cPanel + reverse proxy = invalid security token

EternalGlory

The system almost works, but I get the error in various places when logging into webmail and performing certain actions on WHM:

HTTP error 401
Invalid Security Token

Lots of XSRF errors in the console:
Code:
Blocked a frame with origin "https://webmail.example.com" from accessing a frame with origin "https://cpanel.example.com". Protocols, domains, and ports must match.

Refused to display 'https://cpanel.example.com/cpsess12345678/3rdparty/squirrelmail/src/webmail.php?login=1&post_login=12345678' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Additionally, I get unstyled pages in WHM where it is attempting to pull styles and content from cPanel but fails to do so due to the aforementioned errors.


So far tried:
  • Old hack for disabling XSS (xsrftoken=false), doesn't work on new cPanel
  • Disable cookie-based IP validation
  • Force update
  • Strip XSS-related headers using nginx
  • Delete cache directory
  • Praying to Lord Krishna
Still doesn't work.
 

cPanelMichael

Administrator
Staff member
Hello @EternalGlory,

It looks to relate to the use of your third-party reverse proxy application and proxy subdomains. The easiest way to solve the issue is to disable proxy subdomains and access cPanel/WHM/Webmail using the traditional ports (e.g. 2083, 2087, 2096). Beyond that, I recommend reporting this issue to the developer of the specific reverse proxy application you are using to see if they can offer a solution or workaround to solve the issue.

Thank you.
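
The two console messages quoted in the first post come from two separate browser checks. The following Node.js script is an added example, not part of the thread and not cPanel or nginx code; it models both checks to show why removing `X-Frame-Options` at the proxy leaves the cross-origin frame access error in place. The function names `originDiff` and `diagnoseFrame`, the parent page path `/` and the header maps are assumptions made for the example.

```javascript
// Added example (not cPanel or nginx code). Models two browser checks for a
// page that embeds another page in a frame. Hostnames and the frame URL are
// the ones quoted in the console output; header maps are constructed samples.
// Simplification: only the direct parent is compared, and CSP frame-ancestors
// is not modelled.

function originDiff(a, b) {
  const diff = [];
  if (a.protocol !== b.protocol) diff.push('protocol');
  if (a.hostname !== b.hostname) diff.push('domain');
  if (a.port !== b.port) diff.push('port');
  return diff;
}

function diagnoseFrame(parentUrl, frameUrl, frameHeaders = {}) {
  const parent = new URL(parentUrl);
  const frame = new URL(frameUrl);
  const diff = originDiff(parent, frame);
  const sameOrigin = diff.length === 0;

  // Header names are case-insensitive.
  const headers = Object.fromEntries(
    Object.entries(frameHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();

  // Check 1: may the browser display the response inside the frame?
  const displayed = !(xfo === 'DENY' || (xfo === 'SAMEORIGIN' && !sameOrigin));
  // Check 2: may the parent's script reach into the frame? This is the
  // same-origin policy; removing X-Frame-Options does not change it.
  const scriptAccess = displayed && sameOrigin;

  return { sameOrigin, diff, displayed, scriptAccess };
}

const PARENT = 'https://webmail.example.com/';
const FRAME = 'https://cpanel.example.com/cpsess12345678/3rdparty/' +
  'squirrelmail/src/webmail.php?login=1&post_login=12345678';

// As served by the backend, then with the header stripped at the proxy.
const asServed = diagnoseFrame(PARENT, FRAME, { 'X-Frame-Options': 'SAMEORIGIN' });
const stripped = diagnoseFrame(PARENT, FRAME, {});
console.log({ asServed, stripped });
```

With the header stripped the frame is displayed, but `scriptAccess` stays `false` because the two hostnames are still different origins.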