Archive | Plesk

Diffie–Hellman (DHE) Ciphers On Nginx

By admin on November 6, 2020 in Nginx, Plesk

In some cases you may wish to allow Diffie–Hellman (DHE) ciphers in order to support older clients like IE on Windows 7. On Plesk we often use the “intermediate” level in the Mozilla cipher set as described here:

https://wiki.mozilla.org/Security/Server_Side_TLS

The “intermediate” level includes:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384

Of course the “ECDSA” or “Elliptic Curve Digital Signature Algorithm” ciphers will only be available if you are using ECC signed certificates.

Additionally the “DHE” ciphers will not be available by default if you are using Nginx releases greater then 1.11. With the 1.11 release Nginx moved the DHE key to an external setting instead of an internally generated key. The stock Nginx packages on Ubuntu and CentoOS do not setup a DHE key which results in the DHE ciphers not being available.

To address this problem, start by generating a key:

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

1 2	cd /etc/ssl/certs openssl dhparam -out dhparam.pem 4096

Next tell Nginx where to find the key:

echo "ssl_dhparam /etc/ssl/certs/dhparam.pem;" > /etc/nginx/conf.d/ssl_dh.conf

1	echo "ssl_dhparam /etc/ssl/certs/dhparam.pem;" > /etc/nginx/conf.d/ssl_dh.conf

Verify Nginx config and restart:

nginx -t
systemctl restart nginx

1 2	nginx -t systemctl restart nginx

Now the DHE ciphers will be offered to clients and Window 7 / IE clients will be able to connect to the sites hosted on the server.

Mixing Plesk open_basedir path syntax

By admin on February 12, 2019 in Plesk

Plesk uses a convoluted syntax for open_basedir settings in Plesk. You can find this setting on a per-domain basis by navigating the Plesk GUI like this:

Domains -> example.com -> PHP Settings -> Common settings -> open_basedir

The default setting looks like this:

{WEBSPACEROOT}{/}{:}{TMP}{/}

1	{WEBSPACEROOT}{/}{:}{TMP}{/}

This breaks down as follows:

The first part, {WEBSPACEROOT}{/} means the the entire webspace root, /var/www/vhosts/example.com/ in this case. This includes httpdocs and any folder in this path.

The second part {:} is the delimiter.

The third part {TMP}{/} means the /tmp directory

Any additional paths can be added by appending a normal UNIX-style path syntax as in this example:

{WEBSPACEROOT}{/}{:}{TMP}{/}:/opt/plesk/php/7.2/share/pear

1	{WEBSPACEROOT}{/}{:}{TMP}{/}:/opt/plesk/php/7.2/share/pear

In this case the default plus the PHP 7.2 pear directory is allowed. You can add as many directories as needed using the UNIX style path syntax in combination with the Plesk default. Be sure to use a colon as your delimiter.

Disable Basic Auth For Virtual Path On Plesk

By admin on February 16, 2018 in Apache, Nginx, Plesk

In a recent case we needed to allow request to a particular virtual URL path on a site that was password protected with HTTP Basic Auth. The site was hosted on a Linux server with Plesk, nginx and Apache. Typically this problem is solved by adding a “Satisfy Any” to the .htaccess in the directory that you want to remove authentication. But this does not work if the path is virtual instead of a physical directory path. Additionally we needed to allow access for a list of IP addresses. We tried an number of different solutions and ended up with the following:

Step 1 – The HTTP Basic Auth and IP access controls are configured in the .htaccess file like this:

# basic auth
AuthName "Authorized Only"
AuthType Basic
# password file is maintained from Plesk
AuthUserFile /var/www/vhosts/system/stage.acme.com/pd/d..httpdocs@donotremove
require valid-user

# set an environment variable if there is an AUTH_OVERRIDE header
SetEnvIf AUTH_OVERRIDE ^true AUTH_REQUEST

# set IP controls
order deny,allow
deny from all
allow from 1.1.1.1
allow from 2.2.2.2
# allow request if the environment variable is set
allow from env=AUTH_REQUEST

# require either Basic Auth or IP controls
Satisfy Any

# basic auth

AuthName "Authorized Only"

AuthType Basic

# password file is maintained from Plesk

AuthUserFile /var/www/vhosts/system/stage.acme.com/pd/d..httpdocs@donotremove

require valid-user

# set an environment variable if there is an AUTH_OVERRIDE header

SetEnvIf AUTH_OVERRIDE ^true AUTH_REQUEST

# set IP controls

order deny,allow

deny from all

allow from 1.1.1.1

allow from 2.2.2.2

# allow request if the environment variable is set

allow from env=AUTH_REQUEST

# require either Basic Auth or IP controls

Satisfy Any

Step 2 – In Plesk under:

Subscriptions -> stage.acme.com -> Apache & nginx settings -> Additional nginx directives

1	Subscriptions -> stage.acme.com -> Apache & nginx settings -> Additional nginx directives

Add the following block:

location ~ /excluded/path {
  proxy_set_header AUTH_OVERRIDE true;
  proxy_pass http://x.x.x.x:7080;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Accel-Internal /internal-nginx-static-location;
  access_log on;
}

location ~ /excluded/path {

proxy_set_header AUTH_OVERRIDE true;

proxy_pass http://x.x.x.x:7080;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Accel-Internal /internal-nginx-static-location;

access_log on;

}

where “/excluded/path” is the virtual URL to be allowed access and “x.x.x.x” is the IP address assigned to the site.

When a request comes is received, nginx looks for the path and adds the AUTH_OVERRIDE header. Then the request is passed to Apache which processes the .htaccess file. The AUTH_OVERRIDE header is converted to an “AUTH_REQUEST” environment variable and allow without authentication by the “allow from env=” rule.

There may be better ways to accomplish this solution but this is one that we successfully implemented.

Mitigate SWEET32 On Plesk Panel

By admin on November 21, 2016 in Plesk

Here’s a great article on the SWEET32 vulnerability and how to mitigate:

SWEET32 Birthday attack : How to fix TLS vulnerability (CVE-2016-2183) in OpenSSL, Apache, Nginx and IIS in RedHat, CentOS, Ubuntu, Debian, OpenSUSE and Windows

If you have a Plesk server then you’ll need adjust the panel ciphers by editing:

/etc/sw-cp-server/conf.d/ssl.conf

1	/etc/sw-cp-server/conf.d/ssl.conf

and change the contents to:

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

ssl_prefer_server_ciphers On;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

The restart the panel:

service sw-cp-server restart

1	service sw-cp-server restart

Plesk – Bulk Reset Subscription Expire Date

By admin on August 18, 2016 in Plesk

Here’s a one liner to set the expire date on all subscriptions to unlimited:

for SUBSCRIPTION in `/usr/local/psa/bin/subscription --list`; 
 do /usr/local/psa/bin/subscription_settings --update $SUBSCRIPTION -expiration -1; 
done;

for SUBSCRIPTION in `/usr/local/psa/bin/subscription --list`;

do /usr/local/psa/bin/subscription_settings --update $SUBSCRIPTION -expiration -1;

done;

← Previous 1 2 3 … 8 Next →

Need help immediately?

$100/hour
Satisfaction Guaranteed

Top Nav

Navigation