Top Nav

Archive | Plesk

Mixing Plesk open_basedir path syntax

Plesk uses a convoluted syntax for open_basedir settings in Plesk. You can find this setting on a per-domain basis by navigating the Plesk GUI like this:

Domains -> -> PHP Settings -> Common settings ->  open_basedir

The default setting looks like this:

This breaks down as follows:

The first part, {WEBSPACEROOT}{/} means the the entire webspace root, /var/www/vhosts/ in this case. This includes httpdocs and any folder in this path.

The second part {:} is the delimiter.

The third part {TMP}{/} means the /tmp directory

Any additional paths can be added by appending a normal UNIX-style path syntax as in this example:

In this case the default plus the PHP 7.2 pear directory is allowed. You can add as many directories as needed using the UNIX style path syntax in combination with the Plesk default. Be sure to use a colon as your delimiter.


Disable Basic Auth For Virtual Path On Plesk

In a recent case we needed to allow request to a particular virtual URL path on a site that was password protected with HTTP Basic Auth. The site was hosted on a Linux server with Plesk, nginx and Apache.  Typically this problem is solved by adding a “Satisfy Any” to the .htaccess in the directory that you want to remove authentication. But this does not work if the path is virtual instead of a physical directory path. Additionally we needed to allow access for a list of IP addresses. We tried an number of different solutions and ended up with the following:

Step 1 – The HTTP Basic Auth and IP access controls are configured in the .htaccess file like this:

Step 2 – In Plesk under:

Add the following block:

where “/excluded/path” is the virtual URL to be allowed access and “x.x.x.x” is the IP address assigned to the site.

When a request comes is received, nginx looks for the path and adds the AUTH_OVERRIDE header. Then the request is passed to Apache which processes the .htaccess file. The AUTH_OVERRIDE header is converted to an “AUTH_REQUEST” environment variable and allow without authentication by the “allow from env=” rule.

There may be better ways to accomplish this solution but this is one that we successfully implemented.




Mitigate SWEET32 On Plesk Panel

Here’s a great article on the SWEET32 vulnerability and how to mitigate:

SWEET32 Birthday attack : How to fix TLS vulnerability (CVE-2016-2183) in OpenSSL, Apache, Nginx and IIS in RedHat, CentOS, Ubuntu, Debian, OpenSUSE and Windows

If you have a Plesk server then you’ll need adjust the panel ciphers by editing:

and change the contents to:

The restart the panel:


Plesk – Bulk Reset Subscription Expire Date

Here’s a one liner to set the expire date on all subscriptions to unlimited:



Install New Relic With Plesk 12.5

Plesk 12.5 allow for multiple PHP versions and integration methods. This is a great feature but it makes installing New Relic more difficult. New Relic by default installs to the Linux distribution’s version of PHP. With Plesk 12.5, there are multiple PHP versions in different locations. Also New Relic uses a unix socket to facilitate communication between the newrelic-daemon and the PHP component. When running PHP under php-fpm there are permission problems with multiple sites using New Relic. Here are the steps to get New Relic working on CentOS or RedHat. Other Linux distributions will be similar.

1. Install New Relic for the operating system following the standard instructions:

2. Set the newrelic-daemon to run independently by copying the config file template:

3. Configure the newrelic-daemon to listen on a TCP port instead of a UNIX socket:

4. Start the newrelic-daemon:

5. Configure distribution provided PHP to use newrelic-daemon:

6. Restart Apache

7. Install New Relic on Plesk provided PHP installations using the instructions here:

We’ll start with PHP 5.6:

8. Set the TCP port

9. Restart cooresponding php-fpm process:

10. Repeat steps 7, 8 and 9 for each additional PHP version installed on the server.