SSL access to proxy domains (whm/cpanel/webmail)

Discussion in 'Security' started by tomi1122, Jul 14, 2010.

  1. tomi1122

    tomi1122 Member

    I have enabled proxy domains and these work fine. However if I try to hit one of the proxy domains over ssl it returns an error. It appears the server returns plain http and not https, as in:

    https://webmail.mydomain.com - SSL error

    http://webmail.mydomain.com:443 - this works fine and shows webmail interface

    How do I get port 443 for proxy domain to respond with SSL/HTTPS?

    Thank you,

    Tom
     
  2. Miraenda

    Miraenda Well-Known Member

    What specific SSL error does it return?
     
  3. tomi1122

    tomi1122 Member

    The browser error is: SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

    The reason I get this error, though, is because plain HTTP is responding on 443 and not HTTPS. So the SSL handshake fails.

    Tom
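
Why plain HTTP on port 443 surfaces as ssl_error_rx_record_too_long, as an added example that is not part of the original post: a TLS client reads the first five bytes of the reply as a record header, and the ASCII text of an HTTP reply decodes to a length above the TLS maximum. The sample byte strings are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_TLS_CIPHERTEXT = 2**14 + 2048  # largest legal TLSCiphertext.length


def parse_record_header(first_bytes: bytes) -> dict:
    """Read 5 bytes the way a TLS client does: type, version, length."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes of the server's reply")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def classify_reply(first_bytes: bytes) -> str:
    """Return 'tls', 'plain-http' or 'unknown' for the start of a reply."""
    hdr = parse_record_header(first_bytes)
    if (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= MAX_TLS_CIPHERTEXT):
        return "tls"
    # A web server answering in cleartext starts with a status line or,
    # for an unparseable request, directly with an HTML error page.
    if first_bytes[:5] == b"HTTP/" or first_bytes.lstrip()[:1] == b"<":
        return "plain-http"
    return "unknown"


# Constructed samples: the first bytes a client might read from port 443.
SAMPLES = {
    "status line": b"HTTP/1.1 400 Bad Request\r\n",
    "html error page": b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">",
    "tls alert": b"\x15\x03\x03\x00\x02\x02\x28",
}


def report(samples=SAMPLES) -> dict:
    """Map each sample to (classification, length a TLS client would read)."""
    return {name: (classify_reply(data), parse_record_header(data)["length"])
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, length) in report().items():
        too_long = length > MAX_TLS_CIPHERTEXT
        print(f"{name:16} {kind:11} length={length:5} too_long={too_long}")
```
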
     
  4. Miraenda

    Miraenda Well-Known Member

    Just to confirm, the cPanel/WHM/Webmail SSL has been installed using WHM > Manage Service SSL Certificates area? Since that SSL is the one being served for any of the proxy subdomains, that SSL is required for the proxy subdomain to work.

    If you cannot get it to work with either installing or re-installing that SSL certificate for WHM/cPanel/Webmail in WHM's Manage Service SSL Certificates area, you might well simply want to open a ticket with cPanel using WHM > Support Center > Contact cPanel area.
     
  5. tomi1122

    tomi1122 Member

    Cert has been installed and working without a problem at all. However, I was hitting the site on a secondary IP associated with customer account. If however I hit the host on primary IP it works...

    https://webmail.hostdomain.com - works because it's on primary IP

    https://webmail.customerdomain.com - works only if set to host to primary IP

    https://webmail.customerdomain.com - does not work on secondary, account dedicated IP, returns plain HTTP and not HTTPS

    The problem with this is that if a customer buys a dedicated IP from me and I set up a domain wildcard cert for that IP, then I cannot use it because I have to go on host IP and HTTPS bound to that IP has a wrong cert (one for the host domain). So you get a mismatch warning.

    My question then is: how do I get https://webmail.customerdomain.com working with customer supplied cert and account designated IP.

    Tom
     
  6. Miraenda

    Miraenda Well-Known Member

    I'm not certain this is possible to fix. Your initial post didn't clarify this issue as it stated proxy subdomains weren't working at all for https, but proxy subdomains are working for those domains on the shared IP and only dedicated IP sites aren't working for proxy subdomains for https.

    The reason these other domains don't work is that the service SSLs only allow one certificate (the hostname) rather than multiple certificates. Apache can have multiple SSLs under the cPanel setup, but the services such as exim, ftp and the cPanel services can only have that one SSL certificate. When you try to use the proxy subdomains with a domain not on the shared IP, then it cannot work under that setup due to the one SSL certificate from how I understand it. If there's any workaround, I'm not certain what it would be.
     
  7. tomi1122

    tomi1122 Member

    Again the problem here is not with mismatched certs. The problem is that for proxied domains:
    a) by default they are set up on domain/account dedicated IP
    b) on that IP they respond with HTTP on an HTTPS port.

    I think the correct setup for proxied domains is:
    a) respond with HTTPS on 443 port for all proxied domains
    b) use domain assigned cert on domain/account specific IP

    And that is what I am trying to figure out how to do. It would seem to me that this type of setup would work OOTB and that the proxy entries in httpd.conf right now as generated by cPanel are not quite correct.

    Tom
     
  8. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Please try the following two steps, in the exact order listed, to see if this helps alleviate the difficulty; these are commands you may enter on a command-line, via root SSH access:
    Code:
    # /scripts/rebuildhttpdconf
    # /scripts/restartsrv_httpd
     
    #8 cPanelDon, Jul 14, 2010
    Last edited: Jul 14, 2010
  9. tomi1122

    tomi1122 Member

    So I did that but I don't think it helps. Here is the virtual host entry for the proxy hosts (not the actual IPs):

    <VirtualHost 55.1.1.32:80 55.1.1.34:80 64.1.1.87:443 *>

    Here the 64.1.1.87 is the primary host IP and 55.*.*.* are secondary. So it appears 443 is only being mapped to primary and never to secondary.

    Tom
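
One way to automate the check made by eye in the post above, as an added example that is not part of the original post or of cPanel: for each `<VirtualHost>` line in an httpd.conf, list the addresses bound on port 80 that have no matching 443 binding in the same vhost. The function names are hypothetical, and the sample config is constructed from the line quoted in the post plus one made-up vhost.

```python
import re

# Match only real opening tags, not commented-out lines or closing tags.
VHOST_RE = re.compile(r"^[ \t]*<VirtualHost\s+([^>]+)>", re.I | re.M)
ADDR_RE = re.compile(r"(\[[^\]]+\]|[^:\s]+)(?::(\d+|\*))?")


def split_addr(token: str):
    """Split 'ip:port', '[v6]:port', 'ip' or '*' into (address, port|None)."""
    m = ADDR_RE.fullmatch(token)
    if not m:
        raise ValueError(f"unrecognised VirtualHost address: {token!r}")
    port = m.group(2)
    return m.group(1), int(port) if port and port != "*" else None


def audit_vhosts(conf_text: str) -> list:
    """Per vhost: addresses with a :80 binding but no :443 binding."""
    findings = []
    for m in VHOST_RE.finditer(conf_text):
        ports = {}
        for token in m.group(1).split():
            addr, port = split_addr(token)
            ports.setdefault(addr, set()).add(port)
        missing = sorted(a for a, p in ports.items()
                         if a != "*" and 80 in p and 443 not in p)
        findings.append({
            "line": conf_text.count("\n", 0, m.start(1)) + 1,
            "wildcard": "*" in ports,   # bare '*' entry present
            "missing_443": missing,
        })
    return findings


# Constructed sample: first vhost is the line quoted in the post,
# second vhost is invented to show a binding that passes the check.
SAMPLE_CONF = """\
<VirtualHost 55.1.1.32:80 55.1.1.34:80 64.1.1.87:443 *>
</VirtualHost>
# <VirtualHost 10.0.0.1:80>
<VirtualHost 192.0.2.10:80 192.0.2.10:443>
</VirtualHost>
"""

if __name__ == "__main__":
    for f in audit_vhosts(SAMPLE_CONF):
        print(f)
```
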
     
  10. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    One way to do this is to add an include to the wildcard vhost with the following info:

    SSLProxyEngine On

    ServerAlias cpanel.* whm.* webmail.* webdisk.*
    ServerAlias cpanelsecure.* whmsecure.* webmailsecure.*

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^cpanel\.
    RewriteRule ^/(.*) http://%{HTTP_HOST}:2082/$1 [P]
    RewriteCond %{HTTP_HOST} ^webmail\.
    RewriteRule ^/(.*) http://%{HTTP_HOST}:2095/$1 [P]
    RewriteCond %{HTTP_HOST} ^whm\.
    RewriteRule ^/(.*) http://%{HTTP_HOST}:2086/$1 [P]
    RewriteCond %{HTTP_HOST} ^webdisk\.
    RewriteRule ^/(.*) http://%{HTTP_HOST}:2077/$1 [P]

    RewriteCond %{HTTP_HOST} ^cpanelsecure\.
    RewriteRule ^/(.*) https://%{HTTP_HOST}:2083/$1 [P]

    RewriteCond %{HTTP_HOST} ^whmsecure\.
    #RewriteRule ^/(.*) https://%{HTTP_HOST}:2087/$1 [P]
    RewriteRule ^/(.*) https://tonyx.be:2087/$1 [P]


    RewriteCond %{HTTP_HOST} ^webmailsecure\.
    RewriteRule ^/(.*) https://%{HTTP_HOST}:2096/$1 [P]
    </IfModule>
     
  11. lorio

    lorio Well-Known Member

    Are you using this on a productive server already?

    I wonder why cPanel won't make the adjustment? Is the port firewall problem that uncommon?

    I would prefer to have a special account added to every server to allow the design of a webmail portal with a different name than the server hostname and allow SSL cert installation like the normal accounts. But I think it is too late since most will go to Gmail and are happy. No ports, no firewall problems. HTTPS out of the box. The demand on this board for GoogleApp integration into cPanel is an indicator for that.
    Sorry for getting a bit off-topic.

    Question for clarification:
    Is it possible to set a global webmail access with SSL and the standard port 443 via the host server domain?

    https://host.server.tld:2096 is working.

    https://host.server.tld isn't. The "Great Success ! Apache is working on your cPanel" default page is working on Port 80.

    Since the demand for that (on this board) seems to be low I still hope I am just too blind to see.
     
  12. m0rpheu5

    m0rpheu5 Well-Known Member

    It's working if I use /http://www.myclient.com/webmail, then I configure the tweak to always use SSL, then it redirects to my hostname SSL cert and works fine, but my clients are used to using webmail.myclient.com, and then I get an error in the SSL. How can I fix this?

    Thanks
     