Our web blog now meets the latest security standards, and making it HTTP/2-ready is easier than you think. Here’s how we switched our web blog (https://devblog.plesk.com) running on Plesk + NGINX to HTTPS and made it HTTP/2-ready with a free SSL certificate from Let’s Encrypt. Before we get into the details, a few things to start with.
Protocol enhancements like SPDY and HTTP/2 have narrowed the performance gap between encrypted and un-encrypted web traffic, with encrypted HTTP/2 outperforming un-encrypted HTTP/1.1 in some cases. Even more importantly, encryption is now kind of mandatory as Google announced that HTTPS is used as a ranking signal in search results, with HTTPS-enabled sites ranking above their plaintext counterparts. ‘Yes, HTTP/2 is awesome,’ I hear you saying, ‘but it requires HTTPS which, in turn, requires an SSL certificate – and those things cost money, you know?’ Well, here comes the sales pitch: Plesk, together with Let’s Encrypt, makes HTTPS setup a breeze and brings you a faster Web with HTTP/2.
Let’s see how we did it.
HTTPS & Let’s Encrypt
First, we issued a free trusted certificate from Let’s Encrypt with automatic renewal and set it up for devblog.plesk.com, hosted on Plesk 12.5.
There are many manuals available online about how to install an SSL certificate on Linux, so you might have already seen rows upon rows of command-line calls, lists of changes to configuration files, and even instructions for building additional utilities. Well, we decided to make our life easier and just used the Plesk “Let’s Encrypt” extension, which enables Plesk users to issue and install certificates with auto-renewal in the Plesk UI with just a few clicks.
You can find the details in one of our previous blog posts here: https://www.plesk.com/2015/12/lets-encrypt-plesk/. After a few clicks we were done and had a free, trusted SSL certificate installed on devblog.plesk.com. Let’s enable HTTP/2 next.
HTTP/2
HTTP/2 is the second major version of the HTTP network protocol used by the world wide web.
Ratified in May 2015, HTTP/2 was created to address some significant performance problems with HTTP 1.1 in the modern web era.
- HTTP/2 is supported in NGINX web server starting from version 1.9.5.
- Currently, HTTP/2 is supported by all major web browsers.
- Your sites do not require any changes to get the HTTP/2 advantages.
Now, HTTP/2 is available out-of-the-box for all Plesk 12.5 customers!
Sounds good, doesn’t it? Let’s move on.
First, you need to make sure that the latest Plesk update, Plesk 12.5.30 Update #28, is installed. We didn’t have to, because we have auto-updates enabled on the server, and we recommend you enable them too. Then we logged in to the server via SSH as root and ran the following command-line utility:
# /usr/local/psa/bin/http2_pref enable
That’s all it took to empower our HTTPS sites with HTTP/2! If you’re not sure about your websites go to https://tools.keycdn.com/http2-test to check for HTTP/2 compliance.
Detailed User Instructions for enabling HTTP/2 in Plesk can be found here: https://kb.plesk.com/en/128733
If you’d like to get a second opinion, you are welcome to use the “HTTP/2 and SPDY indicator” extension for Google Chrome, found here.
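A local complement to the online test, as an added example (not part of the original post or of Plesk's tooling): it parses nginx vhost configuration and reports every TLS `listen` directive that lacks `http2`, together with the `ssl_protocols` set in that block. The vhost directory is the one quoted in the comments below; the `*.conf` file pattern, function names and sample configuration are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Vhost directory as quoted in the comments on this page; the *.conf pattern
# used below is an assumption, adjust both for your server.
VHOST_DIR = Path("/etc/nginx/plesk.conf.d/vhosts")

def server_blocks(conf_text):
    """Yield the body of every `server { ... }` block, comments stripped."""
    text = re.sub(r"#.*", "", conf_text)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:      # brace matching copes with nested if {}
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit(conf_text):
    """Return one record per TLS listen directive found in conf_text."""
    records = []
    for body in server_blocks(conf_text):
        name = re.search(r"\bserver_name\s+([^;\s]+)", body)
        protos = re.search(r"\bssl_protocols\s+([^;]+);", body)
        # nginx 1.25.1+ replaces the listen parameter with a separate `http2 on;`
        http2_directive = re.search(r"\bhttp2\s+on\s*;", body) is not None
        for m in re.finditer(r"\blisten\s+([^;]+);", body):
            address, *params = m.group(1).split()
            if "ssl" not in params:
                continue                     # plain HTTP listener, nothing to negotiate
            records.append({
                "server_name": name.group(1) if name else None,
                "listen": address,
                "http2": "http2" in params or http2_directive,
                # None means the block inherits ssl_protocols from the http level
                "ssl_protocols": protos.group(1).split() if protos else None,
            })
    return records

def missing_http2(conf_text):
    """Addresses of TLS listeners that will only ever speak HTTP/1.1."""
    return [r["listen"] for r in audit(conf_text) if not r["http2"]]

# Constructed sample (documentation addresses, not taken from a real server).
SAMPLE = """
server {
    listen 192.0.2.10:443 ssl http2;   # as expected after http2_pref enable
    server_name blog.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 192.0.2.10:80;
    server_name blog.example.com;
    if ($scheme = http) { return 301 https://$server_name$request_uri; }
}
server {
    listen 192.0.2.11:443 ssl;         # http2 parameter missing
    server_name shop.example.com;
}
"""

if __name__ == "__main__":
    texts = {"<sample>": SAMPLE}
    if VHOST_DIR.is_dir():
        texts = {str(p): p.read_text() for p in VHOST_DIR.glob("*.conf")}
    stale = {src: missing_http2(t) for src, t in texts.items() if missing_http2(t)}
    for src, addrs in stale.items():
        print(f"{src}: no http2 on {', '.join(addrs)}")
    sys.exit(1 if stale else 0)
```

Run as root after each Plesk or OS update; a non-zero exit status means at least one HTTPS listener was generated without `http2`.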
WordPress
We have now secured the connection between the server and the website. The next step is to configure our WordPress site to only use HTTPS. This required a re-configuration of WordPress settings to replace all http:// links inside the WordPress database with https://. If you fail to do so, you will continue to receive “mixed content” warnings for previously uploaded content:
- Go to the WordPress administrative interface and change both “WordPress Address” and “Site Address” to use https://
- Set-up a redirect for all http:// requests to https:// for the respective website.
Next step was to change the links inside the WordPress database. There are a lot of possible ways to do it, starting from direct SQL queries to wp-cli. We decided to do it via the WordPress interface using the “Better Search & replace” plugin, which can either be installed from the Plesk interface or from the WordPress Administrative interface.
This plugin helped us to find all matches for “http://devblog.plesk.com” in the WordPress database and replace them with “https://devblog.plesk.com”. The plugin lets you run a find-only pass first, or find and replace if you wish to do so.
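Why a serialization-aware tool matters for this step, shown as an added example (not code from the original post or from the plugin): WordPress stores many settings as PHP-serialized strings with byte-length prefixes, so a plain SQL `REPLACE()` from http:// to https:// leaves lengths that no longer match and PHP's `unserialize()` rejects the value. The function names and the sample option value are constructed for illustration.

```python
import re

OLD = b"http://devblog.plesk.com"
NEW = b"https://devblog.plesk.com"

# PHP serialize() writes strings as s:<byte length>:"<bytes>"; and the length
# must match the payload exactly.
_STR_TOKEN = re.compile(rb's:(\d+):"')

def php_str(payload: bytes) -> bytes:
    """Serialize one PHP string with a correct byte-length prefix."""
    return b's:%d:"%s";' % (len(payload), payload)

def rewrite_value(value: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new, recomputing every serialized string length."""
    out, pos = [], 0
    while (m := _STR_TOKEN.search(value, pos)):
        start = m.end()
        end = start + int(m.group(1))
        if value[end:end + 2] != b'";':
            # Looks like a token but is ordinary text: copy it through.
            out.append(value[pos:start].replace(old, new))
            pos = start
            continue
        out.append(value[pos:m.start()].replace(old, new))
        # Recurse so a serialized value stored inside a string is fixed too.
        out.append(php_str(rewrite_value(value[start:end], old, new)))
        pos = end + 2
    out.append(value[pos:].replace(old, new))
    return b"".join(out)

def lengths_consistent(value: bytes) -> bool:
    """True if every top-level s:N:"..." token has a payload of N bytes."""
    pos = 0
    while (m := _STR_TOKEN.search(value, pos)):
        end = m.end() + int(m.group(1))
        if value[end:end + 2] != b'";':
            return False
        pos = end + 2
    return True

# Constructed sample: a two-element PHP array as it could sit in wp_options.
SAMPLE = (b"a:2:{" + php_str(b"logo")
          + php_str(b"http://devblog.plesk.com/a.png")
          + php_str(b"n") + b"i:5;}")

if __name__ == "__main__":
    naive = SAMPLE.replace(OLD, NEW)          # what a bare SQL REPLACE() does
    print("naive  :", naive.decode(), "valid:", lengths_consistent(naive))
    fixed = rewrite_value(SAMPLE, OLD, NEW)
    print("rewrite:", fixed.decode(), "valid:", lengths_consistent(fixed))
```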
Last but not least, we had to redirect all http:// requests to the https:// counterpart of our blog using the Plesk interface. We went to Websites & Domains, selected devblog.plesk.com, and then opened “Apache and nginx Settings” to set up the redirect in the “Additional nginx directives” section, like this:
if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}
That’s it! Now, all browser requests to http://devblog.plesk.com are redirected with the 301 code to https://devblog.plesk.com, and that’s just what we wanted.
On a separate note…
A load speed test with https://www.webpagetest.org/ shows that the transition from non-SSL HTTP to HTTPS + HTTP/2 has little impact on the site load speed.
In return, we now have a secure connection with a nice green trusted SSL certificate, including better indexing from Google for free 🙂
By the way, we did not stop with the DevBlog – actually, the new Plesk website (https://www.plesk.com – check it out!) was built on Plesk 12.5 [+ WP Toolkit] + WordPress.
Have a nice day 🙂
97 Comments
Nice one. But why is ALPN not already in there ?
ALPN is available only since openssl 1.0.2 that is not supplied by OS vendors yet.
ALPN support can be added when you distribute your own OpenSSL lib, just like unixadm repo does:
https://reposerv.unixadm.org/rhel/7/openssl102/x86_64/repoview/
Hello
That’s great news and we implemented it already on our Linux servers. What about Windows hosting with Plesk?
Awesome article. I have been searching for articles like this for a long time.
Thank you for providing one !
https/2 – Unfortunately, this doesn’t work for me:
Latest Plesk 12.5 release:
12.5.30 Update #28, last updated at April 18, 2016 06:28 AM
Also nginx seems to be up-to-date:
ii sw-nginx 1.9.14-debian7.0.16040615
OpenSSL is also in the right version:
ii openssl 1.0.1e-2+deb7u20
When I first ran the command, Plesk complains about double entries with /etc/nginx/perfect-forward-secrecy.conf for some entries (I created my own config and cypher suites for SSL). OK, disabled all entries in this file and ran it again – now it works fine without any error message, ok.
BUT: Test shows that https/2 isn’t working. On top of it, Plesk generates some own cypher suite entries in /etc/nginx/conf.d/ssl.conf which are blocking a lot of browsers! SSL-Labs test still gets me an A+ rating, but a lot of browsers are now flagged as not working (i.e. all Android < 4.4).
Any idea why it doesn't work? And any idea how I can define my own cypher suites (running the command always adds them / changes them in the ssl.conf file, so also no way to do some magic there)?
Cheers Peter
Thank you for this nice Tutorial.
This works fine on all the servers we have tested.. however, it cuts off a lot of older browsers
http://screencast.com/t/DVPC7dcI6
is there no nice fall back ?
enabling http/2 works right away, but now I have several people with older versions of Safari. Will it work safely if I use:
#/usr/local/psa/bin/http2_pref disable
Miguel,
Yes, it’s safe. But what is the Safari version that can’t connect? Could you also let us know the OS name/version: Yosemite?
any browser that does not understand tls 1.2 will not work.
See here for full list : https://www.ssllabs.com/ssltest/analyze.html?d=devblog.plesk.com
This makes it almost useless for e-commerce stores where you can’t afford to turn away customers. It’s a pity that there is no fall back for older browsers.
The following cypher works really well and keeps an A+ ranking @ SSL-Labs:
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
See screenshot here: https://owncloud.ph-internet.de/index.php/s/TDCDK7saWfqAWmv
So why not using this cypher to replace the hardcoded one in Plesk which will ban a lot of browsers?
Cheers Peter
Yes, the hard coded ciphers / settings are too restrictive and should be optimized in the next Plesk release. I would also love to see the integration of ALPN.
For now, it’s still easy for you to add custom directives to add the support for older browsers and to get an A or A+ rating.
Go to the “Apache & nginx Settings” page in your Plesk control panel and enter for the nginx directives:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_prefer_server_ciphers on;
Additionally it is important that you create a custom Diffie-Hellman key for Forward Secrecy and use Strict Transport Security (HSTS). But this is a topic for another blog post! 😉
See result here: https://www.ssllabs.com/ssltest/analyze.html?d=joomla-extensions.kubik-rubik.de (I use an own certificate)
Cheers
Viktor
Using below in the ssl.conf file @ /etc/nginx/conf.d made tls 1.0 and 1.1 come back, hope this helps someone trying to use http2.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers kEECDH+ECDSA+AES128:kEECDH+ECDSA+AES256:kEECDH+AES128:kEECDH+AES256:kEDH+AES128:kEDH+AES256:DES-CBC3-SHA+SHA:!aNULL:!eNULL:!LOW:!kECDH:!DSS:!MD5:!EXP:!PSK:!SRP:!CAMELLIA:!SEED;
ssl_prefer_server_ciphers on;
Thanks for your tutorial…
nice …
@Viktor Vogel:
Do you mind posting a link on how to implement Forward Secrecy and HSTS on Plesk?
Thanks!
I am searching for these types of articles for the security of my WordPress websites.
For the record, I used this guide:
https://www.howtoforge.com/ssl-perfect-forward-secrecy-in-nginx-webserver
Entered the details in /etc/nginx/conf.d/ssl.conf
A+ on all sites on my plesk instance now.
Found the problem why the http/2.0 support didn’t work for me:
The #/usr/local/psa/bin/http2_pref enable command is not inserting the http2 directive in the nginx.conf files at /var/www.vhost/system//conf. It shows for example:
server {
listen 148.251.9.86:443 ssl;
instead of
server {
listen 148.251.9.86:443 http2 ssl;
Can you have a look at this?
Cheers Peter
See http://forum.odin.com/threads/http-2-not-working.337065/
Problem seems to be related, that the /usr/local/psa/admin/sbin/httpdmng --reconfigure-all command didn’t include the “http2” directive into the nginx.conf file.
Hello Peter,
seems to work now. Please have a look at the vhost files located in /etc/nginx/plesk.conf.d/vhosts/
After I enabled http2 with the command #/usr/local/psa/bin/http2_pref enable, the server section inside the vhost files was modified as expected.
Do I really need SSL for blogs?
Same Question, do we need SSL for blogs?
Awesome!! Thank you for this nice tutorial. It would be great if you showed us how to do a redirect for Windows Servers. Thank you once again
Thanks for sharing such a great post. I love this article
It would be great if you showed us how to do a redirect for Windows Servers…
+1 to EJ
Hi, This is best post. I have one Question, that is i used SSL but some times it does not work. Do you have a solution???
VERY IMPORTANT!
Be aware that activating HTTP/2 on your Plesk server will have as consequence that all users that are still on Windows 7 and 8, and browse with Internet Explorer 11.0.9600.18349 (and older), will no longer be able to visualize your secured websites!!!
Because this version of MS IE is simply NOT compatible…
This can have VERY serious consequences in traffic and REVENUES for a commercial website for instance, as many people are still using that kind of configurations.
I have just discovered this problem, because most computers in the EEC buildings in Brussels are still on Windows 7 (that is a whole lot of machines!!!).
And many other institutions and even private companies have not migrated yet to more recent configurations.
In light of that, do as you please…
But personally I have deactivated HTTP/2 on all my servers, before losing more traffic (and buyers!).
Hello again,
To the person reading the moderated comments:
I was wrong in the diagnosis of my problem.
It actually appears that HTTP/2 would not function properly on all my servers, probably because of Linux updates on their OS (apt-get/yum upgrade), that would have corrupted the way HTTP protocol works.
The consequence being that all my servers would ONLY respond with HTTP/2, and NEVER with HTTP/1.1.
After disabling and then re-enabling HTTP/2, my servers respond correctly, and display HTTPS pages.
There is yet a lesson in this: there can be problems with HTTP/2 after updates, and everyone should systematically check that HTTPS access is working properly after updating a server…
Francois!! Thank you very much for your comment! That worked for me too!
Luckily I read until this last comment! 😀
Dear Moderator – that should perhaps be noted somewhere in the article!? This issue caused some disappointment and headache in the first place…
Otherwise thanks for the good work!
Greets to you all! 😀
Nice that we found this answer together. Does it work on a Linux server too or do I have to do something different for that? Maybe I should just use Windows or would this be a problem?
I also have the problem that sometimes my SSL doesn’t work and sometimes it does. dachdecken So sometimes the visitor is shown the certificate, sometimes he is not. What can I do about that?
Hi friend, thanks for your great article, I have a question, since my site not enabled SSL before, and has rank better in google, if I enable SSL, will it affect my site rank? Have bookmarked your nice post, waiting for your kind reply, thanks a lot!
Thank you for this nice tutorial. It would be great if you showed us how to do a redirect for Windows Servers
Thanks. I am searching for these types of articles for the security of my WordPress websites.
Many thanks for this Howto. Used it today and saved me much time.
I have several times try to use Let’s Encrypt on my shared host but it’s always fail. Is there any free ssl than let’s encrypt? thanks
HTTP/2 4th generation feature of speed & security, In upcoming days it will take the protocol replacement !
I am also using Let’s Encrypt for my WordPress site and I am very happy
Good tutorial indeed, thanks for the attempt. Besides, can you include something about redirects for Windows Servers
very nice and helpful tutorial keep it up
good job and I like it
If the browser does not support HTTP/2, then the older version of the HTTP protocol will be used (HTTP/1.1). You can also specify the SSL settings manually to make it possible for older browsers to load your website. Please look for tutorials via Google! If you want to know more about HTTP/2, then you should read my blog article: https://plesk.com/blog/http2-does-it-improve-site-performance/
thanks for your great article, I have a question, since my site not enabled SSL before, and has rank better in google, if I enable SSL, will it affect my site rank? Have bookmarked your nice post, waiting for your kind reply, thanks a lot!
From experience I can tell you that you will lose some places in the rankings. Make sure to use the “301 redirects” option within Plesk and after a certain time you will get your rankings back. Since HTTPS became an essential factor for Google (from the security aspect) you will have to switch one day anyway, the sooner the better!
Awesome, you guys are really on the ball with new projects. I’ve been exploring how to get lets encrypt working with HAProxy which I expect will become a more common setup as dockerized environments are adopted.
Good tutorial indeed, Thanks for the sharing with us.
Thanks Viktor Vogel !
HTTP/2 does not seem to function properly on my server, probably because of Linux updates on their OS. Maybe that could have corrupted the way HTTP protocol works.
Amazing article. i looking for some kind of stuff. thanks for posting.. thanks..
This is really an awesome article. The details such as HTTP and HTTPs encryption and how to use it on wordpress are really good. Good informative stuff
That’s right. Even i used this procedure to implement SSL.
Finally , https is working on my site
Thanks for the great article. 🙂
Thank your site! information your share is useful to me!
Thank you so much. I was getting so much issues related to WordPress and SSL. This method solved all my problems. Now I’m using https on all my sites.
https migration gave me hard time, now it is working fine for me! thank you for this article, saved me big time..
Can we make a website like https://apkgrail.com/ using WordPress Platform? Everyone is talking about that we can make APK store using WordPress platform, I am curious to know is it possible?
i use plesk for my sites but i am facing such kind of issue. Thank you for resolving my problem.
Thank you such a nice information and helping me to solve my problem, thanks again.
This is such an amazing piece of content. Basically this encrypting thing for WordPress gives kind of headaches. Thanks, you made the concept understandable
SSL certificates are mandatory you can say because as per Google update he will show insecure in the input fields if you didn’t install SSL certificates on your website. So don’t compromise on this to attain better user trust.
Head scratcher here, probably an easy fix but can’t seem to figure out – just came back from several sick days so bear with me.
issue with a specific website with Google Chrome on a particular computer, everyone else does not have the issue. Works on FF, IE. Already did the usual troubleshooting steps, including removing Chrome (also clearing off the Google folders in Appdata), and re-installed with no avail.
Very useful article! I will use it in my work! Thank you!
working with plesk is really awesome experience . I recommend that you should try this because its more efficient, secure and reliable.
Great this article is very helpful. Thank you for the valuable information.
Okay, I am following it for my blog. Can you help me to set it up for my audience because I am getting an error
This is a really helpful article for me, thanks for sharing this here.
Yes its ok HTTP/2 4th generation feature of speed & security, In upcoming days it will take the protocol replacement!
This is really helpful article specially for wordpress plugins
Hey, awesome article. Thanks for this amazing site.
Nice article, really helpful, thanks for sharing, keep up the good work.
SSL certificates are now one of the SEO factors to boost your traffic and Google already announced. After adding https in my blog Sarkari Naukri Guru, I saw huge changes in my traffic.
Nowadays HTTP/2 is very popular in the market but yes I have to say that the encrypted sign on the website gives the visitor that trust to visit the website again. And HTTP/2 version is available on the w3 total cache plugin if you are using WordPress.
Yes, HTTP/2 is the future because it can easily handle the excess load on the server when you are getting high traffic. And if you are looking for HTTP/2 for free then w3 cache plugin can help you.
SSL is now ranking factor and SSL create trust factor for your user
is it https:// or SSL really necessary factors to boost traffic and Google ranking
Shubhangi, absolutely. You can see more on the how and why in this article here.
how can i remove spam backlink from my site
Not sure we can help with that Debu :/
can you please suggest me best security plugin for wordpress
Hey there! Yup we’ve got you covered in this article
See section “Install a third-party WordPress security plugin“.
For more WordPress Security Tips, you can check this article out.
Being an seo person I would love to recommend you SSL certificate that you must use for your old or newly registered Domains. Because SSL is top ranking factor these days.
Regards
Mariayh Umaymah
We of course agree Mariayh thanks!
HTTP/2 attempts to solve many of the shortcomings and inflexibilities of HTTP/1.1. Its many benefits include: Multiplexing and concurrency: Several requests can be sent in rapid succession on the same TCP connection, and responses can be received out of order – eliminating the need for multiple connections between the client and the server. if you are looking for any sort of wordpress plugin then W3 total cache can help you.
Agreed on above statement
making SSL to website need any up gradation of a server
Hi is it secure let’s encrypt SSL for WordPress I mean there is any problem with the google ranking I am waiting for your response
Thanks issue solved in no time.
Being an seo person I would love to recommend you SSL certificate
It would be great if you showed us how to do a redirect for Windows Servers.
Hey Votix,
You may find the answer here: https://support.plesk.com/hc/en-us/articles/115000327829-How-to-enable-redirection-from-HTTP-to-HTTPS-for-a-domain-in-Plesk
The very next time I read a blog, Hopefully it does not fail me as much as this one. After all, I know it was my choice to read, nonetheless I truly believed you would probably have something useful to talk about. All I hear is a bunch of moaning about something that you can fix if you weren’t too busy looking for attention.