Sunday, September 26, 2010

Securing Apache Basic authentication

The easiest way to secure your Apache web server is Basic authentication: users who want to access the server are prompted for a username/password pair. However, Basic authentication is not secure on its own, because it encrypts neither the credentials nor the content. Digest authentication addresses the credential problem. This is how to migrate your server configuration from Basic to Digest authentication.

In Basic authentication, you create a passwords file (using the htpasswd command) and then configure Apache as in the link above. To migrate to Digest authentication, all you have to do is:
  1. Use the command htdigest instead of htpasswd to create users
    htdigest -c /path/to/your/passwords/file "Authentication Realm" username
  2. Configure apache by adding the following:
    AuthType Digest
    AuthName "Authentication Realm"
    AuthUserFile /path/to/your/passwords/file
    Require valid-user

  3. If you have SELinux running, enable httpd to access the passwords file:
    setsebool -P httpd_enable_homedirs 1
  4. Restart apache:
    service httpd restart
Note: the user Apache runs as (usually apache) needs read access to the passwords file.

It is worth noting that Digest authentication only protects your password, not the content. Moreover, anyone sniffing the packets and capturing the hashed credential can use it directly to access your content. To overcome these issues, you have to serve your content over SSL, but that is another story.
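To make the difference between the two schemes concrete (an added example, not part of the original post), the script below decodes a constructed Basic Authorization header, builds the line htdigest stores for a user (user:realm:MD5(user:realm:password)), and computes and verifies an RFC 2617 Digest response from that stored line. The username, password, realm, nonce and URI are constructed sample values.

```python
import base64
import hashlib

REALM = "Authentication Realm"

# Constructed sample: a Basic Authorization header for alice / s3cret.
CAPTURED_BASIC_HEADER = "Basic YWxpY2U6czNjcmV0"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_header_credentials(header: str) -> tuple:
    """Basic auth only base64-encodes 'user:password'; whoever reads the
    header recovers both values without any key or secret."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def htdigest_line(user: str, realm: str, password: str) -> str:
    """The line htdigest writes: user:realm:MD5(user:realm:password).
    The last field is HA1; the cleartext password is not stored."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth. The client sends this hash, never
    the password, and it is bound to the nonce the server issued."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client side: derive HA1 from the typed password, then the response."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def server_verifies(stored_line: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 and compare. Only the
    htdigest line is needed, so the server never sees the password."""
    ha1 = stored_line.rsplit(":", 1)[1]
    return digest_response(ha1, method, uri, nonce, nc, cnonce) == response
```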
