Status code upon login failures is not 401 when WebApp is behind proxy
-
Hello everyone,
Setup:
Internet -> Nginx Proxy -> Webapp Apache2

Upon log file analysis I observed that entering incorrect passwords / usernames does not result in a 401 response code in the NGINX/Apache2 log file, but only a 200 with a verbal "Logon failed. Please verify your credentials and try again".
When entering a wrong password my reverse proxy receives from the webapp:
AAA.BBB.CCC.EEE - - [11/Apr/2020:12:56:16 +0200] "POST /webapp/?logon HTTP/1.1" 200 3096 "https://XXX/webapp/?logon" "Mozilla/5.0 (Linux; Android 7.0; DEVICENAME) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.xxx.xxx.xxx Safari/537.36"
Looking into the WebApp Apache2 access log states:
AAA.BBB.CCC.EEE - - [11/Apr/2020:12:56:16 +0200] "POST /webapp/?logon HTTP/1.1" 200 3550 "https://XXX/webapp/?logon" "Mozilla/5.0 (Linux; Android 7.0; DEVICENAME) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.xxx.xxx.xxx Safari/537.36"
Looking into the WebApp Apache2 error log reveals:
[Sat Apr 11 12:56:16.087556 2020] [:error] [pid 22604] [client AAA.BBB.CCC.EEE:49738] Kopano WebApp user: username@XXX.de: authentication failure at MAPI, referer: https://XXX/webapp/?logon
Anyone else observing this? This causes some problems when establishing security mechanisms like fail2ban, …
All involved servers are:
Description: Debian GNU/Linux 10 (buster)
Release: 10.6
WebApp: 4.6.1.0+154.1
Kopano Core: 8.7.16

I appreciate any help.
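As an added example (not code from the thread or from Kopano): a small Python check that pulls failed logons out of the Apache error-log line quoted above, since the access log only ever shows 200, and counts them per client address the way a fail2ban filter would. The regex, the sample log lines, the addresses and the user names are constructed assumptions based on the single line in the post.

```python
import re
from collections import Counter

# Shape of the Apache error-log line Kopano WebApp writes on a failed logon,
# taken from the single line quoted in the post. The access log shows 200 for
# these requests, so this error line is the only usable signal. The regex is an
# assumption derived from that one sample, not from Kopano documentation.
KOPANO_AUTH_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid \d+\] "
    r"\[client (?P<ip>[^\]]+):\d+\] "  # greedy, so an IPv6 client with ':' also parses
    r"Kopano WebApp user: (?P<user>\S+): authentication failure at MAPI"
)
# Equivalent fail2ban failregex (assumed, not verified against a fail2ban install):
#   failregex = \[client <HOST>:\d+\] Kopano WebApp user: \S+: authentication failure at MAPI

def parse_failures(lines):
    """Yield (client_ip, user) for every Kopano authentication-failure line."""
    for line in lines:
        m = KOPANO_AUTH_FAIL.match(line)
        if m:
            yield m.group("ip"), m.group("user")

def offending_ips(lines, maxretry=3):
    """Return {ip: failure_count} for client IPs with at least maxretry failures.

    Mirrors fail2ban's maxretry over a batch of lines (no findtime window here)."""
    counts = Counter(ip for ip, _ in parse_failures(lines))
    return {ip: n for ip, n in counts.items() if n >= maxretry}

# Constructed sample lines modelled on the post; addresses and users are made up.
SAMPLE_LOG = [
    "[Sat Apr 11 12:56:16.087556 2020] [:error] [pid 22604] [client 203.0.113.5:49738] "
    "Kopano WebApp user: alice@example.org: authentication failure at MAPI, referer: https://mail.example.org/webapp/?logon",
    "[Sat Apr 11 12:56:20.112233 2020] [:error] [pid 22604] [client 203.0.113.5:49740] "
    "Kopano WebApp user: alice@example.org: authentication failure at MAPI, referer: https://mail.example.org/webapp/?logon",
    "[Sat Apr 11 12:56:25.445566 2020] [:error] [pid 22605] [client 203.0.113.5:49742] "
    "Kopano WebApp user: bob@example.org: authentication failure at MAPI, referer: https://mail.example.org/webapp/?logon",
    "[Sat Apr 11 12:57:01.778899 2020] [:error] [pid 22605] [client 198.51.100.7:51000] "
    "Kopano WebApp user: carol@example.org: authentication failure at MAPI, referer: https://mail.example.org/webapp/?logon",
    "[Sat Apr 11 12:57:05.000001 2020] [mpm_prefork:notice] [pid 22600] AH00169: caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    print(offending_ips(SAMPLE_LOG))  # {'203.0.113.5': 3}
```

Behind the Nginx proxy the `[client ...]` field in the backend error log is the proxy's own address unless Apache is configured to trust the forwarded client address (for example via mod_remoteip), so per-IP counts are only meaningful once that is in place.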
-
Try
define("INSECURE_COOKIES", true);
it may help.
Walter
-
Hi Walter,
Sorry, I did not get notified about your post. Thank you for the tip. I will try and let you know!
Cheers