I’ve been looking to make my apache server available on the web from time to time so I can have others look at things I’m working on. I didn’t want to just hang everything out there unsecured, so I took a look into setting up Digest authentication since Basic sounds quite insecure. I dug around for a while and found several guides that showed different ways to set it up but none of them contained all of what I needed to get a global password protection.
The first step was to stop loading the Basic auth module. Removing the symlink in mods-enabled is exactly what Ubuntu's a2dismod does under the hood; disabling it is not strictly required for Digest to work, but it guarantees that no stray AuthType Basic block can accept passwords in the clear (it also means any existing AuthType Basic config will fail at startup, so check for those first).
sudo rm /etc/apache2/mods-enabled/auth_basic.load
Now I needed to include the Digest auth module (the a2enmod auth_digest equivalent). Module changes only take effect after Apache is restarted.
sudo ln -s /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled/auth_digest.load
Pretty straightforward, though none of the guides I looked at mentioned it. Next I needed to use the 'htdigest' command to create the text file that stores the usernames and passwords. It is highly recommended that this file not be within a directory Apache makes available to the web: the file holds an unsalted MD5 hash of user:realm:password for every account, so anyone who can download it can brute-force the passwords offline. Keep it outside the web root, owned by root and readable only by the user Apache runs as. Create a new directory outside of /var/www and change to it.
htdigest -c digest main rwaters
The htdigest command takes 3 parameters (and an optional -c flag to create a new file; note that -c truncates an existing file, so leave it off when adding further users). The first param is the filename, the second is the realm (more on this in a bit), and the third is the username. The command then prompts you to enter and re-enter the password, hashes it, and writes the entry to the text file. The last required bit is to modify the Apache config to actually use auth_digest and point it at the digest text file. If you left everything as the default Ubuntu settings then the config file that defines directories and access to them is /etc/apache2/sites-enabled/000-default. To make the settings global I applied them within the
The AuthName setting must match, character for character, the realm you gave htdigest when generating the password: the realm is part of the string that gets hashed, so a different AuthName means every stored hash is useless and all logins fail. The one thing that kept throwing me was that the guides I looked at said to use AuthDigestFile instead of AuthUserFile and Apache kept claiming that AuthDigestFile was not a valid configuration option. AuthDigestFile was the Apache 2.0 directive; from 2.2 onward mod_auth_digest reads the file through the normal AuthUserFile directive. Anyway, you can add as many username and password combinations as you like to the digest text file by re-running htdigest without -c. Next up for me is to enable SSL and force all URLs to redirect to HTTPS. That step matters: Digest keeps the password itself off the wire, but everything else in the request and response still travels in the clear until TLS is in place.
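To make the realm/AuthName coupling concrete, here is an added example (my illustration, not code from this post or from Apache) that reproduces the entry format htdigest writes and checks passwords against a digest file the same way mod_auth_digest does at the hash level. The user "rwaters" and realm "main" come from the commands above; the passwords and the second account are constructed for the example.

```python
"""Reproduce htdigest's file format and verify passwords against it.

Added example, not part of the original post.  An htdigest file holds
one line per account of the form  user:realm:HA1  where
HA1 = MD5("user:realm:password") in lowercase hex.  Because the realm
is hashed in, Apache's AuthName must equal the realm exactly or every
entry silently stops matching.
"""
import hashlib
import hmac
import string

HEX_DIGITS = set(string.hexdigits.lower())


def digest_hash(user: str, realm: str, password: str) -> str:
    """HA1 as stored by htdigest: MD5 over 'user:realm:password'."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_entry(user: str, realm: str, password: str) -> str:
    """One line exactly as htdigest would append it to the file."""
    if ":" in user or ":" in realm:
        raise ValueError("user and realm may not contain ':'")
    return f"{user}:{realm}:{digest_hash(user, realm, password)}"


def parse_digest_file(text: str) -> dict:
    """Map (user, realm) -> HA1, rejecting malformed lines.

    A malformed line is worth failing loudly on: Apache would just
    ignore that account and the user would see an unexplained 401.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:realm:hash")
        user, realm, ha1 = parts
        ha1 = ha1.lower()
        if len(ha1) != 32 or not set(ha1) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: hash is not 32 hex chars")
        entries[(user, realm)] = ha1
    return entries


def verify(entries: dict, user: str, realm: str, password: str) -> bool:
    """True only if user exists under this exact realm and the password matches.

    The realm passed here plays the role of Apache's AuthName: a
    mismatch means the lookup key does not exist and the login fails.
    """
    stored = entries.get((user, realm))
    if stored is None:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(stored, digest_hash(user, realm, password))


if __name__ == "__main__":
    # Constructed sample file: the post's user plus a second account.
    sample = "\n".join([
        digest_entry("rwaters", "main", "example-password-1"),
        digest_entry("guest", "main", "example-password-2"),
    ]) + "\n"
    entries = parse_digest_file(sample)
    print(verify(entries, "rwaters", "main", "example-password-1"))  # True
    print(verify(entries, "rwaters", "main", "wrong"))               # False
    print(verify(entries, "rwaters", "Main", "example-password-1"))  # False: AuthName != realm
```

The third check is the failure mode from the text: a capitalised realm ("Main" instead of "main") finds no entry at all, which is why changing AuthName later means regenerating every password with htdigest.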