
401 Authentication headers displaying Proxy private IP address

Article ID: 174301

Products: Advanced Secure Gateway Software - ASG; ProxySG Software - SGOS

Issue/Introduction

When performing a wget or curl request against the proxy, the 401 response shows the authentication realm as the private IP address of the proxy instead of the authentication realm configured for users. This could be a security vulnerability: someone performing the request does not necessarily need to know the private IP address to make the request, but can find the IP within the response, along with a description of what the device is (Server: BlueCoat-Security-Appliance).


Example:

$ wget -d https://10.xxx.xxx.xxx:8082 --no-check-certificate

..........

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 401 Unauthorized
Server: BlueCoat-Security-Appliance
Date: Mon, 08 Apr 2019 14:33:15 GMT
Cache-Control: private, no-cache, no-store, max-age=0
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: sameorigin
WWW-Authenticate: Basic realm="10.xxx.xxx.xxx"
Refresh: 0;URL="/Secure/Local/console/logout.htm"

Resolution

This happens because you are performing the request against the management console of the proxy (port 8082) and not against a web access layer, where domain authentication would typically be performed. The console's Basic challenge defaults to the appliance IP address as its realm.

To configure a Console Realm Name on the proxy, go to Configuration --> Authentication --> Console Access --> Console realm name and enter a value. The 401 response will then show this value as the realm instead of the IP address.


Example with console realm name set to "restricted-realm":

wget -d https://10.xxx.xxx.xxx:8082 --no-check-certificate

.....................

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 401 Unauthorized
Server: BlueCoat-Security-Appliance
Date: Mon, 08 Apr 2019 14:50:06 GMT
Cache-Control: private, no-cache, no-store, max-age=0
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: sameorigin
WWW-Authenticate: Basic realm="restricted-realm"
Refresh: 0;URL="/Secure/Local/console/logout.htm"
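The following is an added audit script, not code from the article or from Broadcom. It reproduces the check behind both examples above: it parses a raw 401 response from the console, extracts the Basic realm from WWW-Authenticate, and flags the case where the realm is an IP literal (the "before" state) versus a configured realm name (the "after" state). The sample responses are constructed from the article's output with a made-up address; the optional fetch helper and its port default of 8082 are assumptions based on the wget command shown.

```python
"""Audit a ProxySG console 401 response for IP-address realm disclosure.

Added example, not part of the KB article. Parses the status line and
headers of a 401 response, pulls the Basic realm out of WWW-Authenticate
and reports whether the realm is an IP literal (the misconfiguration the
article describes) or a configured console realm name.
"""
import http.client
import ipaddress
import re
import ssl
import sys

# Constructed sample modelled on the article's "before" output (address is made up).
SAMPLE_401_BEFORE = """HTTP/1.1 401 Unauthorized
Server: BlueCoat-Security-Appliance
Date: Mon, 08 Apr 2019 14:33:15 GMT
Cache-Control: private, no-cache, no-store, max-age=0
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: sameorigin
WWW-Authenticate: Basic realm="10.0.0.5"
Refresh: 0;URL="/Secure/Local/console/logout.htm"
"""

# Constructed sample of the "after" state, once a Console Realm Name is set.
SAMPLE_401_AFTER = SAMPLE_401_BEFORE.replace(
    'realm="10.0.0.5"', 'realm="restricted-realm"')

REALM_RE = re.compile(r'realm="([^"]*)"', re.IGNORECASE)


def parse_headers(raw):
    """Split a raw response into (status line, {lower-cased header: value})."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)  # split on the first colon only (Date has more)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def realm_of(headers):
    """Return the Basic realm from WWW-Authenticate, or None if absent."""
    match = REALM_RE.search(headers.get("www-authenticate", ""))
    return match.group(1) if match else None


def is_ip_literal(value):
    """True when the value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_response(raw):
    """Summarise what a console challenge reveals about the appliance."""
    status, headers = parse_headers(raw)
    realm = realm_of(headers)
    return {
        "is_401": status.split()[1:2] == ["401"],
        "realm": realm,
        # The finding from the article: the realm leaks the proxy's address.
        "realm_is_ip_literal": bool(realm) and is_ip_literal(realm),
        "server": headers.get("server"),
    }


def fetch_console_response(host, port=8082, verify_tls=True, timeout=5):
    """Fetch status line and headers from the console, like `wget -d` (assumed port)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of --no-check-certificate for a self-signed console cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        status = "HTTP/%d.%d %d %s" % (*divmod(resp.version, 10), resp.status, resp.reason)
        return "\n".join([status] + ["%s: %s" % kv for kv in resp.getheaders()]) + "\n"
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python audit_realm.py <console-host> [--insecure]
    if len(sys.argv) > 1:
        raw = fetch_console_response(sys.argv[1], verify_tls="--insecure" not in sys.argv)
    else:
        raw = SAMPLE_401_BEFORE
    result = audit_response(raw)
    print(result)
    if result["realm_is_ip_literal"]:
        print("Console realm is an IP address; set a Console Realm Name.")
```

Run it with no arguments to see the verdict on the constructed "before" sample, or pass the console hostname (and `--insecure` if the console still uses a self-signed certificate) to audit a live appliance. The only field you care about for this article is `realm_is_ip_literal`; a configured realm such as "restricted-realm" makes it `False`.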