Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
- How to customize Plesk URL?
- How to make the Plesk interface accessible over a hostname without entering the port number? For example, https://server.example.com.
Answer
Note: If a domain that already exists in Plesk is going to be used as the entry point to Plesk, make sure that the option Permanent SEO-safe 301 redirect from HTTP to HTTPS is enabled at Domains > example.com > Hosting Settings and that a valid SSL certificate is used. For more information, see this KB article.
- Go to Tools & Settings > Customize Plesk URL.
- Specify the domain that will be used as an entry point to Plesk.
- Save the changes.
- Connect to the Plesk server via SSH (Linux) / RDP (Windows Server).
- Use these commands (on Windows Server, use a command prompt as an Administrator):
  - In this case, if there is a website with the specified name, it will become inaccessible because the Plesk panel will be shown instead.
    # plesk bin admin --enable-access-domain "server.example.com"
  - In this case, the panel will be accessible over HTTPS on any domain hosted on Plesk that has no website, and via the IP address.
    # plesk bin admin --enable-access-domain ""
  - In this case, the feature will be disabled. Plesk will be accessible via the default port 8443 only.
    # plesk bin admin --disable-access-domain
Note: If Plesk is used under WHMCS and the configuration described below is applied, login from WHMCS to Plesk will not work.
Warning: Fail2ban will be unable to prevent brute-force attempts because the IP address of every client will be 127.0.0.1, which is whitelisted by default in the Fail2ban configuration.
- Enable nginx as a reverse-proxy web server.
- In Plesk, create a subscription with the desired domain name (usually, the hostname). This domain should be resolvable from the Internet. In this example, 'server.example.com' is used.
- Enable the option Permanent SEO-safe 301 redirect from HTTP to HTTPS at Domains > server.example.com > Hosting Settings.
- Uncheck PHP support at Domains > server.example.com > PHP Settings and apply the changes.
- Go to Domains > server.example.com > Apache & nginx Settings, scroll down to the Additional nginx directives field and add the following lines:
  Note: The proxy_pass directive should contain an IP address of the domain.

    # Proxy every request except paths beginning with /.well-known to the Plesk panel on port 8443.
    location ~ ^/(?!\.well-known).*$ {
        proxy_pass https://203.0.113.2:8443;
        port_in_redirect off;
        proxy_set_header Host $host;
        # Allow large uploads through the panel.
        client_max_body_size 2048m;
    }
    # Larger buffers for the response headers sent by the panel.
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;

- Apply the changes.
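For the Fail2ban warning above: Plesk sees every proxied request as coming from 127.0.0.1, but the nginx access log of the front-end domain still records the real client address. The following is an added example, not part of the original article or of Plesk's tooling, that counts login POSTs per client from combined-format log lines; the use of /login_up.php as the POST target, the thresholds and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" access-log prefix: client address, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)
# Assumption: the login form posts to the path seen in this page's URLs.
LOGIN_PATH = "/login_up.php"

def login_bursts(lines, threshold=5, window_s=300):
    """Map client IP -> most login POSTs seen inside any window_s-second
    window, for clients reaching threshold. Unparseable lines are skipped."""
    posts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        posts[m["ip"]].append(ts)
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans <= window_s seconds.
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    f'198.51.100.7 - - [10/Oct/2023:13:55:{s:02d} +0000] '
    '"POST /login_up.php HTTP/1.1" 200 512 "-" "-"'
    for s in range(0, 60, 10)
] + [
    '192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "POST /login_up.php HTTP/1.1" 303 0 "-" "-"',
    '192.0.2.10 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 900 "-" "-"',
    "line that does not parse",
]
```

Calling login_bursts(SAMPLE) flags only 198.51.100.7; the counts cover all login POSTs, successful or not, because the log line alone does not say whether a login failed.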
Comments
@Jason, I see the point, reproduced the same on the test server. Thank you for your notification, the article requires internal review. We will re-check the article and update it with required information.
After I followed all the steps I get redirected back to the login page after trying to log in. Using the incognito mode doesn't work.
>Isn't there a way to bypass the proxy for .well-known requests in nginx-settings as there will be renewals of the certificate?
nginx uses the configuration inside the longest matching location field.
So you can just add to your nginx directives:
So that the proxy configuration inside the "location /" block is not used, and it will fallback to the document root specified in the block that describes the vhost.
==
Another thing I noticed is that Plesk adds "client_max_body_size 128m;" to the vhost block by default.
Which gives problems if users want to upload a file larger than 128 MB (e.g. a website backup) through the web interface.
Can solve that by adding "client_max_body_size 2048m;" to the "location /" block.
So you end up with:
I'm using Plesk Onyx v17.5.3_build1705170317.16 and added only the one directive that was given for Onyx in this article. I changed only the domain to the IP-Address.
    location / {
        proxy_pass https://IPv4-Address:8443;
        port_in_redirect off;
    }
Does the tutorial above bind the login domain to all IPs of the server, or just some?
I have the weirdest behavior, where the UI sometimes work and sometimes doesn't because of a not trusted certificate and HSTS restrictions.
When I have ssllabs.com test the UI domain, the certificate is okay for ipv4 but not ipv6.
@Konstantin, as I said 3 comments above, I've already done it, but it continuously redirects me to the login page. I've followed all the steps in this article (version: psa-17.5.3-cos7.build1705170317.16.x86_64).
@Konstantin
Yes, I did.
And as mentioned, after enlarging the proxy buffer size, the problem page does work.
Watching with Firebug one can see that this particular page tries to set a lot of cookies through "Set-Cookie:" HTTP response headers.
The total size of the HTTP response headers is 2053 bytes.
One would think that 2053 bytes should fit in the default 4 KB nginx buffer size. But for some reason it does not. Perhaps because it proxies to HTTPS it needs twice the space, or something like that?
Thanks, Lev! When I type in my new Plesk hostname before the port 'plesk.mydomain.com:8447...' it works just fine. Would that be possible to make the Updates & Upgrades redirect relative to the hostname then, not the localhost? Hiding a port number for the updates will, of course, not be possible but still better than typing in a custom hostname every time.
On the other note, I have noticed that proxying port 80 to 8880 or 8443 opens the port for everyone on the Internet. I suggest blocking that with nginx:
I'm using Plesk Onyx v17.5.3_build1705170317.16 os_CentOS 7 and the steps are a little different, the firewall is a Plesk component not an extension, so make sure the component is enabled.
But my main problem is that I'm unable to log in after following these steps. The login page is displayed correctly but when I log in I get redirected to the login page like I haven't logged in at all.
EDIT: It was a browser problem for me. Works when I try it in incognito.
@Adrian, it is required to enable nginx first: https://support.plesk.com/hc/en-us/articles/213944825-How-to-enable-Nginx-reverse-proxy-in-Plesk
Unable to find the last step:
What do I do?
Hello Christian Guitton,
Sorry for the late response.
In case the issue still takes place, consider submitting a request for Plesk support.
A closer look is required to understand the cause.
@Martin Check the solution provided by @Floris
@Floris Additionally you can check https://support.plesk.com/hc/en-us/articles/213914565 article regarding client_max_body_size directive.
Oh, yes, I see.
The last part of the link could not be hidden.
However it occurs on the login page only and it (last part) is grayed out in the status bar in most of modern browsers (For example Chrome and Safari).
So, I believe that it is not a big problem.
However if you think that such functionality should be implemented in Plesk as a native one (function to add a domain to access Plesk without entering port number), you can create corresponding feature request here:
https://plesk.uservoice.com/forums/184549-feature-suggestions
The top-ranked suggestions are likely to be included in the next versions of Plesk.
Worked fine, but when I click "Updates & Upgrades" it redirects me to https://127.0.0.1:8447/?secret=&locale=en-US. How to fix this?
Hello I have the psa-17.5.3-cos7.build1705170317.16.x86_64 version installed and I followed the article, but when I try to login into "http://plesk.mydomain.tld" I always get a redirect to the same page (url: "https://plesk.mydomain.tld/login_up.php?success_redirect_url=https%3A%2F%2Fplesk.mydomain.tld%3A8443%2F").
When I add the port there is no problem (http://plesk.mydomain.tld:8443), but without the port I get always redirected. Can I use it without the port or it is required for working?
@Simeon
I do not see any additional ways to get such errors in test environment.
So, I recommend you to contact Plesk Technical Support (submit a ticket or start chat).
@Lev lurev Do you have a more detailed explanation as to why this happens? I used this method and it works fine for the Plesk login. However, I do have the same redirect problem as @Webmaster when trying to reach the "Updates & Upgrades" page.
After the redirect fails I can change 127.0.0.1 back to sub.domain.ext and reach the page, so it does still work.
Is there any way to fix the redirect so it doesn't change the host name initially and redirects to https://sub.domain.ext:8447?
>@Floris Additionally you can check https://support.plesk.com/hc/en-us/articles/213914565 article regarding client_max_body_size directive.
That's another way to do it.
Do note that the duplicate directive problem described there does not apply if you stick the parameter inside the "location /" block.
Can have both a parameter at vhost level (added by Plesk) and an overriding one at location level (specified by you).
Just not two at vhost level.
@Simeon
Could you please watch this video?
Here you can see the solution on how to "use the login page (and so login to the admin panel) without entering the port"
I just performed the steps from the article and as a result I can use the plain URL as a login page to Plesk.
Does it meet your expectations?
@Konstantin
It works now! I set my new plesk admin domain "admin.mydomain.com" as the main System Server full hostname and now it works! The interesting thing is if I put again my old main domain that was set before "mydomain.com", it is working anyway. I think it was some kind of Plesk cache or similar so I suggest you to add a last step in this article suggesting to go and re-save the system settings.
Anyway, what hostname should be right to set for the "Full hostname" parameter? The IP, the new admin panel domain (admin.mydomain.com) or the main domain (mydomain.com)?
Thank you very much!
@Martin, I am not sure if it is possible at all. But I can say for sure, Plesk cannot make such configuration.
@Lev thank you for the fast reply. I will wait for the fix.
@Webmaster I suppose that it will be better to restrict access via allow/deny
So there is no solution to have a clean url for my clients without obligating them to put the port every time?
Edit: In fact, the topic of this thread says "...without entering the port?"
@Floris
Ok, thank you for input. I will add this to article.
I don't have the field "Additional nginx directives", just the apache directives:
How can I change the plesk admin from mydomain.com:8443 to admin.mydomain.com?
Heinrich Krebs this seems to be another issue. Could you please open a support ticket with us? https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-
Hello Simeon,
Most probably, a cause of that behaviour was in a browser cache.
As for the hostname, do not use an IP address as your full hostname. Instead of that, feel free to use "admin.mydomain.com" or "mydomain.com". The main point is that it should be resolvable from the server and nginx directive should contain exactly the same hostname.
@Webmaster unfortunately it does not work for "Updates & Upgrades" as it is listening on another port.