path: root/pod/nginx/ngx_http_auth_basic_module.pod
blob: 0dd5d8deb3d28af7c7392e62eafb3c0a524dfd92 (plain)
=encoding utf-8

=head1 NAME

ngx_http_auth_basic_module - Module ngx_http_auth_basic_module




=head1



The C<ngx_http_auth_basic_module> module allows
limiting access to resources by validating the user name and password
using the “HTTP Basic Authentication” protocol.





Access can also be limited by
L<address|ngx_http_access_module>, by the
L<result of subrequest|ngx_http_auth_request_module>,
or by L<JWT|ngx_http_auth_jwt_module>.
Simultaneous limitation of access by address and by password is controlled
by the L<ngx_http_core_module> directive.




=head1 Example Configuration




    
    location / {
        auth_basic           "closed site";
        auth_basic_user_file conf/htpasswd;
    }






=head1 Directives

=head2 auth_basic


B<syntax:> auth_basic I<I<C<string>> E<verbar> C<off>>


B<default:> I<off>


B<context:> I<http>


B<context:> I<server>


B<context:> I<location>


B<context:> I<limit_except>





Enables validation of user name and password using the
“HTTP Basic Authentication” protocol.
The specified parameter is used as a I<C<realm>>.
The parameter value can contain variables (1.3.10, 1.2.7).
The special value C<off> cancels the effect
of the C<auth_basic> directive
inherited from the previous configuration level.







=head2 auth_basic_user_file


B<syntax:> auth_basic_user_file I<I<C<file>>>



B<context:> I<http>


B<context:> I<server>


B<context:> I<location>


B<context:> I<limit_except>





Specifies a file that keeps user names and passwords,
in the following format:

    
    # comment
    name1:password1
    name2:password2:comment
    name3:password3


The I<C<file>> name can contain variables.





The following password types are supported:

=over




=item *

encrypted with the C<crypt> function; can be generated using
the “C<htpasswd>” utility from the Apache HTTP Server
distribution or the “C<openssl passwd>” command;



=item *

hashed with the Apache variant of the MD5-based password algorithm (apr1);
can be generated with the same tools;



=item *

specified by the
“C<{>I<C<scheme>>C<}>I<C<data>>”
syntax (1.0.3+) as described in
L<RFC 2307|https://datatracker.ietf.org/doc/html/rfc2307#section-5.3>;
currently implemented schemes include C<PLAIN> (an example one,
should not be used), C<SHA> (1.3.13) (plain SHA-1
hashing, should not be used) and C<SSHA> (salted SHA-1 hashing,
used by some software packages, notably OpenLDAP and Dovecot).

B<NOTE>

Support for the C<SHA> scheme was added only to aid
in migration from other web servers.
It should not be used for new passwords, since the unsalted SHA-1 hashing
that it employs is vulnerable to
L<rainbow table|http://en.wikipedia.org/wiki/Rainbow_attack>
attacks.




=back
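
The following audit script is an added example, not part of the nginx documentation or source. It parses a user file in the format shown above, reports entries that use the C<PLAIN> or C<SHA> schemes, and lists users whose C<SHA> values are identical, which is the visible effect of hashing without a salt. The function names and sample entries are constructed for illustration, and the C<SSHA> layout assumed is base64 of the SHA-1 digest followed by the salt.

```python
import base64
import hashlib

def sha_entry(password):
    # {SHA}: base64(SHA1(password)); no salt, so equal passwords give equal values
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def ssha_entry(password, salt):
    # {SSHA}: base64(SHA1(password + salt) + salt); the salt travels with the hash
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

WEAK = {"PLAIN": "cleartext", "SHA": "unsalted SHA-1"}

def parse(text):
    # Yield (name, password); skip comments, drop the optional third field.
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= 2:
                yield fields[0], fields[1]

def classify(password):
    for scheme in ("PLAIN", "SHA", "SSHA"):
        if password.startswith("{" + scheme + "}"):
            return scheme
    return "apr1" if password.startswith("$apr1$") else "crypt"

def audit(text):
    weak, by_hash = [], {}
    for name, password in parse(text):
        scheme = classify(password)
        if scheme in WEAK:
            weak.append((name, scheme, WEAK[scheme]))
        if scheme == "SHA":
            by_hash.setdefault(password, []).append(name)
    return weak, sorted(tuple(v) for v in by_hash.values() if len(v) > 1)

# Constructed sample data, not real credentials; the apr1 value is a placeholder.
SAMPLE = "\n".join([
    "# comment",
    "alice:{PLAIN}example-password",
    "bob:" + sha_entry("example-password"),
    "carol:" + sha_entry("example-password") + ":comment",
    "dave:" + ssha_entry("example-password", b"\x01\x02\x03\x04"),
    "frank:$apr1$constructed$placeholder",
])
```

C<audit(SAMPLE)> returns the weak entries for alice, bob and carol, and groups bob with carol because their unsalted C<SHA> values match.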