Configuration of SSL/TLS on CentOS server running Plesk
Even when SSL is enabled on the Plesk panel, SSL/TLS still needs to be configured properly to make your server and site more secure. This article shows how to configure SSL/TLS on a CentOS server running Plesk.
If you test your site at https://www.ssllabs.com/ssltest/analyze.html and it scores below grade B because TLS and some ciphers are not configured, you need to configure the server to use TLS 1.2 and enable a suitable set of ciphers.
Here I briefly describe the configuration of SSL/TLS on a CentOS server running the Plesk panel.
Steps to Configure SSL/TLS on CentOS server running Plesk
First, create a dhparam PEM file for the nginx server by running the commands below.
linuxtweaks ~]# cd /etc/nginx
linuxtweaks ~]# openssl dhparam -out dhparam.pem 4096
This step can take several minutes to generate the PEM file, so wait for it to finish.
Next, copy the SSL configuration templates (webmail, domain-specific and server-wide) that hold the SSL/TLS settings.
linuxtweaks ~]# mkdir -p /usr/local/psa/admin/conf/templates/custom/domain
linuxtweaks ~]# mkdir -p /usr/local/psa/admin/conf/templates/custom/server
linuxtweaks ~]# cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/
linuxtweaks ~]# cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/
linuxtweaks ~]# cp /usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php /usr/local/psa/admin/conf/templates/custom/server/
We have now copied three files: the first for the mail server, the second for domain-specific settings, and the third for the server's core virtual host.
Next, update the SSL protocols, the SSL ciphers and the server cipher preference. Find the following lines in all three files:
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
Replace them with:
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
The cipher list above is chosen for compatibility with browsers at the time of writing, so it may need to be updated later.
Finally, reload nginx so the new configuration takes effect.
linuxtweaks ~]# /usr/local/psa/admin/bin/httpdmng --reconfigure-all
linuxtweaks ~]# nginx -s reload
Now you can test your site again at the SSL security testing link given above:
https://www.ssllabs.com/ssltest/analyze.html
You will definitely get an A or A+ for your site's security and SSL installation.
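As an offline complement to the SSL Labs test, the directives changed in the steps above can be checked directly in a configuration file. The script below is an added example, not part of the original article or of Plesk; the function names directive and audit_tls_conf are hypothetical, the sample files are constructed from the article's "before" and "after" settings, and it assumes the directives appear literally in the file being checked.

```bash
#!/usr/bin/env bash
# Added example: audit an nginx config or template for the directives changed above.

# Print the arguments of nginx directive $2 as found in file $1.
# '#' comments are dropped and ';' is treated as the directive separator,
# so several directives on one line are handled too.
directive() {
    sed 's/#.*//' "$1" | tr ';' '\n' | awk -v d="$2" '$1 == d { $1 = ""; print }'
}

# Print one line per finding; the return status is the number of findings.
audit_tls_conf() {
    local file=$1 findings=0 protos weak
    protos=$(directive "$file" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "$file: ssl_protocols not set"; findings=$((findings + 1))
    else
        for weak in SSLv2 SSLv3; do
            if printf '%s\n' "$protos" | grep -qw "$weak"; then
                echo "$file: $weak is enabled"; findings=$((findings + 1))
            fi
        done
        if ! printf '%s\n' "$protos" | grep -qw 'TLSv1\.2'; then
            echo "$file: TLSv1.2 is not enabled"; findings=$((findings + 1))
        fi
    fi
    if [ -z "$(directive "$file" ssl_dhparam)" ]; then
        echo "$file: ssl_dhparam not set"; findings=$((findings + 1))
    fi
    if ! directive "$file" ssl_prefer_server_ciphers | grep -qw on; then
        echo "$file: ssl_prefer_server_ciphers is not on"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input: the article's "before" and "after" directives
# (cipher list shortened for the sample).
old_conf=$(mktemp); new_conf=$(mktemp)
echo 'ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on;' > "$old_conf"
cat > "$new_conf" <<'EOF'
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
EOF
audit_tls_conf "$old_conf" || echo "findings: $?"
audit_tls_conf "$new_conf" && echo "$new_conf: clean"
```

To use it on the server, call audit_tls_conf on each of the three files copied under /usr/local/psa/admin/conf/templates/custom/ after editing them; a non-zero status means at least one of the settings from this article is still missing.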
It’s Done!