More and more sites are only available via HTTPS, and with the Let’s Encrypt extension available in Plesk 12.5 it’s even easier to make your site secure. As such I thought it would be a good time to write this guide.
This guide assumes that:

- You have already set up your SSL certificate in Plesk for your domain
- You are using Apache (FastCGI or FPM) and Nginx is serving static files
- You want your site to be HTTPS only, redirecting all HTTP requests to HTTPS
- You have set the preferred domain in Plesk to www.domain.tld
Apache
I’ll start with Apache. Browse to your domain in Plesk and click on Additional Apache & Nginx settings; the directives you enter there are added to the domain’s virtual host configuration. Under Additional directives for HTTP, add this redirect:
```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Any request that arrived over plain HTTP gets a permanent redirect to the
    # same host and path over HTTPS. The redirect stays on the same host on
    # purpose: the www redirect is done separately, on the HTTPS side.
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]
</IfModule>
```
And under Additional directives for HTTPS:
```apache
<IfModule mod_headers.c>
    # Tell browsers to use HTTPS for this host and all subdomains for one year,
    # and allow the domain to be included in the browser preload lists.
    # "always" also adds the header to redirects and error responses; without
    # it the 301 from the bare domain to www would be sent without HSTS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
```

Only put this header in the HTTPS directives: browsers ignore HSTS received over plain HTTP, so adding it to the HTTP directives does nothing. Also treat includeSubDomains and preload with care. Once the domain ships in the browser preload lists, every subdomain must be reachable over HTTPS with a valid certificate, and getting removed again takes months. While testing, start with a short max-age (a few minutes) and only raise it to a year when everything works.
If you use Plesk’s built-in SEO-safe redirect (preferred domain) from domain.tld to www.domain.tld, turn it off and add the following to the Additional directives for HTTPS instead. Doing the www redirect on the HTTPS side keeps the order the preload checks expect: http://domain.tld first hops to https://domain.tld (same host), and only then to https://www.domain.tld, with the HSTS header above present on that second hop as well.
```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only match the bare domain. The dot is escaped: an unescaped "." matches
    # any character, so ^domain.tld$ would also match e.g. domainxtld.
    RewriteCond %{HTTP_HOST} ^domain\.tld$ [NC]
    # Same path and query string on the www host, still over HTTPS.
    # %{REQUEST_URI} always carries the leading slash, so this works whether
    # the directive ends up in virtual host or per-directory context.
    RewriteRule ^ https://www.domain.tld%{REQUEST_URI} [R=301,L]
</IfModule>
```
Nginx
Now on to the Nginx directives. Requests for static files are answered by Nginx without ever reaching Apache, so the Apache redirect above does not cover them; add this under Additional nginx directives so those requests are redirected too:
```nginx
# Redirect anything that did not arrive over HTTPS, keeping host, path and query string.
if ($scheme != https) {
    return 301 https://$host$request_uri;
}
```
Notice I’m using $scheme rather than the more common $host, as using the $host rewrite affected SSL Labs scores, in that domain.tld and www.domain.tld would score differently after adding HPKP and HSTS headers in Apache.
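Before submitting the domain to hstspreload.org it is worth checking the whole chain by hand: the plain-HTTP request must first hop to HTTPS on the same host, every HTTPS response along the way (including the 301 from the bare domain to www) must carry an HSTS header with a max-age of at least 31536000, includeSubDomains and preload, and the chain must end on an HTTPS 200. The script below is an added example for this post, not code from the post itself or from Plesk. fetch_chain makes real requests against whatever URL you pass on the command line; SAMPLE_CHAIN and BAD_CHAIN are constructed responses that model the Apache and Nginx rules above, with domain.tld as a placeholder host.

```python
"""Check an HTTP -> HTTPS -> www redirect chain and its HSTS headers against the
hstspreload.org rules: same-host first hop, one-year max-age, includeSubDomains,
preload, HSTS on every HTTPS hop. Added example; domain.tld is a placeholder."""
import http.client
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 307, 308}
MIN_PRELOAD_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


@dataclass
class Response:
    url: str                  # the URL that was requested for this hop
    status: int
    headers: Dict[str, str]   # header names lower-cased


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into directives (RFC 6797).
    Valueless directives such as includeSubDomains map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def hsts_preload_ok(value: str) -> Tuple[bool, List[str]]:
    """Return (eligible, problems) for one header value."""
    d = parse_hsts(value)
    problems: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_PRELOAD_MAX_AGE} (one year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return (not problems, problems)


def check_chain(hops: List[Response]) -> List[str]:
    """Validate a chain captured hop by hop (client did not follow redirects).
    Returns the list of problems; an empty list means it passes."""
    problems: List[str] = []
    if not hops:
        return ["no responses captured"]
    first = urlsplit(hops[0].url)
    if first.scheme == "http":
        loc = hops[0].headers.get("location", "")
        target = urlsplit(urljoin(hops[0].url, loc))
        if hops[0].status not in REDIRECT_STATUSES:
            problems.append(f"{hops[0].url}: expected a redirect, got {hops[0].status}")
        elif target.scheme != "https" or target.hostname != first.hostname:
            # Preload rule: the HTTP hop must go to HTTPS on the same host, not to www.
            problems.append(f"{hops[0].url}: first hop must redirect to https://{first.hostname}, got {loc!r}")
    for hop in hops:
        if urlsplit(hop.url).scheme != "https":
            continue
        hsts = hop.headers.get("strict-transport-security")
        if hsts is None:  # the 301 from https://domain.tld to www needs HSTS too
            problems.append(f"{hop.url}: no Strict-Transport-Security header")
        else:
            problems += [f"{hop.url}: {p}" for p in hsts_preload_ok(hsts)[1]]
        if hop.status in REDIRECT_STATUSES:
            loc = urljoin(hop.url, hop.headers.get("location", ""))
            if urlsplit(loc).scheme != "https":
                problems.append(f"{hop.url}: redirects back to non-HTTPS {loc!r}")
    last = hops[-1]
    if last.status in REDIRECT_STATUSES or urlsplit(last.url).scheme != "https":
        problems.append(f"chain does not end on a final HTTPS response ({last.url} -> {last.status})")
    return problems


def fetch_chain(url: str, max_hops: int = 5) -> List[Response]:
    """Request url and follow Location headers by hand, recording each hop (network)."""
    hops: List[Response] = []
    for _ in range(max_hops):
        u = urlsplit(url)
        conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(u.hostname, u.port, timeout=10)
        conn.request("GET", (u.path or "/") + (f"?{u.query}" if u.query else ""), headers={"Host": u.hostname})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
        hops.append(Response(url, resp.status, headers))
        if resp.status not in REDIRECT_STATUSES or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return hops


HSTS = "max-age=31536000; includeSubDomains; preload"
# Constructed responses modelling the Apache and Nginx rules in this post.
SAMPLE_CHAIN = [
    Response("http://domain.tld/page?x=1", 301, {"location": "https://domain.tld/page?x=1"}),
    Response("https://domain.tld/page?x=1", 301,
             {"location": "https://www.domain.tld/page?x=1", "strict-transport-security": HSTS}),
    Response("https://www.domain.tld/page?x=1", 200, {"strict-transport-security": HSTS}),
]
# Constructed failure: HTTP jumps straight to the www host, which preload rejects.
BAD_CHAIN = [
    Response("http://domain.tld/", 301, {"location": "https://www.domain.tld/"}),
    Response("https://www.domain.tld/", 200, {"strict-transport-security": HSTS}),
]

if __name__ == "__main__":
    import sys
    hops = fetch_chain(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CHAIN
    for hop in hops:
        print(hop.status, hop.url, "->", hop.headers.get("location", ""))
    print("\n".join(check_chain(hops)) or "OK: chain and HSTS headers look preload-ready")
```

Run it as `python check_hsts.py http://domain.tld/` against the live site; with no argument it checks the constructed SAMPLE_CHAIN. Check both http://domain.tld/ and http://www.domain.tld/, since the preload checks look at both, and remember that a passing chain here still depends on every subdomain being served over HTTPS.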
I hope that helps someone.
Updated to reflect changes at: https://hstspreload.org/