Explain the configuration of nginx basic auth in detail

2025-04-12 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

nginx's basic auth configuration is provided by ngx_http_auth_basic_module, which implements the HTTP Basic Authentication protocol. With it you can set user names and passwords for simple access control to web sites.

Basic auth configuration example:

    location / {
        auth_basic           "closed site";
        auth_basic_user_file conf/htpasswd;
    }

Description:

- auth_basic can be set to off or to another string; off means password authentication is not enabled.
- auth_basic_user_file is a file containing user names and passwords, with content such as elastic:YsEm9Tb4.RwB6

The pitfall I ran into was this password. The official documentation explains the supported password types:

- Passwords encrypted with the system function crypt();
- Passwords encrypted with the MD5-based variant algorithm (apr1) provided by Apache, which can be generated with the htpasswd or openssl passwd command;
- Passwords in the "{scheme}data" format described in RFC 2307, which can also be generated with the htpasswd or openssl passwd command. The scheme names the encryption algorithm; the schemes supported by nginx include PLAIN, SHA, and SSHA.

A password generated with the htpasswd or openssl passwd command makes the configuration take effect, and nginx can verify the password normally. If the password type is not supported, nginx reports an error:

crypt_r() failed (22: Invalid argument)

However, because of business requirements, we need to generate the nginx configuration from code, deliver it to each cloud host, and then start the nginx process. The project code is written in Go, so we need to find a function or library that can generate a password supported by nginx.

Go language generates passwords supported by nginx

Before developing the automatic password generation, I considered three possible approaches:

- Install the htpasswd tool or openssl on the project server and generate the encrypted password by running the local command from code
- Call the Linux system function crypt() directly to encrypt the password
- Use the Go standard library crypto to encrypt the password

The first approach is not very desirable because it depends heavily on the server environment, so I ruled it out directly. Let's look at the implementation of the second and third approaches.

Call system function crypt() directly

The crypt function in Linux takes two parameters and is defined as:

char *crypt(const char *key, const char *salt);

The parameter key is the content to be encrypted, and the salt parameter has two forms:

- A string of length 2, with characters from the range [a-zA-Z0-9./]. Anything beyond two characters is ignored, and this form supports a key of at most 8 characters; if the key is longer than 8 characters, everything after the first 8 is ignored.
- The $id$salt$encrypted format, used to support other encryption algorithms. id indicates the algorithm type; the specific values are:

    ID  | Method
    ─────────────────────────────────────────────────────────
    1   | MD5
    2a  | Blowfish (not in mainline glibc; added in some
        | Linux distributions)
    5   | SHA-256 (since glibc 2.7)
    6   | SHA-512 (since glibc 2.7)

In Go, you can call C library functions directly through import "C". The following wraps the crypt function:

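    package crypt

    /*
    #cgo LDFLAGS: -lcrypt
    #define _GNU_SOURCE
    #include <crypt.h>
    #include <stdlib.h>
    */
    import "C"

    import (
        "sync"
        "unsafe"
    )

    // crypt() returns a pointer to a static buffer, so calls are serialized.
    var mu sync.Mutex

    // Crypt hashes pass with the system crypt() function using the given salt.
    func Crypt(pass, salt string) (string, error) {
        c_pass := C.CString(pass)
        defer C.free(unsafe.Pointer(c_pass))
        c_salt := C.CString(salt)
        defer C.free(unsafe.Pointer(c_salt))

        mu.Lock()
        defer mu.Unlock()
        c_enc, err := C.crypt(c_pass, c_salt)
        if c_enc == nil {
            return "", err
        }
        // Copy the result while the lock is held. The buffer is owned by
        // libc and must not be passed to free().
        return C.GoString(c_enc), nil
    }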

Specific implementation of password generation:

    package main

    import (
        "fmt"

        "example.com/project/crypt" // placeholder import path for the crypt package above
    )

    func main() {
        // Two-character salt: traditional DES-based crypt().
        des, err := crypt.Crypt("Elastic123", "in")
        if err != nil {
            fmt.Println("error:", err)
            return
        }
        // $6$ selects SHA-512 in the $id$salt$encrypted format.
        sha512, err := crypt.Crypt("Elastic123", "$6$SomeSaltSomePepper$")
        if err != nil {
            fmt.Println("error:", err)
            return
        }
        fmt.Println("des:", des)
        fmt.Println("SHA512:", sha512)
    }

Testing showed that passwords generated by calling the crypt function do work with nginx, but note that if the password is longer than 8 characters, the salt parameter must be of the $id$salt$encrypted type. During testing I fell into exactly this trap: nginx verified only the first 8 characters of the password, which left me speechless.

Because the Go code calls the C library, this approach also depends on the server environment, so the best way is to encrypt the password with functions from the Go standard library.

Using crypto library

Go's crypto standard library wraps many encryption algorithms. The code for the SHA (SHA-1) algorithm is as follows:

    package util

    import (
        "crypto/sha1"
        "encoding/base64"
    )

    // GetSha returns the base64-encoded SHA-1 digest of password.
    // The result does not include the "{SHA}" scheme prefix.
    func GetSha(password string) string {
        s := sha1.New()
        s.Write([]byte(password))
        passwordSum := s.Sum(nil)
        return base64.StdEncoding.EncodeToString(passwordSum)
    }

During testing, I generated the password string by calling GetSha() and put it directly into nginx's conf/htpasswd file. After reloading the nginx configuration and testing whether the password worked, the result was still an error. As mentioned above, a SHA password must carry the prefix "{SHA}". After correcting the entry, the code successfully generated a password string that nginx supports.
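
The prefix fix described above, as an added example that is not the article's code: it builds htpasswd entries with the "{SHA}" prefix and with the salted "{SSHA}" scheme from the same list using only the Go standard library, and checks a password against an entry. The function names, the sample user and password, and the 8-byte salt are assumptions; the nginx documentation marks plain {SHA} as "should not be used" because it is unsalted SHA-1.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SHAEntry builds "user:{SHA}base64(sha1(password))" (unsalted).
func SHAEntry(user, password string) string {
	sum := sha1.Sum([]byte(password))
	return user + ":{SHA}" + base64.StdEncoding.EncodeToString(sum[:])
}

// SSHAEntry builds "user:{SSHA}base64(sha1(password||salt)||salt)".
func SSHAEntry(user, password string, salt []byte) string {
	sum := sha1.Sum(append([]byte(password), salt...))
	return user + ":{SSHA}" + base64.StdEncoding.EncodeToString(append(sum[:], salt...))
}

// Check verifies password against one htpasswd line; a hash without a
// {SHA} or {SSHA} prefix (the GetSha() mistake) is rejected with an error.
func Check(line, password string) (bool, error) {
	_, hash, found := strings.Cut(strings.TrimSpace(line), ":")
	salted := strings.HasPrefix(hash, "{SSHA}")
	if !found || (!salted && !strings.HasPrefix(hash, "{SHA}")) {
		return false, errors.New("not a user:{SHA}... or user:{SSHA}... entry")
	}
	raw, err := base64.StdEncoding.DecodeString(hash[strings.Index(hash, "}")+1:])
	if err != nil || len(raw) < sha1.Size || (!salted && len(raw) != sha1.Size) {
		return false, errors.New("malformed digest")
	}
	// For {SHA} the salt slice is empty, so this is sha1(password).
	sum := sha1.Sum(append([]byte(password), raw[sha1.Size:]...))
	return subtle.ConstantTimeCompare(sum[:], raw[:sha1.Size]) == 1, nil
}

func main() {
	salt := make([]byte, 8) // random per-user salt (length is an assumption)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	line := SSHAEntry("elastic", "Elastic123", salt) // constructed sample credentials
	fmt.Println(line)
	fmt.Println(Check(line, "Elastic123"))
}
```
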

That is all for this article. I hope it helps with your study, and I hope you will continue to support us.
