Plesk Archives - Page 3 of 4

More and more sites are only available via https, now with the Let’s Encrypt extension available in Plesk 12.5 it’s even easier to make your site secure. As such I thought it would be a good time to write this guide.

This guide assumes…

- You have already setup your SSL Certificate in Plesk for your domain,
- You are using Apache (FastCGI or FPM) and Nginx is serving static files,
- You want your site to be https only, redirecting all http requests to https
- You have set preferred domain in Plesk to www.domain.tld

Apache

I’ll start with Apache, browse to your domain in Plesk and click on Additional Apache & Nginx settings. under Additional directives for HTTP use this redirect..

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTPS} off
	RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
</IfModule>

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]

</IfModule>

And Additional directives for HTTPS…

<IfModule mod_headers.c>
       Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

</IfModule>

If you use Plesk’s built in SEO Safe redirect (preferred domain) from domain.tld to www.domain.tld, you will need to turn this off and add the following in the Additional HTTPS directives…

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTP_HOST} ^domain.tld$ [NC]
	RewriteRule ^(.*)$ https://www.domain.tld$1 [L,R=301]
</IfModule>

RewriteEngine On

RewriteCond %{HTTP_HOST} ^domain.tld$ [NC]

RewriteRule ^(.*)$ https://www.domain.tld$1 [L,R=301]

</IfModule>

Nginx

Now onto the Nginx directives…

if ($scheme != https) {
    return 301 https://$host$request_uri;
}

if ($scheme != https) {

return 301 https://$host$request_uri;

}

Notice I’m using $scheme rather than the more common $host, as using the $host rewrite affected ssllabs scores in that domain.tld and www.domain.tld would score differently after adding HPKP and HSTS headers in Apache.

I hope that helps someone.

Updated to reflect changes at: https://hstspreload.org/

Here’s how I install SSL certificates for Horde and Roundcube bundled with Plesk 12.0.18 to remove chain issues, and keep the certificate in scope of Plesk backups.

INSTALL

Firstly, install your webmail certificate in…

Plesk -> Tools & Settings -> SSL Certificates

1	Plesk -> Tools & Settings -> SSL Certificates

And then go to…

Plesk -> Tools & Settings -> Database Servers -> PHPMyAdmin -> psa -> certificates

1	Plesk -> Tools & Settings -> Database Servers -> PHPMyAdmin -> psa -> certificates

Get the file names for the webmail certificate and CA certificate and make a custom horde and roundcube template (paths to follow) adding the following directives.

THE DIRECTIVES

Apache files (horde.php and roundcube.php)

SSLCertificateKeyFile "/opt/psa/var/certificates/cert-name"
SSLCertificateFile "/opt/psa/var/certificates/cert-name"
SSLCACertificateFile "/opt/psa/var/certificates/ca-name"

SSLCertificateKeyFile "/opt/psa/var/certificates/cert-name"

SSLCertificateFile "/opt/psa/var/certificates/cert-name"

SSLCACertificateFile "/opt/psa/var/certificates/ca-name"

Nginx File (nginxWebmailPartial.php)

ssl_certificate             /opt/psa/var/certificates/cert-name;
ssl_certificate_key         /opt/psa/var/certificates/cert-name;
ssl_client_certificate      /opt/psa/var/certificates/ca-name;

ssl_certificate /opt/psa/var/certificates/cert-name;

ssl_certificate_key /opt/psa/var/certificates/cert-name;

ssl_client_certificate /opt/psa/var/certificates/ca-name;

I do this because the CA directives are missing from the default Apache2 templates.

TEMPLATE LOCATION

Templates are located here..

/opt/psa/admin/conf/templates/default/horde.php
/opt/psa/admin/conf/templates/default/roundcube.php
/opt/psa/admin/conf/templates/default/nginxWebmailPartial.php

/opt/psa/admin/conf/templates/default/horde.php

/opt/psa/admin/conf/templates/default/roundcube.php

/opt/psa/admin/conf/templates/default/nginxWebmailPartial.php

copy the above files to

/opt/psa/admin/conf/templates/custom

1	/opt/psa/admin/conf/templates/custom

and then edit the files..

EDITING THE TEMPLATES

You need to find and replace the SSL directive/s in the template files and replace with the ones above.

horde.php line 83, and roundcube.php line 86

SSLCertificateFile "<?php echo $ipAddress->sslCertificate->ceFilePath ?>"

1	SSLCertificateFile "<?php echo $ipAddress->sslCertificate->ceFilePath ?>"

become…

SSLCertificateKeyFile "/opt/psa/var/certificates/cert-name"
SSLCertificateFile "/opt/psa/var/certificates/cert-name"
SSLCACertificateFile "/opt/psa/var/certificates/ca-name"

SSLCertificateKeyFile "/opt/psa/var/certificates/cert-name"

SSLCertificateFile "/opt/psa/var/certificates/cert-name"

SSLCACertificateFile "/opt/psa/var/certificates/ca-name"

nginxWebmailPartial.php, there’s a big chunk you need to remove, lines 10 to 26 (in your file)…

<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $ipAddress->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout         5m;

<?php if (get_param('disablesslv3')): ?>
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
<?php else: ?>
    ssl_protocols               SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
<?php endif ?>
    ssl_ciphers                 HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
<?php   endif ?>
<?php endif ?>

<?php if ($OPT['ssl']): ?>

<?php $sslCertificate = $ipAddress->sslCertificate; ?>

<?php if ($sslCertificate->ce): ?>

ssl_certificate <?php echo $sslCertificate->ceFilePath ?>;

ssl_certificate_key <?php echo $sslCertificate->ceFilePath ?>;

<?php if ($sslCertificate->ca): ?>

ssl_client_certificate <?php echo $sslCertificate->caFilePath ?>;

<?php endif ?>

ssl_session_timeout 5m;

<?php if (get_param('disablesslv3')): ?>

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

<?php else: ?>

ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;

<?php endif ?>

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers on;

<?php endif ?>

Becomes something like…

<?php if ($OPT['ssl']): ?>
    ssl_ecdh_curve              secp384r1;
    ssl_dhparam                 /etc/ssl/dh/RSA4096.pem;
    
    ssl_certificate             /opt/psa/var/certificates/cert-name;
    ssl_certificate_key         /opt/psa/var/certificates/cert-name;
    ssl_client_certificate      /opt/psa/var/certificates/ca-name;
    
    ssl_session_timeout                           5m;
    ssl_session_cache                  shared:SSL:5m;
    
    ssl_prefer_server_ciphers                     on;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;   
    ssl_ciphers             EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate     /etc/ssl/ocsp/domainCA.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;
    
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
<?php endif ?>

<?php if ($OPT['ssl']): ?>

ssl_ecdh_curve secp384r1;

ssl_dhparam /etc/ssl/dh/RSA4096.pem;

ssl_certificate /opt/psa/var/certificates/cert-name;

ssl_certificate_key /opt/psa/var/certificates/cert-name;

ssl_client_certificate /opt/psa/var/certificates/ca-name;

ssl_session_timeout 5m;

ssl_session_cache shared:SSL:5m;

ssl_prefer_server_ciphers on;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

ssl_stapling on;

ssl_stapling_verify on;

ssl_trusted_certificate /etc/ssl/ocsp/domainCA.pem;

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 10s;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

<?php endif ?>

You can see I have also added ssl_session_cache in there along with HSTS, OCSP, dhparam and ECDH Curve.
Now regenerate the conf files with…

/opt/psa/admin/bin/httpdmng --reconfigure-all

1	/opt/psa/admin/bin/httpdmng --reconfigure-all

Your webmail will now be properly secured and you won’t get any chain issues when testing your site at ssllabs.

Please note CentOS paths are different. The psa folder is located in /usr/local/.

Thanks for reading, I am working on formatting this article better so you can copy and paste directives like previous guides, unfortunately the code tags wouldn’t wrap the above php sections.

My Blog

Category Archives: Plesk

Secure Redirects in Plesk

Apache

Nginx

Add DHParam to Plesk Panel

Secure Plesk Webmail

Servers and Security