WHM subdomain with proxy, mixed content problem

Nicola Urbinati

Well-Known Member
Feb 1, 2017
76
11
8
Italy
cPanel Access Level
Root Administrator
Hi,

Only on some WHM pages (terminal, Manage AutoSSL and a few others), when using a proxy in front of apache (engintron), some content gets requested over HTTP, breaking security and page.
By the way, I'm offloading all SSL traffic to nginx, passing all as http to apache.

This is what chrome dev console shows:

Code:
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure stylesheet 'http://srvcp01.example.net:8080/cPanel_magic_revision_1538601071/styles/master-ltr.cmb.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure stylesheet 'http://srvcp01.example.net:8080/cPanel_magic_revision_1523488009/libraries/xtermjs/xterm.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure script 'http://srvcp01.example.net:8080/cPanel_magic_revision_1533675475/templates/menu/header_and_navigation.cmb.min.js'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure script 'http://srvcp01.example.net:8080/cPanel_magic_revision_1415404035/libraries/requirejs/optimized/require.min.js'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure stylesheet 'http://srvcp01.example.net:8080/cPanel_magic_revision_1538601071/styles/master-ltr.cmb.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://whm.example.com/cpsess1604554776/scripts12/terminal' was loaded over HTTPS, but requested an insecure stylesheet 'http://srvcp01.example.net:8080/cPanel_magic_revision_1523488009/libraries/xtermjs/xterm.min.css'. This request has been blocked; the content must be served over HTTPS.
Is there something so different in the way those pages are built, so as some content gets requested via HTTP? Is there a way to get it standardised?
or
Is there a way to make the request managed well?
 
Last edited by a moderator:

Nicola Urbinati

Well-Known Member
Feb 1, 2017
76
11
8
Italy
cPanel Access Level
Root Administrator
Hi,

I disabled Engintron and the content is correctly loaded in HTTPS.

Re-abled Engintron (as a particular setting, I am offloading all HTTPS traffic to Nginx, as per the Engintron wiki walkthrough), and those pages are loading mixed content again.

Thing is: only those pages have this behaviour, so knowing why this happens (how are those different from other pages) could help me managing them through Engintron.

Thank you,

Nicola.
 

LucasRolff

Well-Known Member
Community Guide Contributor
May 27, 2013
143
94
78
cPanel Access Level
Root Administrator
I'd advise you to wait for an update on the issue you've created on the Enginetron github page about it, meanwhile use example.com/whm :)2087) to access WHM, this should bypass Enginetron.

The issue in this very specific case, is that it's very "easy" to get wrong because you have nginx doing a proxy to Apache, and then Apache has to do a proxy to cpanelsrvd to load up WHM - I can see that there might be translation issues of URL's due to the double proxy part - however. it should really cause WHM to not load at all if that was the case.

I cannot see why it proxies to port 8080 when it should, in reality, be requesting things over port 8443.
 
  • Like
Reactions: cPanelLauren

Nicola Urbinati

Well-Known Member
Feb 1, 2017
76
11
8
Italy
cPanel Access Level
Root Administrator
Hi,

Thank you for your answer.

It's proxing to 8080 beacause actually I'm using the "Offload HTTPS to Nginx" walktrhouh on the Engintron Wiki, so that the SSL thing will be done only once by Nginx, and the load on the server will be lighter.

Let's see if the guys on Engintron can help me some way.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
HI @Nicola Urbinati

I've had a bit of time to contemplate this and I really can't see a way that these are called differently that would result in this. I would assume if there was an issue with the request it would come over http on apache as well which leads me to believe it's something specific to the way it's being requested through nginx. If you talk to the folks at engintron and they're able to get you an answer please let us know here, I'd wager it would help someone else in the long run.


Thanks!
 

LucasRolff

Well-Known Member
Community Guide Contributor
May 27, 2013
143
94
78
cPanel Access Level
Root Administrator
I could also recommend looking into LiteSpeed, it's even "officially supported" by cPanel and doesn't cause any issues - additionally, it does a better job at solving what you're trying to solve by using a set of (rather unsupported) software together.
 
  • Like
Reactions: cPanelMichael