Take an in-depth look at Nginx basic login authentication (including configuration steps)


Functions of HTTP basic authentication

  1. HTTP basic authentication makes the browser pop up a login window.
  2. It is simple, clear and easy to understand.
  3. It is not friendly enough for user-facing front ends.
  4. But it is useful for back ends operated by internal staff, and it is often used as an extra layer of security.

Is this login authentication secure?

auth_basic is an authentication module commonly used in Apache and Nginx. Many systems have no built-in authentication, so it is common to put nginx's auth_basic in front of them to perform a simple authentication: the user is prompted for a user name and password.

A tool commonly used with auth_basic is htpasswd, which comes from the httpd-tools package and is used to generate the file that holds users and their hashed passwords.

Possible problems

But there is a problem with the passwords htpasswd generates.

In httpd-tools 2.2 the default password hashing algorithm is crypt; in httpd-tools 2.4 the default is MD5.

Some people say that SHA is more secure than MD5. Why, then, does the new version use MD5 as the default algorithm?

Because htpasswd's SHA hashing does not use a salt, it is less secure than its salted MD5 hashing: unsalted SHA is not as secure as salted MD5.

In cryptography, a salt is a randomly generated string. With unsalted hashing, one way to recover the original password is a rainbow-table lookup. Adding a salt before hashing effectively defeats rainbow-table attacks on the original password.

The solution

The safe approach is to update httpd-tools to version 2.4 and regenerate the user/password pairs, or to select MD5 explicitly with the -m parameter when htpasswd generates the entry.

Simulation verification demonstration

Let's create a new site as an example.

Domain name: nginx_basic_auth.msy.plus
Login name: admin
Password: 12345678

For demonstration purposes only: such a simple password must not be used in a production environment.

Generate a file for testing:

echo "<h1>welcome to nginx_basic_auth.msy.plus</h1>" >> ./nginx_basic_auth/index.html

Configure basic HTTP authentication for Nginx

Check whether nginx.conf includes the conf.d directory. If the include line does not exist, add it:

include /usr/local/soft/nginx-1.18.0/conf/conf.d/*.conf;

Note: in a production environment, to make management easier, put each server block into its own conf file rather than writing everything into nginx.conf; mixing them together makes editing and searching inconvenient.

Create the server file for the web site:

server {
    auth_basic "lhdtest.com admin";
    auth_basic_user_file /usr/local/soft/nginx-1.18.0/conf/conf.d/admin.pwd;
    listen 80;
    server_name nginx_basic_auth.msy.plus;
    root /data/site/admin/html;
    index index.html index.shtml index.htm;
    access_log /data/nginx/logs/admin.access_log;
    error_log /data/nginx/logs/admin.error_log;
}

Generate the password

Nginx only needs a password file for authentication; it does not matter where that file is generated, so you just need some way to produce the entry.

You can do it in Python, in Go, or in C.

Here I am using a CentOS subsystem on Windows to generate the key directly and upload it to the server.

htpasswd is a command-line tool from the open source HTTP server Apache httpd. It is used to generate the password file for HTTP basic authentication.

Install htpasswd

Ubuntu installation:

sudo apt-get install apache2-utils

CentOS installation:

yum -y install httpd

Key generation options

The following htpasswd options are used here:

-n  Don't update the file; display the result on stdout
-b  Use the password from the command line rather than prompting for it
-m  Force MD5 encryption of the password

Enter a command to generate the entry:

htpasswd -nbm admin 12345678

You can see that the output contains the hashed entry:

admin:$apr1$nkxLxBPa$EGa.u5yKuQ08m6g/8bGb9.

Put the generated line into the password file you specified earlier:

auth_basic_user_file /usr/local/soft/nginx-1.18.0/conf/conf.d/admin.pwd;  # for Windows Server users the path may be slightly different

Test results

Enter the correct user name and password to enter the website.
