Configuration of SSL/TLS on CentOS server running Plesk

Even when SSL is enabled in the Plesk panel, SSL/TLS still needs to be configured properly so that your server and site are much more secure. In this article you will see how to configure SSL/TLS on a CentOS server running Plesk.

If you test your site at https://www.ssllabs.com/ssltest/analyze.html and find that its SSL grade is below B because TLS and the cipher suites are not configured, then you need to configure your server with TLS 1.2 and enable a suitable set of ciphers.

Here I am going to briefly describe the configuration of SSL/TLS on a CentOS server running Plesk Panel.

Steps to Configure SSL/TLS on CentOS server running Plesk

First, create a DH parameter (dhparam) PEM file for the nginx server by executing the commands below.

linuxtweaks ~]# cd /etc/nginx
linuxtweaks ~]# openssl dhparam -out dhparam.pem 4096

The above step can take several minutes to generate the PEM file, so wait for it to finish.

In the next step, make copies of the nginx configuration templates (webmail, domain-specific and server) that carry the SSL/TLS settings.

linuxtweaks ~]# mkdir -p /usr/local/psa/admin/conf/templates/custom/domain
linuxtweaks ~]# mkdir -p /usr/local/psa/admin/conf/templates/custom/server
linuxtweaks ~]# cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/
linuxtweaks ~]# cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/
linuxtweaks ~]# cp /usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php /usr/local/psa/admin/conf/templates/custom/server/

Above we have copied three files: the first for the mail server (webmail), the second for domain-specific virtual hosts, and the third for the server's core virtual host. Next we have to update the SSL protocols, the SSL ciphers and the prefer-server-ciphers setting, so find the lines below in all three files.

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

Replace them with:

ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;

The above cipher list is chosen for compatibility with the browsers of the time, so it may need to be updated later as requirements change.

Finally, regenerate the Plesk web server configuration and reload nginx so the changes take effect.

linuxtweaks ~]# /usr/local/psa/admin/bin/httpdmng --reconfigure-all
linuxtweaks ~]# nginx -s reload
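The following is an added example, not part of the original post: a small POSIX shell audit that checks the three custom Plesk templates edited above for the weak settings that lower the SSL Labs grade (SSLv2/SSLv3 in ssl_protocols, a cipher string that does not exclude aNULL/RC4/MD5, and a missing ssl_dhparam), to run before the reconfigure step. The template path and the directive spellings are taken from this article; the sample files it writes are constructed for demonstration and are not real Plesk templates.

```shell
# Added example, not from the original post: audit the TLS directives in the
# three custom Plesk nginx templates before running httpdmng --reconfigure-all.
# Each function prints one FAIL line per weak setting and returns non-zero.
audit_tls_template() {
    f="$1"; rc=0
    # The stock template ships "ssl_protocols SSLv2 SSLv3 TLSv1;".
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*SSLv[23]' "$f"; then
        echo "FAIL $f: ssl_protocols still lists SSLv2/SSLv3"; rc=1
    fi
    # The hardened cipher string must exclude these suite classes explicitly.
    for bad in '!aNULL' '!RC4' '!MD5'; do
        grep -Eq "^[[:space:]]*ssl_ciphers[^;]*$bad" "$f" ||
            { echo "FAIL $f: ssl_ciphers lacks $bad"; rc=1; }
    done
    # DH parameters must point at the file generated with openssl dhparam.
    grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]+/etc/nginx/dhparam\.pem;' "$f" ||
        { echo "FAIL $f: ssl_dhparam /etc/nginx/dhparam.pem missing"; rc=1; }
    grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on;' "$f" ||
        { echo "FAIL $f: ssl_prefer_server_ciphers is not on"; rc=1; }
    return $rc
}

# Audit all three templates copied in the steps above; 0 only when all pass.
audit_plesk_templates() {
    base="${1:-/usr/local/psa/admin/conf/templates/custom}"; rc=0
    for f in "$base/nginxWebmailPartial.php" \
             "$base/domain/nginxDomainVirtualHost.php" \
             "$base/server/nginxVhosts.php"; do
        audit_tls_template "$f" || rc=1
    done
    return $rc
}

# Constructed samples (not real Plesk templates): the stock directives and
# the hardened replacement, so the audit can be tried without a Plesk host.
write_sample_templates() {
    cat > "$1/before.conf" <<'EOF'
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
EOF
    cat > "$1/after.conf" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
EOF
}
```

On a live server, source the file and run audit_plesk_templates with no argument; a zero exit status means all three templates carry the hardened directives.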

Now you can check your site again at the SSL security testing link given above:

https://www.ssllabs.com/ssltest/analyze.html

You will definitely get an A or A+ grade for your site's SSL security and installation.

To know more about SSL/TLS, please click here.

It’s Done!

Balvinder Singh

Hello, I am Balvinder Singh - DevOps Engineer with 2.5+ years of working experience with different server environments. Tag line: Linux | AWS | WHM | Monitoring | Virtualization | Optimization | Performance | Security | Release & Deployment. I love helping companies / clients to deploy their code / applications to well managed, optimized, secure servers and can go the extra mile to satisfy.
