Troubleshooting 401 Unauthorized error during admin console access after upgrading to 5.8 or later
This article is applicable for:
Product edition: inSync On-Premise 5.8 and later
Problem description
After upgrading the inSync server to 5.8, the admin console is not accessible using 127.0.0.1/admin or https://localhost/admin and fails with the following error.
Error on page: "401 Unauthorized"
No Permission.
You may also notice the following error in the logs.
{snip}
[2016-05-27 02:18:21,515] [ERROR] Host Header validation failed for /slide_session with Host header 127.0.0.1
[2016-05-27 02:18:21,516] [ERROR] [27/May/2016:02:18:21] Traceback (most recent call last):
File "cherrypy/_cprequest.py", line 102, in run
File "cherrypy/_cprequest.py", line 62, in __call__
File "__main__inSyncCPortal__.py", line 217, in validate_hostheader
SyncError: Bad Request. (#1000000bf)
[2016-05-27 02:18:21,516] [ERROR] [27/May/2016:02:18:21] HTTP Traceback (most recent call last):
File "cherrypy/_cprequest.py", line 653, in respond
File "cherrypy/_cprequest.py", line 112, in run
SyncError: Bad Request. (#1000000bf)
[2016-05-27 02:18:21,519] [ERROR] {'csrf_token': u'XXKhEdsUqynFKQJKoUPiPSSxKFboak5Q'}
{snip}
In many applications, the HTTP Host header value is trusted and used to generate links, import scripts, and even build password reset links. This can be exploited through web-cache poisoning and through the abuse of alternative channels such as password reset emails: an attacker who controls the Host header can cause the application to behave in unexpected ways. inSync 5.8 therefore validates the Host header of every request, which is what the log entries above record.
Resolution
Starting with 5.8, inSync honors only the IP address or fully qualified domain name (FQDN) of the inSync Master that is configured under Server IP/FQDN in the Network Settings. Requests that use any IP address or FQDN not listed under Server IP/FQDN do not work.
Note: The FQDN added in the Network Settings must be entered in lower case; the field is case sensitive.
To access inSync using the loopback address or localhost, add that address to the Server IP/FQDN setting, as shown in the following images.
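The following is an added example, not Druva's code, that models the Host header check described above: a request is accepted only if its Host header names an address configured under Server IP/FQDN, and the comparison is exact, so an uppercase entry in the settings never matches. It assumes the port suffix of the Host header is ignored and uses constructed sample addresses.

```python
# Added example (not inSync's own code): models the Host header validation that
# inSync 5.8+ performs against the configured Server IP/FQDN values.
# Assumption: a ':port' suffix on the Host header is ignored for the comparison.
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class NetworkSettings:
    """Values configured under Server IP/FQDN (constructed sample data)."""
    server_addresses: Set[str] = field(default_factory=set)


def strip_port(host_header: str) -> str:
    """Return the host part of a Host header, dropping ':port' ([IPv6]:port too)."""
    if host_header.startswith("["):
        return host_header.split("]")[0] + "]"
    if host_header.count(":") == 1:
        return host_header.rsplit(":", 1)[0]
    return host_header


def validate_host_header(host_header: str, settings: NetworkSettings) -> bool:
    """Exact, case-sensitive membership test: only configured addresses pass."""
    return strip_port(host_header) in settings.server_addresses


def handle_request(host_header: str, settings: NetworkSettings) -> Tuple[int, str]:
    """Mimic the server's response: 401 'No Permission' when the Host does not match."""
    if not validate_host_header(host_header, settings):
        # Corresponds to "Host Header validation failed ... with Host header <value>"
        return (401, "No Permission")
    return (200, "OK")


def find_uppercase_entries(settings: NetworkSettings) -> List[str]:
    """Flag configured entries that can never match because they are not lower case."""
    return sorted(a for a in settings.server_addresses if a != a.lower())


if __name__ == "__main__":
    cfg = NetworkSettings({"insync.example.com", "10.0.0.5"})  # constructed values
    print(handle_request("insync.example.com:443", cfg))        # (200, 'OK')
    print(handle_request("127.0.0.1", cfg))                     # (401, 'No Permission')
    cfg.server_addresses.update({"127.0.0.1", "localhost"})     # the documented fix
    print(handle_request("127.0.0.1", cfg))                     # (200, 'OK')
    print(find_uppercase_entries(NetworkSettings({"INSYNC.Example.com"})))
```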
References
For more information, contact Druva technical support.