KeyCDN offers HSTS, but a secured setup needs some work. Here is a guide to setting up KeyCDN for WordPress with W3 Total Cache on an HSTS website hosted on HP Cloud. KeyCDN is less known, or rather less advertised. We have already talked about the basics of KeyCDN; if you register for the free trial via the link on that page you get $5.00 credit, whereas registering directly gets you $1.00, a referral scheme like Dropbox's. No credit card is required to register for KeyCDN. If you only want the setup, skip the next section, "A Discussion on Page Loading Speed With WordPress, W3 Total Cache on HSTS Website", and go straight to the sub-header after it.
KeyCDN Setup : A Discussion on Page Loading Speed With WordPress, W3 Total Cache on HSTS Website
We expect the reader to be an advanced user, familiar with terms like Uniform Resource Locator, SFTP, rsync, OpenStack Object Storage, Time To First Byte, HSTS configuration and the HTTPS Everywhere Atlas listing.
Using Akamai or NetDNA/MaxCDN Enterprise directly costs too much. Facebook, HP and we all serve objects from the same shared Akamai hostname (a248.e.akamai.net, which also appears in our HTTPS Everywhere ruleset below). Because that hostname sits in every resolver's cache, the DNS lookup is fast; the SSL negotiation on Akamai, however, is slow. In the end there is no significant difference in total loading time between Akamai and KeyCDN for a sanely sized object. The shared hostname is also a shared risk: if someone targets Facebook by poisoning DNS caches for that hostname, every site loading from it, and its users, are affected too. Everybody uses the well-known hostname for better page loading speed, but it carries a remote chance of a security breach.
---
In short: use your own SSL certificate with KeyCDN, on a hostname under your own domain rather than the shared kxcdn.com one.
We think that using the www subdomain for the CDN content is a good money-saving idea, because the certificate you already hold for the site normally covers www. It is only possible if the site itself is served from the naked domain: then 301 redirect only the published page URLs from www to the naked domain, not the static files. Modern web crawlers do not mind a www to non-www 301 redirect; only the home page redirect is really important, because there are people who think a website does not work without www (read the linked article and you will perhaps not blame the laymen for the www idea). If you use Public Key Pinning with includeSubDomains, the pin set must include the key of the second SSL certificate, the one uploaded to KeyCDN, and not only the origin server's key; otherwise browsers that have stored the pins will refuse the CDN hostname. Using the www subdomain with W3TC is tricky. If you are confused, buy a $10 certificate for a dedicated subdomain like dr.abhishekghosh.net.
KeyCDN Setup : KeyCDN Dashboard Part
Any advanced user can enable HSTS, add the custom SSL certificate, set a higher expiry for the content and add a 301 redirect from HTTP to HTTPS for the zone. These are easy tasks from the web GUI.
KeyCDN Setup : We Will Configure as Origin Push
A Push CDN (Origin Push) works much like cloud storage such as Dropbox: we upload the content to the CDN ourselves (automatically from the server or manually) and point the URLs of the static content at it.
KeyCDN supports both Push and Origin Pull. As a push CDN it accepts FTP and rsync. Normal WordPress websites, especially those without user uploads, work better with Push; forum software works better with Origin Pull. We describe the Push setup here; an Origin Pull setup involves practically no work.
KeyCDN Setup : WordPress and W3 Total Cache
It is actually easy. First go to the "General" page of W3TC from the WordPress admin panel; the URL looks like this:
https://thecustomizewindows.com/wp-admin/admin.php?page=w3tc_general
Select the "Self-Hosted/File Transfer Protocol Upload" option and save after enabling CDN. Until you flush the cache, the Nginx microcache keeps serving the old pages, so merely enabling the CDN does no harm.
Then go to the CDN configuration page of W3 Total Cache from the WordPress admin panel; the URL looks like this:
https://thecustomizewindows.com/wp-admin/admin.php?page=w3tc_cdn
Configure it as shown in the screenshot, with your real credentials, path etc.
Now run a test and upload the content as you need it: tick the "Host wp-includes/ files", "Host theme files" and similar options on that page and click the upload button beside each. The W3 Total Cache plugin filters out the static files and uploads them. Run curl on any static file to check the headers:
curl -I https://tcw-1d50.kxcdn.com/js/sp-scripts.js
HTTP/1.1 200 OK
Server: keycdn-engine
Date: Sat, 19 Sep 2015 17:36:11 GMT
Content-Type: application/javascript
Content-Length: 669
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 31 Aug 2015 16:50:02 GMT
ETag: "55e485ba-29d"
Expires: Mon, 19 Oct 2015 17:36:11 GMT
Cache-Control: max-age=2592000
X-Edge-Location: sgsg
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
The response is 200 OK, so it is fine. Flush the cache, run a test on WebPageTest on any URL of your website and check for possible 404s.
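Checking one object by eye is fine for a first look, but the headers worth verifying on every zone are the status, the expiry and the HSTS header. The following POSIX shell check is an added example, not code from the original article or from KeyCDN. It embeds the response captured above as a constructed sample (plus a second, constructed response with HSTS enabled but a short expiry) so that it runs offline; against a live zone, pipe the output of curl -sI into check_cdn_headers. The one-day floor for max-age (MIN_MAX_AGE) is an assumption. Note that the captured response carries no Strict-Transport-Security header, which is something to re-check after enabling HSTS in the dashboard; the check also points out an Access-Control-Allow-Origin of *, the setting the Nginx CORS discussion at the end of this article arrives at.

```shell
#!/bin/sh
# Added example (not code from the original article or from KeyCDN): sanity
# checks on the response headers of an object served from a KeyCDN zone.
# Offline, it runs on the constructed samples below; for a live zone use:
#   curl -sI https://tcw-1d50.kxcdn.com/js/sp-scripts.js | check_cdn_headers

# Assumed floor for Cache-Control max-age on static assets: one day.
MIN_MAX_AGE=${MIN_MAX_AGE:-86400}

# The response captured in the article (curl -I on the zone), embedded as sample input.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: keycdn-engine
Date: Sat, 19 Sep 2015 17:36:11 GMT
Content-Type: application/javascript
Content-Length: 669
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 31 Aug 2015 16:50:02 GMT
ETag: "55e485ba-29d"
Expires: Mon, 19 Oct 2015 17:36:11 GMT
Cache-Control: max-age=2592000
X-Edge-Location: sgsg
Access-Control-Allow-Origin: *
Accept-Ranges: bytes'

# A constructed response: HSTS is on, but the expiry is far too short.
WEAK_HEADERS='HTTP/1.1 200 OK
Server: keycdn-engine
Cache-Control: public, max-age=60
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Origin: https://thecustomizewindows.com'

# status_code: numeric status of the response read from stdin
status_code() {
    tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# header_value NAME: value of header NAME (case-insensitive) from the response on stdin
header_value() {
    hv_want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v want="$hv_want" -F': ' '
        tolower($1) == want { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# max_age: max-age directive of Cache-Control from the response on stdin, 0 if absent
max_age() {
    header_value Cache-Control | tr ',' '\n' | tr -d ' ' \
        | awk -F= 'tolower($1) == "max-age" { print $2; found = 1; exit }
                   END { if (!found) print 0 }'
}

# check_cdn_headers: read a response from stdin, report findings,
# return the number of problems (0 means the object looks right)
check_cdn_headers() {
    chk_headers=$(cat)
    chk_problems=0

    chk_status=$(printf '%s\n' "$chk_headers" | status_code)
    if [ "$chk_status" != 200 ]; then
        echo "FAIL: status $chk_status (object missing from the push zone?)"
        chk_problems=$((chk_problems + 1))
    fi

    chk_age=$(printf '%s\n' "$chk_headers" | max_age)
    if [ "$chk_age" -lt "$MIN_MAX_AGE" ]; then
        echo "WARN: Cache-Control max-age=$chk_age is below $MIN_MAX_AGE"
        chk_problems=$((chk_problems + 1))
    fi

    if [ -z "$(printf '%s\n' "$chk_headers" | header_value Strict-Transport-Security)" ]; then
        echo "WARN: no Strict-Transport-Security header from the CDN hostname"
        chk_problems=$((chk_problems + 1))
    fi

    if [ "$(printf '%s\n' "$chk_headers" | header_value Access-Control-Allow-Origin)" = '*' ]; then
        echo "NOTE: Access-Control-Allow-Origin is * (any origin may read this object)"
    fi

    return "$chk_problems"
}

printf '%s\n' "$SAMPLE_HEADERS" | check_cdn_headers || echo "problems found in the captured response"
```

Run it over a handful of uploaded files (a script, a stylesheet, a web font) rather than one, because fonts are the objects that actually need the CORS header while scripts do not.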
KeyCDN Setup : HSTS Part
The most painful part is editing the XML ruleset on the HTTPS Everywhere Atlas. If you previously 301-redirected www to the naked domain, that redirect has to be lifted before www can serve CDN content. If you add a new custom subdomain, ideally add rules for it. This is our current ruleset (see it on the official website):
<ruleset name="The Customize Windows.com">
  <!--Direct rewrites: -->
  <target host="thecustomizewindows.com"/>
  <target host="www.thecustomizewindows.com"/>

  <!--Complications: -->
  <target host="thecustomizewindows.net"/>
  <target host="www.thecustomizewindows.net"/>

  <!-- needed for debugging and dev works related to HSTS -->
  <!--exclusion pattern="^http://cloud\.thecustomizewindows\.com/"/-->
  <!--test url="http://cloud.thecustomizewindows.com/" /-->

  <!-- Akamai CDN -->
  <securecookie host="^a248\.e\.akamai\.net$" name=".+"/>

  <!-- allow trusted services -->
  <securecookie host="^cdn\.goroost\.com$" name=".+"/>
  <securecookie host="^www\.googletagservices\.com$" name=".+"/>
  <securecookie host="^tpc\.googlesyndication\.com$" name=".+"/>
  <securecookie host="^googleads\.g\.doubleclick\.net$" name=".+"/>

  <!-- forcing higher security for currently unused dot net domain -->
  <rule from="^http://(?:www\.)?thecustomizewindows\.net/" to="https://thecustomizewindows.com/"/>

  <rule from="^http:" to="https:"/>
</ruleset>
As you can see, if we want to use the www subdomain for hosting the static content we have quite some work to do; otherwise requests for www URLs hit the existing www to naked-domain 301 redirect and the static files end up being loaded from the origin server after all. KeyCDN has a great guide on zone security:
https://www.keycdn.com/support/section/zone-security/
If we add a new subdomain like s.thecustomizewindows.com, we need to create a separate ruleset for that subdomain. Yes, it is optional, but it is the right thing to do: http://www.s.thecustomizewindows.com should be forced to redirect to the naked subdomain s.thecustomizewindows.com.
Things are not exactly easy. Next, you need to work on the Nginx CORS header (Access-Control-Allow-Origin) for objects loaded from the CDN hostname. What to allow depends on the site; we have to allow all origins because of Google Ads.
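What such a separate ruleset for the CDN subdomain looks like, and what HTTPS Everywhere does with it, is easier to see than to describe. The block below is an added example, not part of the original article or of the site's published ruleset: it writes a ruleset for s.thecustomizewindows.com (the file name and location are assumptions) and simulates in plain shell how the extension applies it, including the two details that matter in practice, namely that rules are tried in order with the first match winning, so the www.s rule has to come before the generic http to https rule, and that hosts not listed as a target are left alone.

```shell
#!/bin/sh
# Added example (not from the original article): a dedicated HTTPS Everywhere
# ruleset for the proposed CDN subdomain s.thecustomizewindows.com, and a
# shell simulation of how the extension applies it. The ruleset file name and
# location are assumptions.

RULESET_FILE=${RULESET_FILE:-${TMPDIR:-/tmp}/Thecustomizewindows.com-cdn.xml}

# Hosts the ruleset applies to (mirrors the <target> elements below).
TARGETS="s.thecustomizewindows.com www.s.thecustomizewindows.com"

write_cdn_ruleset() {
    cat > "$RULESET_FILE" <<'EOF'
<ruleset name="The Customize Windows.com (CDN)">
  <target host="s.thecustomizewindows.com"/>
  <target host="www.s.thecustomizewindows.com"/>

  <!-- www.s.* is never published: collapse it onto the naked CDN hostname.
       Rules are tried in order and the first match wins, so this one has to
       come before the generic http to https rule. -->
  <rule from="^http://www\.s\.thecustomizewindows\.com/"
        to="https://s.thecustomizewindows.com/"/>

  <rule from="^http:" to="https:"/>
</ruleset>
EOF
}

# url_host URL: print the host part of an absolute URL (scheme, path and port stripped)
url_host() {
    uh=${1#*://}
    uh=${uh%%/*}
    printf '%s\n' "${uh%%:*}"
}

# is_target HOST: succeed if HOST is one of the ruleset's <target> hosts
is_target() {
    for t in $TARGETS; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# rewrite_url URL: apply the ruleset the way the extension would
rewrite_url() {
    rw_url=$1
    if ! is_target "$(url_host "$rw_url")"; then
        printf '%s\n' "$rw_url"   # not a target host: left untouched
        return 0
    fi
    case $rw_url in
        http://www.s.thecustomizewindows.com/*)
            printf '%s\n' "https://s.thecustomizewindows.com/${rw_url#http://www.s.thecustomizewindows.com/}" ;;
        http:*)
            printf '%s\n' "https:${rw_url#http:}" ;;
        *)
            printf '%s\n' "$rw_url" ;;   # already https: nothing to do
    esac
}

write_cdn_ruleset
echo "ruleset written to $RULESET_FILE"
for u in http://www.s.thecustomizewindows.com/js/sp-scripts.js \
         http://s.thecustomizewindows.com/js/sp-scripts.js \
         http://www.thecustomizewindows.com/js/sp-scripts.js; do
    printf '%s -> %s\n' "$u" "$(rewrite_url "$u")"
done
```

The third URL in the demonstration belongs to the site's main hostname, which is handled by the existing ruleset shown above and not by this one, so the simulation leaves it untouched; that is the scoping that lets the two rulesets coexist.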