Last updated: 2023-08-13
Contents
- htpasswd inside .htaccess
- CLI - htpasswd
- Authentication
- Authorization
- Apache digest authentication (mod_auth_digest)
- htdigest - Multi htpasswd file
- Embedded Credentials
- Logout
htpasswd inside .htaccess
.htaccess
# Authentication Type: Basic / Digest
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
# AuthUserFile must be the full path
AuthUserFile /securefiles/.htpasswd
AuthGroupFile /dev/null
# This line is what actually requires a user login for the folder
Require valid-user
"Require" Usage:
Require [not] entity-name
.htpasswd
user:password
To exempt certain IPs from the password login, add:
Satisfy Any
CLI - htpasswd
# Install htpasswd
yum install httpd-tools
# Common options
- -c  Create the passwdfile (if passwdfile already exists, it is rewritten and truncated)
- -b  Use batch mode (get the password from the command line)
# Password type
- -m  Use MD5 encryption for passwords (default)
      ("$apr1$" + the result of an Apache-specific algorithm)
- -s  Use SHA encryption for passwords
      ("{SHA}" + Base64-encoded SHA-1 digest of the password)
- -d  Use crypt() encryption for passwords
- -B  Use bcrypt encryption for passwords
      ("$2y$" + the result of the crypt_blowfish algorithm)
# Other
- -v  Verify password
- -D  Delete user
e.g.
htpasswd -b -c -s passwd.masterusers username password
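The two password formats above can be checked offline. The following is an added example (not from the original notes or from Apache) that implements the $apr1$ scheme the notes describe (1,000 iterated MD5 rounds over password and salt) and the {SHA} scheme, and verifies a .htpasswd row against a candidate password; the user names and passwords in it are constructed, and bcrypt/crypt() rows are deliberately left to a library.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:
    """crypt(3)-style encoding: least-significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_md5(password: str, salt: str) -> str:
    """$apr1$<salt>$<hash>: the htpasswd -m default (salt is at most 8 chars)."""
    pw, salt = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    for remaining in range(len(pw), 0, -16):      # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:                                     # a NUL or the first char per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                           # the 1,000 MD5 rounds the notes mention
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return f"$apr1${salt.decode()}${enc}{_to64(final[11], 2)}"

def sha_hash(password: str) -> str:
    """{SHA} + Base64(SHA-1(password)): unsalted, so equal passwords give equal rows."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def verify_line(line: str, username: str, password: str) -> bool:
    """Check one 'user:hash' row of .htpasswd; schemes not implemented here never verify."""
    user, _, stored = line.strip().partition(":")
    if user != username:
        return False
    if stored.startswith("$apr1$"):
        candidate = apr1_md5(password, stored.split("$")[2])   # reuse the stored salt
    elif stored.startswith("{SHA}"):
        candidate = sha_hash(password)
    else:                                                      # crypt()/bcrypt: use a library
        return False
    return hmac.compare_digest(candidate, stored)
```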
Authentication (auth)
- Basic
- digest (mod_auth_digest)
mod_auth_basic:
AuthType Basic
mod_auth_digest:
- password is not transmitted as cleartext
- password storage on the server is much less secure
- A man-in-the-middle attacker can trivially force the browser to downgrade to basic authentication.
AuthType Digest
# Only MD5 is supported and it is the default value, so the next line is not required
AuthDigestAlgorithm MD5
AuthDigestDomain URI [URI]
URIs that are in the same protection space for digest authentication
<Location /private/>
    AuthDigestDomain /private/ http://mirror.my.dom/private2/
</Location>
Omitting to do so will cause the client to send the Authorization header for every request sent to this server. Apart from increasing the size of the request, it may also have a detrimental effect on performance if AuthDigestNcCheck is on.
AuthDigestNonceLifetime Directive
The AuthDigestNonceLifetime directive controls how long the server nonce is valid. When the client contacts the server using an expired nonce the server will send back a 401 with stale=true. If seconds is greater than 0 then it specifies the amount of time for which the nonce is valid; this should probably never be set to less than 10 seconds. If seconds is less than 0 then the nonce never expires.
Authorization (authz)
The authz modules provide authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site.
Auth*Provider (authn)
file provider <-- mod_authn_file
Providers are queried in order until a provider finds a match for the requested username,
at which point this sole provider will attempt to check the password.
Apache digest authentication (mod_auth_digest)
RFC2617
* password is not transmitted as cleartext
* password storage on the server is much less secure ( digest(MD5) < basic(MD5+salt) )
* this does not lead to a significant security advantage over basic authentication (Basic + SSL is the best choice)
Remark
The password hashing used with Basic is:
"$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password.
.htaccess
<Files mailreport.txt>
    AuthType Digest
    # AuthName corresponds to the realm
    AuthName "users"
    AuthDigestProvider file
    AuthUserFile "/var/www/htdigest.users"
    Require valid-user
</Files>
htdigest [ -c ] passwdfile REALM username
-c #Create the passwdfile.
REALM # The authentication realm for which the user's credentials are being stored.
# The realm is a string that is displayed to the user when they are prompted for authentication.
# It helps the user understand the context of the authentication request.
(http://tools.ietf.org/html/rfc2617#section-3.2.1)
i.e.
# REALM corresponds to AuthName
htdigest -c /var/www/htdigest.users users admin
File: /var/www/htdigest.users
# USERNAME:REALM:PASSWORD
admin:users:????
AuthDigestNonceLifetime
Controls how long the server nonce is valid.
(expired => 401 with stale=true )
Default: 300
The browser then submits the following request header:
Authorization: Digest username="admin", realm="users", nonce="?=?", uri="/mailreport/mailreport.txt", algorithm=MD5, response="?", qop=auth, nc=00000004, cnonce="?"
nc is incremented by 1 on each request
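How the server turns the htdigest row above and the Authorization header into an accept/reject decision, as an added example (not from the original notes or from mod_auth_digest): it reproduces the htdigest file format (USERNAME:REALM:HA1, which is the "????" field above), parses the header, recomputes the RFC 2617 response and compares it. The realm "users", user "admin" and URI are taken from the notes; the password, nonce and cnonce values are constructed.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def htdigest_line(username: str, realm: str, password: str) -> str:
    """Row format written by htdigest: USERNAME:REALM:HA1 with HA1 = MD5(user:realm:password).
    HA1 is unsalted and is itself enough to answer a challenge, which is why the notes call
    digest storage less secure than the $apr1$ rows of .htpasswd."""
    return f"{username}:{realm}:{md5_hex(f'{username}:{realm}:{password}')}"

def parse_digest_header(value: str) -> dict:
    """Turn 'Digest k="v", k=v, ...' (as sent by the browser) into a dict."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^",\s]*))', value[len("Digest "):])
    return {key: quoted or bare for key, quoted, bare in pairs}

def expected_response(ha1: str, method: str, p: dict) -> str:
    """RFC 2617: HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    when qop=auth, or the older MD5(HA1:nonce:HA2) when no qop is given."""
    ha2 = md5_hex(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")

def verify_digest(htdigest_lines, method: str, header: str) -> bool:
    """Server side: find the user's row for this realm and compare responses in constant
    time. Nonce freshness (AuthDigestNonceLifetime) and nc replay checks are not modelled."""
    p = parse_digest_header(header)
    for line in htdigest_lines:
        user, realm, ha1 = line.strip().split(":", 2)
        if user == p.get("username") and realm == p.get("realm"):
            return hmac.compare_digest(expected_response(ha1, method, p), p.get("response", ""))
    return False

def build_header(username, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """Client side: the header shown in the notes, computed from the cleartext password."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    p = {"uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'algorithm=MD5, response="{expected_response(ha1, method, p)}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}"')

# Constructed sample data: the admin/users row with a made-up password, and one GET with made-up nonces
HTDIGEST = [htdigest_line("admin", "users", "correct-horse")]
HEADER = build_header("admin", "users", "correct-horse", "GET",
                      "/mailreport/mailreport.txt", "5f1a2b3c", "00000004", "9e8d7c6b")
```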
Multi htpasswd file
<AuthnProviderAlias file global.pw>
    AuthUserFile "htpasswd/global.pw"
</AuthnProviderAlias>
<AuthnProviderAlias file datahunter.pw>
    AuthUserFile "htpasswd/datahunter.pw"
</AuthnProviderAlias>
<VirtualHost *:443>
    ...
    <Directory "/var/web/pages/secure">
        # global.pw is checked first, then datahunter.pw
        AuthBasicProvider global.pw datahunter.pw
        AuthType Basic
        AuthName "Protected Area"
        Require valid-user
        ...
    </Directory>
</VirtualHost>
Embedded Credentials
Error
Subresource requests whose URLs contain embedded credentials (e.g. `https://user:pass@host/`) are blocked.
Links on a page stored in the https://user:pass@host/file.txt format will be blocked.
Logout
Logging out of BASIC authentication
.htaccess
AuthType Basic
Require valid-user
...
# Method 1: Server
When the browser receives a 401 (Unauthorized) from the server, it prompts the user for credentials again, which effectively logs the user out.
Reason: after receiving a 401 the browser assumes the previous login was wrong, and the server asks for the login once more.
# Method 2: Client
http://[email protected]/