Lighttpd secure digest authentication (mod_auth)
The method transfers the username and the password in cleartext over the network (base64 encoded) and might result in security problems if not used in conjunction with a crypted channel between client and server.
The Digest method only transfers a hashed value over the network which performs a lot of work to harden the authentication process in insecure networks.
There are total three steps to configure Lighttpd secure digest authentication:
=> Setup username and password using htdigest (Apache program)
=> Configure lighttpd core directives
=> Apply restrictions to selected directories aka set password protected directory
Step # 1: Setup username and password using htdigest (Apache program)
Command htdigest is used to create and update the flat-files used to store usernames, realm and password for digest authentication of HTTP users. Genreal syntax is as follows:
htdigest -c /path/to/password/file 'Realm' username
For example add a user called tom:
- # htdigest -c /etc/lighttpd/.passwd 'Authorized users only' tom
Where,
- -c: Create the /etc/lighttpd/.passwd
- /etc/lighttpd/.passwd: Password file name. It contain the username, realm and password. If -c is given, this file is created if it does not already exist, or deleted and recreated if it does exist.
- 'Authorized users only': The realm name to which the user name belongs
- tom: The user name (tom) to create or update in /etc/lighttpd/.passwd. If username does not exist is this file, an entry is added. If it does exist, the password is changed.
Step # 2: Configure lighttpd core directives
Open /etc/lighttpd.conf file.
Make sure mod_auth is loaded:
- server.modules += ( "mod_auth" )
Now, append following 3 lines:
- auth.backend = "htdigest"
- auth.backend.htdigest.userfile = "/etc/lighttpd/.passwd"
- auth.debug = 2
Step # 3: Apply restrictions to selected directories aka set password protected directory
Let us say you would like to protect directory called /docs (). Append following directives (/etc/lighttpd.conf file):
- auth.require = ( "/docs/" =>
- (
- "method" => "digest",
- "realm" => "Authorized users only",
- "require" => "valid-user"
- )
- )
Save and close the file.
Restart the lighttpd:
- # /etc/init.d/lighttpd restart
You can always find more debugging information in your error log file -/var/log/lighttpd/error.log
- # tail -f /var/log/lighttpd/error.log
Point a web browser to or or . You should be prompted for a username (for e.g. tom) and password (your password).
For additional security it is recommended that you use SSL configuration.
阅读(1171) | 评论(0) | 转发(0) |
