Question
How can I use the new feature in Plesk 18.0.56 that allows Apache Web Server to listen on localhost on ports 7080 and 7081?
Answer
In Plesk 18.0.56, we introduced a new feature (PPP-43250) that allows Apache Web Server to listen on localhost on ports 7080 and 7081. This feature was introduced as a security improvement to reduce the attack surface by ensuring that Apache is no longer publicly accessible on these ports, thereby enhancing the overall security of your server.
Description of the new CLI command
The new CLI command plesk bin apache --listen-on-localhost <true|false> can be used to turn Apache localhost mode on or off.
The option value is stored in psa.misc.apacheListenLocalhost.
Default behavior for new Plesk installations
For fresh Plesk installations, the localhost mode is turned on by default.
The option value in psa.misc.apacheListenLocalhost is undefined and webserver.apacheListenLocalhost provides the default value.
Behavior for Plesk upgrades
For Plesk upgrades, the localhost mode is turned off by default.
The option value psa.misc.apacheListenLocalhost = false is stored explicitly during the upgrade.
Notice about custom hosting templates
Existing custom hosting templates may not work in localhost mode depending on modifications made in the template and should be adjusted accordingly.
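One way to check from the server itself whether localhost mode is in effect, as an added example that is not part of the original article or of Plesk's own tooling: the script classifies listeners on ports 7080 and 7081 from the output of ss -H -ltn. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. On a live server: ss -H -ltn | apache_ports_loopback_only

# Reads `ss -H -ltn` lines on stdin and prints "<LOCAL|PUBLIC> <addr> <port>"
# for every listener on the Apache backend ports 7080/7081.
classify_listeners() {
    awk '{
        ep = $4                                   # column 4: Local Address:Port
        n = split(ep, parts, ":")
        port = parts[n]
        if (port != "7080" && port != "7081") next
        addr = substr(ep, 1, length(ep) - length(port) - 1)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)  # strip IPv6 brackets
        sub(/%.*$/, "", addr)                       # strip scope such as %lo
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./)
            print "LOCAL", addr, port
        else
            print "PUBLIC", addr, port            # 0.0.0.0, *, ::, or a real IP
    }'
}

# Exit 0: every 7080/7081 listener is loopback-only.
# Exit 1: at least one listener is bound to a non-loopback address.
# Exit 2: nothing is listening on 7080/7081 at all.
apache_ports_loopback_only() {
    result=$(classify_listeners)
    [ -n "$result" ] || return 2
    if printf '%s\n' "$result" | grep -q '^PUBLIC '; then
        printf '%s\n' "$result" | grep '^PUBLIC ' >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs (not captured from a real server).
sample_localhost_mode() {
    printf '%s\n' 'LISTEN 0 511 127.0.0.1:7080 0.0.0.0:*' \
                  'LISTEN 0 511 [::1]:7081 [::]:*' \
                  'LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
}
sample_public_mode() {
    printf '%s\n' 'LISTEN 0 511 *:7080 *:*' 'LISTEN 0 511 [::]:7081 [::]:*'
}

for s in sample_localhost_mode sample_public_mode; do
    if $s | apache_ports_loopback_only 2>/dev/null; then
        echo "$s: 7080/7081 are loopback-only"
    else
        echo "$s: 7080/7081 exposed or not listening"
    fi
done
```

Because upgraded servers keep localhost mode off by default, a check like this is most useful after an upgrade and again after running the CLI command.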
Comments
Should you not explain here how to set it on/off?
> The new CLI command plesk bin apache --listen-on-localhost can be used to turn on/off Apache localhost mode.
Is true/false missing here? And does this command set the default behavior permanently or only temporarily?
And the hint where to find the "panel.ini" file is missing. Like linked to https://docs.plesk.com/de-DE/obsidian/administrator-guide/plesk-administration/konfigurationsdatei-panelini.78509/
If apacheListenLocalhost is set to true, the Plesk AW-Stats feature does not work anymore, because the IP in the server logs is always 127.0.0.1
The external IP that hits the NGINX Reverse-Proxy should be parsed to the logs, otherwise it will never work because all visitors come from the same IP address.
Please fix this and use X-Real-IP or something else.
With that feature turned on, I am not able to retrieve the visitor's IP address via PHP $_SERVER[ 'REMOTE_ADDR' ]
"Allow from xxx.xxx.xxx.xxx" via .htaccess is not possible, too.
Any solution for that?
Thanks for the recommendations Karl May, implemented accordingly.
TorbHo and concedra gmbh, thank you for reporting the described behavior. This will be fixed in the next hotfix for version 18.0.56.2.
For reference. PPPM-14170, Change Log for Plesk Obsidian
Does this really provide much additional security benefit? In any normal circumstance, wouldn't port 7080 and 7081 be closed at the firewall anyway? They certainly are on all my Plesk servers, so in that case - what benefit does this really offer?
Hi Gavin, while it's a good idea to close ports 7080 and 7081 on your firewall, it's important to remember that firewall configurations can vary widely from system to system. Not all users may have these ports closed on their firewalls.
The additional security benefit comes from the principle of "defense in depth". This is the use of multiple layers of security controls throughout an information technology (IT) system. The intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited. In this context, even if a firewall fails or is misconfigured and these ports are left open, closing them at the application level provides an additional layer of security.
This approach helps reduce the risk of unauthorized access and potential attacks. It's always better to have multiple security measures in place, even if some of them may seem redundant in certain configurations.