whm, cpanel, webmail and webdisk proxy subdomains and ModSecurity [Case 51819]

[chirpy]

Because the whm, cpanel, webmail and webdisk proxy subdomains run through Apache before being routed to cPanel/WHM, etc, all traffic is processed through any configured ModSecurity rules. This causes problems for legitimate functions, especially in root WHM, which trigger such rules.

To avoid this and to maintain consistency for the various ways to access WHM, it would be a best to have the following within the VirtualHost in httpd.conf for the proxy subdomain container:

# CPANEL/WHM/WEBMAIL/WEBDISK PROXY SUBDOMAINS
<VirtualHost ... *>
...
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
...
</VirtualHost>


A side-effect of this problem when a ModSecurity rule is triggered is that the browser is redirected to a 403/406 page which strips the URL of the security token. Because this is going through Apache and not the cPanel server it results in a spurious "security token missing" error.

I raised this with support in ticket ID 1774258.

[VeZoZ]

Brought this up in 2008 and haven't heard from them since. It was acknowledged as a problem in a ticket, forum topic and even in bugzilla: http://bugzilla.cpanel.net/show_bug.cgi?id=8089

I'm not sure what is so difficult about fixing this.

[chirpy]

This has an internal dev case #51819 now.

[cPanelDavidG]

We're hoping to get this resolved soon, we currently anticipate this will be resolved in version 11.32.

VeZoZ, your input has been noted in our internal case. Thank you!

[cPanelDavidG]

This is resolved in version 11.31.1.2 and later. To see if this version has propagated to your update tier, visit Downloads - cPanel Inc.

[cPanelDavidG]

This functionality has propagated to all update tiers so I am now closing and archiving this thread.