Admin Console

mod_pagespeed 1.1 admin console: statistics, cache inspection, message history, and config. Setup for nginx, Apache, IIS — accessible at /pagespeed_admin/.

Overview

mod_pagespeed 1.1 includes built-in admin pages for monitoring, configuration inspection, and cache management. Access them at /pagespeed_admin/ on your server.

Two endpoints are exposed: /pagespeed_admin is the per-vhost admin handler, and /pagespeed_global_admin is the process-wide handler and the license/trial console. Both are read-write (cache purge, license apply) and warrant the same access restrictions in production.

Admin pages

Page	URL	Description
Statistics	`/pagespeed_admin/statistics`	Filter activity, cache hit rates, latency
Configuration	`/pagespeed_admin/config`	Active filters and directive values
Histograms	`/pagespeed_admin/histograms`	Page load time, rewrite latency distributions
Caches	`/pagespeed_admin/cache`	Cache status, inspection, and purge
Console	`/pagespeed_admin/console`	Historical graphs (requires StatisticsLogging)
Messages	`/pagespeed_admin/message_history`	Recent log messages

Setup

Add handler paths and corresponding location blocks:

pagespeed StatisticsPath /ngx_pagespeed_statistics;
pagespeed GlobalStatisticsPath /ngx_pagespeed_global_statistics;
pagespeed MessagesPath /ngx_pagespeed_message;
pagespeed ConsolePath /pagespeed_console;
pagespeed AdminPath /pagespeed_admin;
pagespeed GlobalAdminPath /pagespeed_global_admin;

Location blocks for the admin paths must appear before the .pagespeed. resource regex in your config.

Restrict access at the location layer. The = (exact) and ^~ (prefix) matchers run against the request path after nginx normalizes it, which defuses common path-rewriting bypasses (see URL-path ACLs are brittle below):

# Restrict mod_pagespeed admin endpoints to localhost.
# Widen explicitly (e.g. add `allow <admin-CIDR>;`) for ops access.
# Use `location =` exact-match: nginx normalizes the request path before
# this match, defeating common path-bypass tricks (//, /./, %2e, case).
location = /pagespeed_admin {
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
location ^~ /pagespeed_admin/ {
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
# Repeat for /pagespeed_global_admin (license/trial console — at least as sensitive).
location = /pagespeed_global_admin { allow 127.0.0.1; allow ::1; deny all; }
location ^~ /pagespeed_global_admin/ { allow 127.0.0.1; allow ::1; deny all; }

<Location /pagespeed_admin>
    Order allow,deny
    Allow from localhost
    Allow from 127.0.0.1
    SetHandler pagespeed_admin
</Location>

<Location /pagespeed_global_admin>
    Order allow,deny
    Allow from localhost
    Allow from 127.0.0.1
    SetHandler pagespeed_global_admin
</Location>

Add admin path directives to your pagespeed.config:

pagespeed AdminPath /pagespeed_admin
pagespeed GlobalAdminPath /pagespeed_global_admin
pagespeed StatisticsPath /pagespeed_statistics
pagespeed GlobalStatisticsPath /pagespeed_global_statistics
pagespeed MessagesPath /pagespeed_message
pagespeed ConsolePath /pagespeed_console

By default, admin pages are accessible only from localhost. To allow access from other hosts:

pagespeed InfoUrlsLocalOnly off

Use this setting with caution in production — restrict access at the network level (firewall rules) when exposing admin pages to non-local clients.

Windows Event Viewer

The 1.1 IIS module logs warnings and errors to the Windows Event Viewer automatically. Open Event Viewer and look under Windows Logs > Application for entries from the mod_pagespeed source.

Event Viewer captures module startup/shutdown messages, configuration errors, and runtime warnings without any additional configuration.

Access control

Restrict admin page access by domain using domain-level ACLs:

pagespeed AdminDomains Allow localhost;
pagespeed AdminDomains Allow 10.0.0.*;

ModPagespeedAdminDomains Allow localhost
ModPagespeedAdminDomains Allow 10.0.0.*

pagespeed AdminDomains Allow localhost
pagespeed AdminDomains Allow 10.0.0.*

On IIS, the InfoUrlsLocalOnly directive provides an additional layer of access control. When set to on (the default), admin URLs are only accessible from the local machine regardless of the AdminDomains setting.

Available ACL directives: StatisticsDomains, GlobalStatisticsDomains, MessagesDomains, ConsoleDomains, AdminDomains, GlobalAdminDomains.

Default is Allow *. Once any Allow is specified, all other domains are implicitly denied. Wildcards are supported.

Statistics

Statistics are enabled by default and required for features like image rewrite concurrency limiting and background fetch rate limiting. Do not disable them.

pagespeed Statistics on;
pagespeed UsePerVhostStatistics on;

ModPagespeedStatistics on
ModPagespeedUsePerVhostStatistics on

pagespeed Statistics on
pagespeed UsePerVhostStatistics on

Per-vhost statistics are enabled by default on IIS. Each website gets its own set of counters, accessible at /pagespeed_global_admin/statistics on that site.

UsePerVhostStatistics enables per-virtual-host stats while still exposing aggregates at the global admin path.

Console (historical graphs)

The console requires StatisticsLogging to record data over time:

pagespeed StatisticsLogging on;
pagespeed LogDir /var/log/pagespeed;

ModPagespeedStatisticsLogging on
ModPagespeedLogDir /var/log/pagespeed

pagespeed StatisticsLogging on
pagespeed LogDir %ProgramData%\We-Amp\IISWebSpeed\Logs

The log directory must be writable by the IIS app pool identity.

Message history

Set the message buffer size to enable recent log message viewing:

pagespeed MessageBufferSize 100000;

ModPagespeedMessageBufferSize 100000

pagespeed MessageBufferSize 100000

Messages are collected globally from all IIS worker processes and accessible at /pagespeed_global_admin/message_history.

Default is 0 (disabled).

URL-path ACLs are brittle

A WAF or upstream filter that blocks the admin endpoint by string-matching the literal URL is easy to bypass. Common evasion techniques target path normalization differences between the filter and the origin web server:

Duplicate slashes (//pagespeed_admin/)
Path segments (/./pagespeed_admin/, /foo/../pagespeed_admin/)
Percent-encoded characters (/%70agespeed_admin/, /pagespeed_admin/%2e./statistics)
Mixed case (/PageSpeed_Admin/)
Trailing slash present/absent
Path parameters (/pagespeed_admin;param=x/statistics)

Gate access at the web server’s normalized location/handler layer — location = / ^~ on nginx, <Location> on Apache, the handler-bound check on IIS — not at a separate filter that operates on the raw URL string. The web server runs its match against the same normalized path the handler will see.

Important notes

pagespeed_admin and pagespeed_global_admin are read-write (can purge cache; the global handler also drives license activation). Other handlers are read-only.
Always restrict admin page access in production.