The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

can't get http://cpanel.example.com working

Discussion in 'General Discussion' started by simonpearce, May 29, 2008.

  1. simonpearce

    simonpearce Well-Known Member

    Joined:
    Jun 20, 2003
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Our servers have upgraded and have the:

    "** Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)"

    option already ticked, but I can't seem to get http://cpanel.example.com working (obviously using a valid domain!)

    Any tips?

    Cheers

    Simon
     
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
  3. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Did you see this in tweak setting:

    Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)

    Mostly this point that this does not effect existing domains on the system and would require manual configuration:

    Use /scripts/proxydomains to reconfigure the DNS entries manually

    Mike
     
  4. rligg

    rligg Well-Known Member

    Joined:
    Sep 16, 2003
    Messages:
    277
    Likes Received:
    0
    Trophy Points:
    16
    I did this. The domain zone file has all the entries. None of the them work however.
     
  5. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Then Nick is right you should open a ticket. It sounds like the httpd.conf does not have the redirect setup properly.

    Personally I'm waiting a bit before trying to use this feature, But I can see where something like this is a must have for access through firewalls that will not open the port needed.


    Mike
     
  6. gudjon

    gudjon Registered

    Joined:
    May 20, 2004
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    I had the same problem.
    I disabled "Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)" and "Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)" under Tweak settings and enabled it again and then this was working fine.

    Regards
    Gudjon
     
  7. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Hi gudjon,

    Just to be clear in my head, You disabled both entries then enabled both entries and used the script to modify existing domains?

    Was that the steps you pretty much took?

    Mike
     
  8. gudjon

    gudjon Registered

    Joined:
    May 20, 2004
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Well, I did run the script first.
    And when that did not work I disabled both entries and then enabled them. That is all.
    I got message saying that the script will be running in the background after I enabled.
    - took about 5min and all my domains had cpanl/webdisk/whm/webmail in dns.

    /Gudjon
     
  9. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    I just tested this on one of my servers. All I did was disable both items tweak setting, click save. then enabled both items and clicked save. Then is worked properly for HTTP. Is does not appear to work for HTTPS. It throws and error:

    "cpanel.example.com has sent incorrect or unexpected message. error code -12263"

    Other than that it appears to work.

    Thanks for the post.

    Mike
     
  10. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    seeing this too, although intermittently from FF (works 9 out of 10 times), IE7 & IE8 refuse to even error - just getting 'Cannot Display This Page' even though I have 'display friendly http error messages off'
     
  11. jdlightsey

    jdlightsey Perl Developer III
    Staff Member

    Joined:
    Mar 6, 2007
    Messages:
    126
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Houston Texas
    cPanel Access Level:
    Root Administrator
    Do you have a SSL VirtualHost installed on the same IP address? The Proxy VirtualHost can use SSL, but only if you have a cert installed on the same IP address.

    Here's a quick rundown of what you need to check if this feature doesn't work..

    1) Do you have all three options in TweakSettings enabled? One controls creation of the DNS entries, one controls adding the VirtualHost to httpd.conf, the third just lets accounts create subdomains with the same names (optional.)

    2) Do you have mod_proxy compiled into Apache? As the note in TweakSettings indicates, it's required.

    3) Are you going to the main domain of the account? The Proxy DNS entries aren't created for Addon domains. (Use /scripts/proxydomains --domain=whatever.com to set up an addon.)

    4) If you're going to use SSL, do you have a SSL VirtualHost set up on the same IP address? The proxy domains can use SSL, but they're going to reuse whatever cert you've already installed on that IP address (you'll probably get warnings about the cert not matching, but the connection will be secure.) If you haven't set up a SSL host on that IP though, going to the SSL port will just generate error messages in the browser and Apache log files.

    5) Are you using Apache 1.3 or 2.x? For some reason mod_proxy on Apache 1.3 tends to hang at the end of proxied connections waiting on a connection timeout. It does work and these hanging connections tend to be fairly infrequent, but you will get a better experience using Apache 2.0 or 2.2.
     
  12. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Thanks for the troubleshooting list. You are correct. There was no SSL virtual host setup when I tested it with an account that did have SSL it threw the domain does not match error, but did connect. I'm using Apache 2.x.

    So to make this seamless for people they either need to use the HTTP connection or they / I have to buy an SSL certificate for the proxy access. It's too bad that the system does not redirect the proxy subdomain to the server host sub-domain so you can buy one certificate or wild card certificate for the server and prevent the "domain does not match error" for all domains on the server.

    Mike
     
  13. jdlightsey

    jdlightsey Perl Developer III
    Staff Member

    Joined:
    Mar 6, 2007
    Messages:
    126
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Houston Texas
    cPanel Access Level:
    Root Administrator
    You can, of course, suggest that all of your users connect to a specific set of proxy domains and set up a matching wildcard SSL subdomain on that IP address. That should eliminate warnings about the SSL cert not matching the domain. IMHO, this would be the best possible approach. The system is set up to be as flexible as possible for administrators that don't want to take that much of a hands-on approach though.

    So if you really wanted to do everything in the best possible way....

    Set up an account with myhosting.com as the main domain.

    Add a wildcard subdomain *.myhosting.com

    Add a wildcard SSL cert on the wildcard subdomain

    Tell your users to connect to https://cpanel.myhosting.com, https://whm.myhosting.com, https://webmail.myhosting.com, https://webdisk.myhosting.com.

    If you're using a real signed wildcard SSL cert, these connections will not generate any warnings.
     
  14. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Thanks. That makes sense.

    Mike
     
  15. a.post

    a.post Member

    Joined:
    Mar 23, 2005
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    The Netherlands
    cPanel Access Level:
    Root Administrator
    Unfortunately this doesn't work. I tried this using a selfsigned certificate, but the problem is all queries to subdomains will be served from the directory set for the wildcard subdomain (i.e. /home/mydomain.com/public_html/wildcarddomainfolder ).

    Because the proxy additions made by the settings in "Tweak settings" are below the wildcard directive in httpd.conf, it will not reach the proxy directives and serve from the set html folder.

    I'm looking at the possibility to at least assign a certificate per proxy redirect, hopefully more on this later (Unless someone has any advice on this :cool:)
     
  16. jdlightsey

    jdlightsey Perl Developer III
    Staff Member

    Joined:
    Mar 6, 2007
    Messages:
    126
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Houston Texas
    cPanel Access Level:
    Root Administrator
    Yes, you're absolutely correct. What you'd need to do is set up a Wildcard cert on a matching non-wildcard subdomain (WHM will let you perform this type of SSL installation.)

    So remove the *.myhosting.com SSL subdomain

    Add unused.myhosting.com as a SSL subdomain on the same IP using the *.myhosting.com cert.

    Then when you go to https://cpanel.myhosting.com it should end up in the Proxy VirtualHost using the *.myhosting.com SSL cert.
     
  17. a.post

    a.post Member

    Joined:
    Mar 23, 2005
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    The Netherlands
    cPanel Access Level:
    Root Administrator
    Isn't it possible to let customers make a webmail.subdomain with their own certificate, and place the proxy directive above the SSL section in httpd.conf so each domain has a matching certificate and all webmail.* requests are proxied to mainIP:2095?
     
  18. a.post

    a.post Member

    Joined:
    Mar 23, 2005
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    The Netherlands
    cPanel Access Level:
    Root Administrator
    I'm not in to Perl of other forms of scripting around cPanel, but I would think if there would be the possibility to activate an extra option under the cPanel domain Subdomains:

    Instead of just setting a Document Root, the ability to redirect the subdomain using a proxy directive. Redirection is possible, just without proxy right now.

    When this is programmed to insert the rewrite/proxy directives inside this VirtualHost entry, it should work.

    Because the customer is already able to assign a certificate to a subdomain, they can use their own certificates.

    There should be some security checks before a customer should be able to activate this, for example only redirects to own domains and only to predefined ports (to prevent customer acces to other webapplications on the same server like ASSP).
     
  19. jdlightsey

    jdlightsey Perl Developer III
    Staff Member

    Joined:
    Mar 6, 2007
    Messages:
    126
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Houston Texas
    cPanel Access Level:
    Root Administrator
    The problem is that you can only do one SSL cert per IP address until TLS with SNI is available in all of the commonly used browsers and the commonly available versions of OpenSSL on cPanel servers. Even if you have a dedicated IP assigned to an account, if you use the IP for webmail.domain.com you can't also set up SSL for cpanel.domain.com, whm.domain.com, etc.

    Unfortunately it may be years before those two conditions are met. Even if we switched from mod_ssl to mod_gnutls we'd still come up short on browser support (along with the fact that mod_gnutls suffers a 60+% performance penalty compared to mod_ssl and isn't available for Apache 1.3.)

    Reusing existing SSL certs to secure the Proxy vhost is about the best that can be done without SNI. The only tricky part is that it's still left to the admin to decide how they want to allocate the available IP address space in terms of SSL certificates.
     
  20. a.post

    a.post Member

    Joined:
    Mar 23, 2005
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    The Netherlands
    cPanel Access Level:
    Root Administrator
    jd,

    next to the SNI discussion in this thread, isn't there another way to get things working?

    I would be really happy if the whm, cpanel and webmail deamon could be tranfered to normal 443 ports, but on a specific IPs. This way I can offer my customers access to these services with correct certificates (e.g. webmail.ourhostingcompany.com etc.).

    I would be willing to give up 3 extra IPaddresses for this. This way at least all subdomains work for 1 domain, instead of 1 subdomain for 1 domain without buying an expensive wildcard certificate.

    I had this running on my former Plesk machine. Customers just get warnings if they want to use webmail.customer.com, when they call our support desk they tell them to use webmail.ourhostingcompany.com instead, or upgrade from shared to fixed IP with their own certificates. Most of the times the smaller customers are shocked about the prices for this, but some bigger companies just want it. So why not offer it...
     
    #20 a.post, Jun 26, 2008
    Last edited: Jun 26, 2008
Loading...

Share This Page