cPanel + reverse proxy = invalid security token

[EternalGlory]

The system almost works, but I get the error in various places when logging into webmail and performing certain actions on WHM:

HTTP error 401
Invalid Security Token

Lots of XSRF errors in the console:

Blocked a frame with origin "https://webmail.example.com" from accessing a frame with origin "https://cpanel.example.com". Protocols, domains, and ports must match.

Refused to display 'https://cpanel.example.com/cpsess12345678/3rdparty/squirrelmail/src/webmail.php?login=1&post_login=12345678' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Additionally, I get unstyled pages in WHM where it is attempting to pull styles and content from cPanel but fails to do so due to the aforementioned errors.


So far tried:

• Old hack for disabling XSS (xsrftoken=false), doesn't work on new cpanel
• Disable cookie based IP validation
• Force update
• Strip xss related headers using nginx
• Delete cache directory
• Praying to Lord Krishna

Still doesn't work.

 

[cPanelMichael]

Hello @EternalGlory,

It looks to relate to the use of your third-party reverse proxy application and proxy subdomains. The easiest way to solve the issue is to disable proxy subdomains and access cPanel/WHM/Webmail using the traditional ports (e.g. 2083, 2087, 2096). Beyond that, I recommend reporting this issue to the developer of the specific reverse proxy application you are using to see if they can offer a solution or workaround to solve the issue.

Thank you.