When will PageSpeed within EasyEngine be updated?


#1

When will you upgrade the version of PageSpeed included within Easy Engine? I believe the current included version is from last year.

I have found that it causes things to break within AMP (the most recent version of PageSpeed is disabled for any AMP page by Google; versions of PageSpeed from last year did not do this, though, so you need to disable it manually).

PS: Someone also seems to have asked the same question, but for different reasons, here.


#2

I now have this email from Google:

Google has detected that your site is currently running PageSpeed < 1.9.32.14 or < 1.10.33.7, an older version of PageSpeed. Outdated or unpatched software can be vulnerable to hacking and malware exploits that harm potential visitors to your site. Therefore, we suggest you update the software on your site as soon as possible.

This part sounds pretty serious:

Because there was a vulnerability on your site, it’s possible that your site might have been compromised. We recommend you check your site for any suspicious activity. You can see if Google has detected any hacked content on your site in the Security Issues section of Search Console.


#3

https://developers.google.com/speed/pagespeed/module/announce-sec-update-201603#affected-versions


#4

Received the same email. Thanks for the info, will wait for RT's response.


#5

Yes, me too. Funny, I didn’t know I installed this.


#6

Yes, me too. Funny, I didn’t know I installed this.

Same here, I actually thought pagespeed was an option that wasn’t really recommended but available (as there were some compatibility issues).

Additional Notes about PageSpeed

PageSpeed is experimental so it may break your website. For this reason, when you run EasyEngine commands related to PageSpeed, it only enables support for PageSpeed but keeps all PageSpeed filters off.

Not sure if this ‘solves’ the vulnerability but; https://rtcamp.com/blog/easyengine-3-1-hhvm-pagespeed/#using-pagespeed

To turn off PageSpeed, you can use --pagespeed=off


#7

@ALL

Can you try?

ee site update example.com --pagespeed=off

Sorry for the delay in replying. We don’t use pagespeed ourselves, so we did not get any email from Google.


#8

Thanks for your reply @rahul286. When I try the --pagespeed=off command I receive the following message:

Pagespeed is already disabled for given site.

I actually never enabled pagespeed so that makes sense, however, Google still says I am using pagespeed. Not sure what is going on. Other users reported the same issue, also without installing/enabling pagespeed.

Thanks,


#9

Can you please try? ee stack purge --pagespeed


#10

I also posted some details here - https://easyengine.io/blog/disabling-pagespeed/


#11

Thanks @rahul286, that seems to have done the trick.

Anybody wondering, you can check if pagespeed is running (and which version) by checking your page response header. There should be a value for “X-Mod-Pagespeed” with the version number you installed.


#12

Great. Thanks for feedback.

To test those commands, we created a fresh server with PageSpeed enabled sites.

We stopped using PageSpeed for reasons discussed here - https://github.com/EasyEngine/easyengine/issues/497


#13

Note that it appears a workaround is available if you want to continue to use PageSpeed: https://developers.google.com/speed/pagespeed/module/announce-sec-update-201603#workaround

In PageSpeed config set:

pagespeed Domain http://www.example.com;
pagespeed Domain http://www.example.com:*;
pagespeed Domain https://www.example.com;
pagespeed Domain https://www.example.com:*;

Make your very first Nginx virtual host setting like:

server {
  listen 80;
  pagespeed off;
}

I also removed PageSpeed version from header:

pagespeed XHeaderValue "";
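
The header check from post #11, combined with the version thresholds in the Google notice from post #2, as an added example that is not part of any post in this thread. It reads response headers on stdin and also accepts `X-Page-Speed`, the header name ngx_pagespeed uses; the function name, the branch rule (1.10.x is compared with 1.10.33.7, everything else with 1.9.32.14) and the sample responses are assumptions made for this example. A header that no longer carries a version, which is what the `XHeaderValue` change in post #13 aims for, is reported as `unknown` rather than as patched.

```shell
#!/bin/sh
# Added example: classify the PageSpeed version advertised in HTTP response
# headers against the patched releases named in the Google notice quoted in
# this thread (1.9.32.14 and 1.10.33.7).
# Assumption: 1.10.x is compared with 1.10.33.7, everything else with 1.9.32.14.
# Real use: curl -sI http://www.example.com/ | pagespeed_status

pagespeed_status() {
    tr -d '\r' | awk '
    # lt(a, b): 1 if dotted four-part version a is lower than b
    function lt(a, b,    x, y, i) {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) return 1
            if (x[i] + 0 > y[i] + 0) return 0
        }
        return 0
    }
    {
        name = tolower($0); sub(/:.*/, "", name)
        # mod_pagespeed (Apache) and ngx_pagespeed (nginx) header names
        if (name != "x-mod-pagespeed" && name != "x-page-speed") next
        seen = 1
        ver = $0
        sub(/^[^:]*:[ \t]*/, "", ver)   # keep only the header value
        sub(/-.*/, "", ver)             # drop a build suffix such as -7423
    }
    END {
        if (!seen) { print "absent"; exit }
        if (ver !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print "unknown"; exit }
        split(ver, p, ".")
        branch = p[1] "." p[2]
        fixed = (branch == "1.10") ? "1.10.33.7" : "1.9.32.14"
        state = lt(ver, fixed) ? "vulnerable" : "patched"
        print state, ver
    }'
}

# Constructed sample responses (not captured from a real server).
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Page-Speed: 1.9.32.10-7423\r\n\r\n' | pagespeed_status
printf 'HTTP/1.1 200 OK\r\nX-Mod-Pagespeed: 1.10.33.7-7905\r\n\r\n' | pagespeed_status
printf 'HTTP/1.1 200 OK\r\nX-Page-Speed: \r\n\r\n' | pagespeed_status
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n' | pagespeed_status
```

`absent` only means the header was not sent on that response; it does not show that the module has been removed from the server.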


#14

For me I had to change the line:

    # Turning the module on and off
    pagespeed on;

To:

    # Turning the module on and off
    pagespeed off;

In the file:

/etc/nginx/conf.d/pagespeed.conf


#15

@mdotk will it prevent XSS attack also? I think there are 2 security issues found with PageSpeed.


#16

According to this post

CVE-2012-4360, a cross-site scripting attack, which affects versions starting from 0.10.19.1.

Our version is not affected by the XSS attack?


#17

I have deleted the pagespeed module from my EE config. However, I also had to rename several pagespeed-related conf files in order to properly remove it. Doing the disable pagespeed command also reset my nginx site-specific config, which meant I had to recreate some settings.

I am not sure if pagespeed was providing any increased performance anyway


#18