Friday, July 22, 2022

Basic HTTP auth with lighttpd, mod_authn_dbi and stored PLAIN PASSWORDS

First, if you can avoid storing PLAIN PASSWORDS, avoid them and do not read this at all!

Next, the configuration (the table name "users" is an assumption, substitute your own):
auth.backend = "dbi"
auth.backend.dbi += (
  # lighttpd replaces '?' with the escaped username and expects the query to
  # return exactly one row with one column: the HA1 hash, i.e. the hex MD5 of
  # "username:realm:password". With plain passwords in the table, MySQL
  # computes that hash on every request.
  "sql" => "select md5(concat(username,':MyRealm:',password)) from users where username = '?'" ,
  "dbtype" => "mysql",
  "dbname" => "mymydb",
  "username" => "mymylogin",
  "password" => "mymypassword"
)
auth.require = (
  "/" => 
  (
   "method" => "basic",
   "realm" => "MyRealm", # Must be the same realm as in the SQL statement: the realm is part of the hash!
   "require" => "valid-user"
  )
)
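To show what the md5(concat(...)) in the query actually produces and how lighttpd uses it, here is an added example in Python. It is not code from the original post or from lighttpd. It models the Basic auth check against a constructed user table whose rows hold the precomputed HA1 (hex MD5 of "username:realm:password") instead of the password; since that is exactly the value the query above returns, storing it is the drop-in alternative to plain passwords with the same backend, and the query reduces to select ha1 from users where username = '?' (the table and column names users and ha1 are assumptions). It also shows why the realm in the SQL and in auth.require must match: the realm is an input to the hash, so the same credentials fail against a different realm.

```python
# Added example (not from the original post or from lighttpd): a stand-alone
# model of the check lighttpd performs for Basic auth against a mod_authn_dbi
# backend, with the table holding the HA1 hash instead of the plain password.
import base64
import hashlib
import hmac
from typing import Optional, Tuple

REALM = "MyRealm"  # the literal used both in the SQL and in auth.require


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 as lighttpd expects it: hex MD5 of 'username:realm:password'.

    This is what the post's md5(concat(username,':MyRealm:',password))
    computes per request; computing it once at enrollment lets the table
    hold only this value, never the password itself.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


# Constructed user table standing in for the SQL table (assumed names users/ha1).
# The "ha1" column replaces the plain "password" column, so the lighttpd query
# becomes:  select ha1 from users where username = '?'
USERS = {
    "alice": ha1("alice", REALM, "s3cret"),
    "bob": ha1("bob", REALM, "hunter2"),
}


def lookup_ha1(username: str) -> Optional[str]:
    """Stands in for the one-row, one-column result of the configured query."""
    return USERS.get(username)


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a 'Basic <base64>' value, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id must not contain ':', so split at the first one.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def check_basic(header: str, realm: str) -> bool:
    """Accept iff the presented credentials hash to the stored HA1 for this realm."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    stored = lookup_ha1(username)
    if stored is None:
        return False
    # Constant-time comparison of the two 32-character hex digests.
    return hmac.compare_digest(ha1(username, realm, password), stored)


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")
    print(hdr)                                                  # Basic YWxpY2U6czNjcmV0
    print(check_basic(hdr, REALM))                              # True
    print(check_basic(hdr, "OtherRealm"))                       # False: realm is part of the hash
    print(check_basic(basic_header("alice", "wrong"), REALM))   # False
```

Note that HA1 is an unsalted, single-round MD5 (the format lighttpd shares between Basic and Digest), so it is not a strong password hash; it only removes the plain password from the table. With the ha1 column in place the auth.backend.dbi block above needs only its "sql" line changed.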


Generally speaking, I do not understand the authors of lighttpd (which has been my web server of choice for around 10 years) in this exact piece of logic and their love of Digest auth (I prefer Basic+https).
This works at least with lighttpd 1.4.65.
Crossposted to linkedin