Forum Discussion

Srj73's avatar
Srj73
Icon for Altostratus rankAltostratus
May 29, 2023

Login failed because of invalid referer header

I am deploying F5 after Azure Application Gateway:

My setup:

internet > Azure Application Gateway (http://<Public IP:8443>) > F5 (https://Private IP:8443)

I am able to access the F5 default login page through Azure App GW . But, when i put the user and password it is giving below error :

"

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

"

 

When i check the console F5 log in tail -f /var/log/httpd/httpd_errors it is giving below error:

May 29 13:07:45 localhost.localdomain err httpd[11975]: [f5_auth_cookie:error] [pid 11975] [client x.x.x.x:29516] Login failed because of invalid referer header., referer: http://<PUBLIC IP of APPGW>:8443/tmui/login.jsp

1. I am able to login F5 bypassing Application Gateway without any issue.

2. I got this article https://my.f5.com/manage/s/article/K81809012 and tried multiple value for referer header but no luck.

3. I am runinng 17.x version software

Can someone please help if i am missing something here 

 

6 Replies

  • Hi Srj73,

    Can you change the service to https on Azure Application Gateway? This warning seems to occur because there is no TLS and referer header contains http.

    • Srj73's avatar
      Srj73
      Icon for Altostratus rankAltostratus

      Now, I changed to HTTPS  on AzureGW

      Same error i am getting:

       

      May 29 14:49:31 localhost.localdomain err httpd[3993]: [f5_auth_cookie:error] [pid 3993] [client <private ip>:47018] Login failed because of invalid referer header., referer: https://<Public IP of AZGW>/tmui/login.jsp

  • Hi Srj73,

    I tested using a different proxy instead of AzureGW.

    • There was no problem with the default settings.
    • When I changed the referer header in proxy, I got the same error.
    err httpd[28597]: [f5_auth_cookie:error] [pid 28597] [client 172.22.101.205:41795] Login failed because of invalid referer header., referer: https://172.22.199.1/tmui/logmein.html?
    • When I deleted the referer header in proxy, I got the below error.
    err httpd[29765]: [f5_auth_cookie:error] [pid 29765] [client 172.22.101.205:34778] Login is not permitted without a valid referer header or forwarded header when sys db variable systemauth.permitloginwithoutheaders is disabled.

    The following method can be applied as a workaround.

    • Remove Referer header on AzureGW.
    • Change db parameter.
    tmsh modify sys db systemauth.permitloginwithoutheaders value enable
    • Save config and restart httpd service.
    tmsh save sys config
    tmsh restart sys service httpd

     

    • Srj73's avatar
      Srj73
      Icon for Altostratus rankAltostratus

      Now, I have done few change

      1. AppGW (port:https [earlier http on 8443]) > F5 (port:https[earlier https on 8443]) (This step is different and New Today)

      2. Enabled systemauth.permitloginwithoutheaders (yesterday i enabled it during troubleshooting)

      3. deleted the Refereal Header, (yesterday, i tried this step)

       

      then it started giving below error

       

      "May 29 17:02:31 localhost.localdomain err httpd[17412]: [auth_pam:error] [pid 17412] [client 10.21.0.4:19958] AUTHCACHE Error processing cookie VKJ4PU96LUgjepNSy1L6HUVOWJNWwr0v7s3C69RO - Cookie impersonation detected from client IP 10.21.0.4 to client IP 10.21.0.6"

       

      4. Then as per article https://my.f5.com/manage/s/article/K13048 i done the step

      5. Now, I am able to access the device