
Resolved How can I adjust HSTS in Plesk?

Dukemaster

Regular Pleskian
Hello Plesk-friends,

Referring to this article by @UFHH01 in How can I adjust HSTS in Plesk?.

I use nginx with Apache. The first part of UFHH01's help worked great. I also enabled HTTP/2 via HTTP/2 Support in Plesk.

Everything works great. In SSL Labs I get an A; the first two entries have 100%, the last two 90%.
So I wanted to enable HSTS.
But for Apache the help didn't work.
I think I can't create ssl.config for /etc/apache/config.d because of changes related to the Onyx upgrade.

Do you know what my mistake is?
 
Hi Dukemaster,

if you use the combination "Apache+NGINX", you can't set global HSTS options twice without issues, as described for example at => #2 (hint: see "Last step to achieve your requested goal:"). As you can read, I described the solution for Apache and left out the possibility of using an NGINX configuration.

If you would like to choose the option of defining HSTS globally for NGINX, you could use for example:
  1. Create a custom nginx configuration file, for example:
    Code:
    touch /etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf
  2. Add, for example, at "/etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf":
    Code:
        ssl_session_timeout         10m;
        ssl_session_cache shared:SSL:50m;
    
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';
  3. Finally, test your new NGINX configuration and, when you don't experience issues/errors/problems, restart NGINX:
    Code:
    nginx -t
    
    service nginx restart
    
    or
    
    systemctl restart nginx.service
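One caveat a practitioner should know before relying on a global conf.d file like the one above, shown here as an added example that is not part of the original post: nginx inherits add_header from the enclosing level (http, then server, then location) only when the current level defines no add_header of its own, so a single add_header inside a server or location block silently drops every header set globally. The Python below is a small constructed checker (not a Plesk or nginx tool) that parses an nginx-style configuration and lists the server/location blocks whose responses would end up without Strict-Transport-Security. The configuration, the example.com hostnames and the "add_header X-Powered-By PleskLin" directive in the vhost are constructed for the example; "include" directives are not expanded, so concatenate the global file and the vhost file in the order nginx reads them before checking real configurations.

```python
"""Constructed checker for the nginx add_header inheritance trap (example code, not a Plesk/nginx tool)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Block:
    header: str                                   # "http", "server", "location /", ...
    parent: Optional["Block"] = None
    directives: List[Tuple[str, List[str]]] = field(default_factory=list)
    children: List["Block"] = field(default_factory=list)

    def label(self) -> str:
        if self.header == "server":               # name server blocks by their server_name
            names = [a for n, args in self.directives if n == "server_name" for a in args]
            return "server " + " ".join(names)
        return self.header


def tokenize(text: str) -> List[str]:
    text = re.sub(r"#[^\n]*", "", text)           # drop comments
    # quoted strings stay whole: a ';' inside quotes does not end the directive
    return re.findall(r"\"[^\"]*\"|'[^']*'|[{};]|[^\s{};\"']+", text)


def parse(text: str) -> Block:
    """Build the block tree (include directives are NOT expanded)."""
    root = Block("root")
    cur, stmt = root, []
    for tok in tokenize(text):
        if tok == "{":
            child = Block(" ".join(stmt), parent=cur)
            cur.children.append(child)
            cur, stmt = child, []
        elif tok == "}":
            if cur.parent is None:
                raise ValueError("unbalanced '}'")
            cur = cur.parent
        elif tok == ";":
            cur.directives.append((stmt[0], stmt[1:]))
            stmt = []
        else:
            stmt.append(tok.strip("\"'"))
    return root


def effective_headers(block: Block) -> Dict[str, str]:
    """Headers nginx adds for a response handled in `block`: the nearest level
    (walking outward) that defines ANY add_header wins; nothing is merged."""
    b = block
    while b is not None:
        own = [args for name, args in b.directives if name == "add_header"]
        if own:
            return {args[0]: " ".join(args[1:]) for args in own}
        b = b.parent
    return {}


def find_hsts_gaps(conf: str) -> List[str]:
    """Paths of server/location blocks whose responses carry no HSTS header."""
    gaps: List[str] = []

    def walk(b: Block, path: List[str]) -> None:
        here = path if b.header == "root" else path + [b.label()]
        if b.header.startswith(("server", "location")):
            names = {k.lower() for k in effective_headers(b)}
            if "strict-transport-security" not in names:
                gaps.append(" > ".join(here))
        for child in b.children:
            walk(child, here)

    walk(parse(conf), [])
    return gaps


# Constructed configuration modelled on a Plesk nginx+Apache vhost (placeholder hostnames).
PLESK_LIKE_CONF = """
http {
    # in Plesk this directive would come from /etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf
    add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';

    server {                               # non-www: nginx answers the 301 itself
        listen 443 ssl;
        server_name example.com;
        return 301 https://www.example.com$request_uri;
    }
    server {                               # www: the location sets its own add_header
        listen 443 ssl;
        server_name www.example.com;
        location / {
            add_header X-Powered-By PleskLin;
            proxy_pass http://127.0.0.1:7080;
        }
    }
}
"""

# Fix: repeat the HSTS header at every level that sets its own add_header.
FIXED_CONF = PLESK_LIKE_CONF.replace(
    "add_header X-Powered-By PleskLin;",
    "add_header X-Powered-By PleskLin;\n"
    "            add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';",
)

if __name__ == "__main__":
    print("gaps before:", find_hsts_gaps(PLESK_LIKE_CONF))   # ['http > server www.example.com > location /']
    print("gaps after: ", find_hsts_gaps(FIXED_CONF))        # []
```

The non-www server block, which only emits a 301, inherits the global header; the www location does not, because its own add_header (the Plesk-style X-Powered-By) replaces the global set. Repeating the Strict-Transport-Security line in that location, or in a snippet included at that level, is the fix the checker confirms.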
 
Thanks a lot, @UFHH01, you are an amazing expert. Many thanks to you and all the Plesk developers in Berlin and Rüsselsheim!

P.S.: 10% are still missing in each of the 3rd row, Key Exchange, and the 4th row, Cipher Strength, but A+ is more than enough to be happy!

GREAT SUPPORT
 

Hi

I followed the configuration above on Plesk 17 / Apache + nginx / CentOS 7.2.

This does not work: Strict Transport Security (HSTS) No :(
 
Hi FAPM,

This does not work:
Well, sorry to answer like that, but "This does not work" is nothing which can be investigated. :rolleyes: Please consider including facts (log file entries, configuration files, ...), because no one is able to guess WHY something "doesn't work" if you don't provide information about it. :(
In addition, it is also a good idea to tell us the FQDN concerned, because we are then able to test and see some results. ;)
 
Code:
2016-11-25 17:46:09    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     SSL/TLS Access Nginx
2016-11-25 17:46:10    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     SSL/TLS Access Nginx
2016-11-25 17:47:37    Error    64.41.200.101        [crit] 18758#0: *594 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Nginx Error
2016-11-25 17:47:38    Error    64.41.200.101        [crit] 18758#0: *595 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Nginx Error
2016-11-25 17:48:12    Access    64.41.200.101    200    GET / HTTP/1.0        Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0    508     SSL/TLS Access Apache
2016-11-25 17:48:12    Access    64.41.200.101    200    GET / HTTP/1.0        Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0    5.42 K    SSL/TLS Access Nginx
2016-11-25 17:48:24    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     SSL/TLS Access Nginx
2016-11-25 17:48:24    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     SSL/TLS Access Nginx
2016-11-25 17:49:52    Error    64.41.200.101        [crit] 18758#0: *901 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Nginx Error
2016-11-25 17:49:52    Error    64.41.200.101        [crit] 18758#0: *902 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Nginx Error
 
Hi FAPM,

(pls. note that you can EDIT one of your posts as well... there is mostly no need to add further posts of your own right after your previous one! ;))


Pls. post the result of the following commands:
Code:
ls -lah /etc/nginx
ls -lah /etc/nginx/conf.d

In addition, pls. post the content of the files:

/etc/nginx/nginx.conf
/etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf
( or whatever you named the file ! )
/var/www/vhosts/system/lesmeilleurestechnologies.com/conf/nginx.conf
OR

/var/www/vhosts/system/lesmeilleurestechnologies.com/conf/nginx_ip_default.conf

Pls. confirm as well, that you RESTARTED nginx, after you made the suggested changes and/or added an additional configuration file for nginx at "/etc/nginx/conf.d/"
 
Hi :)

Code:
ls -lah /etc/nginx
total 88K
drwxr-xr-x  5 root root 4,0K 24 nov.  13:19 .
drwxr-xr-x 94 root root  12K 25 nov.  18:15 ..
drwxr-xr-x  2 root root 4,0K 25 nov.  18:17 conf.d
-rw-r--r--  1 root root 1,2K  5 oct.  13:27 fastcgi.conf
-rw-r--r--  1 root root 1,2K  5 oct.  13:27 fastcgi.conf.default
-rw-r--r--  1 root root 1,1K  5 oct.  13:27 fastcgi_params
-rw-r--r--  1 root root 1,1K  5 oct.  13:27 fastcgi_params.default
-rw-r--r--  1 root root 2,8K  5 oct.  13:27 koi-utf
-rw-r--r--  1 root root 2,2K  5 oct.  13:27 koi-win
-rw-r--r--  1 root root 3,9K  5 oct.  13:27 mime.types
-rw-r--r--  1 root root 3,9K  5 oct.  13:27 mime.types.default
drwxr-xr-x  2 root root 4,0K  5 oct.  13:27 modules.conf.d
-rw-r--r--  1 root root  980  5 oct.  13:27 nginx.conf
-rw-r--r--  1 root root  980  5 oct.  13:27 nginx.conf.default
drwxr-xr-x  7 root root 4,0K 25 nov.  16:59 plesk.conf.d
-rw-r--r--  1 root root  636  5 oct.  13:27 scgi_params
-rw-r--r--  1 root root  636  5 oct.  13:27 scgi_params.default
-rw-r--r--  1 root root  664  5 oct.  13:27 uwsgi_params
-rw-r--r--  1 root root  664  5 oct.  13:27 uwsgi_params.default
-rw-r--r--  1 root root 3,6K  5 oct.  13:27 win-utf

Code:
ls -lah /etc/nginx/conf.d
total 20K
drwxr-xr-x 2 root root  4,0K 25 nov.  18:17 .
drwxr-xr-x 5 root root  4,0K 24 nov.  13:19 ..
-rw-r--r-- 1 root root   270 25 nov.  17:32 001_own_additional_ssl_hsts_.conf
-rw-r--r-- 1 root root   507 25 nov.  16:59 ssl.conf
-rw------- 1 root nginx  391 25 nov.  18:17 zz010_psa_nginx.conf
 
001_own_additional_ssl_hsts_.conf

Code:
ssl_session_timeout         10m;
ssl_session_cache shared:SSL:50m;

add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';
 
nginx.conf

Code:
#user  nginx;
worker_processes  1;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;

include /etc/nginx/modules.conf.d/*.conf;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    #tcp_nodelay        on;

    #gzip  on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server_tokens off;

    include /etc/nginx/conf.d/*.conf;
}

# override global parameters e.g. worker_rlimit_nofile
include /etc/nginx/*global_params;
 
Yes, I RESTARTED nginx.

And:

Code:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
 
Hi FAPM,

pls. see:

(screenshot)

As you might notice, www has HSTS NOT enabled, while non-www has HSTS enabled.

Your issue depends on your current domain configuration at "Home > Subscriptions > lesmeilleurestechnologies.com > Hosting Settings".

Pls. check, for example with the help of "curl", your current headers for the URLs:

(screenshot)

You will notice that ONLY "https://www.lesmeilleurestechnologies.com" has HSTS NOT enabled. ;)
 
Code:
curl -v https://lesmeilleurestechnologies.com



* About to connect() to lesmeilleurestechnologies.com port 443 (#0)
*   Trying 164.132.149.191...
* Connected to lesmeilleurestechnologies.com (164.132.149.191) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.lesmeilleurestechnologies.com,OU=PositiveSSL,OU=Domain Control Validated
*       start date: nov. 25 00:00:00 2016 GMT
*       expire date: nov. 25 23:59:59 2017 GMT
*       common name: www.lesmeilleurestechnologies.com
*       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: lesmeilleurestechnologies.com
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Fri, 25 Nov 2016 19:52:40 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://www.lesmeilleurestechnologies.com/
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=15768000;includeSubDomains
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host lesmeilleurestechnologies.com left intact
 
Code:
curl -v https://www.lesmeilleurestechnologies.com



* About to connect() to www.lesmeilleurestechnologies.com port 443 (#0)
*   Trying 164.132.149.191...
* Connected to www.lesmeilleurestechnologies.com (164.132.149.191) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.lesmeilleurestechnologies.com,OU=PositiveSSL,OU=Domain Control Validated
*       start date: nov. 25 00:00:00 2016 GMT
*       expire date: nov. 25 23:59:59 2017 GMT
*       common name: www.lesmeilleurestechnologies.com
*       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.lesmeilleurestechnologies.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 25 Nov 2016 19:54:16 GMT
< Content-Type: text/html
< Content-Length: 5548
< Last-Modified: Fri, 25 Nov 2016 15:28:04 GMT
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: "58385884-15ac"
< X-Powered-By: PleskLin
< Accept-Ranges: bytes
<
[... Plesk "Domain Default page" HTML body (5548 bytes) omitted ...]
* Connection #0 to host www.lesmeilleurestechnologies.com left intact
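The curl comparison above shows the thing that matters for HSTS: the non-www 301 carries the header, the final www page does not, and a visitor who types the www address directly never sees the policy, because a browser pins only the host that actually sent it. As an added example that is not code from this thread, the Python below turns that manual curl check into an audit of every hop of a redirect chain. The sample hops are constructed with example.com hostnames modelled on the two responses above; fetch_chain is the same check against a live host and needs network access; SIX_MONTHS is the max-age value used in the thread, and ONE_YEAR is the minimum max-age hstspreload.org requires for preload submission.

```python
"""Constructed HSTS audit of an HTTPS redirect chain (example code, not from the original thread)."""
import http.client
import urllib.parse
from typing import Dict, List, Tuple

Hop = Tuple[str, int, Dict[str, str]]        # (host, status, response headers)

SIX_MONTHS = 15768000      # max-age used in the thread's global nginx file
ONE_YEAR = 31536000        # minimum max-age hstspreload.org accepts for the preload list


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value; directive names are case-insensitive."""
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass                                 # malformed max-age stays None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_ready(policy: Dict[str, object]) -> bool:
    """Preload list rules: max-age of at least one year, includeSubDomains and preload."""
    return bool(policy["max_age"] is not None and policy["max_age"] >= ONE_YEAR
                and policy["include_subdomains"] and policy["preload"])


def audit(chain: List[Hop], min_age: int = SIX_MONTHS) -> List[str]:
    """Every HTTPS response in the chain, the 301 included, must carry a usable HSTS header."""
    findings: List[str] = []
    for host, status, headers in chain:
        hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if hsts is None:
            findings.append(f"{host}: {status} response has no Strict-Transport-Security header")
            continue
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            findings.append(f"{host}: HSTS header has no valid max-age ({hsts!r})")
        elif p["max_age"] < min_age:
            findings.append(f"{host}: HSTS max-age {p['max_age']} is below {min_age}")
        if not p["include_subdomains"]:
            findings.append(f"{host}: HSTS does not cover subdomains")
    return findings


def fetch_chain(url: str, max_hops: int = 5) -> List[Hop]:
    """Follow HTTPS redirects hop by hop, recording each hop's headers (needs network)."""
    chain: List[Hop] = []
    for _ in range(max_hops):
        u = urllib.parse.urlsplit(url)
        if u.scheme != "https" or not u.hostname:
            break                                    # a hop back to plain http is itself a finding
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=10)
        conn.request("GET", u.path or "/", headers={"Host": u.hostname, "User-Agent": "hsts-audit"})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        conn.close()
        chain.append((u.hostname, resp.status, headers))
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if resp.status not in (301, 302, 307, 308) or not location:
            break
        url = urllib.parse.urljoin(url, location)
    return chain


# Constructed hops modelled on the two curl responses above (placeholder hostnames).
SAMPLE_CHAIN: List[Hop] = [
    ("example.com", 301, {"Server": "nginx", "Location": "https://www.example.com/",
                          "Strict-Transport-Security": "max-age=15768000;includeSubDomains"}),
    ("www.example.com", 200, {"Server": "nginx", "X-Powered-By": "PleskLin"}),
]

if __name__ == "__main__":
    import sys
    chain = fetch_chain(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CHAIN
    for line in audit(chain) or ["OK: HSTS present on every hop"]:
        print(line)
```

Run with a URL argument to audit a real chain (for example the non-www address, so the 301 hop is included), or without one to see the finding the constructed sample produces: the www hop has no Strict-Transport-Security header. The audit deliberately treats the 301 as a response in its own right; a redirect that lacks the header leaves a window in which the first request can still be downgraded.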
 
When I disable my domain name settings:

Preferred Domain: None
Redirect 301: None

I get:

curl -v https://lesmeilleurestechnologies.com

Code:
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 25 Nov 2016 20:04:36 GMT
< Content-Type: text/html
< Content-Length: 5548
< Last-Modified: Fri, 25 Nov 2016 15:28:04 GMT
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: "58385884-15ac"
< X-Powered-By: PleskLin
< Accept-Ranges: bytes


curl -v https://www.lesmeilleurestechnologies.com

Code:
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 25 Nov 2016 20:04:02 GMT
< Content-Type: text/html
< Content-Length: 5548
< Last-Modified: Fri, 25 Nov 2016 15:28:04 GMT
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: "58385884-15ac"
< X-Powered-By: PleskLin
< Accept-Ranges: bytes
 