You’ve no doubt discovered massive amounts of 404 errors in your main Apache error log that go something like:
File does not exist: /var/www/vhosts/default/htdocs/....
The requests may appear to be legitimate requests for page on the the primary virtualhost, but are returning 404 errors. Or, they may be crap requests to /var/www/vhosts/default/htdocs/phpMyAdmin etc made by script kiddies looking for vulnerabilities. Sound familiar?
Chances are you have SSL disabled for the domain in Plesk, & these requests to vhosts/default/htdocs/ are from HTTPS requests.
Plesk handles this use case in the most asinine way possible.
Since you have SSL disabled for your virtualhost, Plesk doesn’t route HTTPS requests to any virtualhost. Instead, it’s using the default host settings in /etc/httpd/conf/plesk.conf.d
which can be something like:
<VirtualHost your_ip_here:7081 127.0.0.1:7081> ServerName "default-your_underscored_ip_here" DocumentRoot "/var/www/vhosts/default/htdocs" .... </VirtualHost>
Little-known (to me) Plesk fact: For SSL requests, Apache listens to port 7081 when it’s running behind nginx, per /etc/httpd/conf.d/ssl.conf
How do you know this is going on? Enable servername & port logging in access_log so you can tell exactly what these requests are coming in as. To set that up, in /etc/httpd/conf/httpd.conf
look for where your main access_log is defined, like:
CustomLog logs/access_log combined
Then look for a LogFormat
line that defines the log format nickname “combined”:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Add %v %V %p
in there — right after %t
is a good spot. Doing this adds the servername in two flavors, & the port of the original request. The servername helps you to determine which section of your Apache config is getting used, if you aren’t sure. The port shows the original — not mapped — port of the request. HTTPS starts out as a port 443 request so you’ll see that in the access log, not port 7081.
Restart Apache, either through Plesk, or apachectl restart
. Then go tail -f access_log
to watch the log with that additional data.
How do you fix how Plesk handles these SSL requests? In Plesk…
- In Hosting Settings for your domain, check the box to enable (…yep) SSL.
- In the Apache & nginx settings for your domain, under “Additional directives for HTTPS “, add this RewriteRule to redirect HTTPS requests to HTTP:
RewriteEngine On RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
That’s the best way I know how to fix this, anyway.
Any other suggestions? Normally you could set up a “black hole” entry, but I’m not sure how to overwrite the default Apache server settings, since server.conf is auto-generated by Plesk.
I’m off to bang some rocks together.
Leave a Reply