Disable/Enable TLS v1.0 v1.1 and v1.2 for plesk

This actually applies to any website, but is specifically aimed at plesk. Today a customer had complained that we’d disabled both tls 1 and 1.1, they wanted 1.1 for compatibility in the meantime, so it requires doing 1 of 2 things.

plesk bin server_pref -u -ssl-protocols 'TLSv1.1 TLSv1.2'

Or alternatively it can be done directly from within the conf.d ssl.conf for plesk in /etc/httpd/conf.d/ssl.conf, this also applies to httpd users not using plesk.

[root@888426-WEB3 ~]# cat /etc/httpd/conf.d/ssl.conf | grep TLS
#SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
##     This exports the standard SSL/TLS related `SSL_*' environment variables.
##   The safe and default but still SSL/TLS standard compliant shutdown
##     the SSL/TLS standard but is needed for some brain-dead browsers. Use
##     alert of the client. This is 100% SSL/TLS standard compliant, but in
SSLProtocol +TLSv1.1 +TLSv1.2

A pretty simple operation here.

Redirect HTTP to HTTPS

It’s pretty simple after adding a HTTPS site in apache, to forward your existing HTTP website traffic to HTTPS. There might be reasons why you don’t forward everything, but in this case today I was asked to forward everything. Here is how I achieved it:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] 

It could be configured for a specific directory tho

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?somedir/(.*) https://%{SERVER_NAME}/secure/$1 [R,L] 

Pretty simple stuff.

Setting X-Frame-Options HTTP Header to allow SAME or NON SAME ORIGINS

It’s possible to increase the security of a webserver running a website, by ensuring that the X-FRAME-OPTIONS header pushes a header to the browser, which enforces the origin (server) serving the site. It prevents the website then providing objects which are not local to the site, in the stream. An admirable option for those which wish to increase their server security.

Naturally, there are some reasons why you might want to disable this, and in proper context, it can be secure. Always be sure to discuss with your pentester or PCI compliance officer, such considerations before proceeding, especially making sure that if you do not want to use SAME ORIGIN you always use the most secure option for the required task. Always check if there is a better way to achieve what your trying to do, when making such changes to your server configuration.

Insecure X-Frame-Option allows remote non matching origins

Header always append X-Frame-Options ALLOWALL

Secure X-Frame-Option imposes on the browser to not allow non origin(al) connections for the domain, which can prevent clickjack and other attacks.

Header always append X-Frame-Options SAMEORIGIN