Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
-
How to customize Plesk URL?
-
How to make Plesk interface accessible over a hostname without entering the port number? For example, https://server.example.com.
Answer
Note: If an existing in Plesk domain is going to be used as an entry point to Plesk, make sure that the option Permanent SEO-safe 301 redirect from HTTP to HTTPS is enabled at Domains > example.com > Hosting Settings and a valid SSL certificate is used. For more information, see this KB article.
-
Go to Tools & Settings > Customize Plesk URL.
-
Specify the domain that will be used as an entry point to Plesk.
-
Save the changes.
-
Connect to the Plesk server via SSH (Linux) / RDP (Windows Server).
-
Use these commands (on Windows Server, use a command prompt as an Administrator):
-
In this case, if there is a website with the specified name, it will become inaccessible because Plesk panel will be shown.
# plesk bin admin --enable-access-domain "server.example.com"
-
In this case, the panel will be accessible on any domain hosted on Plesk and not having website and via IP address on HTTPS.
# plesk bin admin --enable-access-domain ""
-
In this case, the feature will be disabled. Plesk will be accessible via default port 8443 only.
# plesk bin admin --disable-access-domain
-
Notes: If Plesk is used under WHMCS and configuration described below is applied, then login from WHMCS to Plesk will not work.
Warning: Fail2ban will be unable to prevent brute-force attempts because an IP address of a client will be 127.0.0.1, which is white-listed by default in Fail2ban configuration.
-
Enable nginx as a reverse-proxy web-server.
-
In Plesk, create a subscription with desired domain name (usually, the hostname). This domain should be resolved from the Internet. In this example, 'server.example.com' is used.
-
Enable the option Permanent SEO-safe 301 redirect from HTTP to HTTPS at Domains > server.example.com > Hosting Settings:
-
Un-check PHP support at Domains > server.example.com > PHP Settings and apply the changes.
-
Go to Domains > server.example.com > Apache & nginx setting > scroll down to the Additional nginx directives field and add the following lines:
Note: The
proxy_passdirective should contain an IP address of the domain.CONFIG_TEXT: location ~ ^/(?!.well-known).*$ {
proxy_pass https://203.0.113.2:8443;
port_in_redirect off;
proxy_set_header Host $host;
client_max_body_size 2048m;
}
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k; -
Apply the changes.
Comments
59 comments
How do I secure this Domain with Let's Encrypt?
There should be some directive fpr nginx to allow it?
I'm getting this error (domain name changed):
Error: Could not issue a Let's Encrypt SSL/TLS certificate for subdomain.domain.com.
The authorization token is not available at https://subdomain.domain.com/.well-known/acme-challenge/iTqrmucehzz3t4B2YTkaklFXAO4K_qyEkrxecd_w0-Q.
To resolve the issue, make it is possible to download the token file via the above URL.
@Martin Let's Encrypt extension places temporary script to .well-known/acme-challenge/ directory of the website. Therefore, in order to generate Let's Encrypt certificate for the domain, you need to generate it before applying the solution from this article. In other words, the domain should not redirect to somewhere.
@Simeon
I do not see any additional ways to get such errors in test environment.
So, I recommend you to contact Plesk Technical Support (submit a ticket or start chat).
@Konstantin
Thank you for your dedication. I will try to contact the support team and will let you know if I will solve the problem. I can see some comments above that I am not the only one that has this problem (see https://support.plesk.com/hc/en-us/articles/213945625/comments/115000148993 and the final response of his problem here https://support.plesk.com/hc/en-us/articles/213945625/comments/115000149133)
@Simeon,
Jason used the IP instead of domain's name.
As we already confirmed, it is needed to add exactly the same domain name to the additional directives as the name of subscription.
I have already updated the article with correspondence note.
Waiting for you in support.
@Konstantin
It works now! I set my new plesk admin domain "admin.mydomain.com" as the main System Server full hostname and now it works! The interesting thing is if I put again my old main domain that was set before "mydomain.com", it is working anyway. I think it was some kind of Plesk cache or similar so I suggest you to add a last step in this article suggesting to go and re-save the system settings.
Anyway, what hostname should be right to set for the "Full hostname" parameter? The IP, the new admin panel domain (admin.mydomain.com) or the main domain (mydomain.com)?
Thank you very much!
Hello Simeon,
Most probably, a cause of that behaviour was in a browser cache.
As for the hostname, do not use an IP address as your full hostname. Instead of that, feel free to use "admin.mydomain.com" or "mydomain.com". The main point is that it should be resolvable from the server and nginx directive should contain exactly the same hostname.
With Plesk Onyx on Ubuntu 16.04 the config presented here produces "502 Bad gateway" errors on some pages:
Adjusting buffer size seems to fix those:
location / {proxy_pass https://myserver:8443;
port_in_redirect off;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
@Floris,
Did you turned off php support and FastCGI support for the domain completelyl?
@Konstantin
Yes, I did.
And as mentioned, after enlarging the proxy buffer size, the problem page does work.
Watching with Firebug one can see that this particular page tries to set a lot of cookies through "Set-Cookie:" HTTP response headers.
The total size of the HTTP response headers is 2053 bytes.
One would think that 2053 bytes should fit in the default 4 KB nginx buffer size. But for some reason it does not. Perhaps because it proxies to HTTPS it needs twice the space, or something like that?
> @Martin Let's Encrypt extension places temporary script to .well-known/acme-challenge/ directory of the website. Therefore, in order to generate Let's Encrypt certificate for the
> domain, you need to generate it before applying the solution from this article. In other words, the domain should not redirect to somewhere.
Isn't there a way to bypass the proxy for .well-known requests in nginx-settings as there will be renewals of the certificate?
@Floris
Ok, thank you for input. I will add this to article.
@Martin, I am not sure if it is possible at all. But I can say for sure, Plesk cannot make such configuration.
>Isn't there a way to bypass the proxy for .well-known requests in nginx-settings as there will be renewals of the certificate?
nginx uses the configuration inside the longest matching location field.
So you can just add to your nginx directives:
location /.well-known {}
So that the proxy configuration inside the "location /" block is not used, and it will fallback to the document root specified in the block that describes the vhost.
==
Another thing I noticed is that Plesk adds "client_max_body_size 128m;" to the vhost block by default.
Which gives problems if users want to upload a file larger than 128 MB (e.g. a website backup) through the web interface.
Can solve that by adding "client_max_body_size 2048m;" to the "location /" block.
So you end up with:
location / {proxy_pass https://plesk.your-domain.com:8443;
port_in_redirect off;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_max_body_size 2048m;
}
location /.well-known {
}
Hello, I've implemented the solution with a subdomain like "admin.mydomain.com" and it is working well but when I go to Website & Domains => Swtich to classic view => Click on a domain, I receive a "502 Bad Gateway" from nginx. But if I use it normally with my main domain and the port (https://mydomain.com:8443........) it works.
Edit:
Ok, I can see that you've updated the article with the solution of 502 errors adding the buffer directives.
It worked for me too. Thank you!
@Martin Check the solution provided by @Floris
location /.well-known {}
@Floris Additionally you can check https://support.plesk.com/hc/en-us/articles/213914565 article regarding client_max_body_size directive.
>@Floris Additionally you can check https://support.plesk.com/hc/en-us/articles/213914565 article regarding client_max_boy_size directive.
That's another way to do it.
Do note that the duplicate directive problem described there does not apply if you stick the parameter inside the "location /" block.
Can have both a parameter at vhost level (added by Plesk) and an overriding one at location level (specified by you).
Just not two at vhost level.
@Floris Thank you - it worked!
We would like to disallow direct access to port 8443 altogether (through iptables rules), so that legitimate users can only login through the main URL without port, and outsiders that do not know the exact hostname of our panel cannot access it.
However I am experiencing the problem that Plesk still sends out e-mails that contain the URL with :8443 in it.
I was able to change "https://<hostname>:8443" to "https://<hostname>" in most e-mail templates under "Tools and settings" -> "Notifications"
However I cannot find the template of the e-mail that is used when resetting passwords. Am I not looking right, or does Plesk intentionally hide this?
@Floris
The email for password resetting is hardcoded. So, there is no template to be able to change the URL.
However, you may suggest this feature at https://plesk.uservoice.com/forums/184549-feature-suggestions
The top-ranked suggestions are likely to be included in the next versions of Plesk.
I don't have the field "Additional nginx directives", just the apache directives:
How can I chance the plesk admin from mydomain.com:8443 to admin.mydomain.com?
@Adrian, it is required to enable nginx first: https://support.plesk.com/hc/en-us/articles/213944825-How-to-enable-Nginx-reverse-proxy-in-Plesk
Does the tutorial above bind the login domain to all IPs of the server, or just some.
I have the weirdest behavior, where the UI sometimes work and sometimes doesn't because of a not trusted certificate and HSTS restrictions.
When I have ssllabs.com test the UI domain, the certificate is okay for ipv4 but not ipv6.
Heinrich Krebs this seems to be another issue. Could you please open a support ticket with us? https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-
I use Obsidian and followed the steps above and everthing is working so far. But the login page is now also accessible under http and does not automatically forward to https. I block the port 8443 through a firewall.
Domain is set to 301 redirect and SSL on. On port 8443 it was working.
How can i solve this problem?
Actually I got it fixes once I deleted all certificates until a single wildcard certificate from Let's Encrypt remained. Once I bound that to the Plesk Interface it all worked well.
Hello Christian Guitton,
Sorry for the late response.
In case the issue still takes a place, consider submitting a request for Plesk support.
A closer look is required to understand the cause.
What could be the cause that http://hostname does not redirect to https://hostname ?
http://hostname is displaying the Plesk default page
https://hostname is displaying the username / password page.
Is there a way to stop accessing the Plesk interface via IP when using a domain? I want to drop connections when someone tries to use the IP instead of the domain.
Any ideas? Thanks
Please sign in to leave a comment.