
Resolved How can I adjust HSTS in Plesk?

Dukemaster

Regular Pleskian
Hello Plesk-friends,

Referring to this article by @UFHH01 in "How can I adjust HSTS in Plesk?".

I use nginx with Apache. The first part of UFHH01's help worked great. I also enabled HTTP/2 via "HTTP/2 Support" in Plesk.

Everything works great. In SSL Labs I get an A; the first two entries have 100%, the last two 90%.
So I wanted to enable HSTS.
But for Apache the help didn't work.
I think I can't create ssl.config for /etc/apache/config.d because of changes related to the Onyx upgrade.

Do you know what my mistake is?
 
Hi Dukemaster,

If you use the combination "Apache+NGINX", you can't set global HSTS options twice without issues, as described for example at => #2 (hint: see "Last step to achieve your requested goal:"). As you can read, I described the solution for Apache and left out the possibility of using an NGINX configuration.

If you would like to choose the option of defining HSTS globally for NGINX, you could use for example:
  1. Create a custom nginx configuration file, for example:
    Code:
    touch /etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf
  2. Add, for example, at "/etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf":
    Code:
        # picked up in the http {} context through "include /etc/nginx/conf.d/*.conf;" in nginx.conf
        ssl_session_timeout         10m;
        ssl_session_cache shared:SSL:50m;
    
        # add_header is inherited only by server/location blocks that declare no add_header of their own
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';
  3. Finally, test your new NGINX configuration and, when you don't experience issues/errors/problems, restart NGINX:
    Code:
    nginx -t
    
    service nginx restart
    
    or
    
    systemctl restart nginx.service
 
Thanks a lot, @UFHH01, you are an amazing expert. Many thanks to you and all the Plesk developers in Berlin and Rüsselsheim!

P.S.: There are still 10% missing in each of the 3rd row, Key Exchange, and the 4th row, Cipher Strength, but A+ is more than enough to be happy!

GREAT SUPPORT
 
Hi

I followed the configuration above on Plesk 17 / Apache + nginx / CentOS 7.2

This does not work: Strict Transport Security (HSTS) No :(
 
Hi FAPM,

This does not work:
well, sorry to answer like that, but "This does not work" is nothing that can be investigated. Please consider including facts (log file entries, configuration files, ...), because no one is able to guess WHY something "doesn't work" if you don't provide information about it. :(
In addition, it is also a good idea to tell us the FQDN concerned, because we are then able to test and see some results. ;)
 
Code:
2016-11-25 17:46:09    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     SSL/TLS access Nginx
2016-11-25 17:46:10    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     SSL/TLS access Nginx
2016-11-25 17:47:37    Error    64.41.200.101        [crit] 18758#0: *594 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Nginx error
2016-11-25 17:47:38    Error    64.41.200.101        [crit] 18758#0: *595 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Nginx error
2016-11-25 17:48:12    Access    64.41.200.101    200    GET / HTTP/1.0        Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0    508     SSL/TLS access Apache
2016-11-25 17:48:12    Access    64.41.200.101    200    GET / HTTP/1.0        Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0    5.42 K    SSL/TLS access Nginx
2016-11-25 17:48:24    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     SSL/TLS access Nginx
2016-11-25 17:48:24    Error    64.41.200.101    400    GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0        SSL Labs (https://www.ssllabs.com/about/assessment.html)    0     SSL/TLS access Nginx
2016-11-25 17:49:52    Error    64.41.200.101        [crit] 18758#0: *901 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Nginx error
2016-11-25 17:49:52    Error    64.41.200.101        [crit] 18758#0: *902 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking                Nginx error
 
Hi FAPM,

(please note that you can EDIT one of your posts as well... there is mostly no need to add further posts of your own right after your previous one! ;))


Please post the result of the following commands:
Code:
ls -lah /etc/nginx
ls -lah /etc/nginx/conf.d

In addition, please post the content of the files:

/etc/nginx/nginx.conf
/etc/nginx/conf.d/001_own_additional_ssl_hsts_.conf
(or whatever you named the file!)
/var/www/vhosts/system/lesmeilleurestechnologies.com/conf/nginx.conf
OR

/var/www/vhosts/system/lesmeilleurestechnologies.com/conf/nginx_ip_default.conf

Please confirm as well that you RESTARTED nginx after you made the suggested changes and/or added an additional configuration file for nginx at "/etc/nginx/conf.d/".
 
Hi :)

Code:
ls -lah /etc/nginx
total 88K
drwxr-xr-x  5 root root 4,0K 24 nov.  13:19 .
drwxr-xr-x 94 root root  12K 25 nov.  18:15 ..
drwxr-xr-x  2 root root 4,0K 25 nov.  18:17 conf.d
-rw-r--r--  1 root root 1,2K  5 oct.  13:27 fastcgi.conf
-rw-r--r--  1 root root 1,2K  5 oct.  13:27 fastcgi.conf.default
-rw-r--r--  1 root root 1,1K  5 oct.  13:27 fastcgi_params
-rw-r--r--  1 root root 1,1K  5 oct.  13:27 fastcgi_params.default
-rw-r--r--  1 root root 2,8K  5 oct.  13:27 koi-utf
-rw-r--r--  1 root root 2,2K  5 oct.  13:27 koi-win
-rw-r--r--  1 root root 3,9K  5 oct.  13:27 mime.types
-rw-r--r--  1 root root 3,9K  5 oct.  13:27 mime.types.default
drwxr-xr-x  2 root root 4,0K  5 oct.  13:27 modules.conf.d
-rw-r--r--  1 root root  980  5 oct.  13:27 nginx.conf
-rw-r--r--  1 root root  980  5 oct.  13:27 nginx.conf.default
drwxr-xr-x  7 root root 4,0K 25 nov.  16:59 plesk.conf.d
-rw-r--r--  1 root root  636  5 oct.  13:27 scgi_params
-rw-r--r--  1 root root  636  5 oct.  13:27 scgi_params.default
-rw-r--r--  1 root root  664  5 oct.  13:27 uwsgi_params
-rw-r--r--  1 root root  664  5 oct.  13:27 uwsgi_params.default
-rw-r--r--  1 root root 3,6K  5 oct.  13:27 win-utf

Code:
ls -lah /etc/nginx/conf.d
total 20K
drwxr-xr-x 2 root root  4,0K 25 nov.  18:17 .
drwxr-xr-x 5 root root  4,0K 24 nov.  13:19 ..
-rw-r--r-- 1 root root   270 25 nov.  17:32 001_own_additional_ssl_hsts_.conf
-rw-r--r-- 1 root root   507 25 nov.  16:59 ssl.conf
-rw------- 1 root nginx  391 25 nov.  18:17 zz010_psa_nginx.conf
 
001_own_additional_ssl_hsts_.conf

Code:
ssl_session_timeout         10m;
ssl_session_cache shared:SSL:50m;

add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';
 
nginx.conf

Code:
#user  nginx;
worker_processes  1;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;

include /etc/nginx/modules.conf.d/*.conf;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    #tcp_nodelay        on;

    #gzip  on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server_tokens off;

    include /etc/nginx/conf.d/*.conf;
}

# override global parameters e.g. worker_rlimit_nofile
include /etc/nginx/*global_params;
 
Yes, I RESTARTED nginx.

And:

Code:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
 
Hi FAPM,

please see:


As you might notice, www has HSTS NOT enabled, while non-www has HSTS enabled.



Your issue depends on your current domain configuration at "Home > Subscriptions > lesmeilleurestechnologies.com > Hosting Settings".

Please check, for example with the help of "curl", your current headers for the URLs:


You will notice that ONLY "https://www.lesmeilleurestechnologies.com" has HSTS NOT enabled. ;)
 
Code:
curl -v https://lesmeilleurestechnologies.com



* About to connect() to lesmeilleurestechnologies.com port 443 (#0)
*   Trying 164.132.149.191...
* Connected to lesmeilleurestechnologies.com (164.132.149.191) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.lesmeilleurestechnologies.com,OU=PositiveSSL,OU=Domain Control Validated
*       start date: nov. 25 00:00:00 2016 GMT
*       expire date: nov. 25 23:59:59 2017 GMT
*       common name: www.lesmeilleurestechnologies.com
*       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: lesmeilleurestechnologies.com
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Fri, 25 Nov 2016 19:52:40 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://www.lesmeilleurestechnologies.com/
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=15768000;includeSubDomains
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host lesmeilleurestechnologies.com left intact
 
Code:
curl -v https://www.lesmeilleurestechnologies.com



* About to connect() to www.lesmeilleurestechnologies.com port 443 (#0)
*   Trying 164.132.149.191...
* Connected to www.lesmeilleurestechnologies.com (164.132.149.191) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.lesmeilleurestechnologies.com,OU=PositiveSSL,OU=Domain Control Validated
*       start date: nov. 25 00:00:00 2016 GMT
*       expire date: nov. 25 23:59:59 2017 GMT
*       common name: www.lesmeilleurestechnologies.com
*       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.lesmeilleurestechnologies.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 25 Nov 2016 19:54:16 GMT
< Content-Type: text/html
< Content-Length: 5548
< Last-Modified: Fri, 25 Nov 2016 15:28:04 GMT
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: "58385884-15ac"
< X-Powered-By: PleskLin
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html lang="en" dir="ltr" class="sid-plesk">
<head>
    <title>Domain Default page</title>
    <meta name='copyright' content='Copyright 1999-2015. Parallels IP Holdings GmbH. All Rights Reserved.'>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0">
    <meta http-equiv="Cache-Control" content="no-cache">
    <link rel="shortcut icon" href="favicon.ico">
    <link rel="stylesheet" href="css/style.css">
</head>
<body>

<div class="page-container">
    <!-- start: PAGE HEADER-->
    <div class="page-header-wrapper">
        <div class="page-header">
            <a class="product-logo" href="http://www.plesk.com/" target="_blank"><img src="img/logo.png" alt="Plesk"></a>
        </div>
    </div>
    <!-- end: PAGE HEADER-->

    <!-- start: PAGE CONTENT-->
    <div class="page-content-wrapper">
        <div class="page-content">

            <div class="page-info-wrapper">
                <div class="page-info">
                    <div class="page-info-heading">If you are seeing this message, the website for <script>document.write('<a href="http://' + (location.hostname.indexOf(':')>=0?'['+location.hostname+']':location.hostname) + '">' + location.hostname + '</a>');</script> is not available at this time.</div>
                    <p>If you are the owner of this website, one of the following things may be occurring:</p>
                    <ul>
                        <li>You have not put any content on your website.</li>
                        <li>Your provider has suspended this page.</li>
                    </ul>
                    <p><b>Please login to <script>document.write('<a href="https://' + (location.hostname.indexOf(':')>=0?'['+location.hostname+']':location.hostname) + ':8443">https://' + (location.hostname.indexOf(':')>=0?'['+location.hostname+']':location.hostname) +':8443</a>');</script> to receive instructions on setting  up your website.</b></p>
                </div>
            </div>

            <div class="product-info-wrapper">
                <div class="col">
                    <div class="product-info">
                        <div class="product-info-heading">What is Plesk</div>
                        <div class="product-info-content">
                            <p><strong><a href="http://www.plesk.com" target="_blank">Plesk</a></strong> is a hosting control panel with simple and secure web server and website management tools. It was specially designed to help IT specialists manage web, DNS, mail and other services through a comprehensive and user-friendly GUI. <a class="more" href="http://www.plesk.com" target="_blank">Learn more about Plesk</a>.</p>
                            <ul class="links">
                                <li><a class="blog" href="http://devblog.plesk.com/" target="_blank"><span>Developer Blog</span></a></li>
                                <li><a class="forum" href="http://talk.plesk.com/" target="_blank"><span>Forum</span></a></li>
                                <li><a class="knowledge-base" href="http://kb.plesk.com/" target="_blank"><span>Knowledge Base</span></a></li>
                                <li><a class="facebook" href="https://www.facebook.com/Plesk" target="_blank"><span>Facebook</span></a></li>
                                <li><a class="twitter" href="https://twitter.com/PleskOfficial" target="_blank"><span>Twitter</span></a></li>
                                <li><a class="google-plus" href="https://plus.google.com/communities/109881979300958500728" target="_blank"><span>Google+</span></a></li>
                            </ul>
                        </div>
                    </div>
                </div>
                <div class="col">
                    <div class="product-info">
                        <div class="product-info-heading">Test pages</div>
                        <div class="product-info-content">
                            <p>Plesk provides several test pages that you can use for checking the scripting features, testing database connections and mail sending.</p>
                            <p>Click an icon to see test pages for different scripts:</p>
                            <ul class="links">
                                <li><a class="fastcgi" href="test/fcgi/test.html"><span>FastCGI</span></a></li>
                                <li><a class="python" href="test/python/test.html"><span>Python</span></a></li>
                                <li><a class="php" href="test/php/test.html"><span>PHP</span></a></li>
                                <li><a class="perl" href="test/perl/test.html"><span>Perl</span></a></li>
                                <li><a class="ssi" href="test/ssi/test.html"><span>SSI</span></a></li>
                            </ul>
                        </div>
                    </div>
                </div>
            </div> <!-- /.product-info-wrapper -->

        </div>
    </div>
    <!-- end: PAGE CONTENT-->

    <!-- start: PAGE FOOTER-->
    <div class="page-footer-wrapper">
        <div class="page-footer">
            This page was generated by <a href="http://www.plesk.com" target="_blank">Plesk</a>
            <span class="separator"></span>
            <a href="http://www.plesk.com" target="_blank" class="copyright">© 2015 Parallels IP Holdings GmbH. All rights reserved.</a>
        </div>
    </div>
    <!-- end: PAGE FOOTER-->
</div>

</body>
</html>
* Connection #0 to host www.lesmeilleurestechnologies.com left intact
 
When I disable my domain name settings:

Preferred domain: None
Redirect 301: None

I get:

curl -v https://lesmeilleurestechnologies.com

Code:
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 25 Nov 2016 20:04:36 GMT
< Content-Type: text/html
< Content-Length: 5548
< Last-Modified: Fri, 25 Nov 2016 15:28:04 GMT
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: "58385884-15ac"
< X-Powered-By: PleskLin
< Accept-Ranges: bytes


curl -v https://www.lesmeilleurestechnologies.com

Code:
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 25 Nov 2016 20:04:02 GMT
< Content-Type: text/html
< Content-Length: 5548
< Last-Modified: Fri, 25 Nov 2016 15:28:04 GMT
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: "58385884-15ac"
< X-Powered-By: PleskLin
< Accept-Ranges: bytes
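
An added example, not code from the thread or from Plesk, that turns the curl runs in this thread into a repeatable check. The first function reads raw response headers and reports whether a usable Strict-Transport-Security policy is present, its max-age and whether includeSubDomains is set (the 180-day threshold is what SSL Labs requires for an A+; HSTS is only honoured on HTTPS responses, so feed it https URLs). The second reads an nginx configuration, for a live server the merged dump from `nginx -T`, and prints every add_header directive with the block it sits in. That matters here because nginx does not merge add_header between levels: a server or location block that declares any add_header of its own discards every add_header inherited from http {}. In the captures above, the www response carries `X-Powered-By: PleskLin`, which comes from the per-domain nginx configuration rather than from the conf.d file, while the 301 for the bare domain does not carry it and still shows the global headers; that a per-domain add_header is suppressing the inherited HSTS line is an assumption this check is meant to confirm, not something the thread establishes. The hostnames and header captures in the block are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the HSTS header on captured HTTPS
# response headers, and list which nginx scopes declare their own add_header.
# Assumption: headers are supplied as raw text, as printed by `curl -D -`.

SSLLABS_MIN_MAXAGE=15552000   # 180 days; SSL Labs requires at least this for A+

# hsts_audit: reads response headers on stdin, prints one verdict line and
# returns 0 only when a non-zero HSTS policy is present. Only the first
# Strict-Transport-Security header counts, which is what browsers do (RFC 6797).
hsts_audit() {
    hsts=$(tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    if [ -z "$hsts" ]; then
        echo "MISSING no Strict-Transport-Security header"
        return 1
    fi
    # Directives are ';'-separated and case-insensitive; whitespace is optional.
    maxage=$(printf '%s\n' "$hsts" | tr ';' '\n' | tr -d ' \t' |
             awk -F= 'tolower($1) == "max-age" { print $2; exit }')
    case "$maxage" in
        '' | *[!0-9]*) echo "INVALID max-age missing or not numeric: $hsts"; return 1 ;;
    esac
    if [ "$maxage" -eq 0 ]; then
        echo "DISABLED max-age=0 tells browsers to drop the policy"
        return 1
    fi
    subs=no
    case ";$(printf '%s' "$hsts" | tr -d ' \t' | tr '[:upper:]' '[:lower:]');" in
        *';includesubdomains;'*) subs=yes ;;
    esac
    aplus=no
    [ "$maxage" -ge "$SSLLABS_MIN_MAXAGE" ] && aplus=yes
    echo "OK max-age=$maxage includeSubDomains=$subs ssllabs_aplus=$aplus"
    return 0
}

# add_header_scopes: reads an nginx configuration on stdin and prints each
# add_header directive prefixed by the block path it lives in. Any server or
# location block listed here with its own add_header does NOT inherit the
# add_header lines from http {}, so a global HSTS line never reaches it.
add_header_scopes() {
    awk '
    {
        line = $0
        sub(/#.*$/, "", line)                 # drop comments
        opens  = gsub(/[{]/, "{", line)       # count braces on this line
        closes = gsub(/[}]/, "}", line)
        if (line ~ /^[ \t]*add_header[ \t]/) {
            dir = line; sub(/^[ \t]+/, "", dir); sub(/[ \t]+$/, "", dir)
            path = ""
            for (i = 1; i <= depth; i++) path = path stack[i] " > "
            print path dir
        }
        if (opens > closes) {                 # block opened: push its header
            name = line; sub(/[ \t]*[{].*$/, "", name); sub(/^[ \t]+/, "", name)
            stack[++depth] = name
        } else if (closes > opens) {          # block(s) closed: pop
            depth -= closes - opens
        }
    }'
}

# Constructed captures modelled on the two curl runs in the thread.
NONWWW_HEADERS='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://www.example.com/
Strict-Transport-Security: max-age=15768000;includeSubDomains'
WWW_HEADERS='HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PleskLin'

printf '%s\n' "$NONWWW_HEADERS" | hsts_audit
printf '%s\n' "$WWW_HEADERS" | hsts_audit || true
```

For a live host, `curl -sS -o /dev/null -D - https://www.example.com/ | hsts_audit` checks one URL, and running it against both the bare and the www hostname reproduces the comparison UFHH01 made above. `nginx -T 2>/dev/null | add_header_scopes` then shows every scope that sets add_header; if a server or location block of the affected vhost appears there, the fix is to repeat the HSTS add_header line in that block (or include the same snippet file there), since nginx will not merge it in from http {}.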
 