• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved How can I adjust HSTS in Plesk?

E

endstationStgt

New Pleskian
Hello,

I installed ownCloud on my Plesk server. Unfortunately, I denotes ownCloud error like this:

"The" Strict Transport Security "HTTP header is not at least" 15552000 "set seconds. To increase security, we recommend enabling HSTS"

How can I adjust HSTS in Plesk?


I have:

Operating System: CentOS 6.8 with Plesk 05:12:30
Web Server Type: Linux
Database Type: MySQL phpMyAdmin
PHP Version: 5.6.24
ownCloud Version: 9.1.0
 
Hi endstationStgt,

the fastest way would be the usage of the Plesk "sslmng - utility", with the following commands:

For NGINX:
Code: 
plesk sbin sslmng --services=nginx --custom --ciphers='EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20' --protocols='TLSv1 TLSv1.1 TLSv1.2'

... where you should define your own ciphers, according to your needs and according to your configuration: => https://mozilla.github.io/server-side-tls/ssl-config-generator/

Afterwards, you will notice, that you now have an additional nginx - configuration file, located at "/etc/nginx/conf.d/ssl.conf", with your defined configuration.


For apache:
The next step is to create another "ssl.conf" - file, but this time, you will do this for apache:
Code: 
plesk sbin sslmng --services=apache --custom --ciphers='EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20' --protocols='All -SSLv2 -SSLv3'

Pls. use the same ciphers, as you used for nginx.

You will now have a new additional apache - configuration file, located at ".../conf.d/ssl.conf" ( where ".../" differs between Debian/Ubuntu - based systems ( => "/etc/apache2/" ) and CentOS/RHEL - based systems ( => "/etc/httpd/" ) ), with your defined configuration.


Last step to achieve your requested goal:

To avoid double "X-Header" loads, when you use apache and nginx together, you will now add only at the ssl - apache2 - configuration file your HSTS - modifications, as for example:

Add at the end of your existing configuration "../conf.d/ssl.conf" :
Code: 
    Header set X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header add Strict-Transport-Security "max-age=15768000;includeSubDomains;preload"

Finally, pls. restart apache and nginx and check your configuration as for example at "https://www.ssllabs.com/ssltest/index.html" or without any security - checks, just check your headers at "http://web-sniffer.net/".
 
Hi UFHH01,
one more question,please
Same to me, but with nextcloud12, PHP5.6, Plesk Onyx 17.5, apache2.4 (httpd 2.4.18-2ubuntu3.3),Ubuntu16LTS:

If I use your mention for apache2, I get this error below.
How can I solve it, what are the steps?

Thank you

Code: 
# plesk sbin sslmng --services=apache --custom --ciphers='EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20' --protocols='All -SSLv2 -SSLv3'

WARNING:Ignoring unsuppored protocol All
WARNING:Ignoring unsuppored protocol -SSLv2
WARNING:Ignoring unsuppored protocol -SSLv3
ERROR:No supported protocols supplied
exit status 1

do I have to use this link also Generate Mozilla Security Recommended Web Server Configuration Files ?
 
eocookie said:
Hi UFHH01,
one more question,please
Same to me, but with nextcloud12, PHP5.6, Plesk Onyx 17.5, apache2.4 (httpd 2.4.18-2ubuntu3.3),Ubuntu16LTS:

If I use your mention for apache2, I get this error below.
How can I solve it, what are the steps?

Thank you

Code: 
# plesk sbin sslmng --services=apache --custom --ciphers='EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20' --protocols='All -SSLv2 -SSLv3'

WARNING:Ignoring unsuppored protocol All
WARNING:Ignoring unsuppored protocol -SSLv2
WARNING:Ignoring unsuppored protocol -SSLv3
ERROR:No supported protocols supplied
exit status 1

do I have to use this link also Generate Mozilla Security Recommended Web Server Configuration Files ?
Click to expand...

PS: For nc/oc-users, if i set this to the apache-configfield at plesk/vhostuser, the HSTS-warning disappears and View HTTP Request and Response Header shows successfully strict-transport-security (max-age=15768000; includeSubDomains; preload):

<IfModule mod_headers.c>
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
 
I was greatly helped by @UFHH01 's suggestions, but I recently found out that it adds the header "Strict-Transport-Security" to http requests.
This is explicitly mentioned in RFC 6797 - HTTP Strict Transport Security (HSTS)
There it's said that this should NOT be done.

IMHO it's best to create some ssl-settings server-wide using a seperate file /etc/nginx/conf.d/aa400_own_tweaks.conf
It prepares the use of the header Strict-Transport-Security, but does NOT yet add it.
Then use the Plesk interface to add the headers in Additional nginx directives
The headers can there be added for each SSL-site. Only if you connect with SSL the Strict-Transport-Security will be added due to the use of map.

Check these 2 threads and form your own opinion.
Input - How to add nginx header for all https sites (but NOT plain http)?
Issue - XFrame Options / X-XSS-Protection / X-Content-Type-Options / HSTS

At that post is a script that will automatically add the Nginx additional directives to each file that has the HTTPS-redirect enabled.
The script enables me to slowly convert clients to https-only sites without missing a site.

IMHO the parameter "includeSubDomains" is too easily added to all domains.
Most of the time you don't really know if plain http is never used.
 
Last edited:
dandre said:
For the purposes of Nextcloud, I just added the following line in .httpaccess of the directory:

Header always set Strict-Transport-Security "max-age=15768000" env=HTTPS

as mentioned here: ServerPilot | How to Enable HTTP Strict Transport Security (HSTS)
It seems to eliminate the error. Is there a problem with that method?
Click to expand...
There's more ways than one to skin a cat....
The "problem" with this way is that it's a setting that can't be found (nor modified) in the Plesk interface.
IMHO it's not transparent enough.
Whenever there's some problem with that site this directive is more hidden.

It's not wrong at all in its functionality.
In Apache there's no trick needed like in Nginx to make it only happen in https.
In that respect it's more elegant.

You're now using the .htaccess for Apache to add that header.
You could have used it with the same syntax as an Apache directive in the Plesk interface.

I prefer to do these kind of things with Nginx as that's the service that's listening on port 443 (on my system).

A more recent thread here may give you some extra info:

Question - HSTS and ssl.conf command
 
Last edited:
You must log in or register to reply here.

Similar threads

M
Resolved Domain name issue -- certificate for a domain uses server domain. But can't see how or why
Replies
9
Views
2K
MHC_1
M
F
Issue OCSP for Plesk-Panel does not work
Replies
5
Views
764
Peter Debik
P
M
Question Global sttings of HSTS via CLI
Replies
6
Views
2K
Peter Debik
P
W
Question How can I stop plesk listening on port 443 completely?
Replies
3
Views
618
AYamshanov
AYamshanov
O
Question Where in Plesk can I configure 301 redirect for non-existing subdomains?
Replies
2
Views
487
olegos76
O
Back
Top