SETTING UP HTTP DIGEST AUTHENTICATION
- Layout for this exercise:
- HTTP Basic Authentication exchanges "username:password" in plain text, merely encoded with Base64, whereas HTTP Digest Authentication never sends the password itself: the client sends an MD5 hash computed from the credentials (and a nonce issued by the server).
- In future posts we'll see how the MD5 is crafted by the Apache server. For now, more information about HTTP Digest Authentication is available here:
https://en.wikipedia.org/wiki/Digest_access_authentication
- Let's set up HTTP Digest Authentication at the Apache web server on the folder "digestauth", located in the web root folder "/var/www/html/":
- First of all, the mod_auth_digest module must be enabled in Apache:
- The htdigest utility creates the file (in this case a hidden file named .htdigest) that Apache reads to validate credentials. Three parameters are provided by the user:
realm: whitelist_authority
username: admin
password: ababa
- Checking the content of the hidden file .htdigest:
- Adding some directives to the virtual host configuration file, located at "/etc/apache2/sites-enabled/000-default.conf":
- Note that the directives are specified for the folder "/digestauth" using its full filesystem path. Also, AuthName must match the realm given to htdigest, in this case "whitelist_authority":
- Restarting the web server:
- Checking that the configuration is correct:
- Checking the status of the server:
- Now, if wrong credentials are supplied, the server responds with a 401 Unauthorized message:
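The whole setup above as one script, added here as an example and not taken from the original post. It assumes the post's values (web root /var/www/html, folder digestauth, realm whitelist_authority, user admin, password ababa, vhost file /etc/apache2/sites-enabled/000-default.conf); the .htdigest location under /etc/apache2, the set of directives written into the vhost and the "apply" argument are this script's own choices.

```shell
#!/bin/sh
# Added example (not from the post). Helper functions run offline;
# apply_digest_auth needs root and Apache: sh setup.sh apply

# Produce the line htdigest stores: user:realm:MD5(user:realm:password).
# Only this hash is kept, so the password cannot be read back from the file.
htdigest_line() {
    user=$1; realm=$2; password=$3
    ha1=$(printf '%s' "$user:$realm:$password" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$user" "$realm" "$ha1"
}

# Check a username/password pair against an .htdigest file (exit 0 on match).
htdigest_verify() {
    file=$1; user=$2; realm=$3; password=$4
    grep -qxF "$(htdigest_line "$user" "$realm" "$password")" "$file"
}

# Render the <Directory> block for the protected folder. AuthName must be
# exactly the realm used with htdigest or every login fails.
digest_directory_block() {
    dir=$1; realm=$2; userfile=$3
    cat <<EOF
<Directory "$dir">
    AuthType Digest
    AuthName "$realm"
    AuthDigestProvider file
    AuthUserFile "$userfile"
    Require valid-user
</Directory>
EOF
}

# Full procedure: enable the module, create the credential file outside the
# web root (so it cannot be downloaded), add the directives, check, restart.
apply_digest_auth() {
    a2enmod auth_digest
    htdigest_line admin whitelist_authority ababa > /etc/apache2/.htdigest
    chmod 640 /etc/apache2/.htdigest
    digest_directory_block /var/www/html/digestauth whitelist_authority \
        /etc/apache2/.htdigest >> /etc/apache2/sites-enabled/000-default.conf
    apachectl configtest && systemctl restart apache2
}

if [ "${1:-}" = apply ]; then apply_digest_auth; fi
```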