
Roundcube Webmail SSL

Oh yes, there were two ssl_certificate lines; I didn't notice, I just copied and pasted. Thank you very much, it's solved.
Do you know how to enable TLS 1.2? I have seen your other post and went through it, but I don't get any idea. I have everything done but am seeing a Protocol Support rating of 70 in qualys.com

Kindly help.
 
Lovely, yeah you just need to change the ssl_protocols directive from..

Code:
ssl_protocols               SSLv2 SSLv3 TLSv1;

to

Code:
ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;

Assuming your version of OpenSSL is capable.
Hope that helps mate.
Kind regards

Lloyd
 
Thank you Lloyd

I am trying to remove the Session resumption (caching) error in the SSL test.
When I put
ssl_session_cache shared:SSL:10m;

in nginxvirtualdomainhost.php

and reconfigure all domains, I get the following error:

Code:
Details: [2014-08-04 21:47:21] ERR [util_exec] proc_close() failed
Error occured while sending feedback. HTTP code returned: 502
[2014-08-04 21:47:23] ERR [util_exec] proc_close() failed
Error occured while sending feedback. HTTP code returned: 502
[2014-08-04 21:47:24] ERR [panel] Apache config (14071681400.78077300) generation failed: Template_Exception: nginx: [alert] mmap(MAP_ANON|MAP_SHARED, 10485760) failed (28: No space left on device)
nginx: configuration file /etc/nginx/nginx.conf test failed

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
Error occured while sending feedback. HTTP code returned: 502
nginx: [alert] mmap(MAP_ANON|MAP_SHARED, 10485760) failed (28: No space left on device)
nginx: configuration file /etc/nginx/nginx.conf test failed

Also I saw your post about Strict Transport Security (HSTS) but doing the same I couldn't get success for my site.

Please help
 
Sorry haven't been able to log in.

You want to add it on all of your domains automatically yeah?

There are a couple of different templates you need to edit

/opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
and
/opt/psa/admin/conf/templates/default/server/nginxVhost.php

so copy them to..

/opt/psa/admin/conf/templates/custom/domain
and
/opt/psa/admin/conf/templates/custom/server

And then edit them.
You'll notice that we have kept the same folder structure as in the "Default" template folder.
Hope that helps
Kind regards

Lloyd
 
Thank you very much once again Lloyd.
It's working properly now. I got A+ finally.

But for the main domain the contents are saved in nginx_ip_default.conf, and nginx_ip is blank with the message that it's generated automatically.
The main domain doesn't produce a positive result for Strict Transport Security (HSTS),

but subdomains have the contents in nginx.conf.

I am very grateful for your kind support.
 
In the case of HSTS, I've only added it to the webmail template so I can control it from the panel on a domain basis.

Plesk -> Domains -> domain.tld -> Webserver Settings -> Additional nginx directives

Hope that helps

Kind regards

Lloyd
 
I had created the domain and server folders, placed the files in them and reconfigured all.

When I try to update the SSL Certificate in my Admin panel I get the following error:
Code:
Unable to generate the web server configuration file on the host <server.mydomain.com> because of the following errors:

Template_Exception: nginx: [emerg] BIO_new_file("/usr/local/psa/var/certificates/cert-7afbAI") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/psa/var/certificates/cert-7afbAI','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0

Please resolve the errors in web server configuration templates and generate the file again.
 
/domain/nginxDomainVirtualHost.php should look like this after editing

Code:
<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $VAR->server->sni && $VAR->domain->physicalHosting->sslCertificate ?
    $VAR->domain->physicalHosting->sslCertificate :
    $OPT['ipAddress']->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout                      5m;
    ssl_session_cache        shared:SSL:5m;
    ssl_prefer_server_ciphers               on;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;   
    ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL;   
<?php   endif ?>
<?php endif ?>

And /server/nginxVhosts.php

Code:
<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $ipAddress->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout                      5m;
    ssl_session_cache        shared:SSL:5m;
    ssl_prefer_server_ciphers               on;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;   
    ssl_ciphers                EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL;  
<?php   endif ?>
<?php endif ?>

Like that, as you want to be able to assign the correct certificate in Plesk for each domain.
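
A check to run over the nginx configuration Plesk generates once the custom templates are in place, added here as an example and not part of the original posts or of Plesk's own code: it flags SSL server blocks that still carry the default template's `SSLv2 SSLv3` protocols, have no `ssl_session_cache`, or send no HSTS header. The sample configuration, host names and function names are constructed for illustration.

```python
import re
# Constructed sample: first block mirrors the default template, second the edited one plus HSTS.
SAMPLE_CONF = """
server {
    listen 192.0.2.10:443 ssl;
    server_name default.example.test;
    ssl_protocols SSLv2 SSLv3 TLSv1;
}
server {
    listen 192.0.2.10:443 ssl;
    server_name edited.example.test;
    ssl_session_cache shared:SSL:5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000";
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, tracking brace depth."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(block):
    """Map directive name -> list of argument strings for 'name args;' lines."""
    found = {}
    for name, args in re.findall(r"^\s*([a-z_]+)\s+([^;{}]+);", block, re.M):
        found.setdefault(name, []).append(args.strip())
    return found

def audit(conf):
    """Return {server_name: [findings]} for every server block that listens with ssl."""
    report = {}
    for block in server_blocks(conf):
        d = directives(block)
        if not any(re.search(r"\bssl\b", a) for a in d.get("listen", [])):
            continue  # plain HTTP block: the TLS checks do not apply
        protos = " ".join(d.get("ssl_protocols", [])).split()
        issues = [f"weak protocol {p}" for p in protos if p in ("SSLv2", "SSLv3")]
        hsts = any("Strict-Transport-Security" in h for h in d.get("add_header", []))
        checks = {"TLSv1.2 not enabled": "TLSv1.2" not in protos,
                  "no ssl_session_cache": "ssl_session_cache" not in d,
                  "no HSTS header": not hsts}
        issues += [msg for msg, failed in checks.items() if failed]
        report[d.get("server_name", ["?"])[0]] = issues
    return report
```

Feed `audit()` the contents of each generated per-domain nginx file; an empty list for a server name means all three settings discussed in this thread are present in that block.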
 
I think I accidentally removed the file nginxDomainVirtualHost.php

New configuration files for the Apache web server were not created due to the errors in configuration templates: Template processing failed: file = /usr/local/psa/admin/conf/templates/default/nginxDomainVhostIpDefault.php, error = Template_Exception: Template domain/nginxDomainVirtualHost.php doesn't exists file: /usr/local/psa/admin/plib/Template/Processor.php line: 28 code: 0 Previous error: Template_Exception: Template domain/nginxDomainVirtualHost.php doesn't exists file: /usr/local/psa/admin/plib/Template/Finder.php line: 25 code: 0. Detailed error descriptions were sent to you by email. Please resolve the issues and click here to generate broken configuration files once again or here to generate all configuration files.

I don't know what I have done :D please help
 
That file contains...

nginxDomainVhostIpDefault.php
Code:
<?php echo AUTOGENERATED_CONFIGS; ?>

<?php
/**
 * @var Template_VariableAccessor $VAR
 */
?>
<?php if ($VAR->domain->disabled): ?>
# Domain is disabled
<?php return ?>
<?php endif ?>

<?php if ($VAR->domain->physicalHosting->ssl): ?>
<?php foreach ($VAR->domain->physicalHosting->ipAddresses as $ipAddress): ?>
<?php if ($ipAddress->defaultDomainId == $VAR->domain->id): ?>

<?php echo $VAR->includeTemplate('domain/nginxDomainVirtualHost.php',
    array(
        'ssl' => true,
        'frontendPort' => $VAR->server->nginx->httpsPort,
        'backendPort' => $VAR->server->webserver->httpsPort,
        'documentRoot' => $VAR->domain->physicalHosting->httpsDir,
        'ipAddress' => $ipAddress,
        'default' => true,
    )) ?>

<?php endif ?>
<?php endforeach ?>
<?php endif ?>

<?php foreach ($VAR->domain->physicalHosting->ipAddresses as $ipAddress): ?>
<?php if ($ipAddress->defaultDomainId == $VAR->domain->id): ?>

<?php echo $VAR->includeTemplate('domain/nginxDomainVirtualHost.php',
    array(
        'ssl' => false,
        'frontendPort' => $VAR->server->nginx->httpPort,
        'backendPort' => $VAR->server->webserver->httpPort,
        'documentRoot' => $VAR->domain->physicalHosting->httpDir,
        'ipAddress' => $ipAddress,
        'default' => true,
    )) ?>

<?php endif ?>
<?php endforeach ?>
 
Hey Lloyd thanks,

It had other options such as ssl_proto etc.. anyway I can get the file from plesk source.
 
Sorry I posted the wrong file.

/opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php

has..

Code:
<?php
/**
 * @var Template_VariableAccessor $VAR
 * @var array $OPT
 */
?>
server {
    listen <?php echo $OPT['ipAddress']->escapedAddress . ':' . $OPT['frontendPort'] .
        ($OPT['default'] ? ' default_server' : '') . ($OPT['ssl'] ? ' ssl' : '') ?>;

    server_name <?php echo $VAR->domain->asciiName ?>;
<?php if ($VAR->domain->isWildcard): ?>
    server_name ~^<?php echo $VAR->domain->pcreName ?>$;
<?php else: ?>
    server_name www.<?php echo $VAR->domain->asciiName ?>;
<?php   if ($OPT['ipAddress']->isIpV6()): ?>
    server_name ipv6.<?php echo $VAR->domain->asciiName ?>;
<?php   else: ?>
    server_name ipv4.<?php echo $VAR->domain->asciiName ?>;
<?php   endif ?>
<?php endif ?>
<?php if ($VAR->domain->webAliases): ?>
<?php   foreach ($VAR->domain->webAliases as $alias): ?>
    server_name <?php echo $alias->asciiName ?>;
    server_name www.<?php echo $alias->asciiName ?>;
<?php   endforeach ?>
<?php endif ?>
<?php if ($VAR->domain->previewDomainName): ?>
    server_name "<?php echo $VAR->domain->previewDomainName ?>";
<?php endif ?>

<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $VAR->server->sni && $VAR->domain->physicalHosting->sslCertificate ?
    $VAR->domain->physicalHosting->sslCertificate :
    $OPT['ipAddress']->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout         5m;

    ssl_protocols               SSLv2 SSLv3 TLSv1;
    ssl_ciphers                 HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
<?php   endif ?>
<?php endif ?>

<?php if (!empty($VAR->domain->physicalHosting->proxySettings['nginxClientMaxBodySize'])): ?>
    client_max_body_size <?php echo $VAR->domain->physicalHosting->proxySettings['nginxClientMaxBodySize'] ?>;
<?php endif; ?>

<?php if ($VAR->domain->physicalHosting->scriptTimeout): ?>
    proxy_read_timeout <?php echo $VAR->domain->physicalHosting->scriptTimeout; ?>;
<?php endif; ?>

    root "<?php echo $OPT['ssl'] ? $VAR->domain->physicalHosting->httpsDir : $VAR->domain->physicalHosting->httpDir ?>";
    access_log "<?php echo $VAR->domain->physicalHosting->logsDir . '/' . ($OPT['ssl'] ? 'proxy_access_ssl_log' : 'proxy_access_log') ?>";
    error_log "<?php echo $VAR->domain->physicalHosting->logsDir . '/proxy_error_log' ?>";

<?php echo $VAR->domain->physicalHosting->proxySettings['allowDeny'] ?>

<?php echo $VAR->includeTemplate('domain/service/nginxSeoSafeRedirects.php', array('ssl' => $OPT['ssl'])); ?>

    location / {
<?php echo $VAR->includeTemplate('domain/service/proxy.php', $OPT); ?>
    }

<?php if (!$VAR->domain->physicalHosting->proxySettings['nginxTransparentMode'] && !$VAR->domain->physicalHosting->proxySettings['nginxServeStatic']): ?>
    location /internal-nginx-static-location/ {
        alias <?php echo $OPT['documentRoot'] ?>/;
        add_header X-Powered-By PleskLin;
        internal;
    }
<?php endif ?>

<?php if ($VAR->domain->active && !$VAR->domain->physicalHosting->proxySettings['nginxTransparentMode']): ?>

<?php if ($VAR->domain->physicalHosting->php && $VAR->domain->physicalHosting->proxySettings['nginxServePhp']
            || $VAR->domain->physicalHosting->proxySettings['nginxServeStatic']): ?>

<?php if ($VAR->domain->physicalHosting->proxySettings['fileSharingPrefix']): ?>
    location ~ ^/<?php echo $VAR->domain->physicalHosting->proxySettings['fileSharingPrefix'] ?>/ {
<?php echo $VAR->includeTemplate('domain/service/proxy.php', $OPT); ?>
    }
<?php endif; ?>

<?php endif; ?>

<?php if ($VAR->domain->physicalHosting->proxySettings['nginxServeStatic']): ?>

    location @fallback {
<?php echo $VAR->includeTemplate('domain/service/proxy.php', $OPT); ?>
    }

<?php echo $VAR->includeTemplate('domain/service/nginxProtectedDirectories.php', $OPT); ?>

    location ~ ^/(.*\.(<?php echo $VAR->domain->physicalHosting->proxySettings['nginxStaticExtensions'] ?>))$ {
        try_files $uri @fallback;
    }
<?php endif ?>

<?php if ($VAR->domain->physicalHosting->php && $VAR->domain->physicalHosting->proxySettings['nginxServePhp']): ?>
    location ~ ^/~(.+?)(/.*?\.php)(/.*)?$ {
        alias <?php echo $VAR->domain->physicalHosting->webUsersDir ?>/$1/$2;
<?php echo $VAR->includeTemplate('domain/service/fpm.php'); ?>
    }

    location ~ ^/~(.+?)(/.*)?$ {
<?php echo $VAR->includeTemplate('domain/service/proxy.php', $OPT); ?>
    }

    <?php echo $VAR->includeTemplate('domain/service/nginxWordpress.php'); ?>

    location ~ \.php(/.*)?$ {
<?php echo $VAR->includeTemplate('domain/service/fpm.php'); ?>
    }

    <?php echo $VAR->includeTemplate('domain/service/nginxWordpressIndexing.php'); ?>

    location ~ /$ {
        <?php echo $VAR->domain->physicalHosting->proxySettings['directoryIndex'] ?>
    }
<?php endif ?>

<?php endif ?>

<?php if (is_file($VAR->domain->physicalHosting->customNginxConfigFile)): ?>
    include "<?php echo $VAR->domain->physicalHosting->customNginxConfigFile ?>";
<?php endif; ?>
}

If you need it.

View attachment nginxDomainVirtualHost.zip
 
Hey Guys,

I figured I would just post this quick update to securing your webmail with your SSL certificate on your Plesk installation.

Step 1
Go to Server -> SSL Certificates
Add your SSL certificate here if you haven't already.

Step 2
Go to Server -> IP Addresses -> [your public IP]
Change the SSL certificate to the certificate you added in Step 1

Step 3
As per @KamalG add

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

To /etc/apache2/plesk.conf.d/roundcube.htaccess.inc somewhere after "RewriteEngine On"

Like so:
Plesk-Webmail-Force-SSL.png


That's it!
 
Nice solution.

But I think it gets difficult if you host more than one domain on a public IP. Hope this gets implemented soon :)

Regards,
Patrick
 