Bug on nginx session handling

Christian_Heutger

As seen by ssllabs I get

Session resumption (caching) No (IDs assigned but not accepted)

The issue is because the session cache is not set in nginx.conf. However, I added the correct setting, but when bringing Plesk up to date it got removed. So there needs to be either 1) an update-proof adjustment (worse option) or 2) the correct setting applied directly by Plesk (better option), as the reason to use an admin panel like Plesk is to not have to adjust all settings manually.
 
Settings that you apply directly to configuration files may not survive an update, because these files are auto-generated from database entries of Plesk. To solve this issue you can simply add your individual Nginx directives to the "Additional nginx directives" section on the "Apache & nginx Settings" icon page of a subscription. These will survive an update.
 
Hi Peter,

Many thanks. This setting should be a standard with Plesk. I cannot set this setting for any subscription on the server; that may be an intermediate solution, but it is no final solution and is not what has been paid for with an admin panel, which should do the job. Then I can also use Webmin.

Regards,
Christian
 
Session resumption caching in Nginx is not activated by default in Nginx. The default Nginx installation setting is "no session resumption". This is not a Plesk issue, but the default configuration of Nginx. If you want Nginx distributions to have session resumption caching enabled, this will need to be requested from Nginx developers rather than Plesk. Plesk is only the control panel software to control services you run on your machine. It does not provide these services itself.

It is probably also a matter of opinion whether session resumption should be enabled by default or not. Security is higher when a session is not automatically resumed on new connections. For example, if a client re-connects with a session ID that was previously used for an encrypted session, the server will not test whether the client is still authorized. An attacker could use an existing session ID to avoid a full TLS handshake. It's an unlikely case, but it is thinkable. I am sure that there will be users who complain if session resumption was activated by default.

After all, your question was why Plesk removes your session resumption setting after an update, and the reason for that is that you had applied your settings to the Nginx configuration directly rather than entering them into the Plesk templates. Alternatively, you can also add Nginx settings to /etc/nginx/nginx.conf. That file will not be modified on re-generation of web server configuration files, and it applies server-wide Nginx settings. Restart the Nginx service afterwards.
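The server-wide setting discussed in this thread, as an added example that is not part of any poster's reply or of Plesk's own templates. It assumes the directives go inside the existing `http { }` block of /etc/nginx/nginx.conf; the cache name `SSL`, the 10m size and the 10m timeout are illustrative values.

```nginx
# Place inside the existing http { } block of /etc/nginx/nginx.conf.

# nginx default when no directive is present:
#   ssl_session_cache none;
# With "none", nginx tells clients a session may be reused but stores
# nothing, which SSL Labs reports as
# "Session resumption (caching)  No (IDs assigned but not accepted)".

# Option A: session ID resumption strictly off. nginx tells clients
# explicitly that sessions may not be reused.
# ssl_session_cache off;

# Option B: session ID resumption on, with one cache shared by all
# worker processes. The name "SSL" and the 10m size are illustrative;
# one megabyte holds about 4000 sessions.
ssl_session_cache   shared:SSL:10m;

# How long a cached session may be resumed (nginx default: 5m).
# A shorter lifetime narrows the window in which an old session ID
# is still accepted.
ssl_session_timeout 10m;
```

Run `nginx -t` to validate the file before restarting the service, then re-run the SSL Labs test to confirm the session resumption line has changed.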
 
Hi,

Many things are not activated by default in several servers, but Parallels/Odin promotes a product for optimized computing, and they e.g. provide TLS/SSL settings to follow the current security standard and provide a firewall with predefined rules, so they adjust the settings e.g. to PCI DSS standards, but not all of them. One setting they fail on is session handling. Then there may be an option in the panel to deactivate or activate it, but the current session handling is also something in between: IDs are assigned but not accepted. Either put it completely off or completely on.

However, thanks for your workaround.

Regards,
Christian
 