Completely disable SSL for domains

[kenneth-vkd]

Hi
In our hosting environment we are getting bad hits on SEO as many sites were allowing HTTPS connections with an invalid certificate (Plesk default self-signed) and have now disabled SSL support.
However if we now try to visit https://domain.tld it shows the default server page.
http://domain.tld still works fine and shows the correct website.

Is there a way for us to completely disable SSL unless it has been enabled for the specific domain, so that the server just refuses the connection when no SSL vhost is enabled?

 

[Alvin_Allen]

You can disable SSL support by following this KB https://kb.plesk.com/en/124057
However, you HTTPS connection will redirect to the default domain as defined in Plesk.
I add a simple 301 redirect in the .htaccess file for the domains that don't use HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

 

[kenneth-vkd]

This will of course handle the redirection, but we will still get the certificate warning or is Plesk/Apache smart enough to handle this?

 

[IgorG]

Try to do it with something like this:

# for i in `mysql -uadmin -p\`cat /etc/psa/.psa.shadow\` psa -Ns -e "select name from domains"`; do /usr/local/psa/bin/domain -u $i -ssl false; done

 

[kenneth-vkd]

Sorry for my late reply to this.
The suggested solutions fix the problem in #2 fixes the issue, but the user first has to click past the certificate warning.
The solution in #4 just bulk disables SSL, but does not fix the actual issue.

It must be possible to have Plesk completely deny https access if SSL support is disabled for the given domain, even in situations where we run with shared IP.

 

[Boken]

It must be possible to have Plesk completely deny https access if SSL support is disabled for the given domain

Not sure that it is good idea.

 

[Sergio Manzi]

I've tried solution #2 by Alvin_Allen by inserting his code in /var/www/vhosts/default/htdocs/.htaccess and it works but indeed the issue remain of being asked about the invalid certificate.

I'm wondering if that is the correct place to put such a hack: We have nginx acting as a proxy in front of Apache, so a similar solution should probably be applied at the nginx level. I guess, but I don't know how, and I'm not even sure we wouldn't be asked about the invalid certificate as well... so.... just a speculation...

BTW, I've just tried to access an handful of well known sites that I know for sure are not using https with a valid certificate: all of them ask for a confirmation about the invalid certificate and if granted they serve through https, with the invalid certificate.

Redirecting https -> http is probably not a good idea...

Edit: Giving a 400 (or 501...) could be an alternative solution...

Edit 2: But at the end of the day the best solution (obviously beside correctly implementing https with a valid certificate) would probably be to do what all others are doing and just enable https even if you don't have a valid certificate.