Apache Basic and Digest Authentication
Apache uses three mechanisms to decide whether a request for a page is allowed:
1. Authentication - verifying that the user is who he/she claims to be (by providing a username/password)
2. Authorization - once the user is verified, checking whether he/she has permission to access the page (for example, membership of a group)
3. Access control - granting or denying access based on IP address, subnet, host name, etc.
Basic authentication
How it works
1. A request for a protected page arrives
2. The web server asks for credentials (a 401 response whose WWW-Authenticate header carries the 'realm')
3. The browser shows a pop-up window (displaying the 'realm') asking the user for a username/password
4. The server checks the username/password against the password file and, if they match, returns the requested page
How to configure - example of protecting Nagios pages
Create the password file and add the first user:
/opt/csw/apache/bin> ./htpasswd -c /opt/csw/apache/password/apache-password monalisa
New password:            (type the password; remember that it will travel over the network in clear text)
Re-type new password:    (type the password again)
Adding password for user monalisa

-c = create the file
When adding additional users do not use -c, since it would overwrite the existing file.
Set ownership and permissions so that only root can write and the group Apache runs as can read:
/opt/csw/apache/password> ls
-rw-r----- 1 root webservd 21 Aug 17 15:25 apache-password
Note: in this file the password is stored as a hash (example: monalisa:cqwsnwCuEAG0k), not in clear text; it is the copy that the browser sends with each request that travels over the network in clear text.
The "Basic authentication" Nagios directives in /opt/csw/apache/conf/httpd.conf are shown below (AuthType, AuthName, AuthUserFile and Require are the authentication directives; the rest is the usual Nagios CGI setup):
<Directory "/opt/csw/nagios/sbin/">
AllowOverride AuthConfig
Options ExecCGI
Order allow,deny
Allow from all
AuthType Basic
# realm (AuthName) associated with the cached username/password
AuthName "LOGIN TO COMPANY'S NAGIOS 2.1"
AuthUserFile /opt/csw/apache/password/apache-password
Require valid-user
</Directory>
Verify Apache configuration
/opt/csw/apache/bin> ./apachectl configtest
Restart Apache: /etc/init.d/cswapache restart or /opt/csw/apache/bin/apachectl restart
Digest Authentication
Since Basic authentication sends the password over the network in clear text, Digest authentication is much better.
With Digest, the browser does not send the password itself but an MD5 digest/hash (a 32-digit hexadecimal, base-16 number) computed from the username, realm, password and a nonce issued by the server, so the password never crosses the network.
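To make the difference between the two schemes concrete, here is an added example (not from the original page or from the Apache project) that builds both exchanges in Python: the Basic header a browser sends, what anyone reading the traffic recovers from it, and the Digest exchange in the RFC 2617 MD5 form, with the server verifying against the same user:realm:HA1 line format that htdigest writes. The user name, realm, password and nonce values are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# --- Basic authentication -------------------------------------------------
# The browser answers the 401 with "Authorization: Basic <base64(user:password)>".
# Base64 is an encoding, not encryption: anyone who can read the traffic
# recovers the password by decoding it, which is the weakness the page describes.


def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_decode(header: str) -> tuple[str, str]:
    """What an observer of the traffic learns from a Basic header: the clear-text credentials."""
    token = header.split("Basic ", 1)[1].strip()
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- Digest authentication (RFC 2617, algorithm=MD5, no qop) ---------------
# htdigest stores HA1 = MD5("user:realm:password"), the third field of the
# digest file. The browser sends MD5(HA1:nonce:HA2) with HA2 = MD5("method:uri"),
# so neither the password nor HA1 crosses the wire.


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def htdigest_entry(user: str, realm: str, password: str) -> str:
    """One line of the digest file, in the user:realm:HA1 format htdigest writes."""
    return f"{user}:{realm}:{md5hex(f'{user}:{realm}:{password}')}"


def new_nonce() -> str:
    """Server side: a fresh random nonce for the WWW-Authenticate challenge."""
    return secrets.token_hex(16)


def digest_response(user: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """Client side: the 'response' value the browser puts in its Authorization header."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def digest_verify(digest_file: str, user: str, realm: str,
                  nonce: str, method: str, uri: str, response: str) -> bool:
    """Server side: look up the stored HA1 and recompute the expected response.

    The server never needs the clear-text password, only HA1 from the file.
    """
    for line in digest_file.splitlines():
        if not line.strip():
            continue
        stored_user, stored_realm, ha1 = line.strip().split(":", 2)
        if stored_user == user and stored_realm == realm:
            ha2 = md5hex(f"{method}:{uri}")
            expected = md5hex(f"{ha1}:{nonce}:{ha2}")
            return hmac.compare_digest(expected, response)
    return False


# Constructed sample data (not from the page): user, realm and a made-up password.
USER, REALM, PASSWORD = "monalisa", "Nagios-Login-Digest", "constructed-example-pw"
DIGEST_FILE = htdigest_entry(USER, REALM, PASSWORD) + "\n"


def demo() -> dict:
    """Run both exchanges and return what each one exposes on the wire."""
    basic = basic_header(USER, PASSWORD)
    nonce = new_nonce()
    uri = "/nagios/cgi-bin/status.cgi"
    resp = digest_response(USER, REALM, PASSWORD, nonce, "GET", uri)
    return {
        "basic_header": basic,
        "basic_recovered": basic_decode(basic),   # (user, clear-text password)
        "digest_file_line": DIGEST_FILE.strip(),  # user:realm:HA1, 32 hex digits
        "digest_response": resp,                  # 32 hex digits, changes with every nonce
        "digest_accepted": digest_verify(DIGEST_FILE, USER, REALM, nonce, "GET", uri, resp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the Basic header decoding straight back to the password, while the Digest response is a different 32-digit hash every time the server issues a new nonce and is still accepted by a server that holds only the HA1 line. Note that the nonce check in digest_verify is what makes a captured response useless for a later request; a real server also tracks which nonces it has issued.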
How to configure - example of protecting Nagios pages
Create the password file and add the first user:
/opt/csw/apache/bin> ./htdigest -c /opt/csw/apache/password/digest "Nagios-Login-Digest" monalisa
Adding password for monalisa in realm Nagios-Login-Digest.
New password:
Re-type new password:
"Nagios-Login-Digest" = realm
monalisa = username
-c = creates the file; when adding other users omit it, otherwise the existing file will be overwritten.
Example of digest file:
/opt/csw/apache/password> cat digest
monalisa:Nagios-Login-Digest:f7ef8f08d8b26369f0ea20fb5400c4b8
Set ownership so that root can read/write and the group that runs Apache can read:
-rw-r----- 1 root webservd 55 Aug 17 17:23 digest
The "Digest authentication" Nagios directives in /opt/csw/apache/conf/httpd.conf are shown below (AuthType, AuthName, AuthDigestFile and Require are the authentication directives; the rest is the usual Nagios CGI setup):
<Directory "/opt/csw/nagios/sbin/">
AllowOverride AuthConfig
Options ExecCGI
Order allow,deny
Allow from all
AuthType Digest
# realm associated with digest passwd
AuthName "Nagios-Login-Digest"
AuthDigestFile /opt/csw/apache/password/digest
Require valid-user
</Directory>
Verify Apache configuration
/opt/csw/apache/bin> ./apachectl configtest
Restart Apache: /etc/init.d/cswapache restart or /opt/csw/apache/bin/apachectl restart
Note that the web site content itself still travels to your browser in clear text (the same as with Basic authentication); only HTTPS protects the pages themselves.
Access control
Sometimes you do not want to authenticate users at all, but to restrict access from, say, a subnet, a specific IP or a host name.
The Allow/Deny directives handle this. They work together with the Order directive, which defines the order in which the two filters are applied.
Usage is fairly intuitive; an example that blocks one specific IP while allowing everyone else:
Order allow,deny
Allow from all
Deny from 172.21.17.15
Also check the Satisfy directive, which can be either "all" or "any": with "all", every specified criterion (access control and authentication) must be met for access to be granted; with "any", meeting one of them is enough.
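Because the result of Allow/Deny depends on Order in a way that is easy to get backwards, here is an added example (not from the original page or from Apache) that models the Apache 2.2 evaluation rules in Python and runs the page's own Order allow,deny / Allow from all / Deny from 172.21.17.15 block through them, together with a constructed "intranet only" variant and the Satisfy all/any combination. Only "all", single IPs and CIDR subnets are handled; host-name and partial-address arguments are left out, and the 172.21.0.0/16 subnet is an assumption for the example.

```python
import ipaddress

# Model of the Apache 2.2 mod_authz_host rules used on this page.
# An Allow/Deny argument may be "all", a single IP address or a CIDR subnet.


def _matches(rule: str, client_ip: str) -> bool:
    """Does one Allow/Deny argument match the client address?"""
    if rule == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)


def access_decision(order: str, allow_rules: list, deny_rules: list, client_ip: str) -> bool:
    """True if the request is allowed by the Allow/Deny directives under the given Order."""
    allowed = any(_matches(r, client_ip) for r in allow_rules)
    denied = any(_matches(r, client_ip) for r in deny_rules)
    if order == "allow,deny":
        # Allow directives first, then Deny. A client matching both is denied,
        # and a client matching neither is denied (default deny).
        return allowed and not denied
    if order == "deny,allow":
        # Deny directives first, then Allow. A client matching both is allowed,
        # and a client matching neither is allowed (default allow).
        return allowed or not denied
    raise ValueError(f"unknown Order: {order}")


def satisfy(mode: str, host_ok: bool, auth_ok: bool) -> bool:
    """Combine the access-control result with the authentication result.

    Satisfy all (the default): both must pass. Satisfy any: either one is enough,
    e.g. no password from an allowed subnet, but a password from anywhere else.
    """
    if mode == "all":
        return host_ok and auth_ok
    if mode == "any":
        return host_ok or auth_ok
    raise ValueError(f"unknown Satisfy: {mode}")


def page_example(client_ip: str) -> bool:
    """The block from the page: Order allow,deny / Allow from all / Deny from 172.21.17.15."""
    return access_decision("allow,deny", ["all"], ["172.21.17.15"], client_ip)


def intranet_only(client_ip: str) -> bool:
    """Constructed variant: Order deny,allow / Deny from all / Allow from 172.21.0.0/16."""
    return access_decision("deny,allow", ["172.21.0.0/16"], ["all"], client_ip)


if __name__ == "__main__":
    for ip in ("172.21.17.15", "172.21.17.16", "10.0.0.1"):
        print(f"{ip}: page example -> {page_example(ip)}, intranet only -> {intranet_only(ip)}")
    # Satisfy any: an intranet client needs no password, an outside client does.
    print("intranet, no password:", satisfy("any", intranet_only("172.21.17.15"), False))
    print("outside, with password:", satisfy("any", intranet_only("10.0.0.1"), True))
```

The two defaults are the point to remember: with Order allow,deny an address that matches neither list is refused, with Order deny,allow it is admitted, and on an overlap the directive named second wins. Checking a new Allow/Deny block against a few addresses this way, before the restart, avoids locking out administrators or opening the page to everyone.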