All posts by steven

App-v Staging script

We are having performance issues with virtualising some packages in App-V 5. There is a package that needs its entire registry before it performs well. When a user starts the package three or four times it starts to perform better. We have seen that the registry increases by 200 MB of plain-text size, which is quite a lot. Since all our XenApp servers are virtualised and provisioned, every reboot removes the changes in the registry, so the package remains very slow. We created a script that runs on all servers and starts a CMD.exe in a virtualised process. This triggers staging and thus loads the entire registry. When this script is run before any users connect, users always get good performance.

#import AppVClient module
ipmo *appv*

#get all appv packages
$apps = Get-AppvClientPackage

#get connection group packages
$connApps = (Get-AppvClientConnectionGroup).GetPackages()

#remove connection-group packages from the list
[System.Collections.ArrayList]$appList = $apps
foreach ($connApp in $connApps) {
    $appList = $appList | ? { $_.Name -ne $connApp.Name }
}

#for each (non-connection group) appv package...
foreach ($app in $appList) {
    #get the package ID and version ID
    $package = ($app.PackageId).ToString()
    $version = ($app.VersionId).ToString()

    #start a blank cmd.exe in the environment (this kicks off the App-V 5 registry staging)
    Start-AppvVirtualProcess -AppvClientObject (Get-AppvClientPackage $app.Name) cmd.exe

    #wait until the client has written the RegistryStagingFinished marker for this version
    do {
        Write-Host "Testing: " $app.Name
        Start-Sleep 1
    } until (Test-Path "HKLM:\SOFTWARE\Microsoft\AppV\Client\Packages\$package\Versions\$version\RegistryStagingFinished")
    Write-Host $app.Name

    #staging is done, stop the virtual cmd.exe again
    $appvProcess = Get-AppvVirtualProcess
    Stop-Process $appvProcess -Force
}

#for each connection group...
$conGroups = Get-AppvClientConnectionGroup
foreach ($group in $conGroups) {
    #get the connection group ID and version ID
    $package = ($group.GroupId).ToString()
    $version = ($group.VersionId).ToString()

    #start a blank cmd.exe in the environment (this kicks off the App-V 5 registry staging)
    Start-AppvVirtualProcess -AppvClientObject ($group) cmd.exe

    #wait until the client has written the RegistryStagingFinished marker for this group version
    do {
        Write-Host "Testing: " $group.Name
        Start-Sleep 1
    } until (Test-Path "HKLM:\SOFTWARE\Microsoft\AppV\Client\PackageGroups\$package\Versions\$version\RegistryStagingFinished")
    Write-Host $group.Name

    #staging is done, stop the virtual cmd.exe again
    $appvProcess = Get-AppvVirtualProcess
    Stop-Process $appvProcess -Force
}


To start the above script I used DPAPI to encrypt the password of the service account. I configured a scheduled task to run every day at 6:30 AM. I wrote an article or two about this some time ago. It is important to encrypt the password while logged in as that account, and the profile of that service account should not be removed!

The script used to launch the script above is shown below:

<#Custom Module#>
Import-Module "LocationWhenTheFunctionIsLocated\Function.psm1" -Force
<#Script Start#>
Add-PSSnapin Citrix*
#Note that the username is without the domain name
$UserName = "ServiceAccount"
#Decrypt the DPAPI-protected password. -Entropy is not a parameter of the built-in ConvertTo-SecureString,
#so this assumes the custom module imported above supplies it.
$SecureString = Get-Content -Path "LocationOfTheStoredPassword.txt" | ConvertTo-SecureString -Entropy ([Math]::PI)
$SecureString = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString))
#If the server that launches the script is not a Citrix server you have to add -ComputerName COMPUTERNAME
$OnlineServers = Get-XAServer -ZoneName FarmName -OnlineOnly | ? { $_.ServerName -match "PrefixFromProductionServers" -and $_.ServerName -notmatch "tst" -and $_.ServerName -notmatch "DEV" }
#Line below is for testing purposes
Add-Content -Value $OnlineServers -Path "G:\Scheduler_Scripts\GMN\App-V Prelaunch\Test.csv"
Foreach ($Server in $OnlineServers) {
    $ServerName = $Server.ServerName
    #schedule the task once, 30 minutes from now
    $Date = (Get-Date).AddMinutes(30)
    schtasks /create /S $ServerName /RU DOMAIN\$UserName /RP $SecureString /SC Once /SD $Date.ToString('dd"/"MM"/"yyyy') /ST $Date.ToString('HH":"mm') /TN "App-V 5 Prelaunch Script" /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe \\SharedLocationOfScriptAbove.ps1" /F
}

A few things are important to make this work. First you need to put the first script on a shared location, let's say the netlogon share or whatever directory works for you. Next you need to have the XenApp SDK installed on the server that runs the script; only the PowerShell cmdlets are required. You need a XenApp server that can be reached over the network, and you'll need to know the farm name. And of course you'll need to have the function loaded; I added the function below this post. Check your execution policy settings before scheduling.

Function

Test TLS version on SMTP

My server had some issues sending mail in a secure manner. Somehow the SASL authentication failed. After this was fixed I wanted to determine what TLS version and ciphers were used. After spending some time searching the web for an online tool that would do the job, I remembered an OpenSSL parameter that does it. Run the following command:

openssl s_client -connect somedomain.tld:25 -starttls smtp

Of course somedomain.tld should be the host named in the MX record for that domain. In my case the following output was what I wanted to know:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
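The same check can be scripted so it runs against every MX host in turn and fails when the negotiated parameters are weak. The Python below is an added example, not part of the original post or of OpenSSL: parse_s_client() pulls the protocol, cipher and key size out of the SSL-Session summary shown above (the embedded sample is constructed from that output), evaluate() grades the result, and probe_smtp_starttls() performs the live STARTTLS handshake with the standard library instead of openssl. The names evaluate, WEAK_FRAGMENTS and ACCEPTABLE_PROTOCOLS are this example's own choices.

```python
import re
import smtplib
import ssl

# Constructed sample of the SSL-Session summary that `openssl s_client -starttls smtp` prints,
# modelled on the output shown above (not captured from a real server).
SAMPLE_S_CLIENT_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings of an OpenSSL cipher name that indicate a weak or anonymous suite.
WEAK_FRAGMENTS = ("RC4", "DES-CBC", "MD5", "NULL", "EXP", "ADH", "AECDH")


def parse_s_client(output):
    """Extract protocol, cipher and server key size from the s_client summary."""
    session = {}
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if m:
        session["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if m:
        session["cipher"] = m.group(1)
    m = re.search(r"Server public key is (\d+) bit", output)
    if m:
        session["key_bits"] = int(m.group(1))
    return session


def evaluate(session):
    """Return policy findings for a negotiated session; an empty list means it passes."""
    findings = []
    proto = session.get("protocol")
    cipher = session.get("cipher", "")
    if proto not in ACCEPTABLE_PROTOCOLS:
        findings.append(f"protocol {proto} is below TLS 1.2")
    # Forward secrecy needs an ephemeral (ECDHE/DHE) key exchange; TLS 1.3 suites always have one.
    if proto != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append(f"cipher {cipher} does not provide forward secrecy")
    for fragment in WEAK_FRAGMENTS:
        if fragment in cipher:
            findings.append(f"cipher {cipher} uses weak primitive {fragment}")
    if "key_bits" in session and session["key_bits"] < 2048:
        findings.append(f"server key is only {session['key_bits']} bits")
    return findings


def probe_smtp_starttls(host, port=25, timeout=10.0):
    """Live equivalent of the openssl command: EHLO, STARTTLS, then report what was negotiated.
    The certificate and hostname are verified against the system trust store, so a mismatch raises."""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        cipher_name, _version, _bits = smtp.sock.cipher()
        return {"protocol": smtp.sock.version(), "cipher": cipher_name}


if __name__ == "__main__":
    import sys
    # with an MX hostname as argument the live probe runs, otherwise the embedded sample is graded
    session = probe_smtp_starttls(sys.argv[1]) if len(sys.argv) > 1 else parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    print(session, evaluate(session) or "OK")
```

The live probe does not report the certificate key size (that needs certificate parsing), so evaluate() only checks key_bits when it is present, as it is when grading the openssl output.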


Good luck!

Find members of a local group

We needed a list of all local admins in the domain. I found some code somewhere and adjusted it to my personal needs.

Import-Module ActiveDirectory

# only servers whose computer account password changed in the last 35 days (i.e. still active)
$date = (Get-Date).AddDays(-35)
$list = (Get-ADComputer -Filter {(OperatingSystem -like "*Server*") -and (PasswordLastSet -ge $date)}).Name

# return the ADsPath of every member of a local group (via the WinNT provider)
function Get-LocalGroupMembers($Group) {
    $Group.psbase.Invoke("Members") | % { $_.GetType().InvokeMember("Adspath", 'GetProperty', $null, $_, $null) }
}

$Result = @()

foreach ($server in $list) {
    $computer = [ADSI]("WinNT://" + $server + ",computer")
    $Group = $computer.psbase.Children.Find("Administrators")

    $Result += $server
    $Result += (Get-LocalGroupMembers $Group)
    $Result += " "
}
$Result | Add-Content C:\LocalAdmins.csv

Script to check when a XenApp server is set to prohibit logons

It is hard to find out who set a server to Prohibit Logons in XenApp. I had some spare time to make a one-liner for the service desk to search the event log for any records matching the specifics. The logon process is run by the IMA service. When you know when the server was set to prohibit logons, you may find the administrator.

$List2 =@() ;$load = (qfarm /load) ;write-host $Load[1];Write-Host $load[2]; Foreach ($item in $load){If ($Item -match "ProhibitLogons"){Write-host $item;$Item2 = $item -split " " ;$item2 = $item2[0] ; $List2 += $Item2}} ;$Date = (Get-Date).AddDays(-1) ; Foreach ($item in $list2){Get-EventLog -LogName Application -after $Date -ComputerName $item -InstanceId 1073751835 | ? {$_.Message -match "Prohibit"} | Select TimeGenerated,MachineName}

Or if you feel more comfortable having a script you can do the following:

$List2 = @()
$load = (qfarm /load)
# show the two header lines of the qfarm table
Write-Host $load[1]
Write-Host $load[2]
Foreach ($item in $load) {
    If ($item -match "ProhibitLogons") {
        Write-Host $item
        # the first column of the qfarm line is the server name
        $Item2 = ($item -split " ")[0]
        $List2 += $Item2
    }
}
$Date = (Get-Date).AddDays(-1)
Foreach ($item in $List2) {
    Get-EventLog -LogName Application -After $Date -ComputerName $item -InstanceId 1073751835 | ? { $_.Message -match "Prohibit" } | Select TimeGenerated, MachineName
}

This "script" runs qfarm /load and presents the user with the table from qfarm. It only lists servers that are set to ProhibitLogons. It splits the server name from the rest of the line and adds it to an array. The date is set to now minus one day; you can change that to more or less. Next the event log of each XenApp server is queried for a matching record. You can also use $_.EventID -match "10011" to match on the event ID. In the last step there is a Select-Object for TimeGenerated and MachineName.

Export all TNSNames files from all servers in the domain.

A colleague asked me if it was possible to export all servers that have an Oracle directory. I made a script that collects all servers from Active Directory. Next I test whether the C:\Oracle directory exists; those servers go into an array. Then I search those directories for tnsnames files, excluding the .sample files of course.

Import-Module ActiveDirectory
$ADComputers = Get-ADComputer -Filter * -Properties OperatingSystem, DNSHostName | Where { $_.OperatingSystem -match "Server" }
$Computers = @()
ForEach ($ADComputer in $ADComputers) {
    $ADComputer = $ADComputer.DNSHostName
    # keep only the servers that have a C:\Oracle directory
    If ((Test-Path "\\$ADComputer\C$\Oracle") -eq $True) { $Computers += $ADComputer }
}

ForEach ($Computer in $Computers) {
    $Folders = @(gci "\\$Computer\c$\Oracle\" -Recurse)
    # write the path of every tnsnames.ora, skipping the .sample files
    ForEach ($Item in $Folders) {
        if ($Item -match "TNSNames.ora" -and $Item.FullName -notmatch "sample") { Add-Content -Value $Item.FullName -Path ".\Export.csv" }
    }
}

Strict security for Plesk mail services

Plesk 12 comes with support for the Dovecot secure IMAP server. This is a great improvement over the Courier IMAP server. I personally prefer Postfix for SMTP; you can configure Postfix in a very secure manner. In this post I will discuss how to configure Dovecot and Postfix, and how to configure Roundcube webmail to go with them.

Dovecot
Dovecot supports IMAP4 and POP3. I decided to disable POP3 as it is inferior to IMAP4. If you do want POP3 enabled you should alter the configuration. I disallowed a number of insecure ciphers. I disabled plaintext authentication as it is highly insecure. Note that even though your client is using SSL you can still be vulnerable to attack if plaintext authentication is enabled. Next I changed the directory for the certificate.

First install Dovecot if you haven't done so. Establish an SSH connection to the server and edit the following file with vi:

/etc/dovecot/conf.d/01-servername.conf

01 makes it the last applied file. Adjust the content to your liking:

protocols = imap
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = yes
ssl_cert = </etc/dovecot/private/certificate.pem
ssl_key = </etc/dovecot/private/key.pem

This configuration encrypts IMAP4 traffic, disables plaintext authentication and enables a verifiable certificate. It disables a number of insecure ciphers and prefers better ciphers.

Postfix
Postfix is used by a massive number of mail servers. By default Postfix is not configured in a safe manner. To enable Postfix to contact the rest of the world in a safe way you should enable certain ciphers. Furthermore you shouldn't configure your Postfix server with EDH (Ephemeral Diffie–Hellman). Most servers don't support it yet, which would lead to undeliverable mail. Instead use the Diffie-Hellman key exchange. You first need to create a 512 bit key exchange parameter file and a 1024 bit key exchange parameter file. Please note that a larger key length results in a serious CPU penalty. To generate the files enter the commands below.

openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

Next configure Postfix’s main.cf file:

vi /etc/postfix/main.cf

Remove the conflicting lines and add the lines below:

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/certificate_2014.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL
smtp_tls_security_level = may

This will not be the most secure configuration, but please keep in mind that enforcing very high security standards comes at a high price.

Roundcube
When you have altered the configuration above you need to restart the Postfix and Dovecot services:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

When that is done your default Roundcube will no longer work. This can be fixed as follows:

vi /usr/share/psa-roundcube/config/defaults.inc.php

Change the following values:

// IMAP
// ----------------------------------

// The mail host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
//          required to match old user data records with the new host.
$config['default_host'] = 'ssl://hostname.TLD';
@include "/etc/psa-webmail/roundcube/mailhosts.php";

// TCP port used for IMAP connections
$config['default_port'] = 993;

// IMAP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or null to use
// best server supported one)
$config['imap_auth_type'] = 'DIGEST-MD5';


// ----------------------------------
// SMTP
// ----------------------------------

// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_server'] = 'tls://hostname.tld';

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 587;

This will restore the Roundcube functionality.

Mod Security for Plesk

One thing that I have learned is that no security measure is solid other than a computer without any ports, no screen and no NIC. If you want a connection to the internet you will be exposed to a massive number of attacks. Therefore it is more important to detect attacks than to desperately try to avoid vulnerability. You should be well protected, but noticing that you have been hacked is just as important.

Plesk 12 has a nice addition as it comes to security. I’ve talked about security in this and this post. Now I will continue with some nice features of Plesk 12.

Modsecurity

If you upgraded your version of Plesk from 11.5, Mod Security will probably be optional. Mod Security is an application firewall that detects malicious code and prevents it from being run. If you want this protection, enable and install Mod Security. You'll have three options: Disabled, Detect and Prevent.

Disabled needs no explanation.

Detect Only will log any detected incident.

Prevent will actively try to prevent code from being run. It has an impact on performance, so be sure to enable it only if your server can handle it. You can tweak the settings so that there is a fast check if you have a lot of visitors. If you want a thorough scan you can select that as well.

Mod Security works with a set of rules. This ruleset is updated regularly. By default the set of rules present in Plesk is a simple one. This makes it a little less effective, but performance is maintained and security is improved over having no Mod Security at all. If you want a very secure environment you can select the OWASP core rule set. This is a more thorough set and nonetheless very good protection. You can optionally pay for a subscription to a professional service; use this only if the basic ruleset is not good enough for you.

It is wise to update the ruleset once a day. I often see new updates and 0-day vulnerabilities will be patched quicker. The impact of the update process is small and the gain in security is high.

Fail2Ban

When you have a small server like mine, with only a few sites, and look at the logs, you see a lot of malicious traffic: all sorts of port scanning, robots, crawlers and hackers. This traffic only increases on servers with a high user load. There are lists of username/password combinations that bots try at any site. If you have an account on a hacked site and your username and password combination is exposed, you do not want this to actually be exploited, let alone for your users. Not all companies disclose security incidents, which makes it hard to know if your credentials are on some list. If you don't have a unique username/password combination for every site that risk is real.

Plesk 12 has this incredible feature called Fail2Ban. This extension automatically bans these threats by IP address. The default settings are very loose but this can be improved. Fail2Ban can build jails to detect login attempts and so forth. First install this feature and see my config below.

First you'll have to enable jails. Jails are no more than automated log watching: the logs are scanned and if an IP address attempts multiple malicious actions in a certain period, that IP gets blocked. I would recommend enabling jails on all available services:

Jails Fail2Ban

Apache jails check for failed authentication or time travelling. Badbot detects fraudulent bots. You can check what a jail does by looking at the Filters tab.

By default Fail2Ban will detect 7 attempts within 10 minutes and then ban that IP for a period of 15 minutes. I personally think that a 15 minute break is way too weak, and the 10 minute range is too short. Will users keep on trying to log on after 7 attempts? They will contact you anyway to reset their passwords, so releasing their IP is then just part of the deal. As I basically work alone on this server I lowered the number of failures. Next I expanded the time frame in which to look for attempts to 900 seconds. The ban time should be at least a year. Imagine that those bots are built to try every 10 minutes with 7 login attempts. That is 144 times 7 login attempts a day, which is 367,920 attempts a year, whereas with my settings you'll only have a small number of no more than 5. Imagine that such an organisation has 10 IP addresses. That is a massive number of attempts without you probably ever noticing one of them if you do not look at the logs. That's why I configured a ban period of 31536000 seconds, which is precisely one year. Even for a server that has only been up for one week there are already 10 IP addresses banned. That is quite a large attack surface taken care of. You can make a ban permanent by configuring a negative ban period: if you configure a ban period of -1 seconds the IP address will not be released.

Of course this impacts performance. You’ll have to decide for yourself if this is worth it for you. In my case it is. But I do not host any high profile sites.

There is another downside to the implementation of Fail2Ban in Plesk. If you whitelist an IP address that has been blocked, all blocked IP addresses are released. Furthermore if you restart your server the blacklist is released as well.

WordPress toolkit

You may have noticed the new WordPress toolkit icon in the Plesk Admin panel:

WordPress Toolkit


This is a vital new function of Plesk 12. Security flaws in common web applications can be exploited because they are not patched. With WordPress Toolkit you can update the version of WordPress. You can also update plugins and themes. But it doesn't stop there: you can also enhance security by removing the build numbers from all relevant files, and you can tighten security on the wp-include and wp-content directories. The attack surface is tremendously reduced. And the best thing is that you can see all installations even though you did not install them using Plesk, so you can manage all your WordPress installations in one console. It is an incredibly powerful addition and I wouldn't want to miss it.

Strict security on a Plesk Apache web server 2

As an addition to my previous post I would like to add a few updates and improvements.

HSTS

While it is possible to add a line in the conf file, you can also use a nifty function in Plesk. Since Plesk 11.5 configuring the web server per site is possible. But before I take you to heaven I would like to add a few side notes. Be sure that if you use the includeSubDomains flag, all your subdomains support HTTPS. You can of course configure this per site, but if a browser connects to the parent site and receives the HSTS header, it will automatically connect to all subdomains using HTTPS for a long time. If one of your subdomains doesn't support HTTPS and the user visited the parent site, you'll have a problem. You can of course leave out the includeSubDomains flag.

When logged in to the Plesk panel you can configure the web server. Go to Websites and Domains and click on Expand. Next click on Configure web server.

Screenshot 2014-10-01 at 11.18.55


Scroll down to the end of the page and add the following line in the HTTPS settings:

Screenshot 2014-10-01 at 11.22.50

Please mind the includeSubDomains switch

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

CSP

I recently learned about CSP. This makes it impossible for malicious XSS or other code to be run from your site. For example if a script is referenced from the index of your site, it is harder to exploit the trust that the browser has in your site. You can configure a very basic policy using the same steps as above by adding another line to your HTTPS config:


Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval';connect-src https: wss:"

Please note that this is a very basic way to configure CSP. To further tighten CSP you can read this site. To enable full CSP you can replace the above code with:

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"

Additional headers

Other headers that can strengthen the security are:

Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options deny
Header always set X-XSS-Protection "1; mode=block"

Please note that these headers may alter your website's functionality. For example X-Frame-Options limits frame rendering, so if you have code that runs in a frame there will be no output. My advice is to play around with these headers in your test environment. The above headers may also be used over HTTP, so you can add them to the HTTP headers as well. This is unlike HSTS, which of course has to do with secure transfer.

You configure them in the same way as the headers above:

Screenshot 2014-10-01 at 11.43.50

In my next post I will get into HTTP Public Key Pinning. I still have to figure this out myself, so if I have some spare time I will experiment with it a little. Support for this feature isn't very broad: only predefined lists are currently supported. As always, IE doesn't support it yet. Firefox supports it since version 32 and Chrome since 2011. However there is no mainstream support for it as of now. HPKP will be supported in the future, so I want to be sure that by the time it is, I already comply 🙂

The complete header looks like this:

Certificates decode and some details

So I was reading a wonderful book about SSL and TLS. It is really interesting. For a customer I requested my first SHA256 certificate back in December 2012. My first SHA256 certificate was issued in February 2013. Now I wanted to request a SHA384 certificate, which of course belongs to the SHA2 family. The thing is that I saw various CAs changing their chain from SHA1 to SHA384 or from SHA256 to SHA384. An example is Comodo (which is now in the process of reverting to SHA256). I created a CSR with the algorithm sha384WithRSAEncryption. I sent the certificate to StartSSL and got back a SHA256 certificate. Now nothing is wrong with that, as probably most browsers do not even support SHA384 at the moment of writing. However I did want to spend some attention on this. To check what kind of algorithm your certificate has you can run the following command:

openssl x509 -in Certificatefile.cert  -text


To check what kind of algorithm your CSR has you can run the following command:

openssl req -in blabla.csr -text


Strict security on a Plesk Apache web server

There is an update for this post

To ensure secure SSL traffic you should always protect your server properly. Plesk isn't really the best solution to handle such tasks, but I found a way to protect a Plesk server better when using SSL. My configuration is an Ubuntu 14.04 LTS server in combination with Plesk 12. If you have Ubuntu 12.04 LTS you'll have problems protecting such a server; I'll discuss this later on.

What you first need to do is ensure that only secure ciphers are used. A secure cipher is one that enables forward secrecy. If someone captures SSL traffic and succeeds in brute-forcing his way into one package, he cannot use that key to decipher all the other packages. In other words, if someone cracks open one package he would have to do the same thing for each package. If you use ciphers that do not enable forward secrecy and someone cracks open one package, he can open all the packages, which makes it highly insecure.

Create a file on the following location:

/etc/apache2/conf-enabled/zz050-psa-disable-weak-ssl-ciphers.conf

Enter the text below to disable the unwanted ciphers. Please note that by disabling SSLv3 your IE6 users will not be able to connect anymore.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Please also note that you need Apache 2.3 or later for the EECDH algorithm. Apache 2.3 is not installed by default on Ubuntu 12.04 LTS, so I would recommend installing Ubuntu 14.04 LTS on your server, or any other distribution with Apache 2.4 support.
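Both cipher lists on this page, the Dovecot ssl_cipher_list in the mail post and the SSLCipherSuite above, contain EECDH+aRSA+RC4, but only the Dovecot list ends with !RC4; the Apache list additionally has a bare RC4 token, so static-RSA RC4 suites remain selectable there. The Python below is an added example and not part of the original post: analyze_cipher_string() models the OpenSSL cipher-string rules just closely enough to show that difference (a '!' exclusion wins wherever it appears, a '-' removal can be undone by a later token) and reports weak keywords that are still live and tokens that select no forward-secrecy suites. It is a simplified model, and WEAK_KEYWORDS and PFS_KEYWORDS are the example's own selections; openssl_expand() asks the real openssl ciphers -v for the authoritative expansion.

```python
import subprocess

# The two cipher strings from this page's Dovecot and Apache configurations.
DOVECOT_LIST = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
                "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:"
                "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4")
APACHE_LIST = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
               "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
               "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS")

# Keywords that select weak, export, anonymous or otherwise unwanted suites (example's own list).
WEAK_KEYWORDS = {"RC4", "3DES", "DES", "MD5", "aNULL", "eNULL", "NULL", "EXP", "EXPORT",
                 "LOW", "ADH", "AECDH", "DSS", "PSK", "SRP"}
# Keywords that imply an ephemeral key exchange, i.e. forward secrecy.
PFS_KEYWORDS = {"EECDH", "ECDHE", "kEECDH", "EDH", "DHE", "kEDH"}


def tokenize(cipher_string):
    """Split on the separators OpenSSL accepts: ':', ',' and whitespace."""
    return cipher_string.replace(",", " ").replace(":", " ").split()


def analyze_cipher_string(cipher_string):
    """Simplified static model of OpenSSL cipher-string semantics:
    a bare token adds the suites matching all of its '+'-joined keywords,
    '-X' removes matching suites but a later bare token may add them back,
    '!X' removes them permanently regardless of position,
    '+X' and '@...' only reorder and add nothing."""
    killed = set()      # keywords removed by '!'
    enabled = set()     # keywords currently selectable by some bare token
    positive = []       # bare tokens in order of appearance
    for tok in tokenize(cipher_string):
        if tok.startswith("!"):
            killed.update(tok[1:].split("+"))
        elif tok.startswith("-"):
            enabled.difference_update(tok[1:].split("+"))
        elif tok.startswith("+") or tok.startswith("@"):
            continue
        else:
            enabled.update(tok.split("+"))
            if tok not in positive:
                positive.append(tok)
    # a token still selects something only if none of its keywords was killed or removed afterwards
    live = [t for t in positive if all(k in enabled and k not in killed for k in t.split("+"))]
    weak = sorted({k for t in live for k in t.split("+")} & WEAK_KEYWORDS)
    non_pfs = [t for t in live if not any(k in PFS_KEYWORDS for k in t.split("+"))]
    return {"weak": weak, "non_pfs_tokens": non_pfs, "live_tokens": live}


def openssl_expand(cipher_string):
    """Authoritative check: the suite names the locally installed OpenSSL selects for the string."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return [line.split()[0] for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    for name, cipher_string in (("dovecot", DOVECOT_LIST), ("apache", APACHE_LIST)):
        report = analyze_cipher_string(cipher_string)
        print(f"{name}: weak={report['weak']} non_pfs={report['non_pfs_tokens']}")
```

Whether the bare RC4 token really yields RC4 suites on a given host also depends on the OpenSSL build (recent releases leave RC4 out unless it was compiled in), which is why openssl_expand() is the final word for that host.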

Next you should enable OCSP stapling. This is a lot quicker for checking revocations than a CRL. If your server handles a lot of traffic I would definitely enable this feature. Open the file:

/etc/apache2/conf-enabled/security.conf

And append the following text:

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem
SSLStaplingCache shmcb:/var/run/ocsp(128000)

I only use one CA. If you have more than one CA you are at the moment limited to entering only one: OCSP stapling doesn't support more than one CA. There is a new standard that will get rid of this problem, but it is not very well supported yet; both clients and servers rarely support it. You'll have to wait a bit.

Next you can enable HSTS (HTTP Strict Transport Security). This only works with Apache 2.2.3 and above. The way Plesk handles websites isn't really efficient for HSTS. Don't get me wrong, I absolutely love the way Plesk handles SNI and other offloading and features, but this is one that could be improved. You have to open each conf file for a website in Plesk.

Please note the update stated above!

First I'll explain what HSTS is. Imagine that your site accepts HTTP requests and HTTPS requests, with HTTP enabled to redirect to HTTPS. One of your users browses to your site and fails to go directly to the secure site. Someone has created a fraudulent access point and redirects the user to another site. The user doesn't notice the change and enters his credentials, and that account is compromised. Now HSTS tells the browser to connect to the https:// site for the upcoming year. Each time the user browses to that site the timer is reset to another year from that date.

Each new website gets a .conf file in the system directory. You will have to make sure that a certain text is added to that file.

If you have a default website for an IP address a file is created like the one below:

/var/www/vhosts/system/domain.tld/conf/httpd_ip_default.conf

If you use SNI Plesk creates the file below for you:

/var/www/vhosts/system/domain.tld/conf/httpd.conf

Add the following line to the container shown below:


<VirtualHost x.x.x.x:443 >
    # the existing directives of the site stay as they are; the HSTS header goes inside this container
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

This enables HSTS. But please note that any change to your website settings gets this file overwritten. I created a shell script that checks for the existence of the text and adds it if it is not there. I will post that later on.