WHM subdomain with proxy, mixed content problem

[Nicola Urbinati]

Hi,

Only on some WHM pages (terminal, Manage AutoSSL and a few others), when using a proxy in front of apache (engintron), some content gets requested over HTTP, breaking security and page.
By the way, I'm offloading all SSL traffic to nginx, passing all as http to apache.

This is what chrome dev console shows:

Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure stylesheet 'http://srvcp01.example.net:8080/cPanel_magic_revision_1538601071/styles/master-ltr.cmb.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure stylesheet 'http://srvcp01.example.net:8080/cPanel_magic_revision_1523488009/libraries/xtermjs/xterm.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure script 'http://srvcp01.example.net:8080/cPanel_magic_revision_1533675475/templates/menu/header_and_navigation.cmb.min.js'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure script 'http://srvcp01.example.net:8080/cPanel_magic_revision_1415404035/libraries/requirejs/optimized/require.min.js'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure stylesheet 'http://srvcp01.example.net:8080/cPanel_magic_revision_1538601071/styles/master-ltr.cmb.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure stylesheet 'http://srvcp01.example.net:8080/cPanel_magic_revision_1523488009/libraries/xtermjs/xterm.min.css'. This request has been blocked; the content must be served over HTTPS.

Is there something so different in the way those pages are built, so as some content gets requested via HTTP? Is there a way to get it standardised?
or
Is there a way to make the request managed well?

 

[cPanelLauren]

Hi @Nicola Urbinati

Do the pages load with mixed content over apache alone or only when using nginx to load https traffic?

 

[Nicola Urbinati]

Hi,

I disabled Engintron and the content is correctly loaded in HTTPS.

Re-abled Engintron (as a particular setting, I am offloading all HTTPS traffic to Nginx, as per the Engintron wiki walkthrough), and those pages are loading mixed content again.

Thing is: only those pages have this behaviour, so knowing why this happens (how are those different from other pages) could help me managing them through Engintron.

Thank you,

Nicola.

 

[LucasRolff]

I'd advise you to wait for an update on the issue you've created on the Enginetron github page about it, meanwhile use example.com/whm 2087) to access WHM, this should bypass Enginetron.

The issue in this very specific case, is that it's very "easy" to get wrong because you have nginx doing a proxy to Apache, and then Apache has to do a proxy to cpanelsrvd to load up WHM - I can see that there might be translation issues of URL's due to the double proxy part - however. it should really cause WHM to not load at all if that was the case.

I cannot see why it proxies to port 8080 when it should, in reality, be requesting things over port 8443.

 

[Nicola Urbinati]

Hi,

Thank you for your answer.

It's proxing to 8080 beacause actually I'm using the "Offload HTTPS to Nginx" walktrhouh on the Engintron Wiki, so that the SSL thing will be done only once by Nginx, and the load on the server will be lighter.

Let's see if the guys on Engintron can help me some way.

 

[cPanelLauren]

HI @Nicola Urbinati

I've had a bit of time to contemplate this and I really can't see a way that these are called differently that would result in this. I would assume if there was an issue with the request it would come over http on apache as well which leads me to believe it's something specific to the way it's being requested through nginx. If you talk to the folks at engintron and they're able to get you an answer please let us know here, I'd wager it would help someone else in the long run.


Thanks!

 

[LucasRolff]

I could also recommend looking into LiteSpeed, it's even "officially supported" by cPanel and doesn't cause any issues - additionally, it does a better job at solving what you're trying to solve by using a set of (rather unsupported) software together.

 

[Anoop P Alias]

I believe the issue is with how the whm subdomain configuration is handled here.