
Bug on nginx session handling

Christian_Heutger

Basic Pleskian
As seen on ssllabs, I get

Session resumption (caching) No (IDs assigned but not accepted)

The issue is because the session cache is not set in nginx.conf. However, I added the correct setting, but after running plesk up2date it got removed. So there needs to be either 1) an update-proof adjustment (worse option) or 2) the correct setting applied directly by Plesk (better option), as the reason to use an admin panel like Plesk is not having to adjust all settings manually.
 
Settings that you apply directly to configuration files may not survive an update, because these files are auto-generated from Plesk's database entries. To solve this issue you can simply add your individual Nginx directives to the "Additional nginx directives" section on the "Apache & nginx Settings" icon page of a subscription. These will survive an update.
 
Hi Peter,

many thanks. This setting should be a standard with Plesk. I cannot set this setting on every subscription on the server; that may be an intermediate solution, but it is no final solution and is not what has been paid for with an admin panel, which should do the job. Then I could also use Webmin.

Regards,
Christian
 
Session resumption caching in Nginx is not activated by default in Nginx. The default Nginx installation setting is "no session resumption". This is not a Plesk issue, but the default configuration of Nginx. If you want Nginx distributions to have session resumption caching enabled, this will need to be requested from the Nginx developers rather than Plesk. Plesk is only the control panel software to control services you run on your machine. It does not provide these services itself.

It is probably also a matter of opinion whether session resumption should be enabled by default or not. Security is higher when a session is not automatically resumed on new connections. For example, if a client re-connects with a session ID that was previously used for an encrypted session, the server will not test whether the client is still authorized. An attacker could use an existing session ID to avoid a full TLS handshake. It's an unlikely case, but it is conceivable. I am sure that there will be users who complain if session resumption were activated by default.

After all, your question was why Plesk removes your session resumption setting after an update, and the reason for that is that you had applied your settings to the Nginx configuration directly rather than entering them into the Plesk templates. Alternatively, you can also add Nginx settings to /etc/nginx/nginx.conf. That file will not be modified by the re-generation of web server configuration files, and it applies server-wide Nginx settings. Restart the Nginx service afterwards.
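The directive behind this thread, as an added example that is not from the thread or from Plesk: an nginx fragment that turns on a shared TLS session cache, suitable for the http block of /etc/nginx/nginx.conf (server-wide) or a subscription's "Additional nginx directives" (that server block only). The cache size and timeout are example values, not recommendations from the original posts.

```nginx
# Added example (not from the thread): enable a TLS session cache in nginx.
# Put it inside http { } in /etc/nginx/nginx.conf for a server-wide setting,
# or into a subscription's "Additional nginx directives" for one server { }.

# nginx's default is "ssl_session_cache none": the server hands out session IDs
# but never stores the session parameters, which is exactly what SSL Labs
# reports as "IDs assigned but not accepted". A shared cache is visible to
# every worker process; roughly 4000 sessions fit into 1 MB.
ssl_session_cache   shared:SSL:10m;   # example size: about 40k sessions
ssl_session_timeout 10m;              # example value: how long a session stays resumable

# The other consistent choice is "ssl_session_cache off;", which tells clients
# plainly that sessions may not be reused, so the scan shows a clean "No"
# instead of the half-way state the original poster saw.
```

After reloading nginx, `openssl s_client -connect host:443 -reconnect` repeats the handshake against the same server and prints whether each connection was "Reused" or "New", which is a quick local check before re-running the SSL Labs scan.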
 
Hi,

many things are not activated by default on several servers, but Parallels/Odin promotes a product for optimized computing, and they e.g. provide TLS/SSL settings that follow the current security standard, they provide a firewall with predefined rules, so they adjust the settings e.g. to PCI DSS standards, but not all of them. One setting they fail on is session handling. There could be an option in the panel to activate or deactivate it, but the current session handling is also something in between: IDs are assigned but not accepted. Either put it completely off or completely on.

However, thanks for your workaround.

Regards,
Christian
 