search

apache / incubator-pagespeed-mod

Apache module for rewriting web pages to reduce latency and bandwidth.
http://modpagespeed.com
Apache License 2.0
696 stars 158 forks source link

https requests directed at a http port #2013

Closed heikkiorsila closed 4 years ago

heikkiorsila commented 4 years ago

I'm running debugging a problem with ngx_pagespeed 1.12.34.2-0 running on nginx at https://wordpress.local (a local container). The https certificate is self-signed. The same problem also occurs on a production system with a properly issued https certificate. The backend is a WordPress server.

nginx access logs indicate that that https requests are being sent to the downstream cache's http port. I believe these are cache purge requests:

_ 127.0.0.1 - - [27/Jul/2020:13:19:52 +0300] "\x16\x03\x01\x00\xBC\x01\x00\x00\xB8\x03\x03\x15\x0B\xFB" 400 150 "-" "-" - - 5.006

The nginx error log reports a SSL specific error:

2020/07/27 13:19:52 [error] 795#825: [ngx_pagespeed 1.12.34.2-0] Serf status 120171(APR does not understand this error code) polling for 1 threaded fetches for 0.05 seconds

I have configured Downstream cache purges to be sent to the https port explicitly, but I'm seing the traffic in http port anyway:

# Set up PageSpeed interface with downstream cache
pagespeed DownstreamCachePurgeLocationPrefix https://wordpress.local/purge;
pagespeed DownstreamCachePurgeMethod PURGE;
pagespeed DownstreamCacheRewrittenPercentageThreshold 95;

Setting EnableCachePurge either on or off does not matter.

Can you think of what is the error here? Is there a workaround? What to try? Thanks!

Lofesa commented 4 years ago

Serf status 120171 is related to SSL comunications. I asume you have this: user -> nginx + proxy cache (Public IP)-> nginx + pagespeed (localhost) Localhost is serving their html resources like https://wordpress.local/path-to-file/image.jpg, rigth? so you need to rewrite the https://wordpress.local part of the url as https://your-public.domain.com, so you need: ModPagespeedMapRewriteDomain "https://your-public.domain.com" "https://wordpress.local"

For make https request with Serf (The internal browser pagespeed uses) you need to configure:

pagespeed FetchHttps enable,allow_self_signed;
pagespeed SslCertDirectory directory;
pagespeed SslCertFile file;

Read the docs here: https://pagespeed.apache.org/doc/https_support#https_fetch. Take care about use of debian/ubuntu vs. centos/redhat distros.

Pagespeed by default only auth the domain where is running, but the http version, so you need to configure the https version: pagespeed Domain http*://*.example.com; This auth cover the http/https version and all the subdomains.

heikkiorsila commented 4 years ago

Serf status 120171 is related to SSL comunications. I asume you have this: user -> nginx + proxy cache (Public IP)-> nginx + pagespeed (localhost)

Thanks Lofesa!

It's: user (localhost) -> (into docker container by port mapping) -> nginx + pagespeed (container) -> php-fpm (container)

There is no public IP as this is a dev setup.

Localhost is serving their html resources like https://wordpress.local/path-to-file/image.jpg, rigth?

Yes.

so you need to rewrite the https://wordpress.local part of the url as https://your-public.domain.com, so you need: ModPagespeedMapRewriteDomain "https://your-public.domain.com" "https://wordpress.local"

For make https request with Serf (The internal browser pagespeed uses) you need to configure:

pagespeed FetchHttps enable,allow_self_signed;
pagespeed SslCertDirectory directory;
pagespeed SslCertFile file;

Read the docs here: https://pagespeed.apache.org/doc/https_support#https_fetch. Take care about use of debian/ubuntu vs. centos/redhat distros.

These didn't seem to have any effect on the error.

Pagespeed by default only auth the domain where is running, but the http version, so you need to configure the https version: pagespeed Domain http*://*.example.com; This auth cover the http/https version and all the subdomains.

This seem to have helped! I don't seem to be getting any garbage into nginx-access.log anymore. Also, no "Serf status 120171" error in nginx-error.log.

It' s unintuitive to me why specifying the "pagespeed Domain" would prevent pagespeed from sending https traffic to http port. It should not do that anyway.

Thanks! I'll be monitoring the logs a few days, and if I don't see anything there, I'll close this issue :)

heikkiorsila commented 4 years ago

Specifically, since this is a generic multisite environment, I added: "pagespeed Domain http://". I tested following combinations:

http*://*            no errors
https://*            no errors
http*://FQDN   no errors
https://FQDN   no errors
http://FQDN     errors
http*                 errors
http*:*               errors
Lofesa commented 4 years ago

Cause if you don't set it, by default pagespeed uses http. To use https you need to explicit set the auth domain. http covers http an https, and .my domain.com covers all subdomain.

El mar., 28 jul. 2020 13:40, Heikki Orsila notifications@github.com escribió:

Specifically, since this is a generic multisite environment, I added: "pagespeed Domain http://". I tested following combinations:

http:// no errors https:// no errors http://FQDN no errorshttps://FQDN no errorshttp://FQDN errors http errors http:* errors

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/apache/incubator-pagespeed-mod/issues/2013#issuecomment-664990424, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFKOZCKF6TMPTWP3QBTL2O3R522JBANCNFSM4PITVWGQ .

heikkiorsila commented 4 years ago

Cause if you don't set it, by default pagespeed uses http. To use https you need to explicit set the auth domain. http covers http an https, and .my domain.com covers all subdomain.

"http" does not work in this case, but "http://*" works.

heikkiorsila commented 4 years ago

Thanks lofesa! I believe this issue is closed.