cPanel SSL Proxy Subdomain - 500 Error

[tina]

Hello,

Please try the following recipe on your CentOS (no CloudLinux!) cPanel test server:

1. Login to WHM

2. Go to 'Tweak Settings' and make sure the following are enabled:

- Proxy subdomains
- Proxy subdomain creation

3. Go to 'LiteSpeed Web Server' and switch to 'Apache'

4. Create a cPanel account on the *shared IP* with a real domain that resolves to the server. We will call it test-domain.com in this example.

5. Go to 'Generate an SSL Certificate and Signing Request', and create a new certificate

6. Go to 'Install an SSL Certificate and Setup the Domain', and paste the new certificate, and also the new key. Change the user to 'nobody', then click 'Submit'

7. Visit https://cpanel.test-domain.com/ (use the actual domain, take note of the 'https' and the 'cpanel.', and also do not enter any port number).

8. A certificate message should appear, allow it, and you will be able to log into cPanel.

9. Now log into WHM again and go to 'LiteSpeed Web Server' and switch to 'LiteSpeed'

10. Once again, visit https://cpanel.test-domain.com/ (use the actual domain, take note of the 'https' and the 'cpanel.', and also do not enter any port number).

11. You will now see a 500 error message instead!

Please advise - is this a LiteSpeed setting issue, or something that you can fix ASAP for the next version?

 

[webizen]

in my lab testing, i am getting 500 error in Apache with the following message in step 8 after certificate message appear.

SoftException in Application.cpp:427: Mismatch between target UID (501) and UID (99) of file "/home/..."

 

[tina]

in my lab testing, i am getting 500 error in Apache with the following message in step 8 after certificate message appear.

From the error message it looks like the cPanel proxy subdomain is not working, because Apache is trying to load the website instead (that's why the '/home/user' path is involved).

Try and see if you can get the cPanel proxy subdomain to work correctly, which might resolve the error with Apache.

 

[tina]

Okay, we just tried the same steps with another cPanel CentOS machine, and Apache is loading the domain's website (instead of loading cPanel), but there are no errors.

We have no idea why the SSL proxy on the shared IP is working on one machine (with Apache), but not another.

So it seems there may be some missing steps, and we will need to spend some more time to find out all the steps for making Apache load cPanel on the shared IP.

 

[stormy]

Funny, I just googled "cpanel proxy subdomains 500 error" and this is the first result. And I'm using Litespeed!

I have a 500 error on any proxy subdomain:
https://cpanel . domain . com

They were working with Apache, so there must be something with Litespeed.

Any ideas on what to try?

I checked the error log /usr/local/apache/logs/error_log and this is what happens:

2013-12-20 10:07:15.975 [ERROR] [REWRITE] Absolute URL with leading 'http://' is required for proxy, URL: https://127.0.0.1:2083/
2013-12-20 10:07:15.975 [ERROR] [REWRITE] Absolute URL with leading 'http://' is required for proxy, URL: https://127.0.0.1:2083/500.shtml

 

[mistwang]

LSWS wont proxy a backend via https, so have to use HTTP backend, what you need to do is:
You need to update cpanel templates
under /var/cpanel/templates/apache.../main.default

comment out
RewriteCond %{HTTP_HOST} ^cpanel\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2083/$1 [P]
RewriteCond %{HTTP_HOST} ^webmail\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2096/$1 [P]
RewriteCond %{HTTP_HOST} ^whm\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2087/$1 [P]
RewriteCond %{HTTP_HOST} ^webdisk\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://127.0.0.1:2078/$1 [P]

read more about customizing templates at
http://docs.cpanel.net/twiki/bin/view/EasyApache/EasyApacheCustomDirectivesOutsideVirtualHost#Custom Templates

disable the option force redirect to https for cpanel access.

If you want to disable access to cpanel http port directly,
add iptables rule to block direct access to port 2082 other than 127.0.0.1 .

 

[stormy]

The whole point of this is to allow https access only.

Does this mean this won't ever work in Litespeed?

 

[mistwang]

no plan to support HTTPS proxy backend anytime soon.

The solution I suggested still only allow https access from outside if you configure iptables.

 

[stormy]

Would it be possible to consider changing this behaviour in a future update? Litespeed is breaking a standard cPanel feature that we rely on, and the fix is very involved.