basic_auth plain text password
Darius Damalakas
darius.damalakas at gmail.com
Fri Sep 10 11:02:24 MSD 2010
Hi,
I am running nginx/0.8.50, and I am using "auth_basic" for basic
authentication. Now what I have found so far is that it looks like
nginx is treating the passwords as plain text. My basic idea is that
Nginx does not encrypt the password that it gets with MD5 or any other
algorithm, and simply checks the password that is sent as plain text.
Is this true or am I missing something?
Here is part of my configuration:
location / {
    limit_except POST { # do this for all requests but GETS
        auth_basic "Restricted";
        auth_basic_user_file passwd;
        proxy_pass http://localhost:8250;
    }
}
Configuration is valid:
C:\ProgramFiles\nginx>nginx.exe -t
the configuration file C:\ProgramFiles\nginx/conf/nginx.conf syntax is ok
configuration file C:\ProgramFiles\nginx/conf/nginx.conf test is successful
Contents of passwd file:
aaa:hxd1LrV11sUPs
bbb:/vtymnRvQGh52
qqq:aaa
ccc:ccc
What I have found is that if I try user aaa or bbb, for which
passwords are generated with the Apache htpasswd utility, I get a log error:
2010/09/09 19:46:46 [error] 5596#560: *3 user "aaa": password
mismatch, client: 9.183.126.52, server: myserver, request: "GET
/shortlog/d6b56cc4c6d1 HTTP/1.1", host: "myhost"
2010/09/09 19:47:16 [error] 5596#560: *3 user "bbb": password
mismatch, client: 9.183.126.52, server: myserver, request: "GET
/shortlog/d6b56cc4c6d1 HTTP/1.1", host: "myhost"
If I try connecting with user ccc and password ccc, the user is allowed.
I've found on Google some mails in mailing lists that say that this
might not yet be implemented (can't find that URL now).
And, by the way, OS is WinXP.
--
Linkėjimai, Best Regards
Darius Damalakas
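
A way to check which storage scheme each entry of a passwd file like the one in the post uses, as an added example that is not part of the original post or of nginx. The function names are hypothetical, the patterns are the standard crypt(3) and Apache htpasswd markers, and the sample input is constructed from the four entries quoted above.

```python
import re

# Constructed sample input: the four passwd entries quoted in the post.
SAMPLE = """\
aaa:hxd1LrV11sUPs
bbb:/vtymnRvQGh52
qqq:aaa
ccc:ccc
"""

# Recognisable hash formats, checked in order. Anything that matches none of
# them is reported as plaintext. Caveat: a 13-character plaintext password
# drawn from [./A-Za-z0-9] is indistinguishable from traditional DES crypt.
SCHEMES = [
    ("bcrypt",      re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("apr1-md5",    re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("md5-crypt",   re.compile(r"^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha-crypt",   re.compile(r"^\$[56]\$")),
    ("sha1-base64", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("des-crypt",   re.compile(r"^[./A-Za-z0-9]{13}$")),
]

def classify(secret):
    """Return the name of the scheme the stored value looks like."""
    if not secret:
        return "empty"
    for name, pattern in SCHEMES:
        if pattern.search(secret):
            return name
    return "plaintext"

def audit(text):
    """Return [(user, scheme)] for every non-blank line of passwd-style text."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            results.append((line, "malformed"))
            continue
        # An optional third colon-separated field is a comment, not the secret.
        results.append((user, classify(rest.split(":", 1)[0])))
    return results

def plaintext_users(text):
    """Users whose stored secret is empty or not in any recognised hash format."""
    return [u for u, s in audit(text) if s in ("plaintext", "empty")]
```
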