With Basic authentication, you create a passwords file (using the htpasswd command) and then configure Apache as in the link above. To migrate to Digest authentication, all you have to do is:
- Use the command htdigest instead of htpasswd to create users
htdigest -c /path/to/your/passwords/file "Authentication Realm" username
- Configure apache by adding the following:
AuthType Digest
AuthName "Authentication Realm"
AuthUserFile /path/to/your/passwords/file
Require valid-user
- If you have SELinux running, enable httpd to access the passwords file:
setsebool -P httpd_enable_homedirs 1
- Restart apache:
service httpd restart
Note: the apache user (usually apache) needs to have read access to the passwords file, apparently!
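The file htdigest writes holds one user:realm:hash line per user, where the hash is the MD5 of username:realm:password, and Apache only matches entries whose realm equals AuthName. The following Python check is an added example, not part of the original post: it audits such a file for malformed lines and realm mismatches and verifies a password against an entry. The users, passwords and the "Old Realm" entry are constructed sample data.

```python
import hashlib
import hmac

AUTH_NAME = "Authentication Realm"  # must equal AuthName in the Apache config


def ha1(username, realm, password):
    """Per-user value htdigest stores: hex MD5 of "username:realm:password"."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def audit(text, auth_name=AUTH_NAME):
    """Return (line_number, problem) pairs for entries Apache cannot use."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 3 or len(parts[2]) != 32:
            problems.append((n, "malformed"))
        elif parts[1] != auth_name:
            problems.append((n, "realm mismatch"))
    return problems


def verify(text, username, password, auth_name=AUTH_NAME):
    """True if the file has an entry for username in auth_name with this password."""
    expected = ha1(username, auth_name, password).encode()
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 3 and parts[:2] == [username, auth_name]:
            return hmac.compare_digest(parts[2].encode(), expected)
    return False


# Constructed sample file content: one good entry, one created under a
# different realm, one truncated line.
SAMPLE = "\n".join([
    f"alice:{AUTH_NAME}:{ha1('alice', AUTH_NAME, 'constructed-pass-1')}",
    f"bob:Old Realm:{ha1('bob', 'Old Realm', 'constructed-pass-2')}",
    f"carol:{AUTH_NAME}",
]) + "\n"

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print(f"line {n}: {problem}")
    print("alice ok:", verify(SAMPLE, "alice", "constructed-pass-1"))
```

A user whose entry was created under a different realm string fails to log in even with the right password, which is why the realm passed to htdigest and the AuthName value have to be identical.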
It is worth noting that Digest authentication only encrypts your password, but not the content. Moreover, anyone sniffing the packets, having the encrypted password, can use it directly to access your content. To overcome these issues, you have to put your content under SSL, but this is another story.