security - nginx auth_basic 是否发送明文密码？

Question

我正在按照这些说明安装 netdata ( https://www.digitalocean.com/community/tutorials/how-to-set-up-real-time-performance-monitoring-with-netdata-on-ubuntu-16-04 )

最后它使用 htpasswd 创建一个 user:password 文件，该文件看起来已经以某种方式进行了哈希处理。如果我查看该文件，我会看到...

username:$somekindofpasswordhashandnotthepasswordientered

然后指令告诉我制作一个像这样的服务器 block ......

server {
    listen your_server_ip:80;
    server_name example.com;

    auth_basic "Authentication Required";
    auth_basic_user_file netdata-access; 

netdata-access是nginxconf目录下的密码文件。那么，当我访问此页面并输入密码时，我是通过网络发送密码明文，还是 nginx 模块以某种方式对其进行加密？服务器 block 位于端口 80 而不是 443...

编辑:我快速阅读了这两件事的文档，但没有找到有关我的问题的信息

Answer 1

auth_basic 在连接到服务器时打开的同一连接上工作，因此它在 http 上是纯文本，在 https 上是加密的 SSL/TLS 。对用户/密码组合进行的唯一处理是在发送到服务器之前进行Base64编码。

您可以使用curl来查看标题:

$ curl -v -u your_user_name "http://......."

查找 > Authorization: Basic ... 行，其中包含 user:pass 的 Base64 编码。

您可以使用以下方法解码字符串:

printf auth_string | base64 --decode

更多详情here .

<小时/>

关于密码文件，nginx 可以在密码文件中使用明文和哈希密码( info here ):

<强>1。纯文本:

    # comment
    name1:password1
    name2:password2:comment
    name3:password3

<强>2。加密/散列:

• encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the
  “openssl passwd” command;

• hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools;

• specified by the “{scheme}data” syntax (1.0.3+) as described in RFC 2307; currently implemented schemes include PLAIN (an example one, should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be used) and SSHA (salted SHA-1 hashing, used by some software packages, notably OpenLDAP and Dovecot).

$ htpasswd 
Usage:
    htpasswd [-cimBdpsDv] [-C cost] passwordfile username
    htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password

    htpasswd -n[imBdps] [-C cost] username
    htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.