
Resolved: How can I adjust HSTS in Plesk?

endstationStgt

New Pleskian
Hello,

I installed ownCloud on my Plesk server. Unfortunately, ownCloud shows an error like this:

"The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. To increase security, we recommend enabling HSTS"

How can I adjust HSTS in Plesk?


I have:

Operating System: CentOS 6.8 with Plesk 05:12:30
Web Server Type: Linux
Database Type: MySQL phpMyAdmin
PHP Version: 5.6.24
ownCloud Version: 9.1.0
 
Hi endstationStgt,

the fastest way would be to use the Plesk "sslmng" utility, with the following commands:

For NGINX:
Code:
plesk sbin sslmng --services=nginx --custom --ciphers='EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20' --protocols='TLSv1 TLSv1.1 TLSv1.2'

... where you should define your own ciphers, according to your needs and your configuration: => https://mozilla.github.io/server-side-tls/ssl-config-generator/

Afterwards, you will notice that you now have an additional nginx configuration file, located at "/etc/nginx/conf.d/ssl.conf", with your defined configuration.


For apache:
The next step is to create another "ssl.conf" file, but this time for apache:
Code:
plesk sbin sslmng --services=apache --custom --ciphers='EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20' --protocols='All -SSLv2 -SSLv3'

Pls. use the same ciphers as you used for nginx.

You will now have a new additional apache configuration file, located at ".../conf.d/ssl.conf" (where ".../" differs between Debian/Ubuntu-based systems (=> "/etc/apache2/") and CentOS/RHEL-based systems (=> "/etc/httpd/")), with your defined configuration.


Last step to achieve your requested goal:

To avoid double "X-Header" loads when you use apache and nginx together, add your HSTS modifications only to the apache2 ssl configuration file, as for example:

Add at the end of your existing configuration ".../conf.d/ssl.conf":
Code:
    Header set X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header add Strict-Transport-Security "max-age=15768000;includeSubDomains;preload"

Finally, pls. restart apache and nginx and check your configuration, for example at "https://www.ssllabs.com/ssltest/index.html" or, without any security checks, just check your headers at "http://web-sniffer.net/".
 
Hi UFHH01,
one more question, please.
Same for me, but with nextcloud12, PHP5.6, Plesk Onyx 17.5, apache2.4 (httpd 2.4.18-2ubuntu3.3), Ubuntu16LTS:

If I use your suggestion for apache2, I get the error below.
How can I solve it, what are the steps?

Thank you

Code:
# plesk sbin sslmng --services=apache --custom --ciphers='EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20' --protocols='All -SSLv2 -SSLv3'

WARNING:Ignoring unsuppored protocol All
WARNING:Ignoring unsuppored protocol -SSLv2
WARNING:Ignoring unsuppored protocol -SSLv3
ERROR:No supported protocols supplied
exit status 1

Do I also have to use this link: Generate Mozilla Security Recommended Web Server Configuration Files?
 

PS: For nc/oc users, if I put this in the apache configuration field at plesk/vhostuser, the HSTS warning disappears and "View HTTP Request and Response Header" successfully shows strict-transport-security (max-age=15768000; includeSubDomains; preload):

Code:
    <IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
 
I was greatly helped by @UFHH01's suggestions, but I recently found out that it adds the "Strict-Transport-Security" header to http requests.
This is explicitly mentioned in RFC 6797 - HTTP Strict Transport Security (HSTS):
there it says that this should NOT be done.

IMHO it's best to create some SSL settings server-wide using a separate file /etc/nginx/conf.d/aa400_own_tweaks.conf.
It prepares the use of the Strict-Transport-Security header, but does NOT yet add it.
Then use the Plesk interface to add the headers in "Additional nginx directives".
The headers can be added there for each SSL site. Only if you connect over SSL will the Strict-Transport-Security header be added, due to the use of map.

Check these 2 threads and form your own opinion.
Input - How to add nginx header for all https sites (but NOT plain http)?
Issue - XFrame Options / X-XSS-Protection / X-Content-Type-Options / HSTS

In that post there is a script that will automatically add the nginx additional directives to each file that has the HTTPS redirect enabled.
The script lets me slowly convert clients to https-only sites without missing a site.

IMHO the parameter "includeSubDomains" is too easily added to all domains.
Most of the time you don't really know whether plain http is never used.
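One way to build the map-based setup described above (example config added here, not the poster's own file or the script linked in the threads): a server-wide map that only prepares the value, plus the per-site directive pasted into the Plesk "Additional nginx directives" field. The max-age value and the omission of includeSubDomains follow the thread; the variable name $hsts_header is an assumption.

```nginx
# /etc/nginx/conf.d/aa400_own_tweaks.conf (server-wide, http context).
# Prepares the HSTS value but adds no header by itself.
# $hsts_header (assumed name) is non-empty only when the request came in
# over https; on plain http it stays empty, and nginx does not emit an
# add_header whose value is empty, which keeps RFC 6797's rule that the
# header is only sent over a secure transport.
map $scheme $hsts_header {
    https   "max-age=15768000";   # value used in this thread; add includeSubDomains
                                  # only once every subdomain is really https-only
    default "";
}

# Per domain: Plesk > Apache & nginx Settings > Additional nginx directives.
# Plesk includes this in both the http and the https server block of the
# site, so the map above is what makes it a no-op for plain http.
add_header Strict-Transport-Security $hsts_header always;
```

Reload nginx after saving the server-wide file; the per-site directive is applied by Plesk when you save the domain settings.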
 
For the purposes of Nextcloud, I just added the following line to the .htaccess of the directory:

Code:
    Header always set Strict-Transport-Security "max-age=15768000" env=HTTPS

as mentioned here: ServerPilot | How to Enable HTTP Strict Transport Security (HSTS)
It seems to eliminate the error. Is there a problem with that method?
There's more than one way to skin a cat...
The "problem" with this way is that it's a setting that can't be found (nor modified) in the Plesk interface.
IMHO it's not transparent enough.
Whenever there's some problem with that site, this directive is more hidden.

It's not wrong at all in its functionality.
In Apache there's no trick needed like in Nginx to make it only happen over https.
In that respect it's more elegant.

You're now using the .htaccess for Apache to add that header.
You could have used it with the same syntax as an Apache directive in the Plesk interface.

I prefer to do these kinds of things with Nginx, as that's the service that's listening on port 443 (on my system).

A more recent thread here may give you some extra info:

Question - HSTS and ssl.conf command
 