How to make Plesk interface accessible over a hostname without entering the port number on a Linux server

52 comments

  • Martin

    How do I secure this Domain with Let's Encrypt?
    There should be some directive for nginx to allow it?

    I'm getting this error (domain name changed):

    Error: Could not issue a Let's Encrypt SSL/TLS certificate for subdomain.domain.com.

    The authorization token is not available at https://subdomain.domain.com/.well-known/acme-challenge/iTqrmucehzz3t4B2YTkaklFXAO4K_qyEkrxecd_w0-Q.
    To resolve the issue, make it is possible to download the token file via the above URL.

  • Bulat Tsydenov

    @Martin The Let's Encrypt extension places a temporary script in the .well-known/acme-challenge/ directory of the website. Therefore, in order to generate a Let's Encrypt certificate for the domain, you need to generate it before applying the solution from this article. In other words, the domain should not redirect anywhere.

  • Konstantin Annikov

    @Simeon

    I do not see any additional ways to get such errors in a test environment.

    So, I recommend that you contact Plesk Technical Support (submit a ticket or start a chat).

  • Simeon Ivaylov Petrov (Edited)

    @Konstantin

    Thank you for your dedication. I will try to contact the support team and will let you know if I solve the problem. I can see from some comments above that I am not the only one who has this problem (see https://support.plesk.com/hc/en-us/articles/213945625/comments/115000148993 and the final response to his problem here https://support.plesk.com/hc/en-us/articles/213945625/comments/115000149133).

  • Konstantin Annikov

    @Simeon, 

    Jason used the IP instead of domain's name. 

    As we already confirmed, it is necessary to add exactly the same domain name to the additional directives as the name of the subscription.

    I have already updated the article with a corresponding note.

    Waiting for you in support.

  • Simeon Ivaylov Petrov

    @Konstantin

    It works now! I set my new Plesk admin domain "admin.mydomain.com" as the main System Server full hostname and now it works! The interesting thing is that if I put back my old main domain that was set before, "mydomain.com", it still works. I think it was some kind of Plesk cache or similar, so I suggest you add a last step to this article suggesting to go and re-save the system settings.

    Anyway, what hostname is the right one to set for the "Full hostname" parameter? The IP, the new admin panel domain (admin.mydomain.com) or the main domain (mydomain.com)?

    Thank you very much!

  • Andrey Ivanov

    Hello Simeon,

    Most probably, the cause of that behaviour was the browser cache.

    As for the hostname, do not use an IP address as your full hostname. Instead, feel free to use "admin.mydomain.com" or "mydomain.com". The main point is that it should be resolvable from the server and the nginx directive should contain exactly the same hostname.

  • Floris (Edited)

    With Plesk Onyx on Ubuntu 16.04 the config presented here produces "502 Bad gateway" errors on some pages:

    502 GET /smb/web/overview/id/d:2 HTTP/2.0
    12748#0: *2655 upstream sent too big header while reading response header from upstream

    Adjusting buffer size seems to fix those:

    location / {
       proxy_pass https://myserver:8443;
       port_in_redirect off;
       proxy_buffer_size 128k;
       proxy_buffers 4 256k;
       proxy_busy_buffers_size 256k;
    }

  • Konstantin Annikov

    @Floris, 

    Did you turn off PHP support and FastCGI support for the domain completely?

  • Floris (Edited)

    @Konstantin

    Yes, I did.

    And as mentioned, after enlarging the proxy buffer size, the problem page does work.

    Watching with Firebug one can see that this particular page tries to set a lot of cookies through "Set-Cookie:" HTTP response headers.

    The total size of the HTTP response headers is 2053 bytes.

    One would think that 2053 bytes should fit in the default 4 KB nginx buffer size. But for some reason it does not. Perhaps because it proxies to HTTPS it needs twice the space, or something like that?


  • Martin

    > @Martin The Let's Encrypt extension places a temporary script in the .well-known/acme-challenge/ directory of the website. Therefore, in order to generate a Let's Encrypt certificate for the domain, you need to generate it before applying the solution from this article. In other words, the domain should not redirect anywhere.

    Isn't there a way to bypass the proxy for .well-known requests in nginx-settings as there will be renewals of the certificate?

  • Konstantin Annikov

    @Floris

    OK, thank you for the input. I will add this to the article.

  • Bulat Tsydenov

    @Martin, I am not sure if it is possible at all. But I can say for sure, Plesk cannot make such configuration.

  • Floris (Edited)

    > Isn't there a way to bypass the proxy for .well-known requests in nginx-settings as there will be renewals of the certificate?

    nginx uses the configuration inside the longest matching location field.

    So you can just add to your nginx directives:

    location /.well-known {
    }

    So that the proxy configuration inside the "location /" block is not used, and it will fall back to the document root specified in the block that describes the vhost.

    ==

    Another thing I noticed is that Plesk adds "client_max_body_size 128m;" to the vhost block by default.

    Which gives problems if users want to upload a file larger than 128 MB (e.g. a website backup) through the web interface.

    Can solve that by adding "client_max_body_size 2048m;" to the "location /" block.

    So you end up with:

    location / {
       proxy_pass https://plesk.your-domain.com:8443;
       port_in_redirect off;
       proxy_buffer_size 128k;
       proxy_buffers 4 256k;
       proxy_busy_buffers_size 256k;
       client_max_body_size 2048m;
    }
    location /.well-known {
    }

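The longest-prefix selection described in the comment above, as an added example (not part of the thread and not Plesk's own code): a small Python model of nginx prefix-location matching applied to the two blocks posted there. The `NARROW` variant and the sample URIs are assumptions constructed for illustration.

```python
# Added example: simplified model of how nginx picks a prefix location.
# Modelled: "=" exact match and plain prefix (longest wins). Not modelled:
# regex locations (checked after the prefix search, and able to override a
# plain prefix) and the "^~" modifier that suppresses that regex check.

PROXY = "proxy_pass to port 8443"    # descriptive labels, not nginx syntax
DOCROOT = "vhost document root"

# The two blocks from the thread.
THREAD = [("", "/", PROXY), ("", "/.well-known", DOCROOT)]
# Assumption (not from the thread): a narrower exemption for ACME only.
NARROW = [("", "/", PROXY), ("", "/.well-known/acme-challenge/", DOCROOT)]


def select_location(uri, locations=THREAD):
    """Return the (modifier, prefix, handler) tuple chosen for a request URI."""
    path = uri.split("?", 1)[0]      # the query string is not matched
    best = None
    for loc in locations:
        modifier, prefix, _ = loc
        if modifier == "=":
            if path == prefix:
                return loc           # exact match ends the search
        elif path.startswith(prefix):
            if best is None or len(prefix) > len(best[1]):
                best = loc           # keep the longest matching prefix
    return best


def served_locally(uri, locations=THREAD):
    """True when the request is answered from the docroot, not the panel."""
    chosen = select_location(uri, locations)
    return chosen is not None and chosen[2] == DOCROOT


# Constructed sample requests; the token and the last two paths are made up.
SAMPLE = [
    "/.well-known/acme-challenge/CONSTRUCTED_TOKEN",
    "/smb/web/overview/id/d:2",
    "/.well-known-backup/x",         # a plain prefix is a string prefix
    "/panel?next=/.well-known/x",
]

if __name__ == "__main__":
    for uri in SAMPLE:
        print(f"{uri:48} thread={served_locally(uri)!s:5} "
              f"narrow={served_locally(uri, NARROW)}")
```

With the thread's blocks, `/.well-known-backup/x` is also answered from the document root because a plain prefix matches as a string; the narrower prefix keeps that request on the proxy while still exempting the ACME challenge path.
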
  • Simeon Ivaylov Petrov (Edited)

    Hello, I've implemented the solution with a subdomain like "admin.mydomain.com" and it is working well, but when I go to Website & Domains => Switch to classic view => Click on a domain, I receive a "502 Bad Gateway" from nginx. But if I use it normally with my main domain and the port (https://mydomain.com:8443........) it works.

    Edit:
    Ok, I can see that you've updated the article with the solution of 502 errors adding the buffer directives.
    It worked for me too. Thank you!

  • Nikolay Zhmuk (Edited)

    @Martin Check the solution provided by @Floris

    location /.well-known {
    }

    @Floris Additionally you can check https://support.plesk.com/hc/en-us/articles/213914565 article regarding client_max_body_size directive.

  • Floris (Edited)

    > @Floris Additionally you can check https://support.plesk.com/hc/en-us/articles/213914565 article regarding client_max_body_size directive.

    That's another way to do it.

    Do note that the duplicate directive problem described there does not apply if you stick the parameter inside the "location /" block.

    Can have both a parameter at vhost level (added by Plesk) and an overriding one at location level (specified by you).

    Just not two at vhost level.

  • Martin

    @Floris Thank you - it worked!

  • Floris (Edited)

    We would like to disallow direct access to port 8443 altogether (through iptables rules), so that legitimate users can only log in through the main URL without port, and outsiders that do not know the exact hostname of our panel cannot access it.

    However I am experiencing the problem that Plesk still sends out e-mails that contain the URL with :8443 in it.

    I was able to change "https://<hostname>:8443" to "https://<hostname>" in most e-mail templates under "Tools and settings" -> "Notifications"

    However I cannot find the template of the e-mail that is used when resetting passwords. Am I not looking right, or does Plesk intentionally hide this?

  • Ivan Postnikov

    @Floris

    The email for password resetting is hardcoded. So, there is no template to be able to change the URL.

    However, you may suggest this feature at https://plesk.uservoice.com/forums/184549-feature-suggestions

    The top-ranked suggestions are likely to be included in the next versions of Plesk.

  • Adrian Bedrunka

    I don't have the field "Additional nginx directives", just the Apache directives.

    How can I change the Plesk admin from mydomain.com:8443 to admin.mydomain.com?

  • Alexandr Tumanov

    @Adrian, it is required to enable nginx first: https://support.plesk.com/hc/en-us/articles/213944825-How-to-enable-Nginx-reverse-proxy-in-Plesk 
