Thursday, 4 October 2012

Setting up digest authentication in Apache on Ubuntu

I've set up a noddy demo site on Apache but didn't want it open to the world. You can do this with HtAuth and basic auth, but then the password is sent in the clear, so it is very easy for someone to snoop on it. If you use digest authentication, the browser sends a hash derived from the password rather than the password itself, and most (all?) modern browsers support it, so I thought I would enable it.
I am working with an Ubuntu appliance on Amazon Web Services, so it comes with a few basic tools, and I installed Apache myself from the command line. The following lists the steps you need in order to enable digest auth on a directory.
Firstly, some context. I wanted to use a simple alias in the URL (/demo/) to point to a differently named directory in my home directory (/acmedemo/) and lock it down to a single web user called demouser. Also note that the default username for the Ubuntu appliances on AWS is ubuntu.

  1. Run sudo a2enmod auth_digest, since it is likely the module was not enabled in the base install.
  2. Run htdigest -c pwdfilename realmname demouser (NOT as sudo) in your home directory. The realm name can be anything, but it will need to match the Apache config for this restricted area. The command will ask for a password for demouser and then create a file containing the user name, realm and hashed password. If you want to add additional users, run the same command without the -c (repeating -c would overwrite the existing file).
  3. Put your web site into a sub-directory of home (or anywhere else, but this is good enough and easier to back up!), in my case /acmedemo/. This means the first file will be /home/ubuntu/acmedemo/index.html.
  4. Edit /etc/apache2/sites-available/default (or another server config; these settings can also be put in .htaccess and other places, but this is the simplest case). Add the following section:
    # Map the URL path to the real directory from step 3
    Alias /demo/ "/home/ubuntu/pixelpindemo/"
    <Directory "/home/ubuntu/pixelpindemo/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
        # Digest auth: AuthName is the realm and must match the one given to htdigest in step 2
        AuthType Digest
        AuthName "pixelpin"
        AuthDigestProvider file
        # The password file created by htdigest in step 2
        AuthUserFile /home/ubuntu/basicpwd
        Require user demouser
    </Directory>
The settings should be fairly obvious, and the names need to match what you have done. If you are struggling to get it working, from experience, start with what I've done and change just one thing at a time. Changing the password filename, the realm and the web user all at the same time makes it harder to debug. If you want to allow any valid user, change the last entry to Require valid-user. Once you're done, run sudo service apache2 restart, and if you get any errors, use tail /var/log/apache2/error.log. Note that digest auth only protects the password itself; the pages served are still sent unencrypted unless the site is also behind HTTPS.
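As an added illustration that is not part of the original post, the Python below shows what htdigest actually stores and how the server checks the browser's response without ever seeing the password. The user, realm, password and nonce values are constructed, the exchange assumes qop=auth, and nonce bookkeeping is left out.

```python
# Added example (not from the original post): the htdigest file format and the
# Digest exchange, with hashlib only; realm, nonce and password are constructed.
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def htdigest_line(user: str, realm: str, password: str) -> str:
    """Line that htdigest writes: user:realm:MD5(user:realm:password).
    The realm is baked into the hash, which is why AuthName must match it."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"

def load_htdigest(text: str) -> dict:
    """Map (user, realm) -> HA1 from the contents of the password file."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, realm, ha1 = line.split(":", 2)
            table[(user, realm)] = ha1
    return table

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_header(user, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """What the browser sends back; the password itself never appears in it."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_digest_header(header: str) -> dict:
    """Parse the comma-separated key=value pairs after the 'Digest ' scheme."""
    assert header.startswith("Digest ")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', header[7:])
    return {k: v.strip('"') for k, v in pairs}

def server_verify(table: dict, method: str, header: str) -> bool:
    """Server side: look up HA1 by (user, realm), recompute, compare in constant
    time. A real server also checks the nonce is one it issued recently."""
    p = parse_digest_header(header)
    ha1 = table.get((p.get("username"), p.get("realm")))
    if ha1 is None or not {"uri", "nonce", "nc", "cnonce"} <= p.keys():
        return False
    want = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(want, p.get("response", ""))
```

A request with a different realm fails the lookup even with the right password, which is exactly the mismatch the "one thing at a time" debugging advice above guards against.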