Why PageSpeed is not working and How to debug?

[CHAULVET Chris]

Hello,

I do have a strange issue with PageSpeed module version 14 on a server with Plesk and Cloudflare CDN.

The module is installed with success on the server and enable. The similar setup has been made on another server which is working well.

But, something is so strange, when we navigate on the website, no optimization are made. By example, the jpg to webp, or js/css compression are not working ...

I do have this kind of following message in the message history : 

[Sun, 23 Jan 2022 16:34:44 GMT] [Info] [14653] HTTPCache key=https://www.my-website.com/840-thickbox_default/parquet-chene-massif-brosse-vernis-14x140-qualite-rustique.jpg fragment=mywebsite.com: remembering recent failure for 299 seconds.

I've check many direction to find the bug but I'm lost ...

In the header, the cache-control value is: max-age=31536000

Here is the option values:

Here is the configuration on the server:

 

In the graph, I do have the following faillure rates:

Do you have any idea what's happening?

Thanks for your help!

Regards,

Chris

[Longinos]

Hi

The message "... HTTPCache key=https://www.my-....." is normal behaviour, pagespeed can´t fecht a resource and "remember" the failure for some time and don´t try to fecht again for amount of time.

Regarding the config, you have 3 ModPagespeedDomain:

1 for https://www....

2 for *.somedomain.com

These 2 works only for http, not for https

Try to change for some like:

ModPagespeedDomain http*://*.somedomain.com

This cover http and https, the main domain (somedomain.com) and all the subdomains belongs to it.

In the image Options I can see ModPagespeedFechtHttps enable and  ModPagespeedSslCertDirectory /etc/ssl/cert but in the image config only see  ModPagespeedFechtHttps enable so the config is incomplete, because ModPagespeedSslCertDirectory /etc/ssl/cert is set but is not in the config image.

Cloudflare: you must set CF to respect the origin headers.

In Caching -> Configuration -> Browser TTL chose "Respect origin headers"

and if you have any  Rules -> Page Rules you must set "Origin Cache Control" to enable.

Pagespeed serves html with cache-control: max-age=0, nocache so you must see this header in the html served

Other resources, like images, js or css are server with cache-control: max-age=31536000 when optimized (have pagespeed in the url)

When make this changes, clear the CF cache

To debug you must add ?PageSpeedFilters=+debug to the request:

https.//www.somedomain.com/?PageSpeedFilters=+debug

and then take a look at the html code, here you can see debug messages as html comments.

[CHAULVET Chris]

Hello Longinos,

Thanks for your help!

Here, I've done the following changes:

1. I've updated ModPagespeedDomain, Cloudflare configuration as you recommended.
2. U've updated the ModPagespeedSslCertDirectory /opt/psa/var/certificates/
3. For ModPagespeedFechtHttps, with another server, it's same setup and it's working.

When I enabled Debug (?PageSpeedFilters=+debug AND Cloudflare Development Mode =  true), I do have the folowing lines in comments :

1. First load of the page: <!--deadline_exceeded for filter ImageRewrite-->
2. Second load of the page: <!--4xx status code, preventing rewriting of https://www.mywebsite.com/themes/e-parquets/img/espace_pro.png-->

But, the .png of the image, is not rewriting a webp (and there is no webp in the page found).

Any other ideas?

Thank you for your help.

Regards,

[Longinos]

Hi

The "dead-line..." is a transitional status, don´t worry about it. Pagespeed has a default 10ms window to optimize a resource, if don´t optimize in this time it serves the original file, and do the optimization in a background task.

The 4xx stuff in the png file say that pagespeed is unable to fecht the original resource and then no optimization es done.

For the https fecht, what certificates are in /opt/psa/var/certificates/? If there are the site certificates the config is wrong.

Think in pagespeed as a web client, it need the CA root certificates to validate the site certificate chain.

If you use chrome or firefox without any root certificate, the browser is unable to verify the site certificate and you get and error, same with pagespeed fecht.

By default in a Ubuntu/debian distro these root certificates are in   /etc/ssl/certs as you have before.

If the distro is RedHat based (RedHat, Centos, Rocky Linux...) the directory must be /etc/pki/tls/certs and you need to configure

ModPagespeedSslCertFile file where file, by defautl, is ca.pem

Have you any cache in front of the site other than the CF? Some line Varnish or nginx proxy cache

Have you some load balancer in front of the site?

[CHAULVET Chris]

Hello,

In the directory, I do have several lets encrypts certificates for the apache value "SSLCertificateFile".

The apache value "SSLCACertificateFile" is also pointing in the same directory.

By example :

• mywebsite1.com/conf/httpd.conf : SSLCertificateFile /opt/psa/var/certificates/scfv3alor
• mywebsite2.com/conf/httpd.conf : SSLCertificateFile /opt/psa/var/certificates/scfv4loxn
• mywebsite3.com/conf/httpd.conf : SSLCertificateFile /opt/psa/var/certificates/scfv1apmd

Should "ModPagespeedSslCertFile " point to "/opt/psa/var/certificates/scfv3alor" ? for the mywebsite1? (in theory yes).

By default in a Ubuntu/debian distro these root certificates are in   /etc/ssl/certs as you have before.

I do have like so many files in that directory with .crt, .pem, files. I think the /opt/psa/var/certificates/scfv3alor has more sense because it's in the vhost.conf file, right?

Thanks,

Chris

[Longinos]

No, not rigth....

In pagespeed you need to set the root and intermediate certificates, not the one used to identify your own site.

Your own certificate is signed by a Certificate Authority (CA), root or intermediate, so when you go to your web site in the browser you must have these CA certificates to validate your certificate. Pagespeed fechting the resources is like a browser, need the CA certificate to validate yours.

I don´t know why in Debian/Ubuntu is only needed the directory, in RedHat/Centos is needed the directory AND the file, by default the file is called ca-boundle.pem

[CHAULVET Chris]

Hello,

Yes, we do haveonly Cloudflare as Caching.

Here is a working setup :

OK     ModPagespeedFetchHttps enable,allow_self_signed,allow_unknown_certificate_authority,allow_certificate_not_yet_valid
OK   ModPagespeedSslCertDirectory /opt/psa/var/certificates/ (Plesk Cert Directory).
KO    #ModPagespeedSslCertDirectory /opt/psa/var/certificates/scfv2bjzo (LetsEncrypt Cert File of the vhost)
KO    #ModPagespeedSslCertDirectory /etc/ssl/certs (the Debian Cert Directory).

On CF, the "Your SSL/TLS encryption mode is Full" : was on "full" and the certificate on the browser were displaying CF. I'm testing with "strict" now.

For all KOs, the "Cache-Control headers" rates of the "Console" is about 92%.

Here is the console of the setup : Do you think everything is okay? Because the cache-control header look too high  even if it's like 55,13% ...

Regards,

Chris

[Longinos]

Hi

Whats certificates are in /opt/psa/var/certificates/? These you use for your website? If yes, read the last email before this.

If resources are not rewrited cause have "bad" cache headers, take a look at the cache-control of the headesr WITHOUT Cloudflare in place, put it in developer mode and see how these headers looks. Pagespeed need resources to be public cacheable aka cache-control with a max-age greather than 0, without nocache or similar things.

[CHAULVET Chris]

Hello,

/opt/psa/var/certificates : It's Plesk Let's Encrypts certificates for each domaines (www.mywebsite.com, sub1.mywebsite.com, sub2.mywebsite.com".

/etc/ssl/certs: Here, I don't see any ca.pem or ca-boundle.pem.

1. As you are explaining, if I understand well, I should use a "root certificate CA file", not the Let's Encrypt Certificate. But, in the following screenshot, I do have many files.
When I'm using "SslCertDirectory /etc/ssl/certs", the Cache-

Do you know how to get the "ROOT CA Certificates", I do have this value Resources not rewritten because of restrictive Cache-Control headers: 99.xx%.

About the cache-control header, I enabled the developpement mode of CF but valus is still high the Resources not rewritten because of restrictive Cache-Control headers: 56.59%

Thank you again for your help.

Chris

[CHAULVET Chris]

Re,

"When I'm using "SslCertDirectory /etc/ssl/certs", the value is "Resources not rewritten because of restrictive Cache-Control headers: 99.xx%."

Do you know how to get the "ROOT CA Certificates" ?"

[Longinos]

Hi

if your distro is Ubuntu/Debian (as I deduze with the path you posted: /etc/ssl/certs) you no need to set the file config, only the directory.

About the restrictive Cache-Control headers:

1.- Put CF in development mode or pause it or wahtever other way you can get the headers from the origin.

2.- Make a request to your web page

3.- Whit chrome or firefox DevTools panel, take a look at the headers of the resources and see what cache-control headers have.

For example, you see that https://mydomain.com/some-folder/some-image.jpg get the error restrictive Cache-Control headers

Then this resource is used in https://mydomain.com/some-page/

make a request to this page and see what cache-control some-image.jpg have.

This headers must look as cache-control: max-age=86400, public

The number must be any number greather than 0 and public maybe is here or maybe is not.

An other way to try debug:

https://mydomain.com/some-forlder/some-page/?PageSpeedFilters=+debug

This put debug messages in the html code as comments.