
[Resolved] How can I adjust HSTS in Plesk?

Dukemaster

Regular Pleskian
Hello Plesk-friends,

Referring to this article by @UFHH01 in How can I adjust HSTS in Plesk?.

I use nginx with Apache. The first part of UFHH01's help worked great. I also enabled HTTP/2.0 via HTTP/2 Support in Plesk.

Everything works great. In SSL Labs I get A, the first two entries have 100% the last two 90%.
So I wanted to enable HSTS.
But for Apache the help didn't work.
I think I can't create ssl.config for /etc/apache/config.d because of changes related to the Onyx upgrade.

Do you know what my mistake is?
 
Hi Dukemaster,

if you use the combination "Apache+NGINX", you can't set global HSTS options twice without issues, as described for example at: => #2 (hint: see "Last step to achieve your requested goal:"). As you can read, I described the solution for Apache and left out the possibility of using an NGINX configuration.

If you would like to define HSTS globally for NGINX, you could use for example:
  1. Create a custom nginx configuration file, for example:
    Code:
    touch /etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf
  2. Add for example at "/etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf":
    Code:
        ssl_session_timeout         10m;
        ssl_session_cache shared:SSL:50m;
    
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';
  3. Finally, test your new NGINX configuration and, when you don't experience issues/errors/problems, restart NGINX:
    Code:
    nginx -t
    
    service nginx restart
    
    or
    
    systemctl restart nginx.service
 
Thanks a lot, @UFHH01, you are an amazing expert. Many thanks to you and to all the Plesk developers from Berlin and Rüsselsheim!

P.S.: There are still 10% missing in the 3rd line, Key Exchange, and in the 4th line, Cipher Strength, but A+ is more than enough to be happy!

GREAT SUPPORT
 

Hi

I followed the configuration above on Plesk 17 / apache + nginx / centos 7.2

This does not work: Strict Transport Security (HSTS) No :(
 
Hi FAPM,

This does not work:
well, sorry to answer like that, but "This does not work" is nothing which can be investigated. :rolleyes: Pls. consider including facts (log file entries, configuration files, ...), because no one is able to guess WHY something "doesn't work" if you don't provide information about it. :(
In addition, it is as well a good idea to inform us about the FQDN in question, because we are then able to test and see some results. ;)
 
Code:
2016-11-25 17:46:09    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     Accès SSL/TLS Nginx
2016-11-25 17:46:10    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     Accès SSL/TLS Nginx
2016-11-25 17:47:37    Error    64.41.200.101        [crit] 18758#0: *594 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Erreur Nginx
2016-11-25 17:47:38    Error    64.41.200.101        [crit] 18758#0: *595 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Erreur Nginx
2016-11-25 17:48:12    Access    64.41.200.101    200    GET / HTTP/1.0        Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0    508     Accès SSL/TLS Apache
2016-11-25 17:48:12    Access    64.41.200.101    200    GET / HTTP/1.0        Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0    5.42 K    Accès SSL/TLS Nginx
2016-11-25 17:48:24    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     Accès SSL/TLS Nginx
2016-11-25 17:48:24    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     Accès SSL/TLS Nginx
2016-11-25 17:49:52    Error    64.41.200.101        [crit] 18758#0: *901 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Erreur Nginx
2016-11-25 17:49:52    Error    64.41.200.101        [crit] 18758#0: *902 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Erreur Nginx
 
Hi FAPM,

(pls. note that you can EDIT your posts as well... there is mostly no need to add another post right after your previous one! ;))

Pls. post the result of the following commands:
Code:
ls -lah /etc/nginx
ls -lah /etc/nginx/conf.d

In addition, pls. post the content of the files:

/etc/nginx/nginx.conf
/etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf
( or whatever you named the file ! )
/var/www/vhosts/system/lesmeilleurestechnologies.com/conf/nginx.conf
OR

/var/www/vhosts/system/lesmeilleurestechnologies.com/conf/nginx_ip_default.conf

Pls. confirm as well that you RESTARTED nginx after you made the suggested changes and/or added an additional configuration file for nginx at "/etc/nginx/conf.d/".
 
Hi :)

Code:
ls -lah /etc/nginx
total 88K
drwxr-xr-x  5 root root 4,0K 24 nov.  13:19 .
drwxr-xr-x 94 root root  12K 25 nov.  18:15 ..
drwxr-xr-x  2 root root 4,0K 25 nov.  18:17 conf.d
-rw-r--r--  1 root root 1,2K  5 oct.  13:27 fastcgi.conf
-rw-r--r--  1 root root 1,2K  5 oct.  13:27 fastcgi.conf.default
-rw-r--r--  1 root root 1,1K  5 oct.  13:27 fastcgi_params
-rw-r--r--  1 root root 1,1K  5 oct.  13:27 fastcgi_params.default
-rw-r--r--  1 root root 2,8K  5 oct.  13:27 koi-utf
-rw-r--r--  1 root root 2,2K  5 oct.  13:27 koi-win
-rw-r--r--  1 root root 3,9K  5 oct.  13:27 mime.types
-rw-r--r--  1 root root 3,9K  5 oct.  13:27 mime.types.default
drwxr-xr-x  2 root root 4,0K  5 oct.  13:27 modules.conf.d
-rw-r--r--  1 root root  980  5 oct.  13:27 nginx.conf
-rw-r--r--  1 root root  980  5 oct.  13:27 nginx.conf.default
drwxr-xr-x  7 root root 4,0K 25 nov.  16:59 plesk.conf.d
-rw-r--r--  1 root root  636  5 oct.  13:27 scgi_params
-rw-r--r--  1 root root  636  5 oct.  13:27 scgi_params.default
-rw-r--r--  1 root root  664  5 oct.  13:27 uwsgi_params
-rw-r--r--  1 root root  664  5 oct.  13:27 uwsgi_params.default
-rw-r--r--  1 root root 3,6K  5 oct.  13:27 win-utf

Code:
ls -lah /etc/nginx/conf.d
total 20K
drwxr-xr-x 2 root root  4,0K 25 nov.  18:17 .
drwxr-xr-x 5 root root  4,0K 24 nov.  13:19 ..
-rw-r--r-- 1 root root   270 25 nov.  17:32 001_own_additional_ssl_hsts_.conf
-rw-r--r-- 1 root root   507 25 nov.  16:59 ssl.conf
-rw------- 1 root nginx  391 25 nov.  18:17 zz010_psa_nginx.conf
 
001_own_additional_ssl_hsts_.conf

Code:
ssl_session_timeout         10m;
ssl_session_cache shared:SSL:50m;

add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';
 
nginx.conf

Code:
#user  nginx;
worker_processes  1;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;

include /etc/nginx/modules.conf.d/*.conf;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    #tcp_nodelay        on;

    #gzip  on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server_tokens off;

    include /etc/nginx/conf.d/*.conf;
}

# override global parameters e.g. worker_rlimit_nofile
include /etc/nginx/*global_params;
 
Yes, I RESTARTED nginx.

And :

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
 
Hi FAPM,

pls. see:

As you might notice, www has HSTS NOT enabled, while non-www has HSTS enabled.

Your issue depends on your current domain configuration at "Home > Subscriptions > lesmeilleurestechnologies.com > Hosting Settings".

Pls. check for example with the help of "curl" your current headers for the URLs:

You will notice that ONLY "https://www.lesmeilleurestechnologies.com" has HSTS NOT enabled. ;)
 
Code:
curl -v https://lesmeilleurestechnologies.com

* About to connect() to lesmeilleurestechnologies.com port 443 (#0)
*   Trying 164.132.149.191...
* Connected to lesmeilleurestechnologies.com (164.132.149.191) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.lesmeilleurestechnologies.com,OU=PositiveSSL,OU=Domain Control Validated
*       start date: nov. 25 00:00:00 2016 GMT
*       expire date: nov. 25 23:59:59 2017 GMT
*       common name: www.lesmeilleurestechnologies.com
*       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: lesmeilleurestechnologies.com
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Fri, 25 Nov 2016 19:52:40 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://www.lesmeilleurestechnologies.com/
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=15768000;includeSubDomains
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host lesmeilleurestechnologies.com left intact
 
Code:
curl -v https://www.lesmeilleurestechnologies.com

* About to connect() to www.lesmeilleurestechnologies.com port 443 (#0)
*   Trying 164.132.149.191...
* Connected to www.lesmeilleurestechnologies.com (164.132.149.191) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.lesmeilleurestechnologies.com,OU=PositiveSSL,OU=Domain Control Validated
*       start date: nov. 25 00:00:00 2016 GMT
*       expire date: nov. 25 23:59:59 2017 GMT
*       common name: www.lesmeilleurestechnologies.com
*       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.lesmeilleurestechnologies.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 25 Nov 2016 19:54:16 GMT
< Content-Type: text/html
< Content-Length: 5548
< Last-Modified: Fri, 25 Nov 2016 15:28:04 GMT
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: "58385884-15ac"
< X-Powered-By: PleskLin
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html lang="en" dir="ltr" class="sid-plesk">
<head>
    <title>Domain Default page</title>
    <meta name='copyright' content='Copyright 1999-2015. Parallels IP Holdings GmbH. All Rights Reserved.'>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0">
    <meta http-equiv="Cache-Control" content="no-cache">
    <link rel="shortcut icon" href="favicon.ico">
    <link rel="stylesheet" href="css/style.css">
</head>
<body>

<div class="page-container">
    <!-- start: PAGE HEADER-->
    <div class="page-header-wrapper">
        <div class="page-header">
            <a class="product-logo" href="http://www.plesk.com/" target="_blank"><img src="img/logo.png" alt="Plesk"></a>
        </div>
    </div>
    <!-- end: PAGE HEADER-->

    <!-- start: PAGE CONTENT-->
    <div class="page-content-wrapper">
        <div class="page-content">

            <div class="page-info-wrapper">
                <div class="page-info">
                    <div class="page-info-heading">If you are seeing this message, the website for <script>document.write('<a href="http://' + (location.hostname.indexOf(':')>=0?'['+location.hostname+']':location.hostname) + '">' + location.hostname + '</a>');</script> is not available at this time.</div>
                    <p>If you are the owner of this website, one of the following things may be occurring:</p>
                    <ul>
                        <li>You have not put any content on your website.</li>
                        <li>Your provider has suspended this page.</li>
                    </ul>
                    <p><b>Please login to <script>document.write('<a href="https://' + (location.hostname.indexOf(':')>=0?'['+location.hostname+']':location.hostname) + ':8443">https://' + (location.hostname.indexOf(':')>=0?'['+location.hostname+']':location.hostname) +':8443</a>');</script> to receive instructions on setting  up your website.</b></p>
                </div>
            </div>

            <div class="product-info-wrapper">
                <div class="col">
                    <div class="product-info">
                        <div class="product-info-heading">What is Plesk</div>
                        <div class="product-info-content">
                            <p><strong><a href="http://www.plesk.com" target="_blank">Plesk</a></strong> is a hosting control panel with simple and secure web server and website management tools. It was specially designed to help IT specialists manage web, DNS, mail and other services through a comprehensive and user-friendly GUI. <a class="more" href="http://www.plesk.com" target="_blank">Learn more about Plesk</a>.</p>
                            <ul class="links">
                                <li><a class="blog" href="http://devblog.plesk.com/" target="_blank"><span>Developer Blog</span></a></li>
                                <li><a class="forum" href="http://talk.plesk.com/" target="_blank"><span>Forum</span></a></li>
                                <li><a class="knowledge-base" href="http://kb.plesk.com/" target="_blank"><span>Knowledge Base</span></a></li>
                                <li><a class="facebook" href="https://www.facebook.com/Plesk" target="_blank"><span>Facebook</span></a></li>
                                <li><a class="twitter" href="https://twitter.com/PleskOfficial" target="_blank"><span>Twitter</span></a></li>
                                <li><a class="google-plus" href="https://plus.google.com/communities/109881979300958500728" target="_blank"><span>Google+</span></a></li>
                            </ul>
                        </div>
                    </div>
                </div>
                <div class="col">
                    <div class="product-info">
                        <div class="product-info-heading">Test pages</div>
                        <div class="product-info-content">
                            <p>Plesk provides several test pages that you can use for checking the scripting features, testing database connections and mail sending.</p>
                            <p>Click an icon to see test pages for different scripts:</p>
                            <ul class="links">
                                <li><a class="fastcgi" href="test/fcgi/test.html"><span>FastCGI</span></a></li>
                                <li><a class="python" href="test/python/test.html"><span>Python</span></a></li>
                                <li><a class="php" href="test/php/test.html"><span>PHP</span></a></li>
                                <li><a class="perl" href="test/perl/test.html"><span>Perl</span></a></li>
                                <li><a class="ssi" href="test/ssi/test.html"><span>SSI</span></a></li>
                            </ul>
                        </div>
                    </div>
                </div>
            </div> <!-- /.product-info-wrapper -->

        </div>
    </div>
    <!-- end: PAGE CONTENT-->

    <!-- start: PAGE FOOTER-->
    <div class="page-footer-wrapper">
        <div class="page-footer">
            This page was generated by <a href="http://www.plesk.com" target="_blank">Plesk</a>
            <span class="separator"></span>
            <a href="http://www.plesk.com" target="_blank" class="copyright">© 2015 Parallels IP Holdings GmbH. All rights reserved.</a>
        </div>
    </div>
    <!-- end: PAGE FOOTER-->
</div>

</body>
</html>
* Connection #0 to host www.lesmeilleurestechnologies.com left intact
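As an added example (not code from the thread or from Plesk): the curl comparison above, HSTS present on the 301 from the apex host but absent on the 200 from www, and the global nginx add_header configuration earlier in the thread can both be checked with a small Python script that parses each host's response head and reports whether that host itself sends a valid Strict-Transport-Security policy. The sample response heads are constructed from the quoted curl output with placeholder hostnames (example.test).

```python
import re
from typing import Dict, Optional, Tuple

# Constructed response heads modelled on the curl output quoted in the thread:
# the apex host answers 301 with HSTS, the www host answers 200 without it.
# example.test is a placeholder, not the poster's domain.
APEX_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://www.example.test/\r\n"
    "Strict-Transport-Security: max-age=15768000;includeSubDomains\r\n"
    "\r\n"
)
WWW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: PleskLin\r\n"
    "\r\n"
)

def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """(status, lower-cased header map) from a raw head, e.g. `curl -sI` output."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_hsts(value: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse RFC 6797 directives; None if header absent or max-age missing."""
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, val = directive.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "max-age" and re.fullmatch(r"\d+", val):
            policy["max_age"] = int(val)
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def hsts_effective(raw: str, min_age: int = 15768000) -> bool:
    """True when this host's own response carries HSTS with max-age >= min_age
    (default: the 6-month value used in the thread's add_header line)."""
    _, headers = parse_head(raw)
    policy = parse_hsts(headers.get("strict-transport-security"))
    return policy is not None and policy["max_age"] >= min_age

def audit(responses: Dict[str, str]) -> Dict[str, bool]:
    """Per-host verdict: browsers store HSTS only for the host that sent it,
    so a 301 from the apex carrying the header does not protect www."""
    return {host: hsts_effective(raw) for host, raw in responses.items()}
```

Feed it the head from `curl -sI https://host/` for each hostname a certificate covers. Keep in mind that nginx inherits add_header from the http block only into server/location blocks that declare no add_header of their own, which is the usual reason a global HSTS header shows up on one vhost and not on another.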
 
When I disable my domain name settings:

Preferred Domain: None
Redirect 301: None

I get :

curl -v https://lesmeilleurestechnologies.com

Code:
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 25 Nov 2016 20:04:36 GMT
< Content-Type: text/html
< Content-Length: 5548
< Last-Modified: Fri, 25 Nov 2016 15:28:04 GMT
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: "58385884-15ac"
< X-Powered-By: PleskLin
< Accept-Ranges: bytes


curl -v https://www.lesmeilleurestechnologies.com

Code:
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 25 Nov 2016 20:04:02 GMT
< Content-Type: text/html
< Content-Length: 5548
< Last-Modified: Fri, 25 Nov 2016 15:28:04 GMT
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: "58385884-15ac"
< X-Powered-By: PleskLin
< Accept-Ranges: bytes
 