http://wiki.nginx.org/index.php?title=HttpAuthDigestModule&feed=atom&action=historyHttpAuthDigestModule - Revision history2013-05-22T00:07:01ZRevision history for this page on the wikiMediaWiki 1.19.0http://wiki.nginx.org/index.php?title=HttpAuthDigestModule&diff=1045&oldid=prevCds: rewordings2011-11-26T02:31:48Z<p>rewordings</p>
<p><b>New page</b></p><div>= Name =<br />
<br />
'''ngx_http_auth_digest''' - HTTP Digest Authentication support for Nginx.<br />
<br />
''This module is not distributed with the Nginx source.'' See the [https://github.com/samizdatco/nginx-http-auth-digest/blob/master/readme.rst installation instructions].<br />
<br />
= Status =<br />
<br />
The module is feature-complete with respect to the RFC but is in need of broader testing before it can be considered secure enough for use in production. See the [https://github.com/samizdatco/nginx-http-auth-digest/blob/master/bugs.txt <code>bugs.txt</code>] file and the github [https://github.com/samizdatco/nginx-http-auth-digest/issues issue tracker] for the current set of caveats.<br />
<br />
= Synopsis =<br />
<br />
You can limit access to a directory tree by adding the following lines into<br />
a ''server'' section in your Nginx configuration file:<br />
<br />
<geshi lang="nginx"><br />
auth_digest_user_file /opt/httpd/conf/passwd.digest; # a file created with htdigest<br />
location /private{<br />
auth_digest 'this is not for you'; # set the realm for this location block<br />
}<br />
</geshi><br />
<br />
The other directives control the lifespan defaults for the authentication session. The <br />
following is equivalent to the previous example but demonstrates all the directives:<br />
<br />
<geshi lang="nginx"><br />
auth_digest_user_file /opt/httpd/conf/passwd.digest;<br />
auth_digest_shm_size 4m; # the storage space allocated for tracking active sessions<br />
<br />
location /private {<br />
auth_digest 'this is not for you';<br />
auth_digest_timeout 60s; # allow users to wait 1 minute between receiving the<br />
# challenge and hitting send in the browser dialog box<br />
auth_digest_expires 10s; # after a successful challenge/response, let the client<br />
# continue to use the same nonce for additional requests<br />
# for 10 seconds before generating a new challenge<br />
auth_digest_replays 20; # also generate a new challenge if the client uses the<br />
# same nonce more than 20 times before the expire time limit<br />
}<br />
</geshi><br />
<br />
Adding digest authentication to a location will affect any uris that match that block. To<br />
disable authentication for specific sub-branches off a uri, set <code>auth_digest</code> to <code>off</code>:<br />
<br />
<geshi lang="nginx"><br />
location / {<br />
auth_digest 'this is not for you';<br />
location /pub {<br />
auth_digest off; # this sub-tree will be accessible without authentication<br />
}<br />
}<br />
</geshi><br />
<br />
= Directives =<br />
<br />
== auth_digest ==<br />
<br />
'''Syntax:''' auth_digest [''realm-name'' | <code>off</code> ]<br />
<br />
'''Default:''' <code>off</code><br />
<br />
'''Context:''' ''server, location''<br />
<br />
Enable or disable digest authentication for a server or location block. The realm name<br />
should correspond to a realm used in the user file. Any user within that realm will be<br />
able to access files after authenticating.<br />
<br />
To selectively disable authentication within a protected uri hierarchy, set <code>auth_digest</code> <br />
to “<code>off</code>” within a more-specific location block (see example).<br />
== auth_digest_user_file ==<br />
<br />
'''Syntax:''' auth_digest_user_file ''/path/to/passwd/file''<br />
<br />
'''Default:''' ''none''<br />
<br />
'''Context:''' ''server, location''<br />
<br />
The password file should be of the form created by the apache <code>htdigest</code> command (or the <br />
included <code>[https://github.com/samizdatco/nginx-http-auth-digest/blob/master/htdigest.py htdigest.py]</code> script). Each line of the file is a colon-separated list composed <br />
of a username, realm, and md5 hash combining name, realm, and password. For example:<br />
<br />
joi:enfield:ef25e85b34208c246cfd09ab76b01db7 <br />
== auth_digest_timeout ==<br />
<br />
'''Syntax:''' auth_digest_timeout ''delay-time''<br />
<br />
'''Default:''' <code>60s</code><br />
<br />
'''Context:''' ''server, location''<br />
<br />
When a client first requests a protected page, the server returns a 401 status code along with<br />
a challenge in the <code>WWW-Authenticate</code> header.<br />
<br />
At this point most browsers will present a dialog box to the user prompting them to log in. This<br />
directive defines how long challenges will remain valid. If the user waits longer than this time<br />
before submitting their name and password, the challenge will be considered ‘stale’ and they will<br />
be prompted to log in again.<br />
== auth_digest_expires ==<br />
<br />
'''Syntax:''' auth_digest_expires ''lifetime-in-seconds''<br />
<br />
'''Default:''' <code>10s</code><br />
<br />
'''Context:''' ''server, location''<br />
<br />
Once a digest challenge has been successfully answered by the client, subsequent requests <br />
will attempt to re-use the ‘nonce’ value from the original challenge. To complicate MitM<br />
attacks, it's best to limit the number of times a cached nonce will be accepted. This<br />
directive sets the duration for this re-use period after the first successful authentication.<br />
== auth_digest_replays ==<br />
<br />
'''Syntax:''' auth_digest_replays ''number-of-uses''<br />
<br />
'''Default:''' <code>20</code><br />
<br />
'''Context:''' ''server, location''<br />
<br />
Nonce re-use should also be limited to a fixed number of requests. Note that increasing this<br />
value will cause a proportional increase in memory usage and the shm_size may have to be<br />
adjusted to keep up with heavy traffic within the digest-protected location blocks.<br />
== auth_digest_shm_size ==<br />
<br />
'''Syntax:''' auth_digest_shm_size ''size-in-bytes''<br />
<br />
'''Default:''' <code>4096k</code><br />
<br />
'''Context:''' ''server''<br />
<br />
The module maintains a fixed-size cache of active digest sessions to save state between <br />
authenticated requests. Once this cache is full, no further authentication will be possible<br />
until active sessions expire. <br />
<br />
As a result, choosing the proper size is a little tricky since it depends upon the values set in<br />
the expiration-related directives. Each stored challenge takes up <code>48 + ceil(auth_digest_replays/8)</code> bytes<br />
and will live for up to <code>auth_digest_timeout + auth_digest_expires</code> seconds. When using the<br />
default module settings this translates into allowing around 82k non-replay requests every 70<br />
seconds.<br />
<br />
= Source Repository =<br />
<br />
Available on github at [https://github.com/samizdatco/nginx-http-auth-digest samizdatco/nginx-http-auth-digest].<br />
<br />
= Author =<br />
<br />
Christian Swinehart / [http://samizdat.cc Samizdat Drafting Co.]<br />
<br />
= Copyright & License =<br />
<br />
The basic request-handling and password-file-parsing is based on the <code>ngx_http_auth_basic</code> module in the Nginx 1.0.8 sources. The original code is copyright Igor Sysoev.<br />
<br />
Copyright (c) 2011, Christian Swinehart<br />
<br />
This module is licensed under the terms of the [https://github.com/samizdatco/nginx-http-auth-digest/blob/master/LICENSE BSD license].<br />
<br />
= See Also =<br />
<br />
* The [http://www.ietf.org/rfc/rfc2617.txt RFC 2617] definition of basic and digest authentication.<br />
* Shane Holloway's werkzeug [https://bitbucket.org/shanewholloway/werkzeug-main/src/tip/werkzeug/contrib/authdigest.py module] which was used as a reference implementation.</div>Cds