GUI returning HTTP status 200 instead of 401 on failed login

Started by dzany, September 03, 2021, 11:51:31 AM

Hi all, I hope I got to the correct subforum, and hello to all, this is my first post here :)

I have a reverse proxy in front of the OPNsense GUI for some specific reasons. I want to use fail2ban as an additional guard against failed logins to the OPNsense GUI because it needs to be accessible from outside the network, so the users can change their own VPN passwords and get their TOTP QR code by themselves.

I have a problem: the OPNsense GUI is actually returning HTTP status 200 instead of 401 when the username/password combination is incorrect. Is there any quick fix available, or could it be requested to get fixed in a future release?

Thank you!

OPNsense logs failed attempts to Syslog. You can use that to trigger a reaction.
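
One way to act on the syslog suggestion above with fail2ban, as an added example that is not part of the original thread or of OPNsense itself. The filter name, the log path and the exact message text are assumptions, and it also assumes the logged address is the client's rather than the reverse proxy's.

```ini
# --- /etc/fail2ban/filter.d/opnsense-gui.conf (hypothetical filter name) ---
[Definition]
# Assumed message text: compare it with a real failed-login line in your
# own syslog and adjust before enabling the jail.
# <HOST> is anchored to the end of the line so that text inside the quoted
# username can never be matched as the address to ban.
failregex = Web GUI authentication error for '.*' from <HOST>\s*$
ignoreregex =

# --- /etc/fail2ban/jail.d/opnsense-gui.local (hypothetical jail name) ---
[opnsense-gui]
enabled  = true
filter   = opnsense-gui
# Assumed path: the file where the fail2ban host stores the syslog
# messages forwarded from OPNsense.
logpath  = /var/log/remote/opnsense.log
# Ban after 5 failures within 10 minutes, for 1 hour.
maxretry = 5
findtime = 10m
bantime  = 1h
```

Running `fail2ban-regex` with the log file and the filter file as arguments shows whether the pattern matches your real log lines before the jail is switched on.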