
Resolved HTTP Keep-Alive not working on CSS and X-Powered-By not unsettable

M3 Prestitichiari

New Pleskian
Good morning to all,

Today I've got a problem on my Linux server with Plesk Onyx installed, version 17.5.3 #18: I've tried to check if keep-alive for HTTPS connections is working correctly, but it seems it isn't... If I check it with Google Chrome I can't see the Connection header, so I tried some benchmark sites like Pingdom and GTmetrix, both showing that all files are loaded with keep-alive but CSS files keep doing the handshake for the SSL connection... Can anyone help me? These are my settings on Apache and nginx.

Code:
APACHE HTTP
--------------------
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
ServerSignature Off

APACHE HTTPS
---------------------
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
ServerSignature Off

NGINX
----------
etag off;
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
gzip_vary on;
proxy_http_version 1.1;
proxy_set_header Connection "";
keepalive_requests 100;
keepalive_timeout 15s;
proxy_hide_header X-Powered-By;

I've also had a problem with the X-Powered-By header... I had two of these headers showing in the Chrome inspector, so I updated my settings to hide them, but the "X-Powered-By: Plesklin" disappeared while "x-powered-by: Plesklink" did not. I've also set PHP expose to the right setting... Any suggestions?

Thank you in advance for your help,
Domenico
 
Hi, @M3 Prestitichiari, I can't help you very much. I wonder a little about your very, very special configuration with keep-alive.
Why do so many customers/members want to eliminate Plesklink? Some weeks ago I read an interesting post from someone here who said it's kind of insecure to tell the world which system you use. That would mean Plesk is insecure.
But nobody wants to eliminate Nginx or Apache in headers.
Plesk is secure!!! My server was never compromised in 11 years. Okay, I had good co-admins and competent developer helping hands from Woltlab.
Sorry that I make such a hype about that. I carry "Plesk" and "Woltlab" and 1and1 with pride on my breast. I have no fear of showing the world which system I use.
But it is everyone's own choice and decision.
I'm sure I read somewhere how you can change your output. But I can't remember where it was. Take a look via search; sometimes it's easier to search on Google with "Plesk" or "Talk-Plesk" as the first search term to get what you want, instead of the forum search. That's the same in my forum and in all systems. Google has more power in connecting search entries, words, numbers, tags, labels.

Don't worry, you will get your help as soon as possible. Lots of greets.
 
Hi Dukemaster,
I think my problems with keep-alive are only on the benchmarks, because in the Google Network Console it seems to work like a charm. I've also enabled the HTTP2 protocol, which is helping me a lot on performance thanks to parallel loading and lighter headers.

Regarding "X-Powered-By", I've been searching a lot for a solution and maybe I've found it with an NGINX module called HTTP Headers More. For me, the goal is to remove both "server: nginx" and "X-Powered-By: Plesklin". I really know that both NGINX and Plesk are really secure and that it is nearly impossible to get your site compromised, but it's better to stay safe than to hope that nothing goes wrong. I'm doing this only for 0-day exploits and to prevent attacks.

Thank you for your interesting post on your experience, best regards
Domenico
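
Added example, not part of the thread: a small Python check for a saved response header block (for instance the output of `curl -sI` or a copy from the browser's network panel) that lists every `Server` / `X-Powered-By` occurrence regardless of letter case and reports whether the connection is persistent. The three captures are constructed samples; the logic assumes the standard rules that HTTP/1.1 is persistent unless `Connection: close` is sent and that HTTP/2 responses carry no `Connection` header at all.

```python
from collections import Counter

# Header names that disclose the software stack (the two discussed in the thread).
FINGERPRINT = {"server", "x-powered-by"}

# Constructed sample captures, not taken from a real server.
SAMPLE_H1 = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
X-Powered-By: Plesklin
x-powered-by: Plesklin
"""
SAMPLE_H2 = """HTTP/2 200
server: nginx
content-type: text/css
x-powered-by: Plesklin
"""
SAMPLE_CLOSED = """HTTP/1.1 200 OK
Content-Type: text/css
Connection: close
"""

def parse_response(raw):
    """Return (http_version, [(name, value), ...]) from a raw header block."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    version = lines[0].split()[0].split("/", 1)[1]  # "HTTP/1.1 200 OK" -> "1.1"
    headers = [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines[1:]]
    return version, headers

def audit(raw):
    version, headers = parse_response(raw)
    # Header names are case-insensitive, so compare in lower case and keep
    # every occurrence: a duplicate can survive hiding only one of them.
    leaks = [(n, v) for n, v in headers if n.lower() in FINGERPRINT]
    counts = Counter(n.lower() for n, _ in leaks)
    tokens = {t.strip().lower() for n, v in headers
              if n.lower() == "connection" for t in v.split(",")}
    if version.startswith("2"):
        persistent = True                 # HTTP/2: one multiplexed connection
    elif version == "1.0":
        persistent = "keep-alive" in tokens
    else:
        persistent = "close" not in tokens  # HTTP/1.1 default is persistent
    return {"version": version, "persistent": persistent, "leaks": leaks,
            "duplicated": sorted(n for n, c in counts.items() if c > 1)}

if __name__ == "__main__":
    for sample in (SAMPLE_H1, SAMPLE_H2, SAMPLE_CLOSED):
        print(audit(sample))
```

A missing `Connection` header in the browser's inspector is therefore not a sign that keep-alive is off, and one hidden `X-Powered-By` does not prove the response is clean until the duplicate list is empty.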
 
Why do so many customers/members want to eliminate Plesklink?

Because it is standard and good sys-admin practice to give potential hackers as little information as possible. Yes, there are ways hackers can find out what system you have, but why hand it to them? Let them look for it.

That would mean Plesk is insecure.

Yes, Plesk is insecure. EVERY piece of software is insecure. Every time a security leak is fixed, it means that up to that point in time that software had that security leak.

Change Log for Plesk
Plesk Onyx 17.5.3 Update 17
Security improvements.
Plesk Onyx 17.0.17 Update 31
Security improvements.

Up to the moment that Plesk released update 17, there was a security issue in Plesk 17.5.3. Plesk doesn't reveal what issue was fixed, and that is good. Not everyone updates right away, and if Plesk tells you what they fixed, then they also tell the hacker what is wrong with every Plesk running MU 16 and below, and that's not a good idea.

regards
Jan
 
Hi @Linulex, from your point of view you are absolutely right. Nothing is absolutely secure and there will never be a guarantee. But it's also a little senseless. For exactly this reason you and everyone must remove everything on output. There must be nothing published to the public.
No IP, no domain, no headers, no version of PHP, nothing that could be seen on Qualys or sniffed by other tools.
Reality is something else. One guy who was familiar with this scene told me the great words:
Script kiddies steal passwords, slightly better ones try to get your bank account, but the real hackers get satellites, economy, states and governments.
The last ones get what they need alone; the information we are talking about, e.g. Plesklink, Nginx, Apache, PHP, MySQL, OpenSSL, whatever... they won't need it at all.
To avoid script-kiddies and the middle class of hungry hackers, Plesk does a good job. My opinion. Everyone is free to remove whatever he wants.

Lots of greets
 