最後更新: 2023-08-13

目錄

• .htaccess 內的 htpasswd
• CLI - htpasswd
• Authentication
• Authorization
• Apache digest authentication (mod_auth_digest)
   - htdigest
• Multi htpasswd file
• Embedded Credentials
• Logout

 

---

.htaccess 內的 htpasswd

 

.htaccess

# Authentication Type: Basic / Digest
AuthType Basic

AuthName "Restricted Area"
AuthBasicProvider file

AuthUserFile /securefiles/.htpasswd           <-- full path
AuthGroupFile /dev/null

# 這句才是指定所在 Folder 要 user login
Require valid-user

"Require" Usage:

Require [not] entity-name

.htpasswd

user:password

對於某些 IP 不用 Password login, 加上

Satisfy Any

 

---

CLI - htpasswd

 

# Install htpasswd

yum install httpd-tools

# 常用 Opts

• -c     Create the passwdfile (If passwdfile already exists, it is rewritten and truncated)
• -b     Use batch mode (get the password from the command line)

# Password type

• -m     # Use MD5 encryption for passwords (Default)
           ("$apr1$" + the result of an Apache-specific algorithm)
• -s     # Use SHA encryption for passwords
           ("{SHA}" + Base64-encoded SHA-1 digest of the password)
• -d     # Use crypt() encryption for passwords
• -B     # Use bcrypt encryption for passwords.
           ("$2y$" + the result of the crypt_blowfish algorithm)

# Other

• -v     Verify  password
• -D     Delete user

e.g.

htpasswd -b -c -s passwd.masterusers username password

 

---

Authentication(auth)

 

• Basic
• digest (mod_auth_digest)

mod_auth_basic:

AuthType Basic

mod_auth_digest:

- password is not transmitted as cleartext

- password storage on the server is much less secure

- A man-in-the-middle attacker can trivially force the browser to downgrade to basic authentication.

AuthType Digest

# 由於只有 MD5, 而且它是 default value, 所以此行非必須
AuthDigestAlgorithm MD5

AuthDigestDomain URI [URI]

URIs that are in the same protection space for digest authentication

<Location /private/>
    AuthDigestDomain /private/ http://mirror.my.dom/private2/
</Location>

Omitting to do so will cause the client to send the Authorization header for every request sent to this server. Apart from increasing the size of the request, it may also have a detrimental effect on performance if AuthDigestNcCheck is on.

AuthDigestNonceLifetime Directive

The AuthDigestNonceLifetime directive controls how long the server nonce is valid. When the client contacts the server using an expired nonce the server will send back a 401 with stale=true. If seconds is greater than 0 then it specifies the amount of time for which the nonce is valid; this should probably never be set to less than 10 seconds. If seconds is less than 0 then the nonce never expires.

 

---

Authorization(authz)

 

module provides authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site.

Auth*Provider (authn)

file provider <-- mod_authn_file

Providers are queried in order until a provider finds a match for the requested username,

at which point this sole provider will attempt to check the password.

 

---

Apache digest authentication (mod_auth_digest)

 

RFC2617

 * password is not transmitted as cleartext
 * password storage on the server is much less secure ( digest(MD5) <  basic(MD5+Seed) )
 * this does not lead to a significant security advantage over basic authentication (用 basic + ssl 最好)

remark

Basic 所用的 password encrypt 係

"$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password.

.htaccess

<Files mailreport.txt>
  AuthType Digest
  AuthName "users"                       # 對應 realm
  AuthDigestProvider file
  AuthUserFile "/var/www/htdigest.users"
  Require valid-user
  # Require valid-user
</Files>

htdigest

htdigest [ -c ] passwdfile REALM username

-c             #Create the passwdfile.

REALM       # The authentication realm for which the user's credentials are being stored.
                 # The realm is a string that is displayed to the user when they are prompted for authentication.
                 # It helps the user understand the context of the authentication request.
                    (http://tools.ietf.org/html/rfc2617#section-3.2.1)

i.e.

# 對應 AuthName

htdigest -c /var/www/htdigest.users users admin

File: /var/www/htdigest.users

# USERNAME:REALM:PASSWORD
admin:users:????

AuthDigestNonceLifetime

Controls how long the server nonce is valid.
(expired => 401 with stale=true )

Default: 300

Browser submit 上有有

name

Authorization

value

Digest username="admin", realm="users", nonce="?=?"
, uri="/mailreport/mailreport.txt", algorithm=MD5, response="?", qop=auth
, nc=00000004, cnonce="?"

nc 每次加 1

 

---

Multi htpasswd file

 

<AuthnProviderAlias file global.pw>
    AuthUserFile "htpasswd/global.pw"
</AuthnProviderAlias>

<AuthnProviderAlias file datahunter.pw>   
    AuthUserFile "htpasswd/datahunter.pw"
</AuthnProviderAlias>

<VirtualHost *:443>
  ...
  <Directory "/var/web/pages/secure">
    # 先 check global.pw 再 check datahunter.pw
    AuthBasicProvider global.pw datahunter.pw
    AuthType Basic
    AuthName "Protected Area"
    Require valid-user
    ...
  </Directory>
</VirtualHost>

 

---

Embedded Credentials

 

Error

Subresource requests whose URLs contain embedded credentials (e.g. `https://user:pass@host/`) are blocked.

page 的 link 以 https://user:pass@host/file.txt format 存放係會被 block 的

 

---

Logout

 

logout BASIC authentication

.htaccess

AuthType Basic
Require valid-user
...

# 方法 1: Server

當 Browser 收到 Server 返回的 401(Unauthorized), 佢會問 user 的 credentials, 這時相當 Logout 了.

原因: 當 Browser 收到 401 後就會假設之前的 Login 錯誤, Server 再問過一次 Login

# 方法 2: Client

http://[email protected]/