SETTING UP HTTP BASIC AUTHENTICATION
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOX20V_A9gm-TziOTcNOKj28dTodw_PD7FVT-xb7ZH6wjy_JLKxkKuQVct0I9BPGGNPGV6q7JqzNo3haStbc1Z5S8HqbUe1soewApDJijCJUD3Bg2F8Sn7rEM-QCJcTxuyigagqitOtNcm/s640/screenshot.24.jpg)
- Web applications may provide their own access control methods, but a web server can also restrict access by using two authentication schemes that are part of the HTTP standard: Basic and Digest authentication.
- HTTP Basic Authentication (BA) is the simplest way to enforce access control to web resources. When making a request, the user agent provides credentials (username and password) to the web server.
- BA uses standard HTTP header fields and provides no confidentiality on its own: the credentials are only Base64-encoded, not encrypted or hashed, so anyone who can read the request can recover them. In practice it should only be used over HTTPS.
- For further information about HTTP Basic Authentication:
https://en.wikipedia.org/wiki/Basic_access_authentication
- To implement Basic Authentication on an Apache web server, a password file must first be created so that Apache can read it whenever the protected page is requested.
- The utility htpasswd (part of the apache2-utils package) manages user files for basic authentication. As an example, let's take:
username: admin (a very common default username on many devices)
password: ababa (deliberately simple for this exercise)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBt4_XnxNG1Tr10xE2FxJ7QdqLfGIYSqkDbwd8I19mMyxb-qKNPb9z19ZFuqJsIlrBtcOKQyJBTBg0yFPL6yKwfzyD4eVoI_1Ifc_C-LObC446n0v_35CoG-q7xjsqICpUd4hUqNFSOU4U/s1600/screenshot.1.jpg)
- The hidden file .htpasswd has been created; the password is stored in hashed form on the server side (Apache's documentation calls these storage formats "password encryptions"):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBR0ePjRSrTzLKfZbgaraQdEj2eladV-UA4e7EhQtuxBiKva5xVUE-pxkj8_CbOsgqObBQ0RPzGKSdoaLy7GJXQbmjv5fRgtc_TS9R_SKV0pBbcV-jB6tCA4ug0d8XKYKz0Dk5AkpAQ1Y9/s1600/screenshot.2.jpg)
- The default storage format for the credentials is "$apr1$" followed by the result of an Apache-specific algorithm: an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password.
https://httpd.apache.org/docs/2.4/misc/password_encryptions.html
- See source file apr_md5.c for the details of the algorithm:
http://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?view=markup
- Editing the Ubuntu default virtual host file (000-default.conf):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfqUsKGLQjY0GGBLasHe5I4Cu7uDasYCjFt6RnWbwq2l-PxcBt622f7dxAvXmJsTiOIcowj7JwkPuBpHzN44OaBOxewSsmwvt_I6PErb5Eazg2lA4XQcuwazgq7eJ7Bz_elNnfn9F6nnSC/s1600/screenshot.10.jpg)
- Adding the HTTP BA restriction for the directory called "basicauth", which contains the web page. The <Directory> block specifies that the authentication type is Basic, the realm name (a realm defines a protection space for a web resource in combination with the canonical root URL of the server being accessed), the path to the .htpasswd file, and the requirement that the client presents "valid-user" credentials:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRr5EioGd5xyeoD-Og4LMmJdU57uFcXGkyo6pt6_YVgNPMbdFti8x1HAanFCSQgBK68f3MTKEI93NgNFuywAux0tO6S1PoBm_r6EGfrW44-hNO9BpuRAvc_jsUQO7Wxk5MiPvYN_K1RruX/s1600/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4hYx5jjRdFDv6ZHyrL9jTxWI8mRnbC_VWJth6wXC542Kh6HnCgYgg3OSsq9os6JLdTWPQkWz6vr9Dmj_irJ-3g7znqk5SK89hXgntLhrmlZXFfX5NM9wVPDlH6fnHBH-s0-WMWK0W9Mo6/s1600/screenshot.12.jpg)
- This establishes HTTP BA on a per-directory basis, limited to the "basicauth" directory we are interested in.
- After editing the virtual host file, let's restart the web server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpnqvP_ko8EQTtJ-QaIle7AOmScqhCcnKgsNnAAKWJ_vCfi4c2dNFojcAJcmAp9T0pA2FDIh0GUWR-51BjjnfQ3v7RpMEP-4DtFMBYeic3C5ruML5DdEJbuv9mDYJfPEr7ch704xf-Wq-H/s1600/screenshot.5.jpg)
- The configtest command (apache2ctl configtest) checks that the syntax of the configuration file is correct:
- Reviewing the status of the web server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGO7xhEU5Puua_qrumUh2f1tNsqN4_fwWsK1zlJ-9zTgytYhiUAr7Zag3bvj9OxgzonQ2Ro7wuAdcrsEElAw3kPxav0HIYuCRqLjxY0epn0_S0PnHngJPEr1zO3b0lGhDdVxBxNNnyVZtm/s1600/screenshot.6.jpg)
- Now a user is prompted for credentials when trying to access the web resources contained in the directory "basicauth".
- If wrong credentials are entered, the server answers with the default "Unauthorized" message (HTTP status 401):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXbrseI4tMu6CU7ypOy5PnBF4TM6gk5NJjzwIc1oVIg4nnpYvLpUA562jrTK__sF-23ahhUahFwYzPv47bLYux8DBaWseqMtP6kGqSse-rocvU0DT8d3T5mU-g7VfpW-wCeJABGkRDMV12/s1600/screenshot.36.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaMQ1V20mNYamU5kMgFbE2v5fT45sfE_6Qt1HdM6hsc0e-1bSQMJqNwa3LaQ6IPzWE81XI1lOuA0fnXfbadMwffmnQ0NNTeHeRjzvSM2Z4hCKnLmvxhG3EA68rETA3sTul1msT9xpAd-HF/s1600/screenshot.37.jpg)
- Once the correct credentials are entered, the web resources are finally available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJPOZLLZbAD-FYw_6LbWvWSziEv1YiwsBlqqpUmyxZoVCVppy3Yz6dk_iajLemmYSLkmetuCiQ6uc771xFXORbHyI9NwrvRbQyZqrsPYuzTO2tdee5Bwy7CHoKpotaJtBAsqpNz4QE56GS/s1600/screenshot.26.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFZJH2-Wp60lyCnzk1AlG11Uif17KNQUagDrc6eDdXHdnRgPH2GrV3vgw8260F3OZIQmV8SInmTCqJNkibdGPH3IjIGfJJw-GqriMfX_tQvJPIeysf_-mf2_u5KkCzdacqUtGBhBOD7NPO/s1600/screenshot.27.jpg)
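As an added example (not the blog's own code, and not the exact hash from the screenshot), the following Python puts the pieces of this exercise together: a port of the "$apr1$" algorithm from apr_md5.c described above, an .htpasswd-style entry for the admin/ababa user, and the challenge/response that Apache performs for the "basicauth" directory: the 401 with a WWW-Authenticate header, followed by the client's Authorization header whose Base64 payload is decoded and checked against the store. The function names, the realm string and the freshly generated salt are assumptions of this example. The `magic` parameter goes one step beyond the page: the same construction is the traditional md5crypt of crypt(3) with only the prefix changed, so `magic="$1$"` reproduces crypt(3) output and lets the port be checked against a standard vector.

```python
# Added example, not the tutorial's own code: Apache's $apr1$ hash (ported from
# apr_md5_encode() in apr_md5.c), an .htpasswd entry, and the Basic challenge/response.
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base-64: `count` characters, least-significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt, magic="$apr1$"):
    """Iterated-MD5 construction used by htpasswd. It is the traditional md5crypt of
    crypt(3) with the "$1$" prefix replaced by "$apr1$", so magic="$1$" reproduces
    crypt(3). The salt is at most 8 characters and stops at the first '$'."""
    if salt.startswith(magic):
        salt = salt[len(magic):]
    salt = salt.split("$")[0][:8].encode()

    # base: MD5(pw, magic, salt), then len(pw) bytes taken from MD5(pw, salt, pw)
    ctx = hashlib.md5(password + magic.encode() + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # one byte per bit of len(pw): NUL for a set bit, pw[0] for a clear bit
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    # stretching: 1,000 rounds whose input order depends on the round number
    for i in range(1000):
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    # output: 22 characters, with the byte permutation apr_md5.c uses
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups) + _to64(final[11], 2)
    return f"{magic}{salt.decode()}${encoded}"


def htpasswd_entry(user, password):
    """One line as htpasswd writes it by default: user:$apr1$<8-char salt>$<22 chars>."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{md5_crypt(password.encode(), salt)}"


def verify_password(password, stored):
    """Re-hash with the salt embedded in the stored value; compare in constant time."""
    if not stored.startswith("$apr1$"):
        return False
    candidate = md5_crypt(password.encode(), stored)
    return hmac.compare_digest(candidate.encode(), stored.encode())


def basic_header(user, password):
    """Client side. Base64 is encoding, not encryption: anyone reading it can decode it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def challenge(realm):
    """Server side: the 401 Apache returns when credentials are missing or wrong."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def authenticate(authorization, entries):
    """Decode an `Authorization: Basic ...` value and check it against {user: hash}.
    Returns the user name on success, otherwise None (the caller then sends challenge())."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = entries.get(user)
    return user if stored is not None and verify_password(password, stored) else None


# Constructed store for the tutorial's admin/ababa user (fresh salt; not the screenshot's hash)
USERS = dict([htpasswd_entry("admin", "ababa").split(":", 1)])
```

Calling `authenticate(basic_header("admin", "ababa"), USERS)` returns `"admin"`, while a wrong password, an unknown user, a missing header or a non-Basic scheme all return `None`, at which point a server would answer with `challenge("Restricted area")`. The Base64 helper makes the confidentiality point concrete: the header value is reversible by anyone who sees the request, which is why BA belongs behind TLS. Note also that 1,000 MD5 rounds is far below current password-stretching recommendations; `htpasswd -B` (bcrypt) is the stronger storage choice on Apache versions that support it.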