
Resolved: How to check HSTS

LucaB.

Basic Pleskian
Hi,
I'd like to know how I can check whether the HSTS header is enabled on my Plesk 12.5.30 #60 (CentOS 7).
I used Let's Encrypt to encrypt my sites and I added this configuration in Apache & nginx settings:
Additional Apache directives for HTTP
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
</IfModule>


Additional Apache directives for HTTPS
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
SetEnv modHeadersAvailable true
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>


When I try to test them with www.ssllabs.com I get an Overall Rating of A, but it reads:

Strict Transport Security (HSTS) No
HSTS Preloading Not in: Chrome Edge Firefox IE

Thank you!

Luca
 
Hi LucaB.,

pls. consider REMOVING all your previous modifications and creating ONE SINGLE configuration file (in case you use the combination apache2+nginx!):

Code:
touch /etc/nginx/conf.d/001_MY-ONW_Additional_SSL_.conf
and insert there:
Code:
    ssl_session_timeout         10m;
    ssl_session_cache shared:SSL:50m;

    ssl_dhparam /etc/dhparam/dhparam4096.pem;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';

Afterwards, pls. restart nginx and test your configuration with the command "nginx -t" before you restart. :)


"ssl_dhparam /etc/dhparam/dhparam4096.pem;" is optional, but if you like, you may create new DH-PARAM files WEEKLY as an automatic cronjob for security reasons:

Example:
Code:
mkdir -p /etc/dhparam

FILE=$(mktemp) ; openssl dhparam -out $FILE 512 && mv -f $FILE /etc/dhparam/dhparam512.pem && FILE=$(mktemp) ; openssl dhparam -out $FILE 1024 && mv -f $FILE /etc/dhparam/dhparam1024.pem && FILE=$(mktemp) ; openssl dhparam -out $FILE 2048 && mv -f $FILE /etc/dhparam/dhparam2048.pem && FILE=$(mktemp) ; openssl dhparam -out $FILE 4096 && mv -f $FILE /etc/dhparam/dhparam4096.pem
As you can see, there are TWO commands; you only have to set up the command "FILE=$(mktemp) ; openssl dhparam -out $FILE 512 && ..." as a scheduled task at "Home > Tools & Settings > Scheduled Tasks". ;)
 
Thank you very much UFHH01,
Can I try this configuration for only one website?
And does this configuration work on CentOS 6 (Plesk 12.5.30 #60)?

Thank you again.

Luca

 
Hi LucaB.,

Can I try this configuration for only one website?
Sure! You may indeed try it for a single (sub)domain only, but in this case, you would not place the modification at "/etc/nginx/conf.d/001_MY-ONW_Additional_SSL_.conf", you would add the modification to

HOME > Domains > (sub)domain > Apache & nginx Settings > (textbox) Additional nginx directives

And does this configuration work on CentOS 6 (Plesk 12.5.30 #60)?
This modification works ON EACH Plesk-controlled server where you use the webserver combination apache2+nginx. ;)


Pls. be informed that when you use the webserver combination apache2+nginx, nginx will be IN FRONT of your apache2 webserver, and the "add_header" setting is only allowed in ONE PLACE of your whole webserver configuration. :)
 
Thanks UFHH01,
Now one of our sites has HSTS enabled and has an A+ rating on SSL Labs.
But I don't understand why I have to generate four pem files when I use only one in the nginx configuration.

Another question: I did not remove my first apache directive
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
</IfModule>


Is it right?

Luca


 
Hi LucaB.,

But I don't understand why I have to generate four pem files when I use only one in the nginx configuration.
Actually, the answer is pretty simple. For some services/devices/configurations, I (!!) need, for example, the 512-bit DH params (postfix), and I use the 2048-bit DH params for "dovecot" AND again for "postfix" on my servers, so I just copied and pasted my long-term-usage command. :p
Pls. feel free to adjust the example(s) I suggest to your very own needs and desires. :)

Now one of our sites has HSTS enabled and has an A+ rating on SSL Labs.
Perfect! :):D:)

Another question: I did not remove my first apache directive
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
</IfModule>


Is it right?
This is again your very own desired choice. It can't harm your apache2 configuration and will not conflict with the nginx HSTS settings. :)
 
Although I had been implementing HSTS this way for a long time, checking and rechecking my config, I was unable to get SSL Labs to show more than A.
It kept showing HSTS as disabled.

After finding this page I found out it was caused by my page starting with a login and therefore causing an error.
HSTS header not being set by NGINX on error | Qualys Community

After I added "always" to the header entry it started to work:
Code:
add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains' always;

I think it's more of an SSLLabs thing than an actual improvement.


@UFHH01 Many thanks for your idea of weekly generating the dhparam files in that folder. I hope you don't mind that I couldn't resist rewriting your one-liner:

cat /usr/local/sbin/gen_dhparam
ln -s /usr/local/sbin/gen_dhparam /etc/cron.weekly/
Code:
#!/bin/bash
# Regenerate the DH parameter files; run weekly via the cron.weekly symlink above.

mkdir -p /etc/dhparam 2>/dev/null
FILE=$(mktemp)

# Generate 512-, 1024-, 2048- and 4096-bit groups. Options go before the bit
# size so the call works on OpenSSL 1.0 as well as 1.1+. Groups below 2048
# bits are considered weak for TLS; nginx should point at the 2048/4096 file.
N=512
while [ "$N" -le 4096 ] ; do
  openssl dhparam -out "$FILE" "$N" && cat "$FILE" >"/etc/dhparam/dhparam${N}.pem"
  N=$((N * 2))
done
rm -f "$FILE"
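The original question (how to tell whether HSTS is really enabled) and the "always" point above can be checked without SSL Labs. The script below is an added example, not code from this thread: it parses the Strict-Transport-Security header and flags any response that lacks it or has a short max-age, including error responses, which is where nginx's add_header without `always` silently drops it. The host under `__main__` is a placeholder.

```python
import re
import urllib.request
from urllib.error import HTTPError

# SSL Labs only credits HSTS with max-age >= 180 days; 15768000 s is ~182 days.
MIN_MAX_AGE = 15768000


def parse_hsts(value):
    """Split an HSTS header value into directives; None if unusable."""
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # missing or malformed max-age: header has no effect
    directives["max-age"] = int(directives["max-age"])
    return directives


def evaluate_hsts(responses):
    """Flag (status, headers) responses lacking a strong HSTS header; one miss
    (e.g. the 4xx page behind a login redirect) makes scanners say 'HSTS: No'."""
    problems = []
    for status, headers in responses:
        lowered = {k.lower(): v for k, v in headers.items()}
        hsts = parse_hsts(lowered.get("strict-transport-security"))
        if hsts is None:
            problems.append(f"{status}: no valid Strict-Transport-Security header")
        elif hsts["max-age"] < MIN_MAX_AGE:
            problems.append(f"{status}: max-age {hsts['max-age']} below {MIN_MAX_AGE}")
    return problems


def fetch(url):
    """Return (status, headers) even for 4xx/5xx, where urlopen raises."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":  # placeholder host; the second URL deliberately 404s
    base = "https://www.example.com"
    print(evaluate_hsts([fetch(base + "/"), fetch(base + "/no-such-page")]) or "HSTS OK")
```

Run it against the front page plus a URL that returns an error; if only the error response shows up in the output, the header is being set without `always`.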
 
@UFHH01
Am I correct in thinking that I shouldn't implement this server-wide if many of the sites I'm hosting have mixed content (https/http) in them?
 
;)
I would have thought you had reasons to like my previous post....
I for one think it was a useful addition to this thread (adding "always").
 