How secure is .htaccess password protection?


Question

Is password protecting a directory with .htaccess the best way to prevent its files from being seen by unauthorized users? Are there any alternatives to protecting a directory's content while still making it accessible to people that are authenticated to view it?

Also, couldn't someone try to brute-force their way in, causing strain on the server?

Accepted answer

A few things to note:

Adding security in a .htaccess can always be done without the .htaccess, by using <Directory> instructions in the main configuration (or the virtualhost configuration). It will go faster (if you remove support for .htaccess completely with AllowOverride None) and you won't get the risk of someone altering your .htaccess.

There are several ways of adding security in .htaccess files; one of these ways is by using Basic HTTP Authentication with .htpasswd files. These .htpasswd files shouldn't be in the web directory root. One of the other possibilities is using HTTP Digest Authentication, with the restriction that very old browsers won't support it (like IE6).

We usually encounter HTTP Basic Authentication. This is a very weak protection, simply because of the way it works. At the 1st request you're rejected, then your browser asks you for a password and login, and memorizes this password-login association for the webserver requested. Then for every request sent to this webserver until you close your browser, the login and password will be added in the request header, unencrypted. There's simply a base64 encoding applied to the string 'Yourlogin:Yourpassword', to make it look like a pure ASCII7 string and prevent encoding problems.

So anyone sniffing your request (wifi hotspot, man in the middle, local network, echo switch, etc.) will know your password and login. Bad. The rule is:

never ever use Basic HTTP Authentication if the connection isn't HTTPS (SSL).

If your webserver is completely in HTTPS, no problem (see the edit at the bottom); the clear-text login/password are encrypted by SSL.

For the brute-force problem (and yes, some people can try to brute-force the login/password, except if you tune a mod_security module to prevent that), the Security Considerations section of the htpasswd page is quite clear:

When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

and:

On the Windows and MPE platforms, passwords encrypted with htpasswd are limited to no more than 255 characters in length. Longer passwords will be truncated to 255 characters.

So use SHA hashing for passwords (even if it's not salted).

Another way to let authenticated users browse a directory's content is to handle the directory listing and file upload within your application (PHP, Tomcat, etc.) and not with the apache automatic listing. In terms of security, the automatic listing module (mod_autoindex) is something you shouldn't even have on your running apache.

EDIT

A full HTTPS server is not required if you want to protect only some URLs with HTTP authentication. What you really need is that all these protected URLs should be in https; if non-protected URLs are in the http domain, the authentication headers won't be used as this is a different domain (and the authentication headers are sent per domain). So you could add basic redirection rules in the http domain for these URLs, maybe something like that:

RedirectMatch 301 ^/secure/(.*)$ https://www.example.com/secure/$1
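As an added example (not code from the original question or answer), this Python snippet shows the two mechanics the answer relies on: the Basic Authorization header is only base64 of login:password, so anyone who sees a plain-HTTP request can read it back, and a {SHA} htpasswd entry (the format `htpasswd -s` writes) hashes the whole password rather than only the first 8 characters that crypt() keeps. The login and password are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials for the demonstration (not from the page).
LOGIN = "alice"
PASSWORD = "correct horse battery staple"


def basic_auth_header(login: str, password: str) -> str:
    """Build the Authorization header the way a browser does for Basic auth:
    base64 of 'login:password'. This is an encoding, not encryption."""
    token = base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_header(header: str) -> tuple:
    """Recover login and password from a Basic Authorization header: this is what
    anyone reading a plain-HTTP request sees, hence the 'HTTPS only' rule above."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    login, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return login, password


def sha_htpasswd_line(login: str, password: str) -> str:
    """Write an htpasswd line in the format 'htpasswd -s' produces:
    '{SHA}' + base64(sha1(password)). Unsalted, but unlike crypt() the whole
    password takes part in the hash, so there is no 8-character truncation."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{login}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def check_htpasswd_line(line: str, login: str, password: str) -> bool:
    """Verify a login/password pair against a {SHA} htpasswd line using a
    constant-time comparison of the encoded digests."""
    stored_login, _, stored = line.rstrip("\n").partition(":")
    if stored_login != login or not stored.startswith("{SHA}"):
        return False
    expected = sha_htpasswd_line(login, password).partition(":")[2]
    return hmac.compare_digest(stored, expected)


if __name__ == "__main__":
    header = basic_auth_header(LOGIN, PASSWORD)
    print(header, "->", credentials_from_header(header))
    line = sha_htpasswd_line(LOGIN, PASSWORD)
    print(line, check_htpasswd_line(line, LOGIN, PASSWORD))
```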
