Archive | Webservers

Clearing PHP opcache

Great article on how to clear the PHP opcache:

https://ma.ttias.be/how-to-clear-php-opcache/

To facilitate use on a Plesk server, I created a script and mapped it into the site's namespace:

https://acme.com/opcache_clear

Here’s the script:

And here’s the Apache config to map into a virtual host:

The above config should be placed in the “Apache & nginx setting” screen in the “Additional directives for https” field. In addition to setting the alias path, we’re also setting the PHP handler.

Additionally, under “Password protected directories” I added password protection for “/opcache_clear”. This is just a placeholder for the password file, which is referenced in the above config.

Apply Basic Auth To Site With Excluded Virtual Path Under Plesk With Apache 2.4

We want to password protect a WordPress development site but allow unauthenticated access to the wp-json/ path. Hosting platform is Plesk with Apache 2.4. We’ll assume the domain is “acme.com” and the assigned IP is “w.x.y.z”.

There are probably better ways to accomplish the goal but this approach seems to work.

Step 1. – In Plesk add a Protected Directory named “/donotremove” and add appropriate user/passwords.

Step 2. – In Plesk on the “Apache & nginx Setting” screen under “Additional nginx directives” add the following:

Step 3. – In Plesk on the “Apache & nginx Setting” screen under “Additional directives for HTTP” and “Additional directives for HTTPS” add the following:

Diffie–Hellman (DHE) Ciphers On Nginx

In some cases you may wish to allow Diffie–Hellman (DHE) ciphers in order to support older clients like IE on Windows 7.  On Plesk we often use the “intermediate” level in the Mozilla cipher set as described here:

https://wiki.mozilla.org/Security/Server_Side_TLS

The “intermediate” level includes:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384

Of course the “ECDSA” or “Elliptic Curve Digital Signature Algorithm” ciphers will only be available if you are using ECC signed certificates.

Additionally, the “DHE” ciphers will not be available by default if you are using Nginx releases greater than 1.11. With the 1.11 release, Nginx moved the DHE key to an external setting instead of an internally generated key. The stock Nginx packages on Ubuntu and CentOS do not set up a DHE key, which results in the DHE ciphers not being available.

To address this problem, start by generating a key:

Next tell Nginx where to find the key:

Verify Nginx config and restart:

Now the DHE ciphers will be offered to clients, and Windows 7 / IE clients will be able to connect to the sites hosted on the server.
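A check for the failure mode described in this section (DHE suites listed in `ssl_ciphers` with no key file configured via `ssl_dhparam`), as an added example that is not part of the original post. The sample configs, file names and paths are constructed, and the script only inspects the directives of a single file.

```shell
#!/bin/sh
# Added example (not from the original post): flag nginx configs that list
# DHE suites in ssl_ciphers without a usable ssl_dhparam file.

# Print the DHE-* (not ECDHE-*) suites named on ssl_ciphers lines of file $1.
dhe_suites() {
    grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' "$1" \
        | tr " :;'\"" '\n\n\n\n\n' \
        | grep -E '^DHE-' || true
}

# Print the first ssl_dhparam path set in file $1 (empty when absent).
dhparam_path() {
    sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" \
        | head -n 1
}

# 0 = consistent, 1 = DHE listed but no ssl_dhparam, 2 = ssl_dhparam file missing.
check_dhe_config() {
    if [ -z "$(dhe_suites "$1")" ]; then
        return 0    # no DHE suites requested, nothing to check
    fi
    dh_file=$(dhparam_path "$1")
    if [ -z "$dh_file" ]; then
        echo "$1: DHE suites listed but ssl_dhparam is not set" >&2
        return 1
    fi
    if [ ! -r "$dh_file" ]; then
        echo "$1: ssl_dhparam file $dh_file is not readable" >&2
        return 2
    fi
    return 0
}

# Constructed sample configs; file names and the dhparam path are assumptions.
demo_dir=$(mktemp -d)
: > "$demo_dir/dhparam.pem"   # empty stand-in for a real DH parameter file
cat > "$demo_dir/before.conf" <<'EOF'
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
EOF
cat > "$demo_dir/after.conf" <<EOF
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam $demo_dir/dhparam.pem;
EOF
check_dhe_config "$demo_dir/before.conf" || echo "before.conf: exit $?"
check_dhe_config "$demo_dir/after.conf" && echo "after.conf: ok"
rm -rf "$demo_dir"
```

Run it against each file that carries the `ssl_ciphers` directive; a non-zero exit means clients that depend on DHE suites will still fail to negotiate.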

.htaccess – negative file type match

Here’s an example of how to block all file extensions not listed in the regular expression:

Disable OPTIONS method in NGINX

To disable the OPTIONS method in Nginx add the following config:

The result can be tested with curl: