pagespeed cut off STS headers

[Fabio Grasso]

Hello

I'm using pagespeed 1.12.34.3-stable with nginx-1.13.7.

I've found that some headers (like STS) are not present in my site when using nginx. Here is an example:

curl -I https://www.mysite.net #with pagespeed

HTTP/2 200 

server: nginx

content-type: text/html; charset=UTF-8

vary: Accept-Encoding

pragma: public

date: Mon, 18 Dec 2017 19:36:57 GMT

x-page-speed: Powered By ngx_pagespeed

cache-control: max-age=0, no-cache

curl -I https://www.mysite.net?PageSpeed=off #without pagespeed

HTTP/2 200 

server: nginx

date: Mon, 18 Dec 2017 19:37:22 GMT

content-type: text/html; charset=UTF-8

vary: Accept-Encoding

link: <https://www.mysite.net/wp-json/>; rel="https://api.w.org/"

link: <https://www.mysite.net/>; rel=shortlink

x-tec-api-version: v1

x-tec-api-root: https://www. mysite.net/wp-json/tribe/events/v1/

x-tec-api-origin: https://www. mysite.net

strict-transport-security: max-age=31536000

x-content-type-options: nosniff

As you can see I have some headers that are not delivered with pagespeed. One of the missing headers is strict-transport-security and it's important for me to deliver this header with my pages.

Do you have any suggestion on how to instruct pagespeed to maintain this header?

This is my actual configuration:

Global:

pagespeed MessageBufferSize 10240;

pagespeed FileCachePath              "/var/cache/nginx/pagespeed/";

pagespeed Statistics on;

pagespeed UsePerVhostStatistics on;

pagespeed StatisticsLogging on;

pagespeed LogDir /var/log/pagespeed;

pagespeed AdminPath /pagespeed_admin;

pagespeed EnableCachePurge on;

pagespeed ForceCaching on;

Virtual Host:

     pagespeed on;

     pagespeed RewriteLevel CoreFilters;

     pagespeed FileCachePath "/var/cache/nginx/mysite-pagespeed/";

     pagespeed FileCacheSizeKb     2048000;

     pagespeed FileCacheInodeLimit 500000;

     pagespeed LoadFromFile "https://www.mysite.net/wp-content/" "/var/www/mysite.net/wp-content/";

     pagespeed ImplicitCacheTtlMs 864000000;

     include vhosts/pagespeed.include;

     pagespeed InPlaceResourceOptimization on;

     pagespeed EnableFilters extend_cache;

     pagespeed EnableFilters insert_dns_prefetch;

     pagespeed EnableFilters canonicalize_javascript_libraries;

     pagespeed EnableFilters remove_comments;

     # Ensure requests for pagespeed optimized resources go to the pagespeed handler and no extraneous headers get set.

     location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {

          add_header "" "";

     }

     location ~ "^/pagespeed_static/" { }

     location ~ "^/ngx_pagespeed_beacon$" { }

Thanks for your help

Regards

Fabio

[Faber]

I'm still having this issue, also with new version 1.13.35.2-stable

Now I'm trying to use ShardDomain and I need to put an header with Access-Control-Allow-Origin: * in order to load scripts in other subdomains.

Also this header is deleted when using pagespeed.

Any kind of suggestion?

Thanks

Fabio

[Otto van der Schaaf]

For the response headers that are dropped for html responses:

Does that also happen with GET requests (I think curl send a HEAD request with -I)? 

If so, that would narrow the problematic path.

For adding "Access-Control-Allow-Origin" to .pagespeed. resources (I assume those are the problematic resources),

you can use AddResourceHeader.

See https://www.modpagespeed.com/doc/configuration#add-resource-header

Otto

--
You received this message because you are subscribed to the Google Groups "ngx-pagespeed-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ngx-pagespeed-di...@googlegroups.com.
Visit this group at https://groups.google.com/group/ngx-pagespeed-discuss.
For more options, visit https://groups.google.com/d/optout.

[Faber]

Hello Otto and thanks for your answer.

I confirm that with a GET request the headers are shown.

I've tried to insert in my configuration this lines:

     pagespeed AddResourceHeader "Access-Control-Allow-Origin" "*";

     pagespeed AddResourceHeader "Strict-Transport-Security" "max-age=31536000";

     pagespeed AddResourceHeader "X-Content-Type-Options" "nosniff";

But when enabling pagespeed the headers are still not sent. Do you have any other suggestion? Or do you think that I can open a bug?

Thanks

Fabio

[Otto van der Schaaf]

Quick question: Do the urls of the resources that you are testing "AddResourceHeader"  with have .pagespeed. in them?

Otto

--