view xml/en/docs/http/ngx_http_auth_basic_module.xml @ 2769:16f6fa718be2

Updated TLSv1.3 support notes. Previous notes described some early development snapshot of OpenSSL 1.1.1 with disabled TLSv1.3 by default. It was then enabled in the first alpha. Further, the updated text covers later major releases such as OpenSSL 3.0.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 30 Sep 2021 16:29:20 +0300
parents eeed494bba51
children 4add6ae1296f

<?xml version="1.0"?>

<!--
  Copyright (C) Igor Sysoev
  Copyright (C) Nginx, Inc.
  -->

<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

<module name="Module ngx_http_auth_basic_module"
        link="/en/docs/http/ngx_http_auth_basic_module.html"
        lang="en"
        rev="10">

<section id="summary">

<para>
The <literal>ngx_http_auth_basic_module</literal> module allows
limiting access to resources by validating the user name and password
using the “HTTP Basic Authentication” protocol.
</para>

<para>
Access can also be limited by
<link doc="ngx_http_access_module.xml">address</link>, by the
<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>,
or by <link doc="ngx_http_auth_jwt_module.xml">JWT</link>.
Simultaneous limitation of access by address and by password is controlled
by the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
</para>

</section>


<section id="example" name="Example Configuration">

<para>
<example>
location / {
    auth_basic           "closed site";
    auth_basic_user_file conf/htpasswd;
}
</example>
</para>

</section>


<section id="directives" name="Directives">

<directive name="auth_basic">
<syntax><value>string</value> | <literal>off</literal></syntax>
<default>off</default>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>

<para>
Enables validation of user name and password using the
“HTTP Basic Authentication” protocol.
The specified parameter is used as a <value>realm</value>.
The parameter value can contain variables (1.3.10, 1.2.7).
The special value <literal>off</literal> cancels the effect
of the <literal>auth_basic</literal> directive
inherited from the previous configuration level.
</para>

</directive>


<directive name="auth_basic_user_file">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>

<para>
Specifies a file that keeps user names and passwords,
in the following format:
<example>
# comment
name1:password1
name2:password2:comment
name3:password3
</example>
The <value>file</value> name can contain variables.
</para>

<para>
The following password types are supported:
<list type="bullet">

<listitem>
encrypted with the <c-func>crypt</c-func> function; can be generated using
the “<command>htpasswd</command>” utility from the Apache HTTP Server
distribution or the “<command>openssl passwd</command>” command;
</listitem>

<listitem>
hashed with the Apache variant of the MD5-based password algorithm (apr1);
can be generated with the same tools;
</listitem>

<listitem>
specified by the
“<literal>{</literal><value>scheme</value><literal>}</literal><value>data</value>”
syntax (1.0.3+) as described in
<link url="https://tools.ietf.org/html/rfc2307#section-5.3">RFC 2307</link>;
currently implemented schemes include <literal>PLAIN</literal> (an example one,
should not be used), <literal>SHA</literal> (1.3.13) (plain SHA-1
hashing, should not be used) and <literal>SSHA</literal> (salted SHA-1 hashing,
used by some software packages, notably OpenLDAP and Dovecot).
<note>
Support for the <literal>SHA</literal> scheme was added only to aid
in migration from other web servers.
It should not be used for new passwords, since the unsalted SHA-1 hashing
that it employs is vulnerable to
<link url="http://en.wikipedia.org/wiki/Rainbow_attack">rainbow table</link>
attacks.
</note>
</listitem>

</list>
</para>

</directive>

</section>

</module>
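
Added example, not part of the nginx documentation or source: a small auditor for a file in the auth_basic_user_file format that classifies each password field by the types listed above and flags the schemes the text says should not be used, including users whose unsalted {SHA} values are identical. The function names and sample entries are constructed for illustration, and the {SHA}/{SSHA} encodings (base64 of the SHA-1 digest, with the salt appended for SSHA) are assumed to follow the usual RFC 2307 convention.

```python
import base64
import hashlib
import re

# Schemes the page names for the {scheme}data syntax; True = "should not be used".
SCHEMES = {"PLAIN": True, "SHA": True, "SSHA": False}

def sha_entry(pw):            # assumed layout: base64(SHA-1(password)), no salt
    return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
def ssha_entry(pw, salt):     # assumed layout: base64(SHA-1(password + salt) + salt)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode()

def classify(field):
    """Return (kind, flagged) for one password field."""
    m = re.match(r"\{([^}]*)\}(.*)$", field)
    if not m:  # apr1 hashes carry the $apr1$ prefix; anything else goes to crypt()
        return ("apr1" if field.startswith("$apr1$") else "crypt", False)
    scheme, data = m.groups()
    if scheme not in SCHEMES:
        return ("unknown:" + scheme, True)
    if scheme != "PLAIN":
        try:  # a SHA-1 digest is 20 bytes; SSHA data is digest plus salt
            ok = len(base64.b64decode(data, validate=True)) >= 20
        except ValueError:
            ok = False
        if not ok:
            return (scheme + ":malformed", True)
    return (scheme, SCHEMES[scheme])

def audit(text):
    """Parse name:password[:comment] lines; return (report, shared {SHA} groups)."""
    report, by_sha = {}, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        field = rest.split(":", 1)[0]
        report[name] = classify(field)
        if field.startswith("{SHA}"):
            by_sha.setdefault(field, []).append(name)
    return report, [names for names in by_sha.values() if len(names) > 1]

SAMPLE = "\n".join([  # constructed sample, not real credentials
    "# comment",
    "alice:" + sha_entry(b"hunter2"),
    "bob:" + sha_entry(b"hunter2") + ":same password as alice",
    "carol:" + ssha_entry(b"hunter2", b"\x01\x02\x03\x04"),
    "erin:{PLAIN}hunter2",
])
```

Running audit(SAMPLE) groups alice and bob together because their unsalted {SHA} values are byte-for-byte identical, which is the property that makes precomputed tables effective against that scheme.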