2009/08/23

How to enable digest authentication (Apache2)

Want to secure your Apache web server? Digest authentication (mod_auth_digest) is a much more secure way to authenticate HTTP requests than basic authentication, which sends the credentials essentially in plaintext over the wire (base64 is an encoding, not encryption), so it is not secure at all, really. To start with, you need to create a password file. First, decide where this file should be stored; it is best not to put it anywhere under the web root (wwwroot), so the server can never serve it to clients. Create the password file with the following command (repeat as necessary to add additional users, but leave off the -c argument, which creates the file and replaces an existing one):

sudo htdigest -c filename realm username

Above, the "realm" argument needs to match the AuthName in sites-available/default (default-ssl if you use SSL). You will be prompted to enter and verify the password for the user you created.

Next, create the rules in your Apache config. On more modern distributions, you will usually find your site's config in /etc/apache2/sites-available/. If you have only one site and no virtual hosts, you are probably just running off the "default" file in that directory, so do:

sudo nano /etc/apache2/sites-available/default

or, if your site is SSL-secured:

sudo nano /etc/apache2/sites-available/default-ssl

and enter the following lines in the config (I placed mine below the <Directory /var/www/>... section):

<Directory /wwwpath>
AuthType Digest
AuthName "REALM"
AuthUserFile passwordfile
Require valid-user
</Directory>

It is important to note that Apache's own (2.0) docs say to use AuthDigestFile to point to where your password file is located, but this produces an error when trying to reload/restart apache2, which results in a failure to load. Using AuthUserFile instead fixes this. (AuthDigestFile is the Apache 2.0 directive; in Apache 2.2, mod_auth_digest reads the password file through AuthUserFile, with AuthDigestProvider defaulting to "file".)

The word REALM in quotes for AuthName can be anything but MUST MATCH the "realm" argument given to htdigest when adding a user to the password file: htdigest stores MD5(username:realm:password), so with a different AuthName there is no entry the server can match against. If anyone finds out otherwise, please let me know (give me as many details as you can), though for me it wouldn't request authentication at all if they didn't match.
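To show why the realm is not just a label, here is an added Python example (not from the original post) that reproduces what htdigest writes to the password file and how the server checks a digest response against it; the user, password, nonce and cnonce values are constructed for the demo.

```python
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_entry(user: str, realm: str, password: str) -> str:
    """Line htdigest writes: user:realm:HA1 with HA1 = MD5(user:realm:password).
    The realm is baked into the hash, which is why AuthName must match it."""
    return f"{user}:{realm}:{_md5(f'{user}:{realm}:{password}')}"


def parse_htdigest(text: str) -> dict:
    """Load a password file into a {(user, realm): HA1} lookup table."""
    store = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, realm, ha1 = line.split(":", 2)
            store[(user, realm)] = ha1
    return store


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2), HA2 = MD5(method:uri)."""
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{_md5(f'{method}:{uri}')}")


def client_auth(user: str, password: str, realm: str, method: str, uri: str) -> dict:
    """Client side: the realm comes from the server's challenge (i.e. from AuthName)."""
    nonce, nc, cnonce = "deadbeef01", "00000001", "0a4f113b"  # constructed values
    ha1 = _md5(f"{user}:{realm}:{password}")
    return {"username": user, "realm": realm, "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}


def server_verify(store: dict, authname: str, method: str, uri: str, auth: dict) -> bool:
    """Server side: find HA1 under (username, AuthName) and compare in constant time."""
    ha1 = store.get((auth["username"], authname))
    if auth["realm"] != authname or ha1 is None:
        return False  # no entry for this user in this realm: htdigest realm != AuthName
    expected = digest_response(ha1, method, uri, auth["nonce"], auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth["response"])


def demo() -> tuple:
    """Returns (matching realm, AuthName differs from htdigest realm, wrong password)."""
    store = parse_htdigest(htdigest_entry("alice", "Private Area", "s3cret") + "\n")
    ok = server_verify(store, "Private Area", "GET", "/p/", client_auth("alice", "s3cret", "Private Area", "GET", "/p/"))
    bad_realm = server_verify(store, "Members", "GET", "/p/", client_auth("alice", "s3cret", "Members", "GET", "/p/"))
    bad_pw = server_verify(store, "Private Area", "GET", "/p/", client_auth("alice", "wrong", "Private Area", "GET", "/p/"))
    return ok, bad_realm, bad_pw
```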

The example in the Apache2 docs also shows the use of AuthDigestDomain, which is actually not required (use it if you actually need it; otherwise leave it out). Leaving it out will force authentication for the entire web server. If this is not desired, use AuthDigestDomain. Ex:

<Directory /wwwpath>
AuthType Digest
AuthName "REALM"
AuthDigestDomain /private-area/
AuthUserFile passwordfile
Require valid-user
</Directory>

Here "/private-area/" corresponds to the /var/www/private-area/ directory on your web server.

Once you have the Directory section saved in your config, do:

sudo /etc/init.d/apache2 reload

You should see:



If all went as expected, you should now get a login prompt when accessing your web server, according to how you configured it.

You can also do more advanced things with digest auth, which I won't be covering in this post. For more information on digest auth, please refer to the Apache docs: http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html.
