Apache常见的用户认证可以分为下面三种:
- 基于IP,子网的访问控制(ACL)
- 基本用户验证(Basic Authentication)
- 消息摘要式身份验证(Digest Authentication)
消息摘要式身份验证(Digest Authentication)
Digest Authentication在基本身份验证上面扩展了安全性。服务器为每一连接生成一个唯一的随机数,客户端对用这个随机数对密码进行MD5加密,然后发送到服务器,服务器端也用此随机数对密码加密,然后和客户端传送过来的加密数据进行比较。
1. 发送页面访问请求
Request URL:http://localhost/config/
Request method:GET
2. Web服务器要求用书输入用户凭据(服务器返回401响应头和’realm’域)
HTTP/1.1 401 Unauthorized
Date: Tue, 01 Jun 2021 07:17:51 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
WWW-Authenticate: Digest realm="Digest Encrypt", nonce="C9zdI6/DBQA=b6e73f0db8e3966873cc961fc22031b43e02aab6", algorithm=MD5, qop="auth"
Content-Length: 381
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
3. 浏览器弹出登录窗口(包含’realm’), 要求用提供用户名/密码
4.输入用户名密码后的请求
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Authorization: Digest username="Admin", realm="Digest Encrypt", nonce="C9zdI6/DBQA=b6e73f0db8e3966873cc961fc22031b43e02aab6", uri="/config/", algorithm=MD5, response="ae7dc868b37313788a24d2e6e0094154", qop=auth, nc=00000001, cnonce="001945ca0da1ba75"
5.服务器将用户输入加密后的凭据和服务器端加密后的的凭据进行比较,如果一致则返回所请求页面的响应
HTTP/1.1 200 OK
Date: Tue, 01 Jun 2021 08:26:28 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
Authentication-Info: rspauth="a04006ede76a798709c2ea1c5c7533bb", cnonce="777276a0e05dcab9", nc=00000002, qop=auth
Content-Length: 5089
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
配置Apache
1. 创建密码文件
htdiget [-c] passwordfile realm username
D:\Softwares\Apache24\bin> htdigest.exe -c \ "Digest Encrypt" Admin
Adding password for Admin in realm Digest Encrypt.
New password: ********
Re-type new password: ********
-c = create file
常规添加不要使用-c选项,,因为它会覆盖现有的文件。
文件内容格式:Admin:Digest Encrypt:ded139b4abeb56c14a30ff0a07e27010
2. 配置httpd.conf
# The 'AuthName' and the 'Realm' must be the same (BASIC validation can be different).
# Otherwise correct user password still will not pass the authentication.
<Directory "${DocumentRoot}\config">
Options Indexes FollowSymLinks
AuthType Digest
AuthName "Digest Encrypt"
AuthUserFile "D:\digest.txt"
require valid-user
AllowOverride None
</Directory>
3. 认证模块配置
查看httpd.conf里面是否有
LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
首先确认要有mod_auth_digest.so,这个没有就要重新编译apache。
其次确保把mod_auth_basic.so这行给注释掉。因为apache默认是用basic来认证的,如果不注释的话,即使配置好了digest认证,也不会成功。两种认证方法只能二选一。
WWW-Authenticate Response Header
If a server receives a request for an access-protected object, and an acceptable Authorization header is not sent, the server responds with a "401 Unauthorized" status code, and a WWW-Authenticate header as per the framework defined above, which for the digest scheme is utilized as follows.
如果服务器收到对受访问保护对象的请求,并且没有发送可接受的授权头,则服务器会以 "401未授权 "状态代码和WWW-Authenticate头作为回应。
challenge = "Digest" digest-challenge digest-challenge = 1#( realm | [ domain ] | nonce | [ opaque ] |[ stale ] | [ algorithm ] | [ qop-options ] | [auth-param] ) domain = "domain" "=" <"> URI ( 1*SP URI ) <"> URI = absoluteURI | abs_path nonce = "nonce" "=" nonce-value nonce-value = quoted-string opaque = "opaque" "=" quoted-string stale = "stale" "=" ( "true" | "false" ) algorithm = "algorithm" "=" ( "MD5" | "MD5-sess" | token ) qop-options = "qop" "=" <"> 1#qop-value <"> qop-value = "auth" | "auth-int" | token
scheme | 说明 |
---|---|
realm | 显示给用户的一个字符串,以便他们知道使用哪一个用户名和密码。这个字符串至少应该包含的名称,还可能包括表示可能有权限的用户集合。 例:"registered_users@gotham.news.com"。 |
nonce | 服务器每次作出401响应时生成的唯一数据字符串。 nonce对客户端来说是不透明的。 |
参考链接
1. The WWW-Authenticate Response Header