db-9bbc-43dc-8f65-120c93e5109d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.