Apache Digest Authentication on Ubuntu 7.10

I’ve been looking to make my Apache server available on the web from time to time so I can have others look at things I’m working on. I didn’t want to just hang everything out there unsecured, so I took a look into setting up Digest authentication, since Basic sounds quite insecure. I dug around for a while and found several guides that showed different ways to set it up, but none of them contained everything I needed to get global password protection.

The first step was to stop loading the basic auth module:

sudo rm /etc/apache2/mods-enabled/auth_basic.load

Now I needed to include the digest auth module:

sudo ln -s /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled/auth_digest.load

Pretty straightforward, though none of the guides I looked at mentioned it. Next I needed to use the ‘htdigest’ command to create the text file that stores the username and password. It is highly recommended (for obvious reasons) that this file not be within a directory Apache makes available to the web. Create a new directory outside of /var/www and change to it:

htdigest -c digest main rwaters

The htdigest command takes 3 parameters (and an optional -c flag to create a new file): the first is the filename, the second is the realm (more on this in a bit), and the third is the username. The command then prompts you to enter and re-enter the password, hashes it, and writes the entry to the text file. The last required bit is to modify the Apache config to actually use auth_digest and point it at the digest text file. If you left everything at the default Ubuntu settings, the config file that defines directories and access to them is /etc/apache2/sites-enabled/000-default. To make the settings global I applied them within the directive:

AuthType Digest
AuthName "main"
AuthUserFile /path/to/the/digest/file/from/above
Require valid-user

Pretty straightforward: the AuthName setting must match the realm you defined when generating the password, because the realm is hashed into each entry of the digest file. The one thing that kept throwing me was that the guides I looked at said to use AuthDigestFile instead of AuthUserFile, and Apache kept claiming that AuthDigestFile was not a valid configuration option. (Apache 2.2, which Ubuntu 7.10 ships, renamed the older AuthDigestFile directive to AuthUserFile, which is why those guides no longer work.) Anyway, you can add as many username and password combinations as you like to the digest text file. Next up for me is to enable SSL and force all URLs to redirect to HTTPS.
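The following script is an added example, not part of the original post or of Apache's own tooling. It shows what htdigest writes (one line per user, user:realm:MD5 of "user:realm:password") and adds the check a practitioner wants after the steps above: that the realm stored in the digest file is the same string as AuthName in the config, since a mismatch is the usual reason the browser keeps re-prompting. It assumes POSIX sh, coreutils md5sum and awk, a single-word realm as in the post, and file paths and passwords that are constructed here for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: generate htdigest-style entries
# and check that AuthName in the Apache config matches the realm in the file.
# Assumptions: POSIX sh, coreutils md5sum, awk; all paths below are constructed.

# htdigest stores one line per user: user:realm:MD5("user:realm:password").
# The realm is part of the hashed string, so an entry only works under that AuthName.
digest_line() {
    user="$1"; realm="$2"; password="$3"
    hash=$(printf '%s:%s:%s' "$user" "$realm" "$password" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$user" "$realm" "$hash"
}

# Print the AuthName value from a config fragment, with surrounding quotes removed.
# Assumes a single-word realm, as in the post (a realm with spaces would need more parsing).
authname_from_config() {
    awk '$1 == "AuthName" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Return 0 when every realm in the digest file equals the given AuthName,
# 1 otherwise. A mismatch here is why a browser keeps re-prompting for a password.
check_realm() {
    file="$1"; authname="$2"
    mismatches=$(cut -d: -f2 "$file" | grep -v -x -F -- "$authname" | wc -l | tr -d ' ')
    [ "$mismatches" -eq 0 ]
}

# Demo on constructed data: a two-user digest file and a matching config fragment.
digest=$(mktemp) && cfg=$(mktemp)
digest_line rwaters main 'constructed-password' >  "$digest"
digest_line alice   main 'another-password'     >> "$digest"
printf 'AuthType Digest\nAuthName "main"\nAuthUserFile %s\nRequire valid-user\n' "$digest" > "$cfg"

if check_realm "$digest" "$(authname_from_config "$cfg")"; then
    echo "realm in $digest matches AuthName in $cfg"
else
    echo "realm mismatch: fix AuthName or regenerate the digest file" >&2
fi
rm -f "$digest" "$cfg"
```

Run it against your real files by replacing the two mktemp paths with the digest file you created and the site config you edited; digest_line is only there to show the file format, and the htdigest command from the post remains the right way to add users.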

Posted in Misc