I noticed when locking down my server that php.ini's session.referer_check cannot be set to anything other than nothing (which is the same as commenting the line out), otherwise the Magento Admin > System > Web Setup Wizard returns 401 Unauthorised.
Could someone/a few someones please confirm this behavior? I believe the referer isn't set at one step of the way and thus it fails.
Note: This is a different issue to all of the doc root "pub" threads with similar symptoms. I've scoured the web to diagnose this one, but nobody seems to have answered it anywhere, so after my testing I have determined session.referer_check being set to be the root cause.
As I asked in your other topic, were you able to find a solution?
My post was the solution to the problem; I just wanted someone here to confirm whether PHP's session.referer_check value causes the "unlogin" when attempting to access the Web Setup Wizard from the Magento Admin. Nobody as yet appears to be interested in helping, but that's okay!
Solution for me was:
Base URLs (Secure)
-> Use Secure URLs on Storefront -> Yes
-> Use Secure URLs in Admin -> Yes
-> Enable HTTP Strict Transport Security (HSTS) -> Yes
-> Upgrade Insecure Requests -> Yes
php bin/magento cache:clean
I SOLVED THIS.