How secure is .htaccess password protection?


Question

Is password protecting a directory with .htaccess the best way to prevent its files from being seen by unauthorized users? Are there any alternatives for protecting a directory's content while still making it accessible to people who are authenticated to view it?

Also, couldn't someone try to brute-force their way in, causing strain on the server?

Answer

A few things to note:

Adding security in a .htaccess can always be done without the .htaccess, by using <Directory> instructions in the main configuration (or the virtual host configuration). It will be faster (if you remove support for .htaccess completely with AllowOverride None), and you won't run the risk of someone altering your .htaccess.

There are several ways of adding security in .htaccess files; one of them is using Basic HTTP Authentication with .htpasswd files. These .htpasswd files shouldn't be in the web document root. Another possibility is using HTTP Digest Authentication, with the restriction that very old browsers (like IE6) won't support it.

We usually encounter HTTP Basic Authentication. This is a very weak protection, simply because of the way it works. At the first request you're rejected, then your browser asks you for a login and password and memorizes this login/password association for the requested web server. Then, for every request sent to this web server until you close your browser, the login and password will be added to the request header, unencrypted. There's simply a base64 encoding applied to the string 'Yourlogin:Yourpassword', to make it look like a pure 7-bit ASCII string and prevent encoding problems.

So anyone sniffing your request (wifi hotspot, man in the middle, local network, echo switch, etc.) will know your password and login. Bad. The rule is:

    never ever use Basic HTTP Authentication if the connection isn't HTTPS (SSL).

If your web server is completely in HTTPS, no problem (see the edit at the bottom): the clear-text login/password are encrypted by SSL.

For the brute force problem (and yes, some people can try to brute force the login/password, unless you tune a mod_security module to prevent that: http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N11721), the Security Considerations section of the htpasswd page is quite clear:

    When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

    On the Windows and MPE platforms, passwords encrypted with htpasswd are limited to no more than 255 characters in length. Longer passwords will be truncated to 255 characters.

So use SHA hashing for passwords (even if it's not salted).

Another way to let authenticated users browse a directory's content is to handle the directory listing and file upload within your application (PHP, Tomcat, etc.) and not with the Apache automatic listing. In terms of security, the automatic listing module (mod_autoindex) is something you shouldn't even have on your running Apache.

Edit

A full HTTPS server is not required if you want to protect only some URLs with HTTP authentication. What you really need is that all these protected URLs be in HTTPS; if non-protected URLs are in the HTTP domain, the authentication headers won't be used, as this is a different domain (and the authentication headers are sent per domain). So you could add basic redirection rules in the HTTP domain for these URLs, maybe something like this:

RedirectMatch 301 ^/secure/(.*)$ https://www.example.com/secure/$1
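As an added example (not part of the question or the answer above), the following Python script shows two things the answer describes: how a plain-HTTP request carrying Basic authentication gives up the login and password to anyone who captures it (the header is only base64, not encryption), and how an Apache .htpasswd entry in the {SHA} format written by `htpasswd -s` is built and checked, including the fact that it is unsalted, so two users with the same password end up with identical entries. The request text and the user list are constructed for the example; `www.example.com`, `alice`, `bob` and the passwords are made up.

```python
import base64
import hashlib
import hmac

# Constructed sample: a request as a sniffer on a plain-HTTP link would see it.
# The token is base64("alice:s3cret"); Basic auth adds nothing beyond that.
CAPTURED_REQUEST = (
    "GET /secure/report.pdf HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "\r\n"
)


def credentials_from_request(raw_request):
    """Return (login, password) from a Basic Authorization header, or None.

    This is exactly what an eavesdropper does: base64 is an encoding, not
    encryption, so the credentials come back without any key.
    """
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(token).decode("utf-8")
        # Only the first ':' separates login from password; passwords may contain ':'.
        login, _, password = decoded.partition(":")
        return login, password
    return None


def sha_entry(login, password):
    """Build an htpasswd line in the {SHA} format written by 'htpasswd -s'.

    Apache's SHA format is base64(sha1(password)) with no salt, so identical
    passwords produce identical entries (see the demo at the bottom).
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (login, base64.b64encode(digest).decode("ascii"))


def verify_htpasswd(htpasswd_text, login, password):
    """Check login/password against {SHA} entries in htpasswd file content.

    Entries in other formats (13-character crypt(), $apr1$ MD5, bcrypt) are
    rejected rather than guessed at; crypt() in particular only ever looks at
    the first 8 characters of the password, which is why the answer avoids it.
    """
    expected = sha_entry(login, password).partition(":")[2]
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        if user != login:
            continue
        if not stored.startswith("{SHA}"):
            return False
        # Constant-time comparison, as a server-side check should use.
        return hmac.compare_digest(stored, expected)
    return False


# Constructed user list: what 'htpasswd -s' would write for these three users.
SAMPLE_HTPASSWD = "\n".join([
    sha_entry("alice", "s3cret"),
    sha_entry("bob", "s3cret"),        # same password as alice
    sha_entry("carol", "other-pass"),
])


if __name__ == "__main__":
    print("sniffed credentials:", credentials_from_request(CAPTURED_REQUEST))
    print(SAMPLE_HTPASSWD)
    print("alice/s3cret valid:", verify_htpasswd(SAMPLE_HTPASSWD, "alice", "s3cret"))
    print("alice/wrong  valid:", verify_htpasswd(SAMPLE_HTPASSWD, "alice", "wrong"))
    alice_hash = sha_entry("alice", "s3cret").partition(":")[2]
    bob_hash = sha_entry("bob", "s3cret").partition(":")[2]
    print("alice and bob share a hash (unsalted):", alice_hash == bob_hash)
```

Run it with `python3`. The printed .htpasswd lines for alice and bob share the same `{SHA}...` value, which is what "even if it's not salted" in the answer means in practice: a leaked .htpasswd file reveals which users chose the same password, and one precomputed table covers every user. The decoder shows why the HTTPS rule matters: nothing more than a base64 decode stands between a captured request and a working login.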
