That's good news. Now you need to set Origin header properly:

RequestHeader set Origin "http://yourdomain.com"

Unfortunately, it looks like this is not quite possible: http://serverfault.com/questions/290121/configurin...

However you might try adding similar proxypass statement for /ajenti:socket and Ajenti should fallback to XHR polling instead of websockets.

What if you add ProxyPass /ajenti:auth http://localhost:8000

Does the Plugins section indicate that CSF plugin was properly loaded? I.e. no warning sign near the plugin name.

Oh, I thought that you used NGINX. The Apache code was contributed by a user, and I don't really have the Apache experience to tackle with it. Do you get to the login page when being redirected to /ajenti:auth? If the form doesn't work there, check whether the POST requests to /ajenti:auth actually reach Ajenti through Apache. 

Just add this option in GUI (as a custom option). You don't have to edit the raw file. Also you don't need to put "iptables" before the lines there.

The manual has been recently updated, double-check that you're using correct location ~ /ajenti.*

You can use src-range iptables option: http://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html

Set up your webserver (e.g.: NGINX http://support.ajenti.org/topic/349870-ajenti-behind-nginx/) to forward requests on a subdomain/subpath to Ajenti.