
I have 2 questions regarding the Apache Basic Auth that I am currently utilising. I have a website that, after a certain action, will produce a Basic Auth username and password for the user to use to access a service.

This is working OK at the moment - but the website is picking up traffic rapidly, so there are many, many entries in the basic auth file now.

Question 1) Is there a limit on the number of basic auth users Apache can handle?

Question 2) Is there a better way to manage basic auth users? Or some type of username/password access?

Thanks

Tom Burman

1 Answer

> Is there a limit on the amount of basic auth users apache can handle?

No, you can have as many values as you want inside .htpasswd, but with time your server performance will suffer due to high disk I/O reads.

> is there a better way to manage basic auth users?

Yes, use a MySQL db to store the user/pass and access it with mod_authn_dbd.
Alternatively, you can use PHP to "emulate" HTTP authentication and query a db with the login info, i.e.:

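```php
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials sent yet: issue the Basic challenge and stop.
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    //place the query logic here
    // Escape client-supplied values before echoing them into HTML.
    $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
    $pw   = htmlspecialchars($_SERVER['PHP_AUTH_PW'] ?? '', ENT_QUOTES, 'UTF-8');
    echo "<p>Hello {$user}.</p>";
    echo "<p>You entered {$pw} as your password.</p>";
}
?>
```
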
Pedro Lobito
  • The .htpasswd file will be cached in RAM the vast majority of the time, and as such, this will not cause undue disk IO. There may be other reasons to not use basic auth, but disk IO concerns are not one of them. – EEAA May 24 '16 at 00:40
  • Thank you for pointing that out. Could you please provide an article that confirms that information? I tried to search for it but couldn't find it. – Pedro Lobito May 24 '16 at 00:43
  • This is nothing specific to Apache - it's how nearly **all** file access works in Linux. Once a file is read, it is cached in RAM so it is able to be accessed very quickly the next time. The memory consumed by disk cache will be immediately given up if that RAM is needed by an application. – EEAA May 24 '16 at 00:45
  • Thank you for the explanation. Are you talking about `tmpfs` or the actual RAM? – Pedro Lobito May 24 '16 at 00:46
  • System memory. This has absolutely nothing to do with tmpfs. – EEAA May 24 '16 at 00:47
  • That's what I'm trying to understand. Based on what you said, a file is read from disk and put into memory, then, when the memory is low, put on `tmpfs`. Is this right? – Pedro Lobito May 24 '16 at 00:50
  • No, again, this has nothing to do with tmpfs. The files are *cached* in RAM. If the kernel or application needs that RAM, the kernel simply un-allocates those memory pages. The files still exist on disk. – EEAA May 24 '16 at 00:52
  • Then, you may want to update the Wikipedia page about `tmpfs`. https://en.wikipedia.org/wiki/Tmpfs ***"Everything stored in tmpfs is temporary in the sense that no files will be created on the hard drive; however, swap space is used as backing store in case of low memory situations."*** – Pedro Lobito May 24 '16 at 00:54
  • You are confusing two completely different things here. The kernel's cache and tmpfs are two different technologies, used for completely different purposes. Again, tmpfs is completely orthogonal to this discussion. – EEAA May 24 '16 at 00:56
  • I agree, `tmpfs` doesn't fit in this discussion, but what you're saying differs from Wikipedia. Nevertheless, I've updated my answer. Once again, thank you. – Pedro Lobito May 24 '16 at 00:59
  • You are misunderstanding that Wikipedia page. – EEAA May 24 '16 at 00:59
  • Ok, I probably am, it's late here and I'm not an expert on the subject. Based on this, I'm sure you're right, have a good night ;) – Pedro Lobito May 24 '16 at 01:01
  • Sounds good! Read up on this subject when you have a chance. – EEAA May 24 '16 at 01:01
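
One way to fill in the "place the query logic here" step of the answer's PHP snippet, as an added example that is not part of the original answer: the username is looked up through a prepared statement and the password is checked against a stored hash. The `basic_users` table, its columns, and the functions `verify_basic_user` and `require_basic_auth` are hypothetical, and an in-memory SQLite database stands in for the MySQL db so the sketch runs offline.

```php
<?php
declare(strict_types=1);
// Added example. Hypothetical schema: basic_users(username, pw_hash), where
// pw_hash is password_hash() output, never the plaintext password.

/** True only when the username exists and the password matches its hash. */
function verify_basic_user(PDO $db, ?string $user, ?string $pw): bool
{
    // Throwaway hash verified for unknown users, so both paths run one hash check.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    if ($user === null || $pw === null || $user === '') {
        return false;
    }
    // Prepared statement: the client-supplied username is bound, never concatenated.
    $stmt = $db->prepare('SELECT pw_hash FROM basic_users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    $ok = password_verify($pw, is_string($hash) ? $hash : $dummy);
    return $ok && is_string($hash);
}

/** Sends the 401 challenge and stops unless valid credentials were supplied. */
function require_basic_auth(PDO $db): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    if (!verify_basic_user($db, $user, $_SERVER['PHP_AUTH_PW'] ?? null)) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        http_response_code(401);
        exit('Authentication required');
    }
    return $user;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE basic_users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO basic_users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

if (PHP_SAPI === 'cli') {
    var_dump(verify_basic_user($db, 'alice', 'correct horse'));
    var_dump(verify_basic_user($db, 'alice', 'wrong'));
    var_dump(verify_basic_user($db, "nobody'", 'anything'));
} else {
    $user = require_basic_auth($db);
    echo '<p>Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.</p>';
}
```

Run from the command line it dumps the three verification results; served through Apache it issues the Basic challenge until valid credentials arrive.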