Resolved Disable access to Plesk via IP address

[Martbean]

Hi,

I'm trying to achieve PCI compliance for a server and it's failing because Plesk can be accessed with an invalid/self-signed certificate using the IP address, ie. xxx.xxx.xxx.xxx:8443

I've managed to get Plesk to use the cert from my domain name so https://domain.com:8443 works fine, but I can still access it using the IP address, but with an "invalid certificate" error. Is there a way of disabling Plesk access on the IP address?

Thanks,

Martin.

 

[themew]

It's been a while but I think putting this in your .htaccess will force the browser to use the domain rather than the IP

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^12\.34\.56\.789$
RewriteRule ^(.*)$ http://www.domainname.com/$1 [L,R=301]

 

[AYamshanov]

Hi,

Even with rewrite rule you first see the warning for https://. I think you can't disable access to Plesk via IP-address in this scenario but you can do not use IP-address as a link anywhere.

Some time ago you could buy SSL certificate for IP-address (as an example Securing a Public IP Address - SSL Certi...) but I do not know the current situation.

 

[Martbean]

Hi,

I was thinking that too, that I'd still see the warning, but that might be enough. I'm not using the address nor publicising it but since it's a PCI scan, they are simply looking for common open ports on the IP address. The scan fails because there's a Plesk login on a "insecure" connection, but if it can redirect elsewhere then it should pass.

So is there an .htaccess for Plesk itself?

Thanks,

Martin.

 

[UFHH01]

Hi Martbean,

as you can see at:

=> Plesk for Linux services logs and configuration files ( KB - article: 213403509 )​

... Plesk uses it's own webserver, where you can find the configuration files at: => /etc/sw-cp-server/

If you desire something compairable as

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^12\.34\.56\.789$
RewriteRule ^(.*)$ http://www.domainname.com/$1 [L,R=301]

... for an apache - webserver, you would replace for example "/etc/sw-cp-server/conf.d/plesk.conf":

server {
        listen 8443 ssl;
        listen 8880;

...

with

server {
        listen 12.34.56.789:8443 ssl;
        listen 12.34.56.789:8880;

...

and add as well:

return 301 $scheme://YOUR-DOMAIN.COM:$server_port$request_uri;

... so that all would be redirected to your FQDN.

 

[Martbean]

Awesome, thanks for this! I'm going away for a few days but will give it a go when I get back.

 

[Martbean]

Hi,

I've tried the changes you suggested but it's still not redirecting. Here's the contents of /etc/sw-cp-server/conf.d/plesk.conf:

server_names_hash_bucket_size  64;

server {
                listen xx.xx.xx.xx:8443 ssl;
                listen xx.xx.xx.xx:8880;
                listen 127.0.0.1:8880 default_server;
                include conf.d/*ipv6_ports.inc;

                return 301 $scheme://www.domain.com:$server_port$request_uri;

                ssl_certificate /usr/local/psa/admin/conf/httpsd.pem;
                ssl_certificate_key /usr/local/psa/admin/conf/httpsd.pem;

                include conf.d/*plesk.inc;
                include conf.d/*wpb.inc;
}

Edit: I also restarted psa after making the changes.

Any ideas?

Thanks,

Martin.

 

[Steve Tozer]

Hello,

I have tried the above also and end up getting ERR_Too many redirects. Have cleared browser cache etc.

Anyone got any other suggestions

Thanks

 

[UFHH01]

Hi Steve Tozer,

could you provide MORE informations ( log - file entries ) and could you pls. add as well YOUR current configuration files for further investigations?

 

[Steve Tozer]

Hello @UFHH01

/etc/sw-cp-server/conf.d/plesk.conf

server_names_hash_bucket_size  64;

server {
                listen xx.xxx.xxx.xx:8443 ssl;
                listen xx.xxx.xxx.xx:8880;
                listen 127.0.0.1:8880 default_server;
                include conf.d/*ipv6_ports.inc;

                   return 301 $scheme://server.domain.co.uk:$server_port$request_uri;

                ssl_certificate /usr/local/psa/admin/conf/httpsd.pem;
                ssl_certificate_key /usr/local/psa/admin/conf/httpsd.pem;

                include conf.d/*plesk.inc;
                include conf.d/*wpb.inc;

}

The outcome is wanting the admin area to be available on https://server.domain.co.uk:8443

When going to the IP via https://xx.xxx.xxx.xx:8443 im getting ERR_TOO_MANY_REDIRECTS

I have had a look at the logs I can see the 301 but there are no errors in there.

Im guessing there's something else trying to 301/redirect it to https again

Thanks

Steve

 

[UFHH01]

Hi Steve Tozer,

return 301 $scheme://server.domain.co.uk:$server_port$request_uri;

Pls. consider to remove this line and restart the Plesk Control Panel:

service sw-cp-server restart
service sw-engine restart

If you desire a redirect to a specific "subdomain.domain.com", which is not the current hostname of your server ( pls. have a look at "/etc/hostname" ) you could use for example:

error_page 497 https://subdomain.not-your-hostname.com:$server_port$request_uri;

​

 

[Steve Tozer]

Hello @UFHH01

I have removed line

return 301 $scheme://server.domain.co.uk:$server_port$request_uri;

This stops the whole redirection happening.

The hostname of the server is server.domain.co.uk already and its correctly in /etc/hostname

Thanks

Steve

 

[Steve Tozer]

Hello @UFHH01

Removing that line didnt fix it, it just stops the redirection altogether from the IP.

Thanks

 

[UFHH01]

Hi Steve Tozer,

if you have a look at "config" ( => /etc/sw-cp-server ) you should notice, that there already is the setting:

    error_page 497 https://$hostname:$server_port$request_uri;

... which should redirect each request with a depending IP or hosted domain and the port ":8443", to https://server.domain.co.uk:8443 ( if this is setup as hostname on your server ).

Pls. make sure to setup as well a "Default site" for each of your IPs, hosted on your server ( => HOME > Tools & Settings > IP Addresses ).

 

[Steve Tozer]

Hi @UFHH01

I have just noticed something, if I go to http://ipaddress:8443 it does redirect me correctly to the https://server.domain.co.uk:8443, but if going to https://ipaddress:8443 it doesnt redirect to https://server.domain.co.uk

Steve