• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Input Bash script to compile Nginx from source with additional modules on Plesk Onyx

This nginx script works so well, but we are still missing the last steps to also use optimal tsl v1.3 to get A+ ssl scores.
 
By the way, this A+ rating can easily be achieved with the help of SSL IT extensions without regard to tsl v1.3
You can achieve A+ without TLSv1.3 so that's helpful and quite correct @IgorG ;) but you can also achieve A+ without using the SSL IT extension too (as we have done for some time). The question about using Plesk and TLSv1.3? We'll deal with that in another thread, because that's a long and difficult subject.... o_O

Edit / Addition - For the setup that we currently use (forum sig) Plesk have now (...finally :D) solved the TLSv1.3 issue. See this post: Resolved - Plesk 17.8.11 / Ubuntu 18.04.3 LTS / OpenSSL / TLSv1.3 :)
 
Last edited:
but you can also achieve A+ without using the SSL IT extension too
Of course, you can, no one argues. But what could be easier to turn on three or four switches in the interface, instead of writing complex entries in the configuration files? :)
 
Of course, you can, no one argues. But what could be easier to turn on three or four switches in the interface, instead of writing complex entries in the configuration files? :)
Yes, can't fault that summary either @IgorG However... If you want to use Let's Encrypt Certificates that cover MultiDomain + Wildcard (including all Sub-Domains) all in the same certificate, then that's still outside of the current Plesk remit.

FWIW With our setup, Apache & Nginx setings made within Plesk plus a combination of Plesk Let's Encrypt Extension and Acme.SH for things like the previous example all works fine :)
 
This nginx script works so well, but we are still missing the last steps to also use optimal tsl v1.3 to get A+ ssl scores.

Hello @Rar9
The only step missing to get A+ SSL score is to enable HSTS on your domain by adding the following line in your domain settings > "Nginx additional configuration" :
NGINX:
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
 
Last edited:
Hello @virtubox,

to add the HSTS header to Nginx additional configuration, would it be not ok to add it just like this?

add_header Strict-Transport-Security max-age=61536000;

Just saw that you add it at the beginning like more_set_headers , is there a difference?

Thx
Sally
 
Hello @virtubox,

to add the HSTS header to Nginx additional configuration, would it be not ok to add it just like this?

add_header Strict-Transport-Security max-age=61536000;

Just saw that you add it at the beginning like more_set_headers , is there a difference?

Thx
Sally

@Sally1

The more_set_headers is not part of the original Nginx source code, it is a directive belonging to the ngx_headers_more module from OpenResty.

A good and detailled explanation with respect to this OpenResty module can be found on Github.

The main difference is that the ngx_headers_more module is a bit more flexible and/or that it contains more options than the modules shipped with Nginx.

Please note that

- OpenResty is essentially a re-invention of and (in most cases, but not all cases) an improvement of Nginx : it is build on Nginx, consisting of additions to Nginx,
- OpenResty contains a whole lot of "loose ends", even though the quality in general is excellent : alignment of Nginx and OpenResty is not always certain,
- Plesk is using default Nginx : adding non-native Nginx code could be and/or become problematic.

I highly recommend to stick to the basic Nginx, as shipped with Plesk - even though shortcomings thereof are present.

Anyway, it is not at all problematic to use the native Ngxinx add_header directives - but beware of specific HSTS (HTTP Strict Transport Security) pitfalls : activation of HSTS and/or changes in Nginx config might lead to unexpected results that cannot be undone easily : please test your (new) Nginx config on a development server first!

Hope the above helps a bit.

Kind regards........
 
Back
Top