
Hoping someone can let me know if I'm on the right track.

I use IIS on my file server within my network. I have an apache2 server which takes all HTTP and HTTPS requests and by way of reverse proxy sends them to the correct server.

Within the network you can access IIS through HTTP and it will prompt for UN/PW based on Windows Authentication. Obviously that isn't safe across the internet and especially when accessing from untrusted networks.

So my solution is:

Remote network connects on SSL to my reverse proxy server. Reverse proxy connects on HTTP to my IIS server. Remote client gets the basic authentication dialog box through the reverse proxy using its SSL connection, which I assume means it's secure?

EEAA

1 Answer


Assuming your clients always connect remotely via TLS, then yes, using basic authentication is reasonably secure.

Caveat: one significant drawback of basic auth is that it requires the password be stored in cleartext (or some other easily-reversible encryption) on the server. For this reason, you may want to consider SSL client certs or at the very least http digest authentication instead of basic auth.

EEAA
Awesome. I'll look into http digest. Many thanks. I'm still trying to get fail2ban working ATM, it's next on my list :) – allabouteve Jun 28 '14 at 04:15
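
The setup discussed above, sketched as an Apache configuration that enforces the "always connect via TLS" condition from the answer. This is an added example, not part of the original question or answer; the hostname, backend address and certificate paths are placeholders.

```apache
# Constructed example: hostname, backend address and certificate paths
# are placeholders, not values from the original post.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

# Port 80 never proxies to IIS; it only redirects, so the Basic auth
# prompt (and the credentials sent in reply) can only occur over TLS.
<VirtualHost *:80>
    ServerName files.example.com
    Redirect permanent / https://files.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName files.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/files.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/files.example.com.key

    # Tell browsers to keep using HTTPS for this host on later visits.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Do not act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # TLS ends here; the hop to IIS is plain HTTP on the internal network,
    # so the Authorization header is unencrypted between proxy and IIS.
    ProxyPass        / http://10.0.0.10/
    ProxyPassReverse / http://10.0.0.10/
</VirtualHost>
```

Basic credentials are only base64-encoded, so the protection here comes entirely from the TLS leg; the IIS server itself should not be reachable from the internet except through the proxy.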