HTTP Basic/Digest Authentication

HTTP Authentication

HTTP Authentication with apache provides a very quick way to protect pages from unauthorized access. The two main types of HTTP authentication are Basic and Digest.

HTTP Basic is very insecure. Passwords are transferred to the server in plain text. It is possible for someone to eavesdrop on the connection and steal the password. HTTP Digest is a more secure scheme because the client hashes the password with MD5 before it is transferred to the server, so the password itself never crosses the wire. However, there are weaknesses in MD5 that may allow a brute-force attack to determine the password, although this is not very easy. The best solution when using HTTP authentication is to do so over an SSL connection whenever possible.

This article shows how to configure apache to do both HTTP Basic Authentication and HTTP Digest Authentication. We'll use htpasswd to create a user/password file to store user credentials. Another method would be to use apache's mod_authn_dbd module to store the user credentials in a database.

htpasswd may not be installed. To install it on Ubuntu run sudo apt-get install apache2-utils.
Don't forget to enable the mod_auth_basic module for apache.

CREATE A USER AND PASSWORD FOR BASIC AUTHENTICATION

Create a user along with a password using htpasswd. With this method the username/password are stored in a file.

#create a new password file called "passwordfilename" in the directory
#/path/to/store/passwords and add a new user "david"
#(-c creates the file; leave it out when adding users to an existing file,
#otherwise the existing file is overwritten)
htpasswd -c /path/to/store/passwords/passwordfilename david
#you will be prompted for a password and to re-type it.

HTTP BASIC AUTHENTICATION

Now, to enable HTTP Basic Authentication add the following to the start of your .htaccess or to your virtual host configuration. Accessing this page on the server will now require the credentials for david.
To allow any valid user in the password file to log in, change Require user david to Require valid-user.
NOTE: To use HTTP Basic Authentication, apache's mod_auth_basic module must be enabled.

AuthUserFile /path/to/store/passwords/passwordfilename
AuthType Basic
AuthName "Test Server"
Require user david

htdigest may not be installed. To install it on Ubuntu run sudo apt-get install apache2-utils.
Don't forget to enable the mod_auth_digest module for apache.

CREATE A USER AND PASSWORD FOR HTTP DIGEST

Create a user along with a password using htdigest. With this method the username/password are stored in a file.

#SYNTAX: htdigest [-c] passwordfile realm username
#create a new password file called "passwordfilename" in the directory
#/path/to/store/passwords and add a new user "david"
#the realm ('Test Server' here) must match the AuthName in the apache configuration,
#otherwise Digest authentication will never succeed
htdigest -c /path/to/store/passwords/passwordfilename 'Test Server' david
#you will be prompted for a password and to re-type it.

HTTP DIGEST AUTHENTICATION

As previously stated, HTTP Basic Authentication is not secure. To enable HTTP Digest Authentication instead, add the following to the start of your .htaccess or to your virtual host configuration. Accessing this page on the server will now require the credentials for david. To allow any valid user in the password file to log in, change Require user david to Require valid-user. NOTE: To use HTTP Digest Authentication, apache's mod_auth_digest module must be enabled, and the AuthName must be the same realm that was given to htdigest.

AuthUserFile /path/to/store/passwords/passwordfilename
AuthType Digest
AuthName "Test Server"
Require user david