• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Batch "Additional directives for http & https"

Sebastian

New Pleskian
We have dozens of subdomains for what we like to add/change additional directives for http and https.
For just a few it's ok to do it in the UI. But is there a way for mass changes, e.g. via ssh or the psa database?

Also or as an alternative it would be great if we could group domains where only the document root path differs, while all other settings are identically. Than we could add new subdomains to this group and all was set, as well as change settings for all at a single place.
 
Hi Sebastian,

The additional directives are configuration files on your service (under the specified sub-domain--depending on your configuration) i.e.:

Additional directives for HTTP
/var/www/vhosts/system/subdomain.example.com/conf/vhost.conf

Additional directives for HTTPS
/var/www/vhosts/system/subdomain.example.com/conf/vhost_ssl.conf

Additional nginx directives
/var/www/vhosts/system/subdomain.example.com/conf/vhost_nginx.conf

It is possible to symilnk configuration files to these file locations and only change the linked file.

*For example:

Create a directory for your files, i.e.:

[root@yourhost:/var/www/vhosts/system]# mkdir conf

Change the group ownership on "conf" to "psaserv" i.e.:

[root@yourhost:/var/www/vhosts/system]# chgrp psaserv ./conf/

Create your additional directive configuration files (based on your need):
/var/www/vhosts/system/conf/vhost.conf
/var/www/vhosts/system/conf/vhost_ssl.conf
/var/www/vhosts/system/conf/vhost_nginx.conf

The files should have the following ownership and permissions (600):

-rw------- root apache vhost.conf
-rw------- root apache vhost_ssl.conf
-rw------- root nginx vhost_nginx.conf

Now link your files (you can do this for each sub-domain):

[root@yourhost:/var/www/vhosts/system/subdomain.example.com/conf]# ln -s ../../conf/vhost.conf vhost.conf
[root@yourhost:/var/www/vhosts/system/subdomain.example.com/conf]# ln -s ../../conf/vhost_ssl.conf vhost_ssl.conf
[root@yourhost:/var/www/vhosts/system/subdomain.example.com/conf]# ln -s ../../conf/vhost_nginx.conf vhost_nginx.conf

Note: If you update the additional directives at any time using Plesk, the symlink will be overwritten.

You will need to reconfigure your websites after you update the file(s), please see:

How to reconfigure websites on Plesk server

Regards,

Alvin

*PLEASE NOTE: Any technical advice or directions given is provided AS IS without any guarantee of its accuracy. If you perform any suggestions or modifications provided as an example by me to your configuration you do so AT YOUR OWN RISK.
 
Note: If you update the additional directives at any time using Plesk, the symlink will be overwritten.
Hi Alvin,

I think I can do better...
This would not happen if you create a file there containing an include to that said file.

Each new domain would get this:

cat /var/www/vhosts/system/domain.com/conf/vhost_nginx.conf

Code:
include /var/www/vhosts/system/conf/vhost_nginx.conf;

You can later edit it and add HSTS like this
cat /var/www/vhosts/system/domain_hsts.com/conf/vhost_nginx.conf
Code:
include /var/www/vhosts/system/conf/vhost_nginx.conf;
add_header Strict-Transport-Security $hsts_header always;

Or if you prefer one with subdomains
cat /var/www/vhosts/system/domain_hsts_all.com/conf/vhost_nginx.conf
Code:
include /var/www/vhosts/system/conf/vhost_nginx.conf;
add_header Strict-Transport-Security $hsts_isd_header always;


cat /var/www/vhosts/system/conf/vhost_nginx.conf
Code:
add_header Referrer-Policy strict-origin-when-cross-origin;

add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;
You would have the benefit of a standard file for each (group of) domain(s) and still be able to add something extra in the Plesk interface. Nothing would get overwritten upon changes.

You can keep different configs in /var/www/vhosts/system/conf/ , but I think I would prefer to keep specific stuff in the domain file itself

A cronjob could check all the /var/www/vhosts/system/*/conf/ folder for the existence of a vhost_nginx.conf file. If no file exists there you could automatically create one with an include to a config which you would want for any domain.
The cronjob can then execute a plesk repair web <domain> -y -v
As this would only happen on domains that are newly created that would be a very safe thing to do in an hourly cronjob.

Later you could manually change the include to a more appropriate config file in that folder.
The vhost_nginx.conf is then there to stay....

All subsequent changes should from then on be done using the Plesk interface.

I know this can be done for nginx files.
I assume it's the same for the others....

I already have a script for doing some custom creation of the vhost_nginx.conf file.
Maybe I will create a script doing what I just described....
Upon request I will even post that here...

The fixed server wide setting could be done here.
This is mine
The "map-thing" is there to fulfil the RFC-requirement to prevent the header being sent on http-connections (as we don't have separate files for http and https)

cat /etc/nginx/conf.d/aa400_own_tweaks.conf
Code:
map $scheme $hsts_header {
    https   'max-age=15768000';
}

map $scheme $hsts_isd_header {
    https   'max-age=15768000; includeSubDomains; preload';
}

proxy_connect_timeout       600;
proxy_send_timeout          600;
proxy_read_timeout          600;
send_timeout                600;

ssl_session_timeout     10m;
ssl_session_cache       shared:SSL:50m;
ssl_dhparam             /etc/dhparam/dhparam4096.pem;
ssl_ecdh_curve          secp521r1:secp384r1:prime256v1;
 
Last edited:
Here's a script that will add a vhost_nginx.conf to every newly created domain if you put a symlink in /etc/cron.hourly/

By default there's no vhost_nginx.conf
It gets created upon first edit from Plesk. By creating one outside of Plesk the "plesk repair" command is used to start using it (It will detect the vhost_nginx.conf and include it in the domain's nginx.conf

It tests the nginx for syntax errors after creating the file.
This should make all this a quite safe thing to do.
It of course depends a lot on what you put in /var/www/vhosts/system/conf/vhost_nginx.conf

It is logging everything to /var/log/vhost_nginx.log

The script will test the configuration after adding the file. If it somehow fails, it will automatically revert that (by deleting the created file) and test again.
The subsequent test is only added as "good practice", but should pass always. If not, the script will stop. I can't think of any scenario where that would happen. Added it anyhow.


cat /usr/local/sbin/vhost_nginx
ln -s /usr/local/sbin/vhost_nginx /etc/cron.hourly/

Code:
#!/bin/bash

INCLUDE=/var/www/vhosts/system/conf/vhost_nginx.conf
HEADLESS=
tty >/dev/null || HEADLESS=true

THISSCRIPT="`readlink -f $0`"
SCRIPTNAME=${THISSCRIPT##*/}
[ -z "${SCRIPTNAME}" ] && SCRIPTNAME=${0##*/}

LOG=/var/log/${SCRIPTNAME}.log
PLESKBIN=/usr/local/psa/bin/domain

if [ ! -f ${INCLUDE} ] ; then
  echo "There is no file ${INCLUDE}" >&2
  exit 1
fi

if ! nginx -t 2>/dev/null ; then
  echo "The Nginx configuration is not valid, abort" >&2
  exit 1
fi

TMPDIR=`mktemp -t -d ${0//*\/}.XXXXXXXXXX`

CREATED=
TMPLOG=${TMPDIR}/log

echo "`date`  **** Found new domain(s) to add a new vhost_nginx.conf" >${TMPLOG}
find /var/www/vhosts/system/ -mindepth 2 -maxdepth 2 -type d -name conf >${TMPDIR}/confs
while read CONF ; do
  NGINXCONF=${CONF}/vhost_nginx.conf

  if [ ! -e ${NGINXCONF} ] ; then
    CREATED=true
    DOMAIN="`echo ${CONF} | sed 's/.*system\///g;s/\/.*//g'`"    # extract DOMAIN out of folder name

    echo "Create ${NGINXCONF}" | tee -a ${TMPLOG}
    echo -e "include ${INCLUDE};\n" >${NGINXCONF}  # create a vhost_nginx.conf in the conf of the domain system space

    chmod 600 ${NGINXCONF}
    chown root:nginx ${NGINXCONF}
    plesk repair web ${DOMAIN} -y -v  # the custom vhost_nginx.conf will not be referenced without this

    if ! nginx -t 2>/dev/null ; then  # check if the nginx config is still valid
      echo "Somehow the Nginx config became invalid after adding this include to ${INCLUDE}" | tee -a ${TMPLOG} >&2
      echo "I will remove the file I just created (${NGINXCONF})" | tee -a ${TMPLOG} >&2
      rm ${NGINXCONF}                   # remove the vhost_nginx.conf of this domain
      plesk repair web ${DOMAIN} -y -v  # let plesk repair fix this (tested this)

      if ! nginx -t 2>/dev/null ; then  # check the nginx config AGAIN to make sure it got fixed
        nginx -t 2>&1 | tee -a ${TMPLOG} >&2
        echo "plesk repair did not fix this" | tee -a ${TMPLOG} >&2
        echo "We now have an invalid nginx config, I will abort the script" | tee -a ${TMPLOG} >&2
        break
      fi
    fi

  fi
done<${TMPDIR}/confs

echo "`date`  **** Finished adding vhost_nginx.conf" >>${TMPLOG}
[ ${CREATED} ] && cat ${TMPLOG} >>${LOG}

rm -r ${TMPDIR}
 
Last edited:
Back
Top