Resolved XFrame Options / X-XSS-Protection / X-Content-Type-Options / HSTS

[G J Piper]

I did a

find /etc/nginx -type f -name \*.conf -exec http -il plesklin {} \;[\CODE]

And the only place where it's added is in forwarding sites. Where does Plesk add that header for you?
That may be the reason why more is working on my servers.

You are also referring to a server-wide nginx place to add directives. I don't know of any such place. In the Plesk interface??

This directory is where you can add custom configuration files to add global settings for nginx (not in the UI):
/etc/nginx/conf.d/

Every configuration file found here has the "add_header X-Powered-By PleskLin;" in it, twice:
/etc/nginx/plesk.conf.d/vhosts/*.conf

I have about 30 domains hosted so there are 60 occurrences in my settings files. Deleting all of them in the config files, and making sure there are no "add_header" directives at all in the UI allows an add_header directive in "/etc/nginx/conf.d/custom-config.conf" to work. However, every time a setting is saved in the UI, all the "add_header X-Powered-By PleskLin;" occurrences are restored again. So, there really isn't a good fix other than for Plesk to add a truly global configuration field to the Plesk settings (using my recommended "include" in my previous post).

Try this:
grep -r 'PleskLin' /etc/nginx/plesk.conf.d/vhosts/*.conf

 

[mr-wolf]

This way you will get rid of it....

ln -s /usr/local/sbin/noplesklin /etc/cron.hourly/
cat /usr/local/sbin/noplesklin

#!/bin/bash
TMP=`mktemp`
LINE='add_header .* PleskLin'
if grep -il "${LINE}" /var/www/vhosts/system/*/conf/nginx.conf >${TMP} ; then
  while read CONF ; do
    sed -i "/${LINE}/d" ${CONF}
  done<${TMP}
  /etc/init.d/nginx restart
fi
rm -f ${TMP}

 

[learning_curve]

.......If you don't do any "add_header" directives in the UI "Additional headers" section, and you manually delete the "add_header X-Powered-By PleskLin;" from the two places in the vhost config file, and you don't have any add_header directives in the "Additional nginx directives" area, then the custom config file will allow add_header directives....."

.....but only on the 2nd Tuesday in August, with a following wind.... Joking aside that a great post.

Unless we're mistaken, this also means that placing "add_header" directives in the UI Additional nginx directives section (on each individual domain) completely ignoring any "add_header X-Powered-By PleskLin;" directives .....in the vhost config file and, not including any add_header" directives in any file added to "/etc/nginx/conf.d/" will result in a comparatively easy, but fully effective way to "add_header" customization. However, this only is on a domain by domain basis and not on a server wide basis, as was previously achieved prior to this thread being posted.

That's the setup we switched too (late last Thursday in this thread) after some very quick tests and not having lots of time to reseach things before fixing the situation that we noticed had suddenly arrived (!) and which drove us to start this thread.

Probably non-intentional.... but collateral damage was the term we used previoulsy, it's close to that as we see it know.

 

[mr-wolf]

You are not using this???

cat /etc/nginx/conf.d/aa400_own_tweaks.conf

map $scheme $hsts_header {
    https   'max-age=15768000; preload';
}

ssl_session_timeout     10m;
ssl_session_cache       shared:SSL:50m;

ssl_dhparam             /etc/dhparam/dhparam4096.pem;

 

[G J Piper]

@mr-wolf: While I understand your solution to remove the PleskLin header continuously, I believe the proper solution to this problem would be to allow extra headers on a domain-by-domain basis, while still having some headers added globally. Also, your solution doesn't allow any special headers of any kind to be added to a single domain -- you end up with only global headers.

The only way to achieve global and domain-by-domain header additions at this point is to create another global file that has an "include" for it in every vhost config, as I proposed in this post:
Issue - XFrame Options / X-XSS-Protection / X-Content-Type-Options / HSTS

@learning_curve: Without using a new global file and including the file in each vhost config, the only other solution is as you have relented to using -- setting all the headers manually on each vhost, domain-by-domain. (essentially this is not having a "global" config, but rather simulating a global config)
The problem with this method is that after you've added a few hundred domains to the server, discovering you need to add or change one of the "global" headers becomes a "pull-your-hair-out" situation lol.

 

[learning_curve]

You are not using this???

Are you asking us or @G J Piper? If youre asking us, No we're not. We've already posted why and how we've altered our setup, so there's no need or any incentive (for us) to switch back to using this method now. Especially after the recent posts / findings

 

[G J Piper]

You are not using this???

cat /etc/nginx/conf.d/aa400_own_tweaks.conf

map $scheme $hsts_header {
    https   'max-age=15768000; preload';
}

ssl_session_timeout     10m;
ssl_session_cache       shared:SSL:50m;

ssl_dhparam             /etc/dhparam/dhparam4096.pem;

Not sure what this is... Does it add custom headers from your custom config file? It doesn't appear so. Isn't this what we've been discussing doesn't work?

Just for info... I'm using:
Plesk 17.5.3 u#15
CentOS 6.9
Nginx 1.11.10

 

[learning_curve]

: @learning_curve: Without using a new global file and including the file in each vhost config, the only other solution is as you have relented to using -- setting all the headers manually on each vhost, domain-by-domain. (essentially this is not having a "global" config, but rather simulating a global config)
The problem with this method is that after you've added a few hundred domains to the server, discovering you need to add or change one of the "global" headers becomes a "pull-your-hair-out" situation lol.

Yep agreed. However with only 34 domains (currently) in our case, we're quite happy to stick to this method until future Plesk 'Server Managment Updates' allow a UI Global Solution

 

[mr-wolf]

I was using and recommending nginx directives in the site itself all this time.

The plesk team probably added the PleskLin to each vhost to deliberately get rid of the header that PHP was adding.

 

[mr-wolf]

Not sure what this is... Does it add custom headers from your custom config file? It doesn't appear so. Isn't this what we've been discussing doesn't work?

You indeed made clear why Learning_Curve was losing his HSTS, but I had it working on all sites where I needed it all this time.

I noticed I was getting a warning from that test-site when connecting to http.
It turns out that according to the RFC you should NOT send the Strict-Transport-Security over plain http. That should only happen after the reconnect on https

You can achieve that by having this in the global config

map $scheme $hsts_header {
    https   'max-age=15768000; preload';
}

ssl_session_timeout     10m;
ssl_session_cache       shared:SSL:50m;
ssl_dhparam             /etc/dhparam/dhparam4096.pem;

I have this on my https-only sites:

add_header Strict-Transport-Security $hsts_header always;
add_header Referrer-Policy strict-origin-when-cross-origin always;

add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;

 

[learning_curve]

.....I have this on my https-only sites......

All the sites / domains we have / host are https only

 

[mr-wolf]

This "https-only" is ambiguous.
If you have sites that will immediately redirect to https you should use this.

 

[learning_curve]

This "https-only" is ambiguous.
If you have sites that will immediately redirect to https you should use this.

Everyone has a right to an opinion, including their own view on "https only IS or IS NOT ambiguous" We've moved on to focusing on HPKP and the challenges that brings....

 

[learning_curve]

Unless there's any more impactive information on the original subject of this thread, we're pretty sure it's resolved?
i.e. there is a clear answer now, with effective workarounds in the interim.
Albeit none are ideal, but the original situation/problem can only be changed by a future Plesk update

 

[learning_curve]

Okay. It's done then. Thanks for everyone's input. Off we go then.....

 

[Fahad Javaid]

Hello,
Plesk Onyx
Version 17.5.3 Update #70,

Apache and nginx running as reverse proxy.

We are in desperate need of your help.
We have several shared hosting servers using plesk and in each server we have several website hosted.

Recently, our Secuirty Team conducted an audit of servers and now they want us to enable secure headers for all website on every server.

Apache - How to setup the httpd.conf file to send HTTP Security Headers with your web site (and score an A on securityheaders.io)

As per the information in the above link I added the secure headers in httpd.conf file of the server and then tried to run the scan on each website one by one to see if the changes have taken effect.

However, I am surprised to see that changes have worked on few website on the same server and on few websites they have not worked.

This server has got Apache, and nginx as reverse proxy both installed.

Changes made in httpd.conf file:
***********************************************
<IfModule mod_headers.c>
<Directory />
Header always set X-XSS-Protection "1; mode=block"
Header always set x-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
Header always set Referrer-Policy "strict-origin"
Header always set Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker

'none'; vibrate 'none'; fullscreen 'none'; payment 'none';"
Header always set Expect-CT max-age=0
Header unset Last-Modified
Header unset X-Powered-By
</Directory>
</IfModule>
**************

I have also tried setting headers in /etc/nginx/conf.d and ssl.conf file but no luck.

Any help would be much appreciated

 

[learning_curve]

...Plesk Onyx Version 17.5.3 Update #70, Apache and nginx running as reverse proxy...d

This thread is very, very old now @Fahad Javaid Not sure about all the other forum members who posted there, but in our case, we've changed both servers and server OS since way back then and... Plesk has had lots and lots of updates / new add-ons / new releases since then too. Some data may still be relevant, but data some may not. Maybe, you'd be better off starting a new thread and just adding this thread in as a link within it - if needed?

If it helps, we apply our own security changes (e.g. SSL Cipher Suite / SSLHonorCipherOrder / DHParam Rule etc etc) within ~/etc/apache2/mods-available/ssl.conf We apply more of our own security changes (e.g. SSL Sessions / SSL ECDH Curve / SSL Protocol / SSL DHParam / SSL Ciphers / OCSP Stapling etc etc) within ~/etc/nginx/conf.d/ssl.conf too. BUT... individually by domain, we make many other security changes (including all the header related ones) via individually written entries within My Domain / Apache & Nginx Settings / Aditional Nginx Directives that's available within the Plesk Panel.

There may now be, far better ways of applying all these modifications but, using this setup on our current servers / OS It's A+ everywhere (Qualys SSL Labs / HT Bridge / SecurityHeaders etc ) and unlike your own current issue, this works on all domains, all of the time. This is true, even when some of the security changes (including header related ones) via individually written entries within My Domain / Apache & Nginx Settings / Aditional Nginx Directives are different, between some of the domains.

So as a pure guess, the issue that you current;y can only be related to your current configuration / setup somewhere? If you do start a new thread, posting a lot more detail of all the changes you've made so far / server spec details etc would possibly allow other foum members to assist you a lot quicker

 

[Fahad Javaid]

Hello Learning_curv,

Thank You very much for the reply.

So ,If I have understood your update properply you are suggesting that the best way to apply secure headers for each website on a shared hosting server is to declare this under Additional Nginx directives using Plesk?

Please confirm ?

Below is my current http.conf and nginx ssl.conf file. (nginx is running as reverse proxy).

This is my current /etc/httpd/conf
httpd.conf
***********************************************
<IfModule mod_headers.c>
<Directory />
Header always set X-XSS-Protection "1; mode=block"
Header always set x-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
Header always set Referrer-Policy "strict-origin"
Header always set Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none';"
Header always set Expect-CT max-age=0
Header unset Last-Modified
Header unset X-Powered-By
</Directory>
</IfModule>
********************************
This is my current nginx settings /etc/nginx/conf.d
ssl.conf
**********************************************************************
add_header X-XSS-Protection "1; mode=block";
add_header x-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;";
add_header Referrer-Policy "strict-origin";
#add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none';";
add_header unset Last-Modified;
add_header unset X-Powered-By;
add_header Strict-Transport-Security "max-age=86400; includeSubDomains";
add_header Expect-CT 'max-age=0';
*********************************************************************

Runng scan from Analyse your HTTP response headers on few website on same server it shows new headers are in place where as few website are showing F failed in scan.

Regards,
Fahad Javaid

 

[learning_curve]

....So, If I have understood your update properply you are suggesting that the best way to apply secure headers for each website on a shared hosting server is to declare this under Additional Nginx directives using Plesk? Please confirm?

NO @Fahad Javaid

What we suggested, was that you started a NEW thread, because all the preceeding data in this thread, is now very old and so not all of it / certain parts of it may not be of any use at all now.

To try and assist you a little in the interim, we gave you examples of our own, current menthods of security related changes, including, all of our header related changes being applied via individually written entries within My Domain / Apache & Nginx Settings / Aditional Nginx Directives that's available within the Plesk Panel. The previous discussions in this old thread, do explain why this was the easiest option at the time, back then, depending on the number of domains that you are hosting

Posts in this old thread by others, do also explain why making header changes via /etc/httpd/conf/httpd.conf and/or /etc/nginx/conf.d/ssl.conf appeared to be completely pointless and in-effective at the time, back then! So just out of interest, as a test, why have you not tried using the alternative method shown above / in previous old posts / our previous recent post, instead of using both of the methods that you're currently using? Youv'e presumably read all of this old thread in detail now?

Regardless and perhaps most importantly, we also mentioned, that there may well be other, better methods that are more suitable for you now. Especially as you're using an older version of Plesk Onyx than we are and, it's not shown anywhere (your forum signature / your thread post data etc) what your OS and other related setups are.