SETTING UP HTTP BASIC AUTHENTICATION
- Layout for this exercise:
[screenshot]
- Web applications may provide their own access control methods, but a web server can also restrict access by itself, using the two authentication schemes that are part of the HTTP standard: Basic and Digest authentication.
- HTTP Basic Authentication (BA) is the simplest way to enforce access control on web resources. When making a request, the user agent sends the credentials (username and password) to the web server.
- BA uses standard fields of the HTTP header and provides no confidentiality: the credentials are only Base64-encoded, not encrypted or hashed in any way, so anyone who can read the traffic can recover them.
- For further information about HTTP Basic Authentication:
https://en.wikipedia.org/wiki/Basic_access_authentication
- To implement Basic Authentication on an Apache web server, a password file must be created first, so that Apache can read it whenever the protected web page is requested.
- The utility htpasswd (part of the apache2-utils package) manages the user files used for Basic Authentication. As an example, let's take:
username: admin (a very common default username in many devices)
password: ababa (deliberately simple, for the purpose of this exercise)
[screenshot]
- The hidden file .htpasswd has been created, and the password is stored on the server side in "encrypted" (hashed) form:
[screenshot]
- The default format for storing the credentials is "$apr1$" followed by the result of an Apache-specific algorithm: an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password.
https://httpd.apache.org/docs/2.4/misc/password_encryptions.html
- See source file apr_md5.c for the details of the algorithm:
http://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?view=markup
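The two points above, the Base64-only Authorization header and the "$apr1$" password format, as an added worked example in Python (not code from the page, from Apache or from APR): it ports the apr1/md5crypt algorithm of apr_md5.c, verifies a password against an .htpasswd entry with a constant-time comparison, and builds and parses the client's Authorization header. The salt MPnxDEmS, the users dictionary and the header values are constructed for the demo; the magic parameter exists only so that the classic glibc md5crypt test vector (the "$1$" prefix) can be used to check the port, since the two algorithms differ only in that magic string.

```python
import base64
import hashlib
import hmac

# Alphabet used by apr_md5.c's to64() for the 22-character hash field
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` characters of `value`, 6 bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_hash(password: str, salt: str, magic: bytes = b"$apr1$") -> str:
    """Port of apr_md5_encode(): md5crypt with the "$apr1$" magic string.

    `magic` is a parameter only so the port can be checked against the "$1$"
    md5crypt test vector; Apache itself always uses "$apr1$".
    """
    pw = password.encode("utf-8")
    sp = salt.encode("ascii")
    if sp.startswith(magic):
        sp = sp[len(magic):]
    sp = sp.split(b"$", 1)[0][:8]  # the salt stops at the first '$' or after 8 chars

    ctx = hashlib.md5(pw + magic + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # as many bytes of MD5(pw, salt, pw) as the password is long
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # the "something really weird" step of the original source
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):  # the 1,000 stretching rounds mentioned in the Apache docs
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sp)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    f = final  # digest bytes are interleaved before encoding, exactly as in to64()
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (magic + sp + b"$" + encoded).decode("ascii")


def verify_htpasswd(entry: str, password: str) -> bool:
    """Check `password` against the hash field of an .htpasswd line ($apr1$ only)."""
    if not entry.startswith("$apr1$"):
        raise ValueError("only $apr1$ entries are handled in this example")
    salt = entry.split("$")[2]
    return hmac.compare_digest(apr1_hash(password, salt), entry)


def basic_header(user: str, password: str) -> str:
    """The Authorization value a browser sends: Base64 of user:password, nothing more."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_authorization(header_value: str):
    """Recover (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad Base64 or bad UTF-8 (UnicodeDecodeError is a ValueError)
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


# Constructed .htpasswd content for admin / ababa; the salt is a fixed demo value,
# not the random one htpasswd generated in the page's screenshot.
USERS = {"admin": apr1_hash("ababa", "MPnxDEmS")}


def authenticate(header_value: str, users=USERS) -> bool:
    """Server-side decision for one request: True only for a known user with the right password."""
    creds = parse_basic_authorization(header_value)
    if creds is None:
        return False
    user, password = creds
    entry = users.get(user)
    if entry is None:
        apr1_hash(password, "unknown!")  # spend the same time for unknown users
        return False
    return verify_htpasswd(entry, password)


if __name__ == "__main__":
    header = basic_header("admin", "ababa")
    print(header, parse_basic_authorization(header))  # credentials are trivially recoverable
    print(USERS["admin"])                             # what the .htpasswd line stores instead
    print(authenticate(header), authenticate(basic_header("admin", "ababb")))
```

The stored entry protects the password at rest on the server (an attacker who copies .htpasswd still has to run the 1,000-round MD5 per guess), but nothing in the exchange protects it in transit: the header printed first decodes straight back to admin:ababa, which is why BA is only acceptable over HTTPS.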
- Editing the Ubuntu default virtual host file (000-default.conf):
[screenshot]
- Adding the HTTP BA restriction for the directory called "basicauth", which contains the web page. The <Directory> block specifies the type of authentication (Basic), the name of the realm (the realm name defines a protection space for a web resource, in combination with the canonical root URL of the server being accessed), the path to the .htpasswd file, and the requirement of "valid-user" credentials, i.e. the credentials of any user listed in that file:
[screenshot]
[screenshot]
- In this way, we have established a per-directory HTTP BA restriction, specific to the directory "basicauth" that we are interested in.
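The <Directory> block just described, written out as an added example rather than the page's own screenshot. The hostname, the paths /var/www/html/basicauth and /etc/apache2/.htpasswd, and the realm name "Restricted area" are assumptions:

```apacheconf
# Added example; hostname, paths and realm name are assumed
<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot /var/www/html

    <Directory "/var/www/html/basicauth">
        AuthType Basic
        # realm name, shown in the browser's credential prompt
        AuthName "Restricted area"
        # file created with htpasswd; kept outside DocumentRoot so it is never served
        AuthUserFile /etc/apache2/.htpasswd
        # any user listed in the file may access the directory
        Require valid-user
    </Directory>
</VirtualHost>
```

Two things to check before relying on such a block: the password file must live outside DocumentRoot (or be denied by a matching <Files> rule), so that the hashes cannot simply be downloaded, and since BA only Base64-encodes the credentials, a real deployment places the block in the HTTPS virtual host rather than the port 80 one used in this exercise.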
- After editing the virtual host file, let's restart the web server:
[screenshot]
- The configtest command checks that the syntax of the configuration file is correct.
- Reviewing the status of the web server:
[screenshot]
- Now, a user is prompted to enter credentials when trying to access the web resources contained in the directory "basicauth".
- If wrong credentials are entered, the server answers with the default "Unauthorized" message:
[screenshot]
[screenshot]
- Once the correct credentials are entered, the web resources are finally available:
[screenshot]
[screenshot]
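The challenge and response exchange behind those screenshots, as an added Python example (not the page's or Apache's code): a throw-away loopback server protects /basicauth/ the way the <Directory> block does, answering 401 with a WWW-Authenticate challenge to requests without credentials or with wrong ones, and 200 once the right ones arrive. The realm name "Restricted area", the paths and the credential table (a SHA-256 lookup standing in for Apache's .htpasswd check) are constructed for the demo.

```python
import base64
import hashlib
import hmac
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Restricted area"        # assumed realm name
PROTECTED_PREFIX = "/basicauth/"  # the directory protected in the exercise

# Constructed user table: stand-in for the .htpasswd lookup (Apache stores $apr1$
# hashes there, not plain SHA-256 digests).
USERS = {"admin": hashlib.sha256(b"ababa").hexdigest()}


def credentials_ok(user: str, password: str) -> bool:
    """True only for a known user with the right password; hashes even for unknown users."""
    stored = USERS.get(user)
    candidate = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return stored is not None and hmac.compare_digest(stored, candidate)


class BasicAuthHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _authorized(self) -> bool:
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:  # malformed Base64 or UTF-8 counts as no credentials
            return False
        user, sep, password = decoded.partition(":")
        return bool(sep) and credentials_ok(user, password)

    def _reply(self, status: int, body: bytes, extra_headers=()):
        self.send_response(status)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        protected = self.path.startswith(PROTECTED_PREFIX)
        if protected and not self._authorized():
            # The challenge: this header is what makes the browser show the prompt
            challenge = 'Basic realm="%s", charset="UTF-8"' % REALM
            self._reply(401, b"Unauthorized\n", [("WWW-Authenticate", challenge)])
            return
        self._reply(200, b"secret page\n" if protected else b"public page\n")


def start_server() -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(server: HTTPServer, path: str, user=None, password=None):
    """One GET; returns (status, WWW-Authenticate header or None, body)."""
    headers = {}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    conn = HTTPConnection(*server.server_address, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("WWW-Authenticate"), resp.read().decode("utf-8"))
    conn.close()
    return result


def run_exchange() -> dict:
    """Replay the four situations from the exercise against the loopback server."""
    server = start_server()
    try:
        return {
            "public": fetch(server, "/index.html"),
            "no_creds": fetch(server, "/basicauth/index.html"),
            "bad_creds": fetch(server, "/basicauth/index.html", "admin", "wrong"),
            "good_creds": fetch(server, "/basicauth/index.html", "admin", "ababa"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, challenge, body) in run_exchange().items():
        print(f"{name:10s} -> {status} {challenge or ''} {body.strip()}")
```

Note that the server answers a wrong password with exactly the same 401 and challenge as a missing header; the browser simply re-prompts, which is the behaviour seen in the "Unauthorized" screenshot.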