Top Nav

Archive | Webservers

Diffie–Hellman (DHE) Ciphers On Nginx

In some cases you may wish to allow Diffie–Hellman (DHE) ciphers in order to support older clients like IE on Windows 7.  On Plesk we often use the “intermediate” level in the Mozilla cipher set as described here:

The “intermediate” level includes:


Of course the “ECDSA” or “Elliptic Curve Digital Signature Algorithm” ciphers will only be available if you are using ECC signed certificates.

Additionally the “DHE” ciphers will not be available by default if you are using Nginx releases greater then 1.11. With the 1.11 release Nginx moved the DHE key to an external setting instead of an internally generated key. The stock Nginx packages on Ubuntu and CentoOS do not setup a DHE key which results in the DHE ciphers not being available.

To address this problem, start by generating a key:

Next tell Nginx where to find the key:

Verify Nginx config and restart:

Now the DHE ciphers will be offered to clients and Window 7 / IE clients will be able to connect to the sites hosted on the server.





.htaccess – negative file type match

Here’s an example of how to block all files extensions not listed in the regular expression:



Disable OPTIONS method in NGINX

To disable the OPTIONS method in Nginx add the following config:

The result can be tested with curl:



Disable Basic Auth For Virtual Path On Plesk

In a recent case we needed to allow request to a particular virtual URL path on a site that was password protected with HTTP Basic Auth. The site was hosted on a Linux server with Plesk, nginx and Apache.  Typically this problem is solved by adding a “Satisfy Any” to the .htaccess in the directory that you want to remove authentication. But this does not work if the path is virtual instead of a physical directory path. Additionally we needed to allow access for a list of IP addresses. We tried an number of different solutions and ended up with the following:

Step 1 – The HTTP Basic Auth and IP access controls are configured in the .htaccess file like this:

Step 2 – In Plesk under:

Add the following block:

where “/excluded/path” is the virtual URL to be allowed access and “x.x.x.x” is the IP address assigned to the site.

When a request comes is received, nginx looks for the path and adds the AUTH_OVERRIDE header. Then the request is passed to Apache which processes the .htaccess file. The AUTH_OVERRIDE header is converted to an “AUTH_REQUEST” environment variable and allow without authentication by the “allow from env=” rule.

There may be better ways to accomplish this solution but this is one that we successfully implemented.




Test CORS with curl

Is your CDN returning the proper CORS headers? One way to test is with curl. Here’s a simple CORS request:

You should get a successful response that includes and “Access-Control-Allow-Origin” header.

And here’s a pre-flight request:

You should get a successful response that includes and “Access-Control-Allow-Origin”, “Access-Control-Allow-Methods”, and “Access-Control-Allow-Headers” headers.