SSL access to proxy domains (whm/cpanel/webmail)

**tomi1122** · 07-14-2010 01:07 PM

I have enabled proxy domains and these work fine. However if I try to hit one of the proxy domains over ssl it returns an error. It appears the server returns plain http and not https, as in:

https://webmail.mydomain.com - SSL error

http://webmail.mydomain.com:443 - this works fine and shows webmail interface

How do I get port 443 for proxy domain to respond with SSL/HTTPS.

Thank you,

Tom

**Miraenda** · 07-14-2010 01:13 PM

What specific SSL error does it return?

**tomi1122** · 07-14-2010 01:14 PM

The browser error is: SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

The reason I get this error though because plain HTTP is responding on 443 and not HTTPS. So the SSL handshake fails.

Tom

**Miraenda** · 07-14-2010 01:20 PM

Just to confirm, the cPanel/WHM/Webmail SSL has been installed using WHM > Manage Service SSL Certificates area? Since that SSL is the one being served for any of the proxy subdomains, that SSL is required for the proxy subdomain to work.

If you cannot get it to work with either installing or re-installing that SSL certificate for WHM/cPanel/Webmail in WHM's Manage Service SSL Certificates area, you might well simply want to open a ticket with cPanel using WHM > Support Center > Contact cPanel area.

**tomi1122** · 07-14-2010 01:39 PM

Cert has been installed and working without a problem at all. However, I was hitting the site on a secondary IP associated with customer account. If however I hit the host on primary IP it works...

https://webmail.hostdomain.com - works because its on primary IP

https://webmail.customerdomain.com - works only if set to host to primary IP

https://webmail.customerdomain.com - does not work on secondary, account dedicated IP, returns plain HTTP and not HTTPS

The problem with this is that if a customer buys a dedicated IP from me and I setup a domain wildecard cert for that IP, then I cannot use it because I have to go on host IP and HTTPS bound to that IP has a wrong cert (one for the host domain). So you get a mismatch warning.

My question then is: how do I get https://webmail.customerdomain.com working with customer supplied cert and account designated IP.

Tom

**Miraenda** · 07-14-2010 02:03 PM

I'm not certain this is possible to fix. Your initial post didn't clarify this issue as it stated proxy subdomains weren't working at all for https, but proxy subdomains are working for those domains on the shared IP and only dedicated IP sites aren't working for proxy subdomains for https.

The reason these other domains don't work is that the service SSLs only allow one certificate (the hostname) rather than multiple certificates. Apache can have multiple SSLs under the cPanel setup, but the services such as exim, ftp and the cPanel services can only have that one SSL certificate. When you try to use the proxy subdomains with a domain not on the shared IP, then it cannot work under that setup due to the one SSL certificate from how I understand it. If there's any workaround, I'm not certain what it would be.

**tomi1122** · 07-14-2010 03:58 PM

Again the problem here is not with mismatched certs. The problem is that for proxied domains:
a) by default they are setup on domain/account dedicated IP
b) on that IP they respond with HTTP on an HTTPS port.

I think the correct setup for proxied domains is:
a) respond with HTTPS on 443 port for all proxied domains
b) use domain assigned cert on domain/account specific IP

And that is what I am trying to figure out how to do. It would seems to me that this type of setup would OOTB and that the proxy entries in httpd.conf right now as generated by cPanel are not quite correct.

Tom

**cPanelDon** · 07-14-2010 05:41 PM

Please try the following two steps, in the exact order listed, to see if this helps alleviate the difficulty; these are commands you may enter on a command-line, via root SSH access:

Code:

# /scripts/rebuildhttpdconf
# /scripts/restartsrv_httpd

**tomi1122** · 07-15-2010 04:01 PM

So I did that but I don't think it helps. Here is the virtual host entry for the proxy hosts (not the actual IPs):

<VirtualHost 55.1.1.32:80 55.1.1.34:80 64.1.1.87:443 *>

Here the 64.1.1.87 is the primary host IP and 55.*.*.* are secondary. So it appears 443 is only being mapped to primary and never to secondary.

Tom

**sirdopes** · 07-27-2010 06:36 PM

One way to do this is to add an include to the wildcard vhost with the following info:

SSLProxyEngine On

ServerAlias cpanel.* whm.* webmail.* webdisk.*
ServerAlias cpanelsecure.* whmsecure.* webmailsecure.*

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^cpanel\.
RewriteRule ^/(.*) http://%{HTTP_HOST}:2082/$1 [P]
RewriteCond %{HTTP_HOST} ^webmail\.
RewriteRule ^/(.*) http://%{HTTP_HOST}:2095/$1 [P]
RewriteCond %{HTTP_HOST} ^whm\.
RewriteRule ^/(.*) http://%{HTTP_HOST}:2086/$1 [P]
RewriteCond %{HTTP_HOST} ^webdisk\.
RewriteRule ^/(.*) http://%{HTTP_HOST}:2077/$1 [P]

RewriteCond %{HTTP_HOST} ^cpanelsecure\.
RewriteRule ^/(.*) https://%{HTTP_HOST}:2083/$1 [P]

RewriteCond %{HTTP_HOST} ^whmsecure\.
#RewriteRule ^/(.*) https://%{HTTP_HOST}:2087/$1 [P]
RewriteRule ^/(.*) https://tonyx.be:2087/$1 [P]

RewriteCond %{HTTP_HOST} ^webmailsecure\.
RewriteRule ^/(.*) https://%{HTTP_HOST}:2096/$1 [P]
</IfModule>

**lorio** · 08-10-2010 06:06 AM

Originally Posted by sirdopes

One way to do this is to add an include to the wildcard vhost with the following info:

Are you using this on a productive server already?

I wonder why Cpanel won't make the adjustment? Is the port firewall problem that uncommon?

I would prefer to have a special account added to every server to allow
the design of a webmail portal which a different name than the server hostname and allow SSL Cert installation like the normal accounts. But I think it is too late since most will go to gmail and are happy. No ports, no firewall problems. HTTPS out of the box. The demand on this board for GoogleApp integration into cpanel is an indicator for that.
Sorry for getting a bit offtopic.

Question for clarification:
Is it possible to set a global webmail access with SSL and the standardport 443 via the hostserver domain.

https://host.server.tld:2096 is working.

https://host.server.tld isn't. The "Great Success ! Apache is working on your cPanel" default page is working on Port 80.

Since the demand for that (on this board) seems to be low I still hope I am just to blind to see.

**m0rpheu5** · 05-11-2011 09:07 AM

It´s working if I use /http://www.myclient.com/webmail then i configure on the tweak to always use SSL, them it´s redirect to my hostname SSL cert, works fine, but my clients are used to use the webmail.myclient.com them i got error in the SSL, how can i fix this?

Thanks

LinkBack

Thread Tools

SSL access to proxy domains (whm/cpanel/webmail)

Re: SSL access to proxy domains (whm/cpanel/webmail)

whm, cpanel, webmail and webdisk proxy subdomains and ModSecurity [Case 51819]

cpanel non-ssl access to webmail?

USe proxy only to access cpanel, whm and webmail

Disabling non-SSL access to cpanel/whm/webmail