HTTP Basic Authentication fails

Question

HTTP Basic Authentication fails

Closed this issue 7 years ago · 4 comments

Hi, thank you for your work.

My ulogger server sits behind an nginx webserver with basic access authentication. The only way to use this in the application is to encode it as https://username:password@server. However, the serverlogs show, that the application does not receive the credentials at all.

Could you please enable HTTP Basic auth support?

Answer 1 · 2018-04-11T07:24:38.000Z

Why don't you just turn it off? Just for ulogger subdir if you need basic auth globally.
Ulogger provides its own password protection. It doesn't make sense to duplicate it.

Answer 2 · 2018-04-26T10:12:18.000Z

Since ulogger-server requires PHP an non-protected directory opens up a large attack vector. I am not prepared to do that.

Secondly, removing BasicAuth from the ulogger directory/path circumvents fine grained logging and therefore banning malicious users from accessing my server (e.g. fail2ban).

Answer 3 · 2018-05-18T07:01:15.000Z

I consider ulogger-server password protection to be safe. So I don't plan to support additional HTTP authentication on top of it.
The largest attack vector I see in your setup would be storing username and password in URL form field https://username:password@server, visible to others.

Answer 4 · 2018-05-22T08:37:23.000Z

Sadly, this is not acceptable. An open PHP instance is inherently unfit for this scenario. I will have to look into a different tracking solution.