Login failed because of invalid referer header

Srj73 · ‎29-May-2023

I am deploying F5 after Azure Application Gateway:

My setup:

internet > Azure Application Gateway (http://<Public IP:8443>) > F5 (https://Private IP:8443)

I am able to access the F5 default login page through Azure App GW . But, when i put the user and password it is giving below error :

"

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

"

When i check the console F5 log in tail -f /var/log/httpd/httpd_errors it is giving below error:

May 29 13:07:45 localhost.localdomain err httpd[11975]: [f5_auth_cookie:error] [pid 11975] [client x.x.x.x:29516] Login failed because of invalid referer header., referer: http://<PUBLIC IP of APPGW>:8443/tmui/login.jsp

1. I am able to login F5 bypassing Application Gateway without any issue.

2. I got this article https://my.f5.com/manage/s/article/K81809012 and tried multiple value for referer header but no luck.

3. I am runinng 17.x version software

Can someone please help if i am missing something here

Enes_Afsin_Al · ‎29-May-2023

Hi Srj73,

Can you change the service to https on Azure Application Gateway? This warning seems to occur because there is no TLS and referer header contains http.

Srj73 · ‎29-May-2023

Now, I changed to HTTPS on AzureGW

Same error i am getting:

May 29 14:49:31 localhost.localdomain err httpd[3993]: [f5_auth_cookie:error] [pid 3993] [client <private ip>:47018] Login failed because of invalid referer header., referer: https://<Public IP of AZGW>/tmui/login.jsp

Enes_Afsin_Al · ‎29-May-2023

Hi Srj73,

I tested using a different proxy instead of AzureGW.

There was no problem with the default settings.
When I changed the referer header in proxy, I got the same error.

err httpd[28597]: [f5_auth_cookie:error] [pid 28597] [client 172.22.101.205:41795] Login failed because of invalid referer header., referer: https://172.22.199.1/tmui/logmein.html?

When I deleted the referer header in proxy, I got the below error.

err httpd[29765]: [f5_auth_cookie:error] [pid 29765] [client 172.22.101.205:34778] Login is not permitted without a valid referer header or forwarded header when sys db variable systemauth.permitloginwithoutheaders is disabled.

The following method can be applied as a workaround.

Remove Referer header on AzureGW.
Change db parameter.

tmsh modify sys db systemauth.permitloginwithoutheaders value enable

Save config and restart httpd service.

tmsh save sys config
tmsh restart sys service httpd

Srj73 · ‎29-May-2023

Now, I have done few change

1. AppGW (port:https [earlier http on 8443]) > F5 (port:https[earlier https on 8443]) (This step is different and New Today)

2. Enabled systemauth.permitloginwithoutheaders (yesterday i enabled it during troubleshooting)

3. deleted the Refereal Header, (yesterday, i tried this step)

then it started giving below error

"May 29 17:02:31 localhost.localdomain err httpd[17412]: [auth_pam:error] [pid 17412] [client 10.21.0.4:19958] AUTHCACHE Error processing cookie VKJ4PU96LUgjepNSy1L6HUVOWJNWwr0v7s3C69RO - Cookie impersonation detected from client IP 10.21.0.4 to client IP 10.21.0.6"

4. Then as per article https://my.f5.com/manage/s/article/K13048 i done the step

5. Now, I am able to access the device

Leslie_Hubertus · ‎07-Jun-2023

So everything works properly, now?

Srj73 · ‎19-Jun-2023

yes..

DevCentral

Login failed because of invalid referer header

Unauthorized

MFA required on DevCentral