Resolved: How to check HSTS

LucaB.

Basic Pleskian
Hi,
I'd like to know how I check if the HSTS header is enabled in my Plesk 12.5.30 #60 (CentOS 7).
I used Let's Encrypt to encrypt my sites and I added this configuration in Apache & nginx settings:
Additional Apache directives for HTTP
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
</IfModule>


Additional Apache directives for HTTPS
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
SetEnv modHeadersAvailable true
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>


When I try to test them with www.ssllabs.com I get an Overall Rating of A, but it reads:

Strict Transport Security (HSTS) No
HSTS Preloading Not in: Chrome Edge Firefox IE

Thank you!

Luca
 
Hi LucaB.,

please consider REMOVING all your previous modifications and creating ONE SINGLE configuration file (in case you use the combination apache2+nginx!):

Code:
touch /etc/nginx/conf.d/001_MY-ONW_Additional_SSL_.conf
and insert there:
Code:
    ssl_session_timeout         10m;
    ssl_session_cache shared:SSL:50m;

    ssl_dhparam /etc/dhparam/dhparam4096.pem;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains';

Afterwards, please restart nginx, and test your configuration with the command "nginx -t" before your restart. :)


"ssl_dhparam /etc/dhparam/dhparam4096.pem;" is optional, but if you like, you may create new DH-PARAM files WEEKLY as an automatic cronjob for security reasons:

Example:
Code:
mkdir -p /etc/dhparam

FILE=`mktemp` ; openssl dhparam -out $FILE 512 && mv -f $FILE /etc/dhparam/dhparam512.pem && FILE=`mktemp` ; openssl dhparam -out $FILE 1024 && mv -f $FILE /etc/dhparam/dhparam1024.pem && FILE=`mktemp` ; openssl dhparam -out $FILE 2048 && mv -f $FILE /etc/dhparam/dhparam2048.pem && FILE=`mktemp` ; openssl dhparam -out $FILE 4096 && mv -f $FILE /etc/dhparam/dhparam4096.pem
As you can see, there are TWO commands; you only have to set up the command "FILE=`mktemp` ; openssl dhparam -out $FILE 512 && ..." as a scheduled task at "Home > Tools & Settings > Scheduled Tasks". ;)
 
Thank you very much UFHH01,
can I try this configuration for only one website?
And does this configuration work on CentOS 6 (Plesk 12.5.30 #60)?

Thank you again.

Luca

 
Hi LucaB.,

can I try this configuration for only one website?
Sure! You may indeed try it for a single (sub)domain only, but in this case you would not place the modification at "/etc/nginx/conf.d/001_MY-ONW_Additional_SSL_.conf"; you would add the modification to

HOME > Domains > (sub)domain > Apache & nginx Settings > (textbox) Additional nginx directives

And does this configuration work on CentOS 6 (Plesk 12.5.30 #60)?
This modification works ON EACH Plesk-controlled server where you use the webserver combination apache2+nginx. ;)


Please be informed that when you use the webserver combination apache2+nginx, nginx will be IN FRONT of your apache2 webserver, and the "add_header" setting is only allowed in ONE PLACE of your whole webserver configuration. :)
 
Thanks UFHH01,
now one of our sites has HSTS enabled and has an A+ rating on SSL Labs.
But I don't understand why I have to generate four pem files when I use only one in the nginx configuration.

Another question: I did not remove my first Apache directive
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
</IfModule>


Is it right?

Luca

 
Hi LucaB.,

But I don't understand why I have to generate four pem files when I use only one in the nginx configuration.
Actually, the answer is pretty simple. For some services/devices/configurations I ( !! ) need, for example, the 512-bit DH params (postfix), and I use the 2048-bit DH params for "dovecot" AND again for "postfix" on my servers, so I just copied and pasted my long-term usage command. :p
Please feel free to adjust the example(s) I suggest to your very own needs and desires. :)

now one of our sites has HSTS enabled and has an A+ rating on SSL Labs.
Perfect! :):D:)

Another question: I did not remove my first Apache directive
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
</IfModule>


Is it right?
This is again your very own desired choice. It can't harm your apache2 configuration and will not conflict with the nginx HSTS settings. :)
 
Although I had been implementing HSTS this way for a long time, checking and rechecking my config, I was unable to get SSL Labs to show more than an A.
It kept showing HSTS disabled.

After finding this page I found out it was caused by my page starting with a login and therefore causing an error:
HSTS header not being set by NGINX on error | Qualys Community

After I added "always" to the header entry it started to work:
Code:
add_header Strict-Transport-Security 'max-age=15768000;includeSubDomains' always;

I think it's more of an SSLLabs thing than an actual improvement.


@UFHH01 Many thanks for your idea of weekly generating the dhparam keys in that folder. I hope you don't mind that I couldn't resist rewriting your one-liner:

cat /usr/local/sbin/gen_dhparam
ln -s /usr/local/sbin/gen_dhparam /etc/cron.weekly/
Code:
#!/bin/bash
# Generate fresh DH parameters for 512, 1024, 2048 and 4096 bits into /etc/dhparam,
# writing each one via a temp file.
mkdir -p /etc/dhparam 2>/dev/null
FILE=$(mktemp)

N=512
while [ "$N" -le 4096 ] ; do
  # numbits goes last: openssl dhparam expects its options before the size
  openssl dhparam -out "$FILE" "$N" && cat "$FILE" >"/etc/dhparam/dhparam${N}.pem"
  N=$((N * 2))
done
rm -f "$FILE"
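An added example (not code from the thread, Plesk or SSL Labs) that turns the finding of this post into an offline check: it parses a Strict-Transport-Security value per RFC 6797 and groups a set of responses by whether the header is present, so a header that is sent on the 200 page but missing on the 401 login page (the gap that `always` closes) stands out. The 180-day minimum and the sample responses are assumptions constructed for the example.

```python
import re

# RFC 6797 directive: case-insensitive name, optional token or quoted-string value.
_DIRECTIVE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("[^"]*"|[^;\s]+))?\s*')

# Constructed sample: with add_header lacking `always`, only the 200 page carries HSTS.
SAMPLE_RESPONSES = [
    (200, {"Strict-Transport-Security": "max-age=15768000;includeSubDomains"}),
    (401, {"WWW-Authenticate": 'Basic realm="site"'}),
    (404, {"Content-Type": "text/html"}),
]

def parse_hsts(value):
    """Split a header value into {name_lower: value_or_None}; ValueError if malformed."""
    directives = {}
    for part in filter(str.strip, value.split(";")):  # skip a trailing ';'
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed HSTS directive: {part.strip()!r}")
        name, val = m.group(1).lower(), m.group(2)
        if name in directives:  # RFC 6797 6.1: a directive MUST NOT appear twice
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = val.strip('"') if val else val
    return directives

def evaluate_hsts(value, min_age=15552000):
    """Return findings (empty = sound); min_age is an assumed 180-day threshold."""
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return [str(e)]
    age, findings = d.get("max-age"), []
    if age is None or not age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(age) < min_age:
        findings.append(f"max-age {age} below {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    if "preload" in d and (not age or not age.isdigit() or int(age) < 31536000
                           or "includesubdomains" not in d):
        findings.append("preload needs includeSubDomains and max-age >= 1 year")
    return findings

def audit_responses(responses):
    """Group status codes by HSTS presence so a header missing on error pages stands out."""
    result = {"with_hsts": [], "without_hsts": []}
    for status, headers in responses:
        present = any(k.lower() == "strict-transport-security" for k in headers)
        result["with_hsts" if present else "without_hsts"].append(status)
    return result
```

Feed `audit_responses` the status/header pairs captured from your own site (one fetch of a normal page, one of the login page, one of a non-existent path) to see whether every response carries the header.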
 
@UFHH01
Am I correct in thinking that I shouldn't implement this server-wide if many of the sites I'm hosting have mixed content (https/http) in them?
 
;)
I would have thought you had reasons to like my previous post....
I for one think it was a useful addition to this thread (adding "always").
 