PLESK 12.5 - NGINX Redirect https / Let's Encrypt

Discussion in 'Plesk Automation Suggestions and Feedback' started by P_heck, Feb 18, 2016.

  1. P_heck

    P_heck Kilo Poster

    Messages:
    60
    Hello!

    I have searched for a solution, but didn't find one - so if this question has already been answered, please just direct me to the thread.

    Plesk 15.5.30 Update 21 running on Debian Wheezy, using NGINX with fpm-php on PHP 7.0.2

    I have now updated all my customer websites to SSL using the Let's Encrypt extension which works fine.

    Now I want to redirect all http traffic to https. First try was to use the following statement:

    Code:
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    This one works fine for the redirect, but breaks the renewal of the certificate within the Let's Encrypt extension, as it looks at http and seems not to follow the redirection. Error code I got (customer data blacklisted):

    Code:
    Domain: domain.tld
    Type: unauthorized
    Detail: Invalid response from http://domain.tld/.well-known
    /acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    [xxx.xxx.xxx.xxx]: 404
    I also tried to put the following directive in the Plesk Panel:

    Code:
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /path/to/your/root/dir;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
    But I got the error that I can't define the root ("/") location, as it's already defined.

    I don't think it's a good idea to edit the nginx.conf file myself, as Plesk will revert the change at the next update.

    In the meantime, I'm using the statement below, which only redirects the root to https, but I'm not happy with it as it still allows unencrypted traffic outside the root directory.

    Code:
    if ($request_uri = /) {
        set $test A;
    }
    if ($scheme = 'http') {
        set $test "${test}B";
    }
    if ($test = AB) {
        rewrite ^/(.*)$ https://domain.tld/$1 permanent;
    }
    So does anybody have an idea how to redirect all http traffic to https, but not the traffic for "/.well-known/acme-challenge"?

    Cheers Peter
     
  2. Nibbels

    Nibbels Kilo Poster

    Messages:
    14
    Hello, maybe this helps you, if you want to stick to the Plesk-configuration-level:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,QSA]
    </IfModule>

    and maybe

    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Robots-Tag "none"
    Header set X-Frame-Options "SAMEORIGIN"
    SetEnv modHeadersAvailable true
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>

    If you play with HTTPS you should know https://www.ssllabs.com/ssltest/, which is really really good to know!
    This site helps you to fix those many many configuration flaws and weaknesses you can still experience when having https on (such as weak ciphers, configuration problems ..).

    EDIT: OK well.. you mentioned nginx, but there should be something like this too.
    EDIT: These are examples of what I meant about configuration: https://cipherli.st/

    Greetings
     

    Last edited: Feb 18, 2016
  3. Nibbels

    Nibbels Kilo Poster

    Messages:
    14
    This is what I have in one nginx-domain:

    But I cannot remember if this is relaying all http to https or if this shop does it on its own.
    Maybe you can try this:

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "upgrade-insecure-requests";

    In any case it hardens your https behaviour.
     

  4. P_heck

    P_heck Kilo Poster

    Messages:
    60
    Hello Nibbels,

    I am using NGINX - yours looks like Apache rewrites.

    Cheers Peter
     
  5. Nibbels

    Nibbels Kilo Poster

    Messages:
    14
    What I am trying to remember is this special header which tells your browser to switch to https only. That could solve your problem for most of the clients. I think it was something like
    Content-Security-Policy "upgrade-insecure-requests";
    or
    I remember playing around with those headers and no visitor was able to switch to http again...
    https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security did this probably.

    Greetings
     
  6. P_heck

    P_heck Kilo Poster

    Messages:
    60
    Yes - this one is already implemented on my websites - here the code:

    Code:
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    The problem here: not all browsers support HSTS (only newer ones do). Especially among mobile browsers, there are still some that do not support it - see http://caniuse.com/#feat=stricttransportsecurity

    Cheers Peter
     
  7. Nibbels

    Nibbels Kilo Poster

    Messages:
    14
    Ok, then maybe another person should bring suggestions. My website is "just a game". It is not very urgent for my visitors to switch to HTTPS, so I made it optional.
    In some situations I just get the HTTPS-Flag within PHP and send the user to HTTPS in specific php-applications. They normally stay there if once sent.
    <?php
    // Redirect to https when the request did not arrive over TLS
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
        header('Location: https://........');
        exit;
    }

    [But this is PHP.]
    I wonder what the final answer is!
     
  8. Alex.V

    Alex.V Kilo Poster

    Messages:
    36
    Hi
    You need to use the Plesk forum, not the Odin Automation forum.
     
  9. P_heck

    P_heck Kilo Poster

    Messages:
    60
    Problem solved:

    Code:
    if ($scheme != https) {
        return 301 https://domain.tld$request_uri;
    }
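    To confirm that a redirect like the one above does not reintroduce the renewal failure from the first post, the following is an added checker (not from the thread or from Plesk): it probes a host over plain http and requires a 301 to https for ordinary paths, but no redirect at all on /.well-known/acme-challenge/. The host name domain.tld is taken from the thread; the probe paths and the sample responses in the comments are constructed.

```python
# Added example (not from the thread): verify that an http->https redirect
# keeps the ACME HTTP-01 path reachable. Assumes the setup discussed above:
# every plain-http request gets a 301 to https, except
# /.well-known/acme-challenge/<token>, which must be answered in place.
from dataclasses import dataclass
from http.client import HTTPConnection
from typing import Optional
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def verdict(host: str, path: str, resp: Response) -> str:
    """Return 'ok' or the reason one plain-http response is wrong for this config."""
    if path.startswith(ACME_PREFIX):
        # The validator fetches this path over http. A constructed probe token
        # does not exist on disk, so 404 is the expected answer; any 3xx means
        # the https redirect is winning over the challenge location.
        if 300 <= resp.status < 400:
            return "acme path redirected (%d -> %s)" % (resp.status, resp.location)
        return "ok"
    if resp.status not in (301, 308):
        return "expected a permanent redirect, got %d" % resp.status
    want = urlsplit(path)
    target = urlsplit(resp.location or "")
    if target.scheme != "https":
        return "redirect target is not https: %r" % resp.location
    if target.hostname != host:
        return "redirect changes host: %r" % target.hostname
    if (target.path, target.query) != (want.path, want.query):
        # e.g. a rewrite without $request_uri would drop path or query string
        return "redirect drops the path: %r" % target.path
    return "ok"


def probe(host: str, path: str, timeout: float = 5.0) -> Response:
    """Fetch one path over plain http (port 80) without following redirects."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": host})
    r = conn.getresponse()
    r.read()
    return Response(r.status, r.getheader("Location"))


def check_host(host: str) -> dict:
    """Run the probes and return {path: verdict}; any non-'ok' value is a config problem."""
    paths = ["/", "/shop/index.php?a=1", ACME_PREFIX + "probe-token-does-not-exist"]
    return {p: verdict(host, p, probe(host, p)) for p in paths}
```

    Run check_host("domain.tld") from a machine outside the server; a redirect verdict on the challenge path is exactly the condition that produced the 404 in the renewal log above.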
    
     