Does nginx auth_basic send the password in plaintext?
I am installing netdata following these instructions (https://www.digitalocean.com/community/tutorials/how-to-set-up-real-time-performance-monitoring-with-netdata-on-ubuntu-16-04).
Near the end it uses htpasswd to create a user:password file, which appears to have been hashed in some way. If I look at the file I see...
username:$somekindofpasswordhashandnotthepasswordientered
The instructions then tell me to make a server block like this...
server {
listen your_server_ip:80;
server_name example.com;
auth_basic "Authentication Required";
auth_basic_user_file netdata-access;
}
netdata-access is the password file in the nginx conf directory. So when I visit this page and enter the password, am I sending my password in plaintext over the network, or does the nginx module encrypt it somehow? The server block is on port 80, not 443...
Edit: I skimmed the documentation for both of these, but did not find anything about my question.
auth_basic works on the same connection that was opened to the server, so it is plain text over http and SSL/TLS-encrypted over https. The only processing done to the user/pass combination is Base64 encoding before it is sent to the server.
You can look at the headers with curl:
$ curl -v -u your_user_name "http://......."
Look for the line
> Authorization: Basic ...
which contains the Base64 encoding of user:pass.
You can decode the string with:
printf auth_string | base64 --decode
More details here.
Regarding the password file, nginx can use both plaintext and hashed passwords in the password file (info here):
1. Plain text:
# comment
name1:password1
name2:password2:comment
name3:password3
2. Encrypted/hashed:
- encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the “openssl passwd” command;
- hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools;
- specified by the “{scheme}data” syntax (1.0.3+) as described in RFC 2307; currently implemented schemes include PLAIN (an example one, should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be used) and SSHA (salted SHA-1 hashing, used by some software packages, notably OpenLDAP and Dovecot).
$ htpasswd
Usage:
htpasswd [-cimBdpsDv] [-C cost] passwordfile username
htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
htpasswd -n[imBdps] [-C cost] username
htpasswd -nb[mBdps] [-C cost] username password
-c Create a new file.
-n Don't update file; display results on stdout.
-b Use the password from the command line rather than prompting for it.
-i Read password from stdin without verification (for script usage).
-m Force MD5 encryption of the password (default).
-B Force bcrypt encryption of the password (very secure).
-C Set the computing time used for the bcrypt algorithm
(higher is more secure but slower, default: 5, valid: 4 to 31).
-d Force CRYPT encryption of the password (8 chars max, insecure).
-s Force SHA encryption of the password (insecure).
-p Do not encrypt the password (plaintext, insecure).
-D Delete the specified user.
-v Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
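To make the two points of the answer concrete (the Authorization header is only Base64, and the entry formats nginx accepts in the password file), here is an added Python example that is not part of the original answer: it decodes a Basic Authorization header the way nginx receives it and verifies the credentials against a constructed auth_basic_user_file with {SSHA}, {SHA} and plaintext entries. The function names, the sample users, passwords and the fixed salt are all constructed here; crypt() and apr1 entries are not verified, since they need a crypt library.

```python
import base64, hashlib, hmac, os

def decode_basic_header(value):
    """'Basic dXNlcjpwYXNz' -> ('user', 'pass'); Base64 is encoding, not encryption."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(b64).decode("utf-8").partition(":")
    return user, password

def sha_entry(password):
    """Unsalted '{SHA}' value: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def ssha_entry(password, salt=b""):
    """Salted '{SSHA}' value: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def parse_htpasswd(text):
    """name:password[:comment] lines; blank lines and '#' comments are skipped."""
    entries = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            name, _, rest = line.partition(":")
            entries[name] = rest.split(":", 1)[0]  # drop the optional comment
    return entries

def check_password(stored, password):
    """Compare a presented password with one stored entry in constant time."""
    pw = password.encode()
    if stored.startswith("{SSHA}"):  # 20-byte SHA-1 digest followed by the salt
        raw = base64.b64decode(stored[6:])
        return hmac.compare_digest(hashlib.sha1(pw + raw[20:]).digest(), raw[:20])
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(stored[5:]))
    if stored.startswith("$"):  # crypt()/apr1 entries need a crypt library; not handled
        return False
    return hmac.compare_digest(stored.encode(), pw)  # bare plaintext entry

def authorize(header_value, htpasswd_text):
    """What auth_basic does per request: decode the header, then check the user."""
    user, password = decode_basic_header(header_value)
    entries = parse_htpasswd(htpasswd_text)
    return user in entries and check_password(entries[user], password)

# Constructed sample auth_basic_user_file (salted, unsalted and plaintext entries)
SAMPLE_HTPASSWD = "\n".join(["# comment", "alice:" + ssha_entry("s3cret", b"fixedsalt"),
                             "bob:" + sha_entry("hunter2") + ":comment", "carol:password3"])
```

Running decode_basic_header on a header captured from a plain http connection returns the user and password unchanged, which is exactly why the answer says to use https.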