I finally got Apache’s Digest authentication, and since there’s a serious dearth of information online about getting Digest working, I decided I’d write up a bit. It’s not difficult, but I’ve had far more trouble than I should have, and most of that’s due to nonexistant documentation.
Why Digest?
Standard HTTP auth sends the password in plaintext, which is generally bad. On sites with an SSL cert, this is less of a problem, since the traffic is encrypted to begin with, but on smaller sites, it’s a lot of overhead to set up SSL.
Digest authentication hashes the password before sending it – it’s an MD5, which isn’t great, but it’s also not your password flapping in the breeze, so to speak. It’s a good intermediate step to make sure you’re not transmitting plaintext passwords anywhere.
What’s the drawback?
There’s a very small performance hit, and it’s not as easy to set up, but the biggest drawback is that you have to rebuild your apache users file.
So how do I do it?
Digest is very similar to standard Apache access configuration, with just a couple changes.
- Make sure you have digest enabled – if you have shell access, type:
a2enmod auth_digest
otherwise, in your httpd.conf or apache2.conf file, include the line:
LoadModule auth_digest_module modules/mod_auth_digest.so - Create your new Digest authentication file. At the shell, type:
cd /var/www/
htdigest -c .digest Internal Admin
Note: This code creates a user named Admin in the realm “Internal” – we’ll get to realms later.
You’ll be asked for a password, and then asked to confirm the password. - Create your .htaccess file in the directory you want to protect – in this case, we’ll assume it’s http://(yourdomain)/Private:
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthType Digest
AuthName "Internal"
AuthDigestDomain /Private
AuthUserFile /var/www/.digest
Require user valid-user
The first line is necessary to make Digest work for IE6. IE7 seems fine.
AuthName is the realm you chose earlier – Digest allows you to make multiple “realms” to protect different directories.
Also, note the AuthUserFile line – Apache docs swear that line should read AuthDigestFile. It shouldn’t.
That’s it – you’re using Digest!
The code is interchangeable anywhere you’d normally use standard Apache password auth, and you can use all the other normal .htaccess commands as well. It’s just a mildly more secure, and horrendously documented, alternative to standard HTTP authentication.
Apache.org: Authentication, Authorization and Access Control
Apache.org: Apache Module mod_auth_digest
It’s working very well with FF und IE8. Thanks a lot for the easy-understanding post.
Hi Eric, I tried the above, but there’s no login box appear when access my site. Am I missing something or the auth process doesn’t appear for LAN access? My site is local and I access it from local ip eg. 192.168…
Check your apache config file – in the section, you should put:
AllowOverride All
Otherwise Apache won’t read the .htaccess files.
If it’s still not working, check your logs.
Cheers,
Eric
Very nice, very straight to the point but with an evil nasty typo in your instruction which left me struggling for one (stupid) hour, i.e. because googleling for the error message “Digest: invalid nonce length is not 52″ didn’t help at all:
Hint:
It’s not
“Require valid-user”
instead it’s
“Require user valid-user”
Best regards,
Herr Irrtum!
Fixed – Thanks!