apache / incubator-pagespeed-ngx

Automatic PageSpeed optimization module for Nginx
http://ngxpagespeed.com/
Apache License 2.0

1.11.33.3 web fonts 403 status + multiple requests ? #1253

Open centminmod opened 8 years ago

centminmod commented 8 years ago

Updated my forums to nginx pagespeed 1.11.33.3 and it seems I get only occasional 403s with subsequent reloads of pages for my web fonts served over KeyCDN, tested on Opera 39.0.2256.48. It was fine on nginx pagespeed 1.11.33.2.

But it only happens when pagespeed is enabled; when pagespeed is disabled it's fine.

example at https://community.centminmod.com/find-new/374420/posts

With pagespeed disabled or off I see only one instance of the fontawesome webfont .woff2 file, i.e. https://community.centminmod.com/find-new/374420/posts?PageSpeed=off

[image: psoff-font-01]

With pagespeed enabled, I see it calling all 3 instances of my defined font types for various browsers and all get 403 errors?

[image: pson-font-01]

nginx config on CentOS 6.8 64bit

nginx -V
nginx version: nginx/1.11.3
built by gcc 4.9.1 20140922 (Red Hat 4.9.1-10) (GCC)
built with LibreSSL 2.4.2
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -DTCP_FASTOPEN=23 -g -O3 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --add-module=../nginx-module-vts --with-libatomic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --add-dynamic-module=../ngx_pagespeed-release-1.11.33.3-beta --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-stream_geoip_module=dynamic --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.30 --add-module=../echo-nginx-module-0.59 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.30 --with-pcre=../pcre-8.39 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.4.2

I have some preload and other resource hints

with ngx_pagespeed off

<!-- <link rel="preload" href="//community.centminmod.com/lato-local.css" as="style"> -->
<link rel="preload" href="//cdnk1.centminmod.com/styles/xenbase/font-awesome/css/font-awesome.min.k.css" as="style">
<!-- <link rel="preload" href="//community.centminmod.com/lato-v11-latin-regular.woff2" as="font" crossorigin> -->
<link rel="preload" href="https://cdnk1.centminmod.com/styles/xenbase/font-awesome/fonts/fontawesome-webfont.woff2?v=4.6.3" as="font" crossorigin>
<link rel="preload" href="https://cdnk1.centminmod.com/js/jquery/jquery-1.11.0.min.js" as="script">
<link rel="preload" href="https://cdnk1.centminmod.com/js/xenforo/xenforo.js?_v=d7390028" as="script">
<link rel="preload" href="//community.centminmod.com/styles/flatawesomeplus/xenforo/xenforo-ui-sprite.png" as="image">
<!-- <link rel="preload" href="https://community.centminmod.com/favicon.ico" as="image"> -->
<link rel="preload" href="//cdnk1.centminmod.com/OneSignalSDK.js" as="script" onload="var script = document.createElement('script'); script.src = this.href; document.body.appendChild(script);">
<!-- <link rel="preconnect" href="https://fonts.gstatic.com" probability="1.0" /> -->
<!-- <link rel="preconnect" href="https://pagead2.googlesyndication.com" probability="1.0" /> -->
<link rel="preconnect" href="https://stats.g.doubleclick.net" probability="1.0" />
<link rel="dns-prefetch" href="https://www.gstatic.com"/>
<link rel="dns-prefetch" href="https://tpc.googlesyndication.com"/>
<!-- <link rel="dns-prefetch" href="https://googleads.g.doubleclick.net"/> -->
<link rel="preconnect" href="https://googleads.g.doubleclick.net" probability="1.0" />

<!-- <link rel="dns-prefetch" href="https://pixel.quantserve.com" /> -->
<!-- <link rel="dns-prefetch" href="https://secure.quantserve.com" probability="1.0" /> -->
<!-- <link rel="preconnect" href="https://secure.quantserve.com" probability="1.0" /> -->

with ngx_pagespeed on

<link rel="preconnect" href="https://stats.g.doubleclick.net" probability="1.0"/>
<link rel="dns-prefetch" href="https://www.gstatic.com"/>
<link rel="dns-prefetch" href="https://tpc.googlesyndication.com"/>
<link rel="preconnect" href="https://googleads.g.doubleclick.net" probability="1.0"/>

relevant pagespeed.conf rules

pagespeed LoadFromFile "http://community.centminmod.com" "/home/nginx/domains/community.centminmod.com/public";
pagespeed LoadFromFile "https://community.centminmod.com" "/home/nginx/domains/community.centminmod.com/public";
pagespeed LoadFromFile "https://cdnk1.centminmod.com" "/home/nginx/domains/community.centminmod.com/public";
pagespeed LoadFromFileRuleMatch disallow .*;
pagespeed LoadFromFileRuleMatch allow \.css$;
pagespeed LoadFromFileRuleMatch allow \.jpe?g$;
pagespeed LoadFromFileRuleMatch allow \.png$;
pagespeed LoadFromFileRuleMatch allow \.gif$;
pagespeed LoadFromFileRuleMatch allow \.js$;

centminmod commented 8 years ago

It seems that if I disable the CSS file from pagespeed which calls these fonts, the 403s have gone away so far

pagespeed Disallow */styles/xenbase/font-awesome/css/font-awesome.min.k.css*;

huibaolin commented 8 years ago

This might be related to our recent change of removing "rel=preload" [1]. @jeffkaufman can you take a look?

[1] https://github.com/pagespeed/mod_pagespeed/commit/68cbc68c912f8737baed100924dd2b2b87261816

jeffkaufman commented 8 years ago

Removing the preload hints shouldn't cause 403 errors. To test this, though, you could disable stripping them:

pagespeed PreserveSubresourceHints on;

What's very weird to me is that it looks like in the first case the woff2 file loads successfully and in the second it 403s. But I don't see a difference between those two requests. They're both for:

https://cdnk1.centminmod.com/styles/xenbase/font-awesome/fonts/fontawesome-webfont.woff2?v=4.6.3
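
One way to confirm which resource hints PageSpeed strips is to diff the live `<link>` tags of the two page variants. This is an added example, not part of the original thread; the sample markup is abbreviated from the snippets in the first comment, and the names `HintCollector`, `collect_hints` and `stripped_hints` are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample, abbreviated from the "pagespeed off" / "pagespeed on" markup in the issue.
PAGESPEED_OFF = """
<!-- <link rel="preload" href="//community.centminmod.com/lato-local.css" as="style"> -->
<link rel="preload" href="//cdnk1.centminmod.com/styles/xenbase/font-awesome/css/font-awesome.min.k.css" as="style">
<link rel="preload" href="https://cdnk1.centminmod.com/styles/xenbase/font-awesome/fonts/fontawesome-webfont.woff2?v=4.6.3" as="font" crossorigin>
<link rel="preload" href="https://cdnk1.centminmod.com/js/jquery/jquery-1.11.0.min.js" as="script">
<link rel="preconnect" href="https://stats.g.doubleclick.net" probability="1.0" />
<link rel="dns-prefetch" href="https://www.gstatic.com"/>
"""
PAGESPEED_ON = """
<link rel="preconnect" href="https://stats.g.doubleclick.net" probability="1.0"/>
<link rel="dns-prefetch" href="https://www.gstatic.com"/>
"""


class HintCollector(HTMLParser):
    """Collect (rel, href) for every live <link>; commented-out tags never reach here."""

    def __init__(self):
        super().__init__()
        self.hints = []

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)  # valueless attributes such as crossorigin map to None
            self.hints.append(((a.get("rel") or "").lower(), a.get("href") or ""))


def collect_hints(html):
    parser = HintCollector()
    parser.feed(html)
    parser.close()
    return parser.hints


def stripped_hints(before, after):
    """Return {rel: [href, ...]} for hints present in `before` but absent from `after`."""
    remaining = set(collect_hints(after))
    gone = {}
    for rel, href in collect_hints(before):
        if (rel, href) not in remaining:
            gone.setdefault(rel, []).append(href)
    return gone


if __name__ == "__main__":
    for rel, hrefs in stripped_hints(PAGESPEED_OFF, PAGESPEED_ON).items():
        print(rel, *hrefs, sep="\n  ")
```

Run against the full page source saved with and without `?PageSpeed=off`, the same diff shows whether anything other than `rel=preload` hints changed between the two variants.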