basic_auth plain text password

Darius Damalakas darius.damalakas at gmail.com
Fri Sep 10 11:02:24 MSD 2010


Hi,

I am running nginx/0.8.50, and I am using "auth_basic" for basic
authentication. What I have found so far is that it looks like
nginx is treating the passwords as plain text. My basic idea is that
nginx does not encrypt the password that it gets with MD5 or any other
algorithm, and simply checks the password that is sent as plain text.
Is this true, or am I missing something?


Here is part of my configuration:

location / {
    limit_except POST { # applies to every method except POST
        auth_basic           "Restricted";
        auth_basic_user_file passwd;
        proxy_pass http://localhost:8250;
    }
}


Configuration is valid:

C:\ProgramFiles\nginx>nginx.exe -t
the configuration file C:\ProgramFiles\nginx/conf/nginx.conf syntax is ok
configuration file C:\ProgramFiles\nginx/conf/nginx.conf test is successful


Contents of passwd file:
aaa:hxd1LrV11sUPs
bbb:/vtymnRvQGh52
qqq:aaa
ccc:ccc


What I have found is that if I try user aaa or bbb, for which
passwords are generated with the Apache htpasswd utility, I get a log error:

2010/09/09 19:46:46 [error] 5596#560: *3 user "aaa": password
mismatch, client: 9.183.126.52, server: myserver, request: "GET
/shortlog/d6b56cc4c6d1 HTTP/1.1", host: "myhost"
2010/09/09 19:47:16 [error] 5596#560: *3 user "bbb": password
mismatch, client: 9.183.126.52, server: myserver, request: "GET
/shortlog/d6b56cc4c6d1 HTTP/1.1", host: "myhost"

If I try connecting with user ccc and password ccc, the user is allowed.

I've found on Google some mails in mailing lists that say that this
might not yet be implemented (can't find that URL now).
And, by the way, the OS is WinXP.

-- 
Linkėjimai, Best Regards

Darius Damalakas
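
An added example, not part of the original message and not nginx code: a small audit script that classifies each entry of an auth_basic_user_file by the shape of its password field, so entries that match no known hash format (and may be stored in clear text) stand out. The function names and the scheme patterns are assumptions of this example; the sample input is the four entries quoted in the message above.

```python
import re

# Password-field shapes commonly seen in htpasswd-style files.
# This table is an assumption of the example, not nginx's own list.
SCHEMES = [
    ("apr1-md5", re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}$")),
    ("crypt-md5/sha", re.compile(r"^\$(1|5|6)\$(rounds=\d+\$)?[^$]+\$[./0-9A-Za-z]+$")),
    ("ldap-sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("ldap-ssha", re.compile(r"^\{SSHA\}[A-Za-z0-9+/=]+$")),
    ("tagged-plain", re.compile(r"^\{PLAIN\}")),
    # Shape match only: 13 characters from the crypt(3) alphabet.
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]

def classify(field):
    """Name the first scheme whose shape the password field matches."""
    for name, pattern in SCHEMES:
        if pattern.search(field):
            return name
    # No known hash format: the field may be a clear-text password.
    return "unrecognised"

def audit(text):
    """Return (user, scheme) per entry, skipping blank and comment lines."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            results.append((line, "malformed"))
            continue
        # The file format allows an optional third field: user:password:comment
        results.append((user, classify(rest.split(":", 1)[0])))
    return results

# Sample input: the four entries quoted in the message above.
SAMPLE = "aaa:hxd1LrV11sUPs\nbbb:/vtymnRvQGh52\nqqq:aaa\nccc:ccc\n"

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        flag = "  <-- review" if scheme in ("unrecognised", "tagged-plain", "malformed") else ""
        print(f"{user:10} {scheme}{flag}")
```

A "des-crypt" result only means the field has the right length and alphabet; it does not prove the value is a hash.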


