Admin Console
mod_pagespeed 1.1 admin console: statistics, cache inspection, message history, and config. Setup for nginx, Apache, IIS — accessible at /pagespeed_admin/.
Overview
mod_pagespeed 1.1 includes built-in admin pages for monitoring, configuration inspection, and cache management. Access them at /pagespeed_admin/ on your server.
Two endpoints are exposed: /pagespeed_admin is the per-vhost admin handler, and /pagespeed_global_admin is the process-wide handler and the license/trial console. Both are read-write (cache purge, license apply) and warrant the same access restrictions in production.

See it live: explore the mod_pagespeed 1.1 admin console running on our public Apache demo — live statistics, caches, histograms, and message history, no install required.
Admin pages
| Page | URL | Description |
|---|---|---|
| Statistics | /pagespeed_admin/statistics | Filter activity, cache hit rates, latency |
| Configuration | /pagespeed_admin/config | Active filters and directive values |
| Histograms | /pagespeed_admin/histograms | Page load time, rewrite latency distributions |
| Caches | /pagespeed_admin/cache | Cache status, inspection, and purge |
| Console | /pagespeed_admin/console | Historical graphs (requires StatisticsLogging) |
| Messages | /pagespeed_admin/message_history | Recent log messages |
Setup
nginx:
Add handler paths and corresponding location blocks:
```nginx
pagespeed StatisticsPath /ngx_pagespeed_statistics;
pagespeed GlobalStatisticsPath /ngx_pagespeed_global_statistics;
pagespeed MessagesPath /ngx_pagespeed_message;
pagespeed ConsolePath /pagespeed_console;
pagespeed AdminPath /pagespeed_admin;
pagespeed GlobalAdminPath /pagespeed_global_admin;
```
Location blocks for the admin paths must appear before the .pagespeed. resource regex in your config.
Restrict access at the location layer. The = (exact) and ^~ (prefix) matchers run against the request path after nginx normalizes it, which defuses common path-rewriting bypasses (see URL-path ACLs are brittle below):
```nginx
# Restrict mod_pagespeed admin endpoints to localhost.
# Widen explicitly (e.g. add `allow <admin-CIDR>;`) for ops access.
# Use `location =` exact-match: nginx normalizes the request path before
# this match, defeating common path-bypass tricks (//, /./, %2e, case).
location = /pagespeed_admin {
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
location ^~ /pagespeed_admin/ {
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
# Repeat for /pagespeed_global_admin (license/trial console — at least as sensitive).
location = /pagespeed_global_admin {
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
location ^~ /pagespeed_global_admin/ {
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
```
Apache:
```apache
<Location /pagespeed_admin>
    Order allow,deny
    Allow from localhost
    Allow from 127.0.0.1
    SetHandler pagespeed_admin
</Location>
<Location /pagespeed_global_admin>
    Order allow,deny
    Allow from localhost
    Allow from 127.0.0.1
    SetHandler pagespeed_global_admin
</Location>
```
IIS:
Add admin path directives to your pagespeed.config:
```
pagespeed AdminPath /pagespeed_admin
pagespeed GlobalAdminPath /pagespeed_global_admin
pagespeed StatisticsPath /pagespeed_statistics
pagespeed GlobalStatisticsPath /pagespeed_global_statistics
pagespeed MessagesPath /pagespeed_message
pagespeed ConsolePath /pagespeed_console
```
By default, admin pages are accessible only from localhost. To allow access from other hosts:
```
pagespeed InfoUrlsLocalOnly off
```
Use this setting with caution in production — restrict access at the network level (firewall rules) when exposing admin pages to non-local clients.
Windows Event Viewer
The 1.1 IIS module logs warnings and errors to the Windows Event Viewer automatically. Open Event Viewer and look under Windows Logs > Application for entries from the mod_pagespeed source.
Event Viewer captures module startup/shutdown messages, configuration errors, and runtime warnings without any additional configuration.
Access control
Restrict admin page access by domain using domain-level ACLs:
nginx:
```nginx
pagespeed AdminDomains Allow localhost;
pagespeed AdminDomains Allow 10.0.0.*;
```
Apache:
```apache
ModPagespeedAdminDomains Allow localhost
ModPagespeedAdminDomains Allow 10.0.0.*
```
IIS:
```
pagespeed AdminDomains Allow localhost
pagespeed AdminDomains Allow 10.0.0.*
```
On IIS, the InfoUrlsLocalOnly directive provides an additional layer of access control. When set to on (the default), admin URLs are only accessible from the local machine regardless of the AdminDomains setting.
Available ACL directives: StatisticsDomains, GlobalStatisticsDomains, MessagesDomains, ConsoleDomains, AdminDomains, GlobalAdminDomains.
Default is Allow *. Once any Allow is specified, all other domains are implicitly denied. Wildcards are supported.
Statistics
Statistics are enabled by default and required for features like image rewrite concurrency limiting and background fetch rate limiting. Do not disable them.
nginx:
```nginx
pagespeed Statistics on;
pagespeed UsePerVhostStatistics on;
```
Apache:
```apache
ModPagespeedStatistics on
ModPagespeedUsePerVhostStatistics on
```
IIS:
```
pagespeed Statistics on
pagespeed UsePerVhostStatistics on
```
Per-vhost statistics are enabled by default on IIS. Each website gets its own set of counters, accessible at /pagespeed_admin/statistics on that site; site-wide aggregates remain at /pagespeed_global_admin/statistics.
UsePerVhostStatistics enables per-virtual-host stats while still exposing aggregates at the global admin path.
Console (historical graphs)
The console requires StatisticsLogging to record data over time:
nginx:
```nginx
pagespeed StatisticsLogging on;
pagespeed LogDir /var/log/pagespeed;
```
Apache:
```apache
ModPagespeedStatisticsLogging on
ModPagespeedLogDir /var/log/pagespeed
```
IIS:
```
pagespeed StatisticsLogging on
pagespeed LogDir %ProgramData%\We-Amp\IISWebSpeed\Logs
```
The log directory must be writable by the IIS app pool identity.
Message history
Set the message buffer size to enable recent log message viewing:
nginx:
```nginx
pagespeed MessageBufferSize 100000;
```
Apache:
```apache
ModPagespeedMessageBufferSize 100000
```
IIS:
```
pagespeed MessageBufferSize 100000
```
Messages are collected globally from all IIS worker processes and accessible at /pagespeed_global_admin/message_history.
Default is 0 (disabled).
URL-path ACLs are brittle
A WAF or upstream filter that blocks the admin endpoint by string-matching the literal URL is easy to bypass. Common evasion techniques target path normalization differences between the filter and the origin web server:
- Duplicate slashes (//pagespeed_admin/)
- Path segments (/./pagespeed_admin/, /foo/../pagespeed_admin/)
- Percent-encoded characters (/%70agespeed_admin/, /pagespeed_admin/%2e./statistics)
- Mixed case (/PageSpeed_Admin/)
- Trailing slash present/absent
- Path parameters (/pagespeed_admin;param=x/statistics)
Gate access at the web server’s normalized location/handler layer — location = / ^~ on nginx, <Location> on Apache, the handler-bound check on IIS — not at a separate filter that operates on the raw URL string. The web server runs its match against the same normalized path the handler will see.
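The following is an added example, not code from mod_pagespeed or this page's authors: it compares a hypothetical raw-string prefix filter with an exact-or-prefix match on a normalized path, to show where the two disagree. The `normalize` function is a simplified model assumed for illustration, not nginx's actual normalization, and all function names and sample paths are constructed.

```python
from urllib.parse import unquote

ADMIN = "/pagespeed_admin"

# Constructed sample requests: a direct hit, variants listed on this page,
# and one unrelated path.
SAMPLES = [
    "/pagespeed_admin/statistics",
    "//pagespeed_admin/",
    "/./pagespeed_admin/",
    "/foo/../pagespeed_admin/",
    "/%70agespeed_admin/",
    "/PageSpeed_Admin/",
    "/index.html",
]

def raw_filter_blocks(raw_path: str) -> bool:
    """Hypothetical upstream rule: literal prefix match on the undecoded path."""
    return raw_path.startswith(ADMIN)

def normalize(raw_path: str) -> str:
    """Simplified origin-side model (an assumption): decode percent-escapes
    once, drop empty and '.' segments, resolve '..'. Case is preserved, so
    whether a mixed-case path reaches a handler is left to the real server."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def origin_routes_to_admin(raw_path: str) -> bool:
    """Exact-or-prefix match on the normalized path, like `=` plus `^~`."""
    norm = normalize(raw_path)
    return norm == ADMIN or norm.startswith(ADMIN + "/")

def filter_gaps(paths):
    """Requests the raw filter passes but the origin would treat as admin."""
    return [p for p in paths
            if origin_routes_to_admin(p) and not raw_filter_blocks(p)]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:32} raw-blocked={raw_filter_blocks(path)!s:5} "
              f"admin={origin_routes_to_admin(path)}")
    print("gaps:", filter_gaps(SAMPLES))
```

An ACL evaluated on the output of the same normalizer as the routing decision has no such gaps by construction, which is the reason to gate at the location/handler layer.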
Important notes
- pagespeed_admin and pagespeed_global_admin are read-write (can purge cache; the global handler also drives license activation). Other handlers are read-only.
- Always restrict admin page access in production.
See also
- Caching — cache purging via the admin interface
- Configuration — general configuration reference

