More and more sites are only available via https, now with the Let’s Encrypt extension available in Plesk 12.5 it’s even easier to make your site secure. As such I thought it would be a good time to write this guide.
This guide assumes…
-
- You have already setup your SSL Certificate in Plesk for your domain,
- You are using Apache (FastCGI or FPM) and Nginx is serving static files,
- You want your site to be https only, redirecting all http requests to https
- You have set preferred domain in Plesk to www.domain.tld
Apache
I’ll start with Apache, browse to your domain in Plesk and click on Additional Apache & Nginx settings. under Additional directives for HTTP use this redirect..
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
</IfModule>
And Additional directives for HTTPS…
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
If you use Plesk’s built in SEO Safe redirect (preferred domain) from domain.tld to www.domain.tld, you will need to turn this off and add the following in the Additional HTTPS directives…
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^domain.tld$ [NC]
RewriteRule ^(.*)$ https://www.domain.tld$1 [L,R=301]
</IfModule>
Nginx
Now onto the Nginx directives…
if ($scheme != https) {
return 301 https://$host$request_uri;
}
Notice I’m using $scheme rather than the more common $host, as using the $host rewrite affected ssllabs scores in that domain.tld and www.domain.tld would score differently after adding HPKP and HSTS headers in Apache.
I hope that helps someone.
Updated to reflect changes at: https://hstspreload.org/