HTTP/2 & Let’s Encrypt for WordPress

Our web blog now meets the latest security standards, and making it HTTP/2-ready is easier than you think. Here’s how we switched our web blog (https://devblog.plesk.com), running on Plesk + NGINX, to HTTPS and made it HTTP/2-ready with a free SSL certificate from Let’s Encrypt. Before we get into the details, a few things to start with.

Protocol enhancements like SPDY and HTTP/2 have narrowed the performance gap between encrypted and un-encrypted web traffic, with encrypted HTTP/2 outperforming un-encrypted HTTP/1.1 in some cases. Even more importantly, encryption is now kind of mandatory as Google announced that HTTPS is used as a ranking signal in search results, with HTTPS-enabled sites ranking above their plaintext counterparts. ‘Yes, HTTP/2 is awesome,’ I hear you saying, ‘but it requires HTTPS which, in turn, requires an SSL certificate – and those things cost money, you know?’ Well, here comes the sales pitch: Plesk, together with Let’s Encrypt, makes HTTPS setup a breeze and brings you a faster Web with HTTP/2.

Let’s see how we did it.

HTTPS & Let’s Encrypt

First, we issued a free trusted certificate from Let’s Encrypt with automatic renewal and set it up for devblog.plesk.com, hosted on Plesk 12.5.

There are many manuals available online about how to install an SSL certificate on Linux, so you might have already seen rows upon rows of command line calls, lists of changes to configuration files, and even instructions for building additional utilities. Well, we decided to make our life easier and just used the Plesk “Let’s Encrypt” extension, which enables Plesk users to issue and install certificates with auto-renewal functionality in the Plesk UI with just a few clicks.

You can find the details in one of our previous blog posts here: https://devblog.plesk.com/2015/12/lets-encrypt-plesk/. After a few clicks we were done and had a free, trusted SSL certificate installed on devblog.plesk.com. Let’s enable HTTP/2 next.

HTTP/2

HTTP/2 is the second major version of the HTTP network protocol used by the world wide web.

Ratified in May 2015, HTTP/2 was created to address some significant performance problems with HTTP 1.1 in the modern web era.

  •  HTTP/2 is supported in NGINX web server starting from version 1.9.5.
  •  Currently, HTTP/2 is supported by all major web browsers.
  •  Your sites do not require any changes to get the HTTP/2 advantages.

Now, HTTP/2 is available out-of-the-box for all Plesk 12.5 customers!

Sounds good, doesn’t it? Let’s move on.

First, you need to make sure that the latest Plesk update, Plesk 12.5.30 Update #28, is installed. We didn’t have to, because we have auto-updates enabled on the server, and we recommend you enable them too. Then we logged in to the server via SSH as root and ran the following command line utility:

That’s all it took to empower our HTTPS sites with HTTP/2! If you’re not sure about your websites, go to https://tools.keycdn.com/http2-test to check for HTTP/2 compliance.
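A server-side complement to the external test, as an added example (not Plesk's own tooling): nginx turns on HTTP/2 per listener through the `http2` parameter of `listen`, so the function below reports TLS listeners that lack it, the symptom a commenter describes further down. `audit_http2`, `make_sample_vhosts` and the sample vhost files are constructed for illustration.

```shell
# Added example: report TLS "listen" directives that lack the http2 parameter.
# All file contents are constructed; 192.0.2.10 is a documentation address.

# audit_http2 DIR: print "file:line: directive" for every offender.
# Returns 1 if any TLS listener lacks http2, 0 otherwise.
audit_http2() {
    report=$(find -L "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            $1 == "listen" {                  # commented-out lines start with "#"
                line = $0
                sub(/#.*/, "", line)          # drop a trailing comment
                gsub(/;/, " ", line)          # ";" ends the directive
                n = split(line, tok, /[ \t]+/)
                ssl = 0; h2 = 0
                for (i = 1; i <= n; i++) {
                    if (tok[i] == "ssl")   ssl = 1
                    if (tok[i] == "http2") h2 = 1
                }
                if (ssl && !h2) {
                    sub(/^[ \t]+/, "")
                    printf "%s:%d: %s\n", file, FNR, $0
                }
            }' "$f"
    done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# make_sample_vhosts: write constructed vhost files to a temp dir, print its path.
make_sample_vhosts() {
    d=$(mktemp -d)
    printf 'server {\n    listen 192.0.2.10:443 ssl;\n    server_name a.example;\n}\n' > "$d/a.conf"
    printf 'server {\n    listen 192.0.2.10:443 ssl http2;\n}\nserver {\n    listen 192.0.2.10:80;\n}\n' > "$d/b.conf"
    printf 'server {\n    # listen 192.0.2.10:443 ssl;\n    listen 192.0.2.10:443 http2 ssl;\n}\n' > "$d/c.conf"
    printf '%s\n' "$d"
}

dir=$(make_sample_vhosts)
audit_http2 "$dir" || echo "TLS listeners without http2 found"
rm -rf "$dir"
```

Point it at the directory that holds your nginx vhost files; the comments below name /etc/nginx/plesk.conf.d/vhosts/ as that location. On nginx 1.25.1 and later HTTP/2 is switched on with a separate `http2 on;` directive, which this check does not look at.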

Detailed User Instructions for enabling HTTP/2 in Plesk can be found here: https://kb.plesk.com/en/128733

If you’d like to get a second opinion, you are welcome to use the “HTTP/2 and SPDY indicator” extension for Google Chrome, found here.

WordPress

We have now secured the connection between the server and the website. The next step is to configure our WordPress site to only use HTTPS. This required a re-configuration of WordPress settings to replace all http:// links inside the WordPress database with https://. If you fail to do so, you will continue to receive “Mixed content warnings” for previously uploaded content:

  1. Go to the WordPress administrative interface and change both “WordPress Address” and “Site Address” to use https://
  2. Set up a redirect for all http:// requests to https:// for the respective website.

Next step was to change the links inside the WordPress database. There are a lot of possible ways to do it, starting from direct SQL queries to wp-cli. We decided to do it via the WordPress interface using the “Better Search & replace” plugin, which can either be installed from the Plesk interface or from the WordPress Administrative interface.

This plugin helped us to find all matches for “http://devblog.plesk.com” in the WordPress database and replace them with “https://devblog.plesk.com”. The plugin lets you not only find matches but also find and replace them if you wish to do so.

Last but not least, we had to redirect all http:// requests to the https:// counterpart of our blog using the Plesk interface. We went to Websites & Domains, selected devblog.plesk.com, and then opened “Apache and nginx Settings” to set up the redirect in the “Additional nginx directives” section, like this:

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

That’s it! Now, all browser requests to http://devblog.plesk.com are redirected with the 301 code to https://devblog.plesk.com, and that’s just what we wanted.
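One way to verify the redirect from the command line, as an added example that is not part of the original post: `redirect_verdict` (a hypothetical helper) reads the response headers of a plain-HTTP request and checks that the answer is a 301 to the same host, path and query string over https://. The sample responses and the blog.example host are constructed.

```shell
# Added example: classify the response to a plain-HTTP request.
# redirect_verdict REQUEST_URL < response-headers
# Prints: ok | not-permanent | target-changed | not-https | no-redirect
redirect_verdict() {
    awk -v req="$1" '
        { sub(/\r$/, "") }                        # header lines end in CRLF
        NR == 1 { status = $2 }                   # e.g. HTTP/1.1 301 Moved Permanently
        tolower($1) == "location:" { loc = $2 }   # header names are case-insensitive
        END {
            want = req
            sub(/^http:/, "https:", want)         # same host, path and query, over TLS
            if (status !~ /^30[1278]$/)    v = "no-redirect"
            else if (loc !~ /^https:\/\//) v = "not-https"
            else if (loc != want)          v = "target-changed"
            else if (status != "301")      v = "not-permanent"
            else                           v = "ok"
            print v
        }'
}

# Constructed sample responses, one per outcome.
sample_ok()   { printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://blog.example/a?b=1\r\n\r\n'; }
sample_temp() { printf 'HTTP/1.1 302 Found\r\nLocation: https://blog.example/a?b=1\r\n\r\n'; }
sample_lost() { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://blog.example/\r\n\r\n'; }
sample_http() { printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: http://www.blog.example/a?b=1\r\n\r\n'; }
sample_none() { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'; }

for s in sample_ok sample_temp sample_lost sample_http sample_none; do
    printf '%s: %s\n' "$s" "$($s | redirect_verdict 'http://blog.example/a?b=1')"
done
```

Against a live site, pipe `curl -sI` for the http:// URL into `redirect_verdict` with the same URL as its argument. A request sent to an alias host name is reported as target-changed, because `$server_name` always redirects to the primary server name.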

On a separate note…

A load speed test with https://www.webpagetest.org/ shows that the transition from non-SSL HTTP to HTTPS + HTTP/2 has little impact on the site load speed.

In return, we now have a secure connection with a nice green trusted SSL certificate, including better indexing from Google for free 🙂

By the way, we did not stop with the DevBlog – actually, the new Plesk website (https://www.plesk.com – check it out!) was built on Plesk 12.5 [+ WordPress Toolkit] + WordPress.

Have a nice day 🙂

34 thoughts

  1. Markus E. -

    Nice one. But why is ALPN not already in there ?

    Dmitry Libenzon -

    ALPN is available only since openssl 1.0.2 that is not supplied by OS vendors yet.

    Mike -

    ALPN support can be added when you distribute your own OpenSSL lib, just like unixadm repo does:
    https://reposerv.unixadm.org/rhel/7/openssl102/x86_64/repoview/

  2. chris mayer -

    Hello

    That’s great news and we implemented it already on our Linux servers. What about Windows hosting with Plesk?

  3. Peter Heck -

    https/2 – Unfortunately, this doesn’t work for me:

    Latest Plesk 12.5 release:
    12.5.30 Update #28, last updated at April 18, 2016 06:28 AM
    Also nginx seems to be up-to-date:
    ii sw-nginx 1.9.14-debian7.0.16040615

    OpenSSL is also in the right version:
    ii openssl 1.0.1e-2+deb7u20

    When I first ran the command, Plesk complained about double entries with /etc/nginx/perfect-forward-secrecy.conf for some entries (I created my own config and cypher suites for SSL). OK, disabled all entries in this file and ran it again – now it works fine without any error message, ok.
    BUT: Test shows that https/2 isn’t working. On top of it, Plesk generates some own cypher suite entries in /etc/nginx/conf.d/ssl.conf which are blocking a lot of browsers! SSL-Labs test still gets me an A+ rating, but a lot of browsers are now flagged as not working (i.e. all Android < 4.4).

    Any idea why it doesn't work? And any idea how I can define my own cypher suites (running the command always adds them / changes them in the ssl.conf file, so also no way to do some magic there)?

    Cheers Peter

  4. Thomas -

    Thank you for this nice Tutorial.

  5. Andy -

    This works fine on all the servers we have tested.. however, it cuts off a lot of older browsers

    http://screencast.com/t/DVPC7dcI6

    is there no nice fall back ?

  6. Miguel -

    enabling http/2 works right away, but now I have several people with older versions of Safari. Will it work safely if I use:
    #/usr/local/psa/bin/http2_pref disable

    Dmitry Libenzon -

    Miguel,
    Yes, it’s safe. But what is the Safari version that can’t connect? Could you also let us know the OS name/version: Yosemite?

    Andy -

    Any browser that does not understand TLS 1.2 will not work.

    See here for full list : https://www.ssllabs.com/ssltest/analyze.html?d=devblog.plesk.com

    This makes it almost useless for e-commerce stores where you can’t afford to turn away customers. It’s a pity that there is no fallback for older browsers.

    Peter Heck -

    The following cypher works really well and retains an A+ ranking @ SSL-Labs:

    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';

    See screenshot here: https://owncloud.ph-internet.de/index.php/s/TDCDK7saWfqAWmv

    So why not use this cypher to replace the hardcoded one in Plesk which will ban a lot of browsers?

    Cheers Peter

  7. Viktor Vogel -

    Yes, the hard coded ciphers / settings are too restrictive and should be optimized in the next Plesk release. I would also love to see the integration of ALPN.

    For now, it’s still easy for you to add custom directives to add the support for older browsers and to get an A or A+ rating.

    Go to the “Apache & nginx Settings” page in your Plesk control panel and enter for the nginx directives:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_prefer_server_ciphers on;

    Additionally it is important that you create a custom Diffie-Hellman key for Forward Secrecy and use Strict Transport Security (HSTS). But this is a topic for another blog post! 😉

    See result here: https://www.ssllabs.com/ssltest/analyze.html?d=joomla-extensions.kubik-rubik.de (I use an own certificate)

    Cheers
    Viktor

  8. Simon -

    Using below in the ssl.conf file @ /etc/nginx/conf.d made tls 1.0 and 1.1 come back, hope this helps someone trying to use http2.

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers kEECDH+ECDSA+AES128:kEECDH+ECDSA+AES256:kEECDH+AES128:kEECDH+AES256:kEDH+AES128:kEDH+AES256:DES-CBC3-SHA+SHA:!aNULL:!eNULL:!LOW:!kECDH:!DSS:!MD5:!EXP:!PSK:!SRP:!CAMELLIA:!SEED;
    ssl_prefer_server_ciphers on;

  9. indobotol -

    Thanks for your tutorial…
    nice …

  10. Markus E. -

    @Viktor Vogel:

    Do you mind posting a link on how to implement Forward Secrecy and HSTS on Plesk?

  11. Markus E. -

    For the record, I used this guide:

    https://www.howtoforge.com/ssl-perfect-forward-secrecy-in-nginx-webserver

    Entered the details in /etc/nginx/conf.d/ssl.conf

    A+ on all sites on my Plesk instance now.

  12. Peter Heck -

    Found the problem why the http/2.0 support didn’t work for me:

    The #/usr/local/psa/bin/http2_pref enable command is not inserting the http2 directive in the nginx.conf files at /var/www.vhost/system//conf. It shows for example:

    server {
    listen 148.251.9.86:443 ssl;

    instead of

    server {
    listen 148.251.9.86:443 http2 ssl;

    Can you have a look at this?

    Cheers Peter

    Peter Heck -

    See http://forum.odin.com/threads/http-2-not-working.337065/

    Problem seems to be related, that the /usr/local/psa/admin/sbin/httpdmng --reconfigure-all command didn’t include the “http2” directive into the nginx.conf file.

    Udo Pasch -

    Hello Peter,

    Seems to work now. Please have a look at the vhost files located in /etc/nginx/plesk.conf.d/vhosts/

    After I enabled http2 with the command #/usr/local/psa/bin/http2_pref enable, the server section inside the vhost files was modified as expected.

  13. Kingsley -

    Do I really need SSL for blogs?

    Genset Krisbow -

    Same question, do we need SSL for blogs?

  14. EJ -

    It would be great if you showed us how to do a redirect for Windows Servers…

  15. Blog -

    +1 to EJ
    It would be great if you showed us how to do a redirect for Windows Servers…

  16. borneo -

    Hi, this is the best post. I have one question, that is, I used SSL but sometimes it does not work. Do you have a solution???

  17. Francois -

    VERY IMPORTANT!

    Be aware that activating HTTP/2 on your Plesk server will have as consequence that all users that are still on Windows 7 and 8, and browse with Internet Explorer 11.0.9600.18349 (and older), will no longer be able to visualize your secured websites!!!

    Because this version of MS IE is simply NOT compatible…

    This can have VERY serious consequences in traffic and REVENUES for a commercial website for instance, as many people are still using that kind of configurations.

    I have just discovered this problem, because most computers in the EEC buildings in Brussels are still on Windows 7 (that is a whole lot of machines!!!).
    And many other institutions and even private companies have not migrated yet to more recent configurations.

    In light of that, do as you please…
    But personally I have deactivated HTTP/2 on all my servers, before losing more traffic (and buyers!).

  18. Francois -

    Hello again,

    To the person reading the moderated comments:
    I was wrong in the diagnosis of my problem.
    It actually appears that HTTP/2 would not function properly on all my servers, probably because of Linux updates on their OS (apt-get/yum upgrade), that would have corrupted the way HTTP protocol works.
    The consequence being that all my servers would ONLY respond with HTTP/2, and NEVER with HTTP/1.1.

    After disabling and then re-enabling HTTP/2, my servers respond correctly, and display HTTPS pages.

    There is yet a lesson in this: there can be problems with HTTP/2 after updates, and everyone should systematically check that HTTPS access is working properly after updating a server…

    Silvio -

    Francois!! Thank you very much for your comment! That worked for me too!
    Luckily I read until this last comment! 😀

    Dear Moderator – that should perhaps be noted somewhere in the article!? This issue caused some disappointment and headache in the first place…

    Otherwise thanks for the good work!

    Greets to you all! 😀

  19. Tony -

    That’s great news and we implemented it already on our Linux servers. What about Windows hosting with Plesk?

  20. Tim Enewolwen -

    Nice that we found this answer together. Does it work on a Linux server too or do I have to do something different for that? Maybe I should just use Windows or would this be a problem?
    I also have the problem that sometimes my SSL doesn’t work and sometimes it does. So sometimes the visitor is shown the certificate, sometimes he is not. What can I do about that?

  21. James -

    Hi friend, thanks for your great article, I have a question, since my site not enabled SSL before, and has rank better in google, if I enable SSL, will it affect my site rank? Have bookmarked your nice post, waiting for your kind reply, thanks a lot!

  22. Natalia -

    Thank you for this nice Tutorial. It would be great if you showed us how to do a redirect for Windows Servers

  23. Safari -

    Thanks. I am searching for these types of articles for the security of my WordPress websites.

  24. Ikan -

    Be aware that activating HTTP/2 on your Plesk server will have as consequence that all users that are still on Windows 7 and 8, and browse with Internet Explorer 11.0.9600.18349 (and older), will no longer be able to visualize your secured websites!!!

  25. Peter -

    Many thanks for this Howto. Used it today and saved me much time.
