
Configuring Apache digest authentication

2022-06-26 12:33:00 Edison Dont

Apache user authentication commonly takes one of three forms:

  • Access control by IP address or subnet (ACL)
  • Basic user authentication (Basic Authentication)
  • Message digest authentication (Digest Authentication)

Message digest authentication (Digest Authentication)

Digest Authentication improves on Basic Authentication, which sends the password itself with every request. For each challenge the server generates a fresh random nonce. The client hashes the user name, realm and password together with that nonce and the request method and URI using MD5, and sends the resulting hash (the "response") instead of the password. The server stores MD5(username:realm:password) rather than the password, recomputes the same hash with its own copy of the nonce, and compares the two values. This is hashing, not encryption: the password never crosses the wire, but anyone who captures the exchange can run an offline dictionary attack against the response, the request and response bodies are neither confidential nor (with qop=auth) integrity-protected, and the stored hash is itself sufficient to authenticate. Digest Authentication should therefore still be deployed over TLS.

1. Send a page access request

Request URL:http://localhost/config/

Request method:GET

2. The web server requires the user to supply credentials (it returns a 401 response whose WWW-Authenticate header carries the 'realm')

HTTP/1.1 401 Unauthorized
Date: Tue, 01 Jun 2021 07:17:51 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
WWW-Authenticate: Digest realm="Digest Encrypt", nonce="C9zdI6/DBQA=b6e73f0db8e3966873cc961fc22031b43e02aab6", algorithm=MD5, qop="auth"
Content-Length: 381
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

3. The browser pops up a login window (showing the 'realm') and asks for a user name and password

4. Request sent after the user enters the user name and password

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Authorization: Digest username="Admin", realm="Digest Encrypt", nonce="C9zdI6/DBQA=b6e73f0db8e3966873cc961fc22031b43e02aab6", uri="/config/", algorithm=MD5, response="ae7dc868b37313788a24d2e6e0094154", qop=auth, nc=00000001, cnonce="001945ca0da1ba75"

5. The server recomputes the digest from the credential stored in its password file and compares it with the response sent by the client. If they match, it returns the requested page. (The Authentication-Info header in the reply below shows nc=00000002, so this reply was captured for a second request on the same nonce; its rspauth value lets the client confirm that the server also knows the credential.)

HTTP/1.1 200 OK
Date: Tue, 01 Jun 2021 08:26:28 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
Authentication-Info: rspauth="a04006ede76a798709c2ea1c5c7533bb", cnonce="777276a0e05dcab9", nc=00000002, qop=auth
Content-Length: 5089
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8


Configuring Apache

1. Create the password file

htdigest [-c] passwordfile realm username

D:\Softwares\Apache24\bin> htdigest.exe -c \ "Digest Encrypt" Admin

Adding password for Admin in realm Digest Encrypt.

New password: ********
Re-type new password: ********

-c = create the file

Do not pass -c when adding further users, because it overwrites the existing file.

File content format: Admin:Digest Encrypt:ded139b4abeb56c14a30ff0a07e27010

The third field is HA1 = MD5(username:realm:password), the value the server feeds directly into the digest computation. It is not an encrypted password: anyone who can read this file can authenticate as Admin without ever learning the password, so store it outside DocumentRoot with permissions that let only the Apache service account read it.

2. To configure httpd.conf

# 'AuthName' must be identical to the realm given to htdigest (for Basic authentication they may differ).
# Otherwise a correct user name and password will still fail authentication.
<Directory "${DocumentRoot}\config">
    Options Indexes FollowSymLinks
    AuthType Digest
    AuthName "Digest Encrypt"
    AuthUserFile "D:\digest.txt"
    Require valid-user
    AllowOverride None
</Directory>
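A hardened version of the block above, added here as an example and not taken from the original post or from the Apache documentation. The password file path, the removal of directory listings, the AuthDigestDomain value and the SSLRequireSSL line (which needs mod_ssl and a TLS virtual host) are assumptions for illustration. Apache does not accept a comment after a directive on the same line, so the notes sit on their own lines.

```apache
LoadModule auth_digest_module modules/mod_auth_digest.so
# AuthUserFile is read through the "file" provider from mod_authn_file
LoadModule authn_file_module modules/mod_authn_file.so

<Directory "${DocumentRoot}/config">
    # assumption: no directory listings for the protected area
    Options FollowSymLinks
    AuthType Digest
    # must be identical to the realm passed to htdigest
    AuthName "Digest Encrypt"
    AuthDigestProvider file
    # assumption: a path outside DocumentRoot; the file holds password-equivalent hashes
    AuthUserFile "D:/apache-private/digest.txt"
    # URIs for which the client may reuse these credentials
    AuthDigestDomain /config/
    # seconds a nonce remains valid; 300 is the default
    AuthDigestNonceLifetime 300
    # refuse plaintext HTTP; digest alone leaves the response open to offline cracking
    SSLRequireSSL
    Require valid-user
    AllowOverride None
</Directory>
```

SSLRequireSSL returns 403 for plaintext requests rather than redirecting, so the browser never sends the digest over HTTP; a redirect from an HTTP virtual host to HTTPS belongs in a separate block that does not require authentication.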

3. Authentication module configuration

Check that httpd.conf contains

LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule auth_basic_module modules/mod_auth_basic.so

First, make sure mod_auth_digest.so is present in the modules directory. It is part of the standard Apache build, so no recompilation is needed; in the stock httpd.conf its LoadModule line is commented out and has to be enabled. Because AuthUserFile is read through the "file" provider, mod_authn_file must be loaded as well.

Second, commenting out mod_auth_basic, as shown above, is optional rather than required. Both modules can be loaded at the same time; the AuthType directive in each <Directory> or <Location> block chooses which scheme applies there. If digest authentication does not take effect, the cause is almost always that mod_auth_digest is not loaded or that the block still says AuthType Basic.


WWW-Authenticate Response Header

If a server receives a request for an access-protected object, and an acceptable Authorization header is not sent, the server responds with a "401 Unauthorized" status code, and a WWW-Authenticate header as per the framework defined above, which for the digest scheme is utilized as follows.


      challenge        =  "Digest" digest-challenge

      digest-challenge  = 1#( realm | [ domain ] | nonce |
                          [ opaque ] |[ stale ] | [ algorithm ] |
                          [ qop-options ] | [auth-param] )


      domain            = "domain" "=" <"> URI ( 1*SP URI ) <">
      URI               = absoluteURI | abs_path
      nonce             = "nonce" "=" nonce-value
      nonce-value       = quoted-string
      opaque            = "opaque" "=" quoted-string
      stale             = "stale" "=" ( "true" | "false" )
      algorithm         = "algorithm" "=" ( "MD5" | "MD5-sess" |
                           token )
      qop-options       = "qop" "=" <"> 1#qop-value <">
      qop-value         = "auth" | "auth-int" | token
Parameter explanation

realm

A string displayed to the user so they know which user name and password to use. It should contain at least the name of the host performing the authentication and may also indicate the collection of users who have access.

Example: "[email protected]".

nonce

A unique data string the server generates each time it sends a 401 response. The nonce Apache issues (see step 2 above) is a base64-encoded timestamp followed by a hash keyed with a server secret, which lets the server reject stale or forged nonces without storing them.

The nonce is opaque to the client, which simply echoes it back in the Authorization header.
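A parser for the challenge grammar above and for the matching Authorization credentials, added here as an example (not code from the original post or from Apache). It handles quoted-string values with escaped quotes, bare tokens such as algorithm=MD5 and nc=00000001, the comma-separated qop list, and the mandatory-field rules a server applies before it does any hashing; the header values it is checked against are the ones captured in steps 2 and 4.

```python
"""Parser for the Digest WWW-Authenticate challenge and the matching Authorization
credentials, following the auth-param grammar shown above.

Added example, not from the original post or from Apache. The header values in
the usage below are the ones captured in steps 2 and 4 above.
"""
import re

# One auth-param: name "=" ( quoted-string with \" escapes | bare token ),
# followed by a comma or the end of the header value.
_PARAM_RE = re.compile(
    r'\s*([\w!#$%&*+.^|~-]+)\s*=\s*'        # name =
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))'    # "quoted" value or token
    r'\s*(?:,|$)'
)


def parse_auth_params(header_value: str) -> dict:
    """Split 'Digest a="x", b=y, ...' into {"a": "x", "b": "y"} (names lower-cased)."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest header: {scheme!r}")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param near {rest[pos:pos + 20]!r}")
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \" and \\ escapes
        else:
            value = m.group(3)
        if name in params:
            raise ValueError(f"duplicate parameter {name!r}")
        params[name] = value
        pos = m.end()
    return params


def parse_challenge(header_value: str) -> dict:
    """WWW-Authenticate: realm and nonce are mandatory; algorithm defaults to MD5;
    qop is a quoted, comma-separated list; stale is the token true/false."""
    ch = parse_auth_params(header_value)
    missing = [k for k in ("realm", "nonce") if k not in ch]
    if missing:
        raise ValueError(f"challenge lacks {missing}")
    ch.setdefault("algorithm", "MD5")
    ch["qop"] = [q.strip() for q in ch["qop"].split(",") if q.strip()] if "qop" in ch else []
    ch["stale"] = ch.get("stale", "false").lower() == "true"
    return ch


def parse_credentials(header_value: str) -> dict:
    """Authorization: the fields the server needs to recompute the response.
    When qop is present, nc (8 hex digits) and cnonce become mandatory too."""
    cr = parse_auth_params(header_value)
    required = ["username", "realm", "nonce", "uri", "response"]
    if "qop" in cr:
        required += ["nc", "cnonce"]
    missing = [k for k in required if k not in cr]
    if missing:
        raise ValueError(f"credentials lack {missing}")
    if "nc" in cr and not re.fullmatch(r"[0-9a-fA-F]{8}", cr["nc"]):
        raise ValueError(f"bad nonce count {cr['nc']!r}")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", cr["response"]):
        raise ValueError("response is not a 32-hex-digit MD5")
    return cr


def challenge_supported(ch: dict) -> bool:
    """A client can only answer if it knows the algorithm and one offered qop."""
    algo_ok = ch["algorithm"].upper() in ("MD5", "MD5-SESS")
    qop_ok = not ch["qop"] or bool({"auth", "auth-int"} & set(ch["qop"]))
    return algo_ok and qop_ok


def credentials_match_challenge(cr: dict, ch: dict) -> bool:
    """Server-side sanity check before any hashing: the client must echo the
    realm and nonce it was given and pick a qop the server actually offered."""
    return (cr["realm"] == ch["realm"] and cr["nonce"] == ch["nonce"]
            and ("qop" not in cr or cr["qop"] in ch["qop"]))


if __name__ == "__main__":
    # Headers captured in steps 2 and 4 above.
    challenge = parse_challenge('Digest realm="Digest Encrypt", '
                                'nonce="C9zdI6/DBQA=b6e73f0db8e3966873cc961fc22031b43e02aab6", '
                                'algorithm=MD5, qop="auth"')
    creds = parse_credentials('Digest username="Admin", realm="Digest Encrypt", '
                              'nonce="C9zdI6/DBQA=b6e73f0db8e3966873cc961fc22031b43e02aab6", '
                              'uri="/config/", algorithm=MD5, response="ae7dc868b37313788a24d2e6e0094154", '
                              'qop=auth, nc=00000001, cnonce="001945ca0da1ba75"')
    print(challenge)
    print(creds)
    print("supported:", challenge_supported(challenge), "consistent:", credentials_match_challenge(creds, challenge))
```

Rejecting a duplicate parameter matters in practice: a request carrying two realm or two uri values is a classic way to make a lenient parser verify one value while the application acts on the other.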

Reference link

1. The WWW-Authenticate Response Header
Original site

Copyright notice
This article was written by [Edison Dont]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/02/202202170515459370.html