• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Plesk penetration test security

S

Seba

Basic Pleskian
Hello everyone,
we are going to submit out system to a penetration testing and we are trying to fix some minor problems before to do it but I have some problems with this configuration for Apache

Code: 
ServerTokens ProductOnly
ServerSignature Off
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

I think that the first 2 lines has to be put in the normal httpd.conf file while the others in the conf.d/ssl.conf is that right?

later I need to insert this one

Code: 
Header set Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'

I insert it in the vhost (through Plesk Additional directives for HTTP/S) of one domain, is also working if I put in in a subdomain though if I put in another domain it say:

Code: 
Invalid Apache configuration: AH00526: Syntax error on line 1 of /path/to/conf/vhost.conf: Header has too many arguments

what is the correct way to do it?
 
Last edited:
Additionals headers for apache can be added using Apache & nginx Settings > Apache > Additional headers. Just add headers one by one on new string each like this
Code: 
X-XSS-Protection: "1; mode=block"
X-Content-Type-Options: nosniff
Strict-Transport-Security: "max-age=63072000; includeSubdomains;"

ServerTokens ProductOnly already included into plesk config
ServerSignature Off is disabled by default
 
thanks, I just tried this morning to insert them in the additional headers and was working.

About:
ServerTokens ProductOnly already included into plesk config
ServerSignature Off is disabled by default

where exactly they reside? in the normal httpd.conf file? if I insert them at the end of that file I just basically overwrite them no?
 
First one is included into /etc/apache2/plesk.conf.d/server.conf (or /etc/httpd/... on centos/rhel)
Second one is just Off by default and not included anywhere.

You can override any global settings adding your into the end of /etc/apache2/apache2.conf file and then you need to restart apache
 
Hello,

what is the correct placement of the headers, when using Apache with Nginx reverse Proxy? additional Apache directives or Nginx additional directives?

Thx
Sally
 
Hello, adding headers to the front proxy (nginx) is preferred (single responsibility). But i suppose adding headers to apache should work too.
 
Sally1 said:
Hello,

what is the correct placement of the headers, when using Apache with Nginx reverse Proxy? additional Apache directives or Nginx additional directives?

Thx
Sally
Click to expand...

@Sally1

The answer provided in the post of @mrsombre

mrsombre said:
Hello, adding headers to the front proxy (nginx) is preferred (single responsibility). But i suppose adding headers to apache should work too.
Click to expand...

is not very clear and -essentially- it is a bit weird.

It is required to add headers to Nginx conf, if and whenever using Nginx as a reverse proxy in front of the Apache webserver.

In fact, any tuning of Apache config will not or will barely work or will not be efficient when using Nginx as a proxy.

In the past, Plesk used to be vulnerable to Nginx bypasses (read: requests bypassing Nginx and aiming directly at Apache), but that is not the case anymore.

Sure, there are a number of clients (read: web, http, ftp or similar types of clients) that still can bypass Nginx and directly aim at Apache - that is not a reason to strengthen a security levels with headers alone, for that purpose one should use a firewall ruleset that blocks direct access to Apache.

Moreover, the whole point of Nginx is the specific advantage of offloading workloads from Apache, with this being a true advantage since Apache is resource hungry.

It might become clear from the above that it does not make any sense to headers related config to Apache : this would increase workloads for Apache, which is not efficient.

In general, it is highly recommended to add headers related config to Nginx related config, if and whenever using Nginx as a proxy for Apache.

In summary, the golden rule is : what can be done in Nginx config, should be done in Nginx config - that is the most efficient.

Hope the above helps and explains a bit.

Kind regards......
 
Thanks for the reply, so basically if you work with Nginx as a reverse proxy just add header there else just Apache
 
You must log in or register to reply here.

Similar threads

adocsys
Resolved How to add HTTP Security Header on port 80?
Replies
3
Views
2K
adocsys
adocsys
A
Question How to use Clear-Site-Data header rule to clear browser cache
Replies
2
Views
3K
AntoineW
A
D
Resolved rel="canonical" response header is lost between Apache and Nginx proxy
Replies
6
Views
2K
Deleted member 209767
D
N
Question NGINX & Wordpress(Woocommerce) Setup
Replies
0
Views
2K
nikosvl97
N
D
Input How to run Magento 2 on Plesk Obsidian 18 without Docker
Replies
7
Views
5K
grizlyadams
G
Back
Top