我正在按照这些说明安装 netdata ( https://www.digitalocean.com/community/tutorials/how-to-set-up-real-time-performance-monitoring-with-netdata-on-ubuntu-16-04 )
最后它使用 htpasswd
创建一个 user:password 文件,该文件看起来已经以某种方式进行了哈希处理。如果我查看该文件,我会看到...
username:$somekindofpasswordhashandnotthepasswordientered
然后指令告诉我制作一个像这样的服务器 block ......
server {
listen your_server_ip:80;
server_name example.com;
auth_basic "Authentication Required";
auth_basic_user_file netdata-access;
netdata-access
是nginxconf目录下的密码文件。那么,当我访问此页面并输入密码时,我是通过网络发送密码明文,还是 nginx 模块以某种方式对其进行加密?服务器 block 位于端口 80 而不是 443...
编辑:我快速阅读了这两件事的文档,但没有找到有关我的问题的信息
最佳答案
auth_basic
在连接到服务器时打开的同一连接上工作,因此它在 http
上是纯文本,在 https
上是加密的 SSL/TLS 。对用户/密码组合进行的唯一处理是在发送到服务器之前进行Base64
编码。
您可以使用curl
来查看标题:
$ curl -v -u your_user_name "http://......."
查找 > Authorization: Basic ...
行,其中包含 user:pass
的 Base64
编码。
您可以使用以下方法解码字符串:
printf auth_string | base64 --decode
更多详情here .
<小时/>关于密码文件,nginx
可以在密码文件中使用明文和哈希密码( info here ):
<强>1。纯文本:
# comment name1:password1 name2:password2:comment name3:password3
<强>2。加密/散列:
encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the
“openssl passwd” command;hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools;
specified by the “{scheme}data” syntax (1.0.3+) as described in RFC 2307; currently implemented schemes include PLAIN (an example one, should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be used) and SSHA (salted SHA-1 hashing, used by some software packages, notably OpenLDAP and Dovecot).
$ htpasswd
Usage:
htpasswd [-cimBdpsDv] [-C cost] passwordfile username
htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
htpasswd -n[imBdps] [-C cost] username
htpasswd -nb[mBdps] [-C cost] username password
-c Create a new file.
-n Don't update file; display results on stdout.
-b Use the password from the command line rather than prompting for it.
-i Read password from stdin without verification (for script usage).
-m Force MD5 encryption of the password (default).
-B Force bcrypt encryption of the password (very secure).
-C Set the computing time used for the bcrypt algorithm
(higher is more secure but slower, default: 5, valid: 4 to 31).
-d Force CRYPT encryption of the password (8 chars max, insecure).
-s Force SHA encryption of the password (insecure).
-p Do not encrypt the password (plaintext, insecure).
-D Delete the specified user.
-v Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
关于security - nginx auth_basic 是否发送明文密码?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/41031810/