{"id":2315,"date":"2023-01-08T19:34:30","date_gmt":"2023-01-08T18:34:30","guid":{"rendered":"https:\/\/www.webodesign.net\/?p=2315"},"modified":"2023-01-08T19:34:31","modified_gmt":"2023-01-08T18:34:31","slug":"5-restrictions-dacces-6-controles-dacces","status":"publish","type":"post","link":"https:\/\/www.webodesign.net\/?p=2315","title":{"rendered":"5. Access restrictions 6. Access controls"},"content":{"rendered":"\n<div class=\"wp-block-uagb-container uagb-block-5c76fbc9 alignfull uagb-is-root-container\"><div class=\"uagb-container-inner-blocks-wrap\">\n<div class=\"wp-block-columns is-layout-flex wp-container-11\">\n<div class=\"wp-block-column is-layout-flow\">\n<div class=\"wp-block-group is-layout-flow\">\n<div class=\"wp-block-group is-layout-flow\" style=\"border-style:none;border-width:0px;border-radius:0px\">\t\t\t\t<div class=\"wp-block-uagb-table-of-contents uagb-toc__align-left uagb-toc__columns-1  uagb-block-4ea44a8f     \"\n\t\t\t\t\tdata-scroll= \"1\"\n\t\t\t\t\tdata-offset= \"30\"\n\t\t\t\t\tstyle=\"\"\n\t\t\t\t>\n\t\t\t\t<div class=\"uagb-toc__wrap\">\n\t\t\t\t\t\t<div class=\"uagb-toc__title\">\n\t\t\t\t\t\t\tContents\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"uagb-toc__list-wrap\">\n\t\t\t\t\t\t<ol class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#5-restrictions-dacc\u00e8s\" class=\"uagb-toc-link__trigger\">5. Access restrictions<\/a><ul class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#51-apache\" class=\"uagb-toc-link__trigger\">5.1. Apache<\/a><\/li><li class=\"uagb-toc__list\"><a href=\"#52-nginx\" class=\"uagb-toc-link__trigger\">5.2. Nginx<\/a><\/li><\/ul><\/li><li class=\"uagb-toc__list\"><a href=\"#6-contr\u00f4les-dacc\u00e8s\" class=\"uagb-toc-link__trigger\">6. Access controls<\/a><ul class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#34-diff\u00e9rences-et-comparaison-des-contextes-et-directives-apache-et-nginx\" class=\"uagb-toc-link__trigger\">3.4. Differences and comparison of Apache and Nginx contexts and directives<\/a><\/li><li class=\"uagb-toc__list\"><a href=\"#62-lauthentification-basique\" class=\"uagb-toc-link__trigger\">6.2. Basic authentication<\/a><ul class=\"uagb-toc__list\"><li class=\"uagb-toc__list\"><a href=\"#621-apache\" class=\"uagb-toc-link__trigger\">6.2.1. Apache<\/a><\/li><li class=\"uagb-toc__list\"><a href=\"#622-nginx\" class=\"uagb-toc-link__trigger\">6.2.2. Nginx<\/a><\/li><\/ul><\/li><li class=\"uagb-toc__list\"><a href=\"#63-lauthentification-digest\" class=\"uagb-toc-link__trigger\">6.3. Digest authentication<\/a><\/li><\/ul><\/li><\/ol>\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\n\n\n<h1 class=\"has-text-color wp-block-heading\" id=\"1-i-pr%C3%A9sentation\" style=\"color:#fffdf8;margin-top:0;margin-right:0;margin-bottom:0;margin-left:0;padding-top:0;padding-right:0;padding-bottom:0;padding-left:0;font-size:1px\">5. Access restrictions<\/h1>\n\n\n\n<div class=\"wp-block-group has-border-color has-vivid-cyan-blue-border-color has-background is-layout-flow\" style=\"border-style:dotted;border-width:2px;border-radius:8px;background-color:#fffdf8;padding-right:7px;padding-bottom:15px;padding-left:7px\">\n<p>It is sometimes necessary to restrict access to a resource in order to make sure that only authorized people can view it.<\/p>\n\n\n\n<p>A simple method is to take the client's IP address into account in order to allow or deny it access to the resource.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-border-color has-vivid-cyan-blue-border-color has-background is-layout-flow\" style=\"border-style:dotted;border-width:2px;border-radius:8px;background-color:#fffdf8;padding-right:7px;padding-bottom:15px;padding-left:7px\">\n<h2 class=\"has-text-color wp-block-heading\" id=\"1-i-pr%C3%A9sentation\" style=\"color:#fffdf8;margin-top:0;margin-right:0;margin-bottom:0;margin-left:0;padding-top:0;padding-right:0;padding-bottom:0;padding-left:0;font-size:1px\">5.1. Apache<\/h2>\n\n\n\n<div class=\"qubely-block-accordion  qubely-block-d34844\" data-item-toggle=\"true\">\n<div class=\"wp-block-qubely-accordion-item qubely-block-a8f2f4\"><div class=\"qubely-accordion-item qubely-type-fill qubely-accordion-active\"><div class=\"qubely-accordion-panel qubely-icon-position-right\"><span class=\"qubely-accordion-panel-handler\" role=\"button\"><span class=\"qubely-accordion-panel-handler-label\">5.1. 
Apache<\/span><span class=\"qubely-accordion-icon fa fa-plus\"><\/span><\/span><\/div><div class=\"qubely-accordion-body\" style=\"display:block\"><div itemprop=\"text\">\n<p>Some directives and containers make it possible to define access restrictions on all the files of a directory, either <em>via<\/em> <code>&lt;Directory&gt;<\/code> containers or <em>via<\/em> the <code>.htaccess<\/code> file (this type of restriction cannot be attached directly to a single file). These directives are provided by the <code>mod_auth*_*<\/code> modules, a subset of which is usually enabled by default by the distributions.<\/p>\n\n\n\n<p>In Apache 2.2 (which you may still come across one day), restrictions are set up with the <code>Order<\/code>, <code>Allow<\/code> and <code>Deny<\/code> directives. These directives are deprecated in Apache 2.4 and should therefore be avoided (although they can still be used thanks to the <code>mod_access_compat<\/code> module).<\/p>\n\n\n\n<p>Since Apache 2.4, the directive that implements restrictions is <code>Require<\/code>. 
The <code>mod_authz_core<\/code> and <code>mod_authz_host<\/code> modules provide generic authorization providers that can be used with the Require directive.<\/p>\n\n\n\n<p>They are used as follows:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;htmlmixed&quot;,&quot;mime&quot;:&quot;text\/html&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;language&quot;:&quot;HTML&quot;,&quot;modeName&quot;:&quot;html&quot;}\">Require *option* *authorization provider* *arguments*<\/pre><\/div>\n\n\n\n<p>Among the authorization providers are:<\/p>\n\n\n\n<ul>\n<li><code>all<\/code>, which takes <code>granted<\/code> or <code>denied<\/code> as its argument to allow or block every request;<\/li>\n\n\n\n<li><code>ip<\/code>, which takes one or more IP addresses or networks;<\/li>\n\n\n\n<li><code>host<\/code>, which takes all or part of a host name as its argument, to be compared with the client's host name through a double DNS lookup (to be avoided);<\/li>\n\n\n\n<li><code>local<\/code>, which takes no argument and allows access if the client is the local machine (<code>127.0.0.0\/8<\/code>, <code>::1<\/code>, or if the client and server IP addresses are the same);<\/li>\n\n\n\n<li><code>method<\/code>, which takes one or more HTTP methods as its argument.<\/li>\n<\/ul>\n\n\n\n<p>Note that the <code>ip<\/code> and <code>host<\/code> authorization providers can take as arguments partial IP addresses (equivalent to network addresses) or partial host names (i.e. the client's host name ends with the directive's parameter):<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;htmlmixed&quot;,&quot;mime&quot;:&quot;text\/html&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;language&quot;:&quot;HTML&quot;,&quot;modeName&quot;:&quot;html&quot;}\">Require ip 192.168\nRequire host .net<\/pre><\/div>\n\n\n\n<p>The partial address <code>192.168<\/code> corresponds to the network <code>192.168.0.0\/16<\/code>, which can also be written <code>192.168.0.0\/255.255.0.0<\/code> (<code>ip<\/code> accepts all three syntaxes).<\/p>\n\n\n\n<p>To negate a condition, use the <code>not<\/code> option<a href=\"https:\/\/luc.frama.io\/cours-asrall\/serveurs_web\/5_restrictions_d_acces.html#fn1\"><sup>1<\/sup><\/a>:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;htmlmixed&quot;,&quot;mime&quot;:&quot;text\/html&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;language&quot;:&quot;HTML&quot;,&quot;modeName&quot;:&quot;html&quot;}\">Require not local<\/pre><\/div>\n\n\n\n<p>Note that since <code>not<\/code> negates a value, it cannot by itself be used to allow or deny a request, because <em>not true<\/em> will not be interpreted by Apache as <em>false<\/em>. 
Thus, to deny access to a page by means of a negation, the block must also contain an element that evaluates to true or false.<\/p>\n\n\n\n<p>To group several authorization directives, use the <code>&lt;RequireAll&gt;<\/code> (every directive must match for access to be allowed), <code>&lt;RequireAny&gt;<\/code> (at least one directive must match) or <code>&lt;RequireNone&gt;<\/code> (no directive may match) containers.<\/p>\n\n\n\n<p>If the directives are not inside a <code>&lt;Require*&gt;<\/code> container, they are treated as if they were inside a <code>&lt;RequireAny&gt;<\/code> container.<\/p>\n\n\n\n<p>Some documentation is available at <a href=\"https:\/\/httpd.apache.org\/docs\/2.4\/fr\/howto\/access.html\">https:\/\/httpd.apache.org\/docs\/2.4\/fr\/howto\/access.html<\/a>.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;htmlmixed&quot;,&quot;mime&quot;:&quot;text\/html&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;language&quot;:&quot;HTML&quot;,&quot;modeName&quot;:&quot;html&quot;}\"># The resource is only accessible from the 192.168.1.0\/24 network\n&lt;Directory \/var\/www\/lan&gt;\n    Require ip 192.168.1.0\/24\n&lt;\/Directory&gt;\n# The resource is denied to the 10.10.0.0\/16 network\n&lt;Directory \/var\/www\/other_lan&gt;\n    &lt;RequireAll&gt;\n        Require all granted\n        Require not ip 10.10.0.0\/16\n    &lt;\/RequireAll&gt;\n&lt;\/Directory&gt;<\/pre><\/div>\n<\/div><\/div><\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-border-color has-vivid-cyan-blue-border-color has-background is-layout-flow\" style=\"border-style:dotted;border-width:2px;border-radius:8px;background-color:#fffdf8;padding-right:7px;padding-bottom:15px;padding-left:7px\">\n<h2 class=\"has-text-color wp-block-heading\" id=\"1-i-pr%C3%A9sentation\" style=\"color:#fffdf8;margin-top:0;margin-right:0;margin-bottom:0;margin-left:0;padding-top:0;padding-right:0;padding-bottom:0;padding-left:0;font-size:1px\">5.2. Nginx<\/h2>\n\n\n\n<div class=\"qubely-block-accordion  qubely-block-d34844\" data-item-toggle=\"true\">\n<div class=\"wp-block-qubely-accordion-item qubely-block-0b3dca\"><div class=\"qubely-accordion-item qubely-type-fill qubely-accordion-active\"><div class=\"qubely-accordion-panel qubely-icon-position-right\"><span class=\"qubely-accordion-panel-handler\" role=\"button\"><span class=\"qubely-accordion-panel-handler-label\">5.2. Nginx<\/span><span class=\"qubely-accordion-icon fa fa-plus\"><\/span><\/span><\/div><div class=\"qubely-accordion-body\" style=\"display:block\"><div itemprop=\"text\">\n<p>The <code>ngx_http_access_module<\/code><a href=\"https:\/\/luc.frama.io\/cours-asrall\/serveurs_web\/5_restrictions_d_acces.html#fn2\"><sup>2<\/sup><\/a> module provides the <code>allow<\/code> and <code>deny<\/code> directives, which take one parameter (an IP address, a network in CIDR notation or <code>all<\/code>).<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;shell&quot;,&quot;mime&quot;:&quot;text\/x-sh&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;showPanel&quot;:false,&quot;language&quot;:&quot;Shell&quot;,&quot;modeName&quot;:&quot;shell&quot;}\">deny 192.0.2.1;\nallow 192.0.2.0\/24;\nallow 198.51.100.0\/24;\ndeny all;<\/pre><\/div>\n\n\n\n<p>The directives are evaluated from top to bottom: the first one that matches applies. So never place an <code>allow all;<\/code> or a <code>deny all;<\/code> at the top of the list, as the other access directives would then never be evaluated!<\/p>\n<\/div><\/div><\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<h1 class=\"has-text-color wp-block-heading\" id=\"1-i-pr%C3%A9sentation\" style=\"color:#fffdf8;margin-top:0;margin-right:0;margin-bottom:0;margin-left:0;padding-top:0;padding-right:0;padding-bottom:0;padding-left:0;font-size:1px\">6. Access controls<\/h1>\n\n\n\n<div class=\"wp-block-group has-border-color has-vivid-cyan-blue-border-color has-background is-layout-flow\" style=\"border-style:dotted;border-width:2px;border-radius:8px;background-color:#fffdf8;padding-right:7px;padding-bottom:15px;padding-left:7px\">\n<h2 class=\"has-text-color wp-block-heading\" id=\"1-i-pr%C3%A9sentation\" style=\"color:#fffdf8;margin-top:0;margin-right:0;margin-bottom:0;margin-left:0;padding-top:0;padding-right:0;padding-bottom:0;padding-left:0;font-size:1px\">3.4. Differences and comparison of Apache and Nginx contexts and directives<\/h2>\n\n\n\n<p>We have already looked at the restrictions that can be applied depending on a client's origin (the <code>Require<\/code> directive for Apache and the <code>allow<\/code> and <code>deny<\/code> directives for Nginx). 
Other directives make it possible to control access to a page or to a set of pages.<\/p>\n\n\n\n<p>The HTTP authentication protocol defines 2 different authentication methods: <em>basic<\/em> mode (where the credentials are transmitted in the clear) and <em>digest<\/em> mode (where the credentials are transmitted as a digest, i.e. hashed, rather than in the clear).<\/p>\n\n\n\n<p><strong>NB<\/strong>: Nginx does not support <em>digest<\/em> mode, only <em>basic<\/em>.<\/p>\n\n\n\n<div class=\"qubely-block-accordion  qubely-block-d34844\" data-item-toggle=\"true\">\n<div class=\"wp-block-qubely-accordion-item qubely-block-0f48b9\"><div class=\"qubely-accordion-item qubely-type-fill qubely-accordion-active\"><div class=\"qubely-accordion-panel qubely-icon-position-right\"><span class=\"qubely-accordion-panel-handler\" role=\"button\"><span class=\"qubely-accordion-panel-handler-label\">6.1. Differences between basic and digest authentication<\/span><span class=\"qubely-accordion-icon fa fa-plus\"><\/span><\/span><\/div><div class=\"qubely-accordion-body\" style=\"display:block\"><div itemprop=\"text\">\n<p>In basic authentication, the username \/ password pair is sent base64-encoded (and therefore decodable) in the <code>Authorization<\/code> header. 
So, for the user <code>dr<\/code> with the password <code>who<\/code>, the client sends:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;htmlmixed&quot;,&quot;mime&quot;:&quot;text\/html&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;language&quot;:&quot;HTML&quot;,&quot;modeName&quot;:&quot;html&quot;}\">Authorization: Basic ZHI6d2hv<\/pre><\/div>\n\n\n\n<p>(<code>ZHI6d2hv<\/code> is <code>dr:who<\/code> encoded in base64: <code>echo -n dr:who | base64<\/code>)<\/p>\n\n\n\n<p>The information sent in <em>digest<\/em> authentication depends on parameters sent by the server and contains no decodable data. Example:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;htmlmixed&quot;,&quot;mime&quot;:&quot;text\/html&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;language&quot;:&quot;HTML&quot;,&quot;modeName&quot;:&quot;html&quot;}\">Authorization\n    Digest username=&quot;luc&quot;, realm=&quot;foo&quot;,\n        nonce=&quot;ZklQHRbRBQA=caebe745c92bc7932ad1b071631990d13cda189d&quot;,\n        uri=&quot;\/digest\/&quot;,\n        algorithm=MD5,\n        response=&quot;98cee1c3b1eb9733695538b0d6e464d9&quot;,\n        qop=auth,\n        nc=00000006,\n        cnonce=&quot;848b920ed0422c15&quot;<\/pre><\/div>\n\n\n\n<p>Although <em>digest<\/em> authentication looks more robust, it is not enough to improve security significantly compared with basic authentication. 
Moreover, storing the password on the server is even less safe with digest-based authentication than with basic authentication. That is why basic authentication combined with encryption of the connection via SSL\/TLS is a much better alternative.<\/p>\n<\/div><\/div><\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-border-color has-vivid-cyan-blue-border-color has-background is-layout-flow\" style=\"border-style:dotted;border-width:2px;border-radius:8px;background-color:#fffdf8;padding-right:7px;padding-bottom:15px;padding-left:7px\">\n<h2 class=\"has-text-color wp-block-heading\" id=\"1-i-pr%C3%A9sentation\" style=\"color:#fffdf8;margin-top:0;margin-right:0;margin-bottom:0;margin-left:0;padding-top:0;padding-right:0;padding-bottom:0;padding-left:0;font-size:1px\">6.2. Basic authentication<\/h2>\n\n\n\n<div class=\"qubely-block-accordion  qubely-block-d34844\" data-item-toggle=\"true\">\n<div class=\"wp-block-qubely-accordion-item qubely-block-4d5626\"><div class=\"qubely-accordion-item qubely-type-fill qubely-accordion-active\"><div class=\"qubely-accordion-panel qubely-icon-position-right\"><span class=\"qubely-accordion-panel-handler\" role=\"button\"><span class=\"qubely-accordion-panel-handler-label\">6.2. Basic authentication<\/span><span class=\"qubely-accordion-icon fa fa-plus\"><\/span><\/span><\/div><div class=\"qubely-accordion-body\" style=\"display:block\"><div itemprop=\"text\">\n<p>Since this method does not encrypt the credentials, it must only be deployed in production on a server secured with HTTPS (except for testing, of course).<\/p>\n\n\n\n<p>For this first mode, you must start by creating a text file containing the logins and passwords. 
The <code>htpasswd<\/code> program (available on Debian through the <code>apache2-utils<\/code> package) can be used for this.<\/p>\n\n\n\n<p>In particular, it accepts the following options:<\/p>\n\n\n\n<ul>\n<li><code>-c<\/code>: create a new file;<\/li>\n\n\n\n<li><code>-b<\/code>: take the password from the command line instead of prompting for it interactively (useful when account creation is to be automated).<\/li>\n<\/ul>\n\n\n\n<p>To create the file:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;shell&quot;,&quot;mime&quot;:&quot;text\/x-sh&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;languageLabel&quot;:&quot;no&quot;,&quot;language&quot;:&quot;Shell&quot;,&quot;modeName&quot;:&quot;shell&quot;}\">htpasswd -c file username<\/pre><\/div>\n\n\n\n<p>To modify the file:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;shell&quot;,&quot;mime&quot;:&quot;text\/x-sh&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;languageLabel&quot;:&quot;no&quot;,&quot;language&quot;:&quot;Shell&quot;,&quot;modeName&quot;:&quot;shell&quot;}\">htpasswd file username<\/pre><\/div>\n\n\n\n<p>To add a user to the file:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;shell&quot;,&quot;mime&quot;:&quot;text\/x-sh&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;languageLabel&quot;:&quot;no&quot;,&quot;language&quot;:&quot;Shell&quot;,&quot;modeName&quot;:&quot;shell&quot;}\">htpasswd file other_username<\/pre><\/div>\n\n\n\n<p>Once the password file has been created, the web server must be configured to use it.<\/p>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-b93f5ca4\"><h3 class=\"uagb-heading-text\">6.2.1. Apache<\/h3><\/div>\n\n\n\n<p>The password file is used in the <em>directory<\/em> or <em>.htaccess<\/em> contexts through several directives.<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;htmlmixed&quot;,&quot;mime&quot;:&quot;text\/html&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;language&quot;:&quot;HTML&quot;,&quot;modeName&quot;:&quot;html&quot;}\">&lt;Location \/private&gt;\n    AuthName &quot;closed site&quot;\n    AuthType basic\n    AuthBasicProvider file\n    AuthUserFile \/usr\/local\/apache2\/auth\/userfile\n    Require user user1 user2 \u2026\n&lt;\/Location&gt;<\/pre><\/div>\n\n\n\n<p>In the example above, authentication itself is handled by the first 4 lines, all of which start with <code>Authxxx<\/code>. The last line (<code>Require<\/code>) is used once authentication has succeeded. 
It is an <em>authorization<\/em> directive, listing the authorized users<a href=\"https:\/\/luc.frama.io\/cours-asrall\/serveurs_web\/6_controle_d_acces.html#fn1\"><sup>1<\/sup><\/a>. We could have chosen to authorize every user in the file rather than just a few of them with <code>Require valid-user<\/code>.<\/p>\n\n\n\n<p>The authentication directives (<code>Authxxx<\/code>) are provided by various Apache modules (through files, a database, an LDAP directory\u2026). Look at the modules whose name starts with <code>mod_auth<\/code> on <a href=\"https:\/\/httpd.apache.org\/docs\/2.4\/mod\/\">https:\/\/httpd.apache.org\/docs\/2.4\/mod\/<\/a>.<\/p>\n\n\n\n<p>Note that basic authentication does not refer to the underlying authentication backend (file, database, LDAP directory\u2026) but to the way the credentials are looked up.<\/p>\n\n\n\n<ul>\n<li><code>AuthName<\/code> is usually used to give a hint to the person trying to authenticate\u2026 or not. Put whatever you like.<\/li>\n\n\n\n<li><code>AuthType<\/code> indicates the authentication module used: <code>basic<\/code> in our case.<\/li>\n\n\n\n<li><code>AuthBasicProvider<\/code> is a directive specific to the <code>mod_auth_basic<\/code> module (which we selected with <code>AuthType basic<\/code>) and indicates the data source to use for authentication: file, database, LDAP directory, etc.<\/li>\n\n\n\n<li><code>AuthUserFile<\/code> is a directive specific to the <code>mod_authn_file<\/code> module, which we designated as the provider of the authentication data source with <code>AuthBasicProvider file<\/code>. 
It is the path of the file containing the users' credentials.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-uagb-advanced-heading uagb-block-7bffd7f8\"><h3 class=\"uagb-heading-text\">6.2.2. Nginx<\/h3><\/div>\n\n\n\n<p>Authentication support is more rudimentary in Nginx. In particular, it is not possible to specify a subset of authorized users:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;mode&quot;:&quot;htmlmixed&quot;,&quot;mime&quot;:&quot;text\/html&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;language&quot;:&quot;HTML&quot;,&quot;modeName&quot;:&quot;html&quot;}\">location \/ {\n    auth_basic           &quot;closed site&quot;;\n    auth_basic_user_file conf\/htpasswd;\n}<\/pre><\/div>\n\n\n\n<ul>\n<li><code>auth_basic<\/code> takes either a string or <code>off<\/code> (to disable authentication) as its argument.<\/li>\n\n\n\n<li><code>auth_basic_user_file<\/code> takes as its argument the path of the file holding the users and their passwords. 
This argument may include variables (for example <code>\/etc\/nginx\/auth\/$host<\/code>).<\/li>\n<\/ul>\n\n\n\n<p>The module providing authentication is <code>ngx_http_auth_basic_module<\/code><a href=\"https:\/\/luc.frama.io\/cours-asrall\/serveurs_web\/6_controle_d_acces.html#fn2\"><sup>2<\/sup><\/a>.<\/p>\n\n\n\n<p>Note that, unlike Apache, you cannot authorize only some of the users: every user present in the file is authorized.<\/p>\n<\/div><\/div><\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-border-color has-vivid-cyan-blue-border-color has-background is-layout-flow\" style=\"border-style:dotted;border-width:2px;border-radius:8px;background-color:#fffdf8;padding-right:7px;padding-bottom:15px;padding-left:7px\">\n<h2 class=\"has-text-color wp-block-heading\" id=\"1-i-pr%C3%A9sentation\" style=\"color:#fffdf8;margin-top:0;margin-right:0;margin-bottom:0;margin-left:0;padding-top:0;padding-right:0;padding-bottom:0;padding-left:0;font-size:1px\">6.3. <em>Digest<\/em> authentication<\/h2>\n\n\n\n<div class=\"qubely-block-accordion  qubely-block-d34844\" data-item-toggle=\"true\">\n<div class=\"wp-block-qubely-accordion-item qubely-block-457eb8\"><div class=\"qubely-accordion-item qubely-type-fill qubely-accordion-active\"><div class=\"qubely-accordion-panel qubely-icon-position-right\"><span class=\"qubely-accordion-panel-handler\" role=\"button\"><span class=\"qubely-accordion-panel-handler-label\">6.3. Digest authentication<\/span><span class=\"qubely-accordion-icon fa fa-plus\"><\/span><\/span><\/div><div class=\"qubely-accordion-body\" style=\"display:block\"><div itemprop=\"text\">\n<p>Although <em>digest<\/em> authentication works differently from the <em>basic<\/em> method, it is set up in much the same way. 
You will find more information at <a href=\"https:\/\/httpd.apache.org\/docs\/current\/mod\/mod_auth_digest.html\">https:\/\/httpd.apache.org\/docs\/current\/mod\/mod_auth_digest.html<\/a>.<\/p>\n\n\n\n<p>As this authentication mode has become outdated since the secure web became widespread, we will not dwell any further on <em>digest<\/em> authentication.<\/p>\n<\/div><\/div><\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>5. Access restrictions It is sometimes necessary to restrict access to a resource in order to ensure that only authorised persons consult the resource. A simple method is to take the client\u2019s IP address into account in order to allow or deny it access to the resource. 5.1. Apache 5.2. Nginx 6. Access controls 3.4. 
Differences [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":2316,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"qubely_global_settings":"","qubely_interactions":"","_uag_custom_page_level_css":""},"categories":[16],"tags":[],"qubely_featured_image_url":{"full":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"landscape":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"portraits":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-540x320.jpg",540,320,true],"thumbnail":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-150x150.jpg",150,150,true],"medium":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-300x156.jpg",300,156,true],"medium_large":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-768x400.jpg",768,400,true],"large":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"1536x1536":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"2048x2048":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"qubely_landscape":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"qubely_portrait":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-540x320.jpg",540,320,true],"qubely_thumbnail":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-140x100.jpg",140,100,true]},"qubely_author":{"display_name":"R\u00e9mi","author_link":"https:\/\/www.webodesign.net\/?author=3"},"qubely_comment":0,"qubely_category":"<a 
href=\"https:\/\/www.webodesign.net\/?cat=16\" rel=\"category\">Tutoriels Linux-Debian<\/a>","qubely_excerpt":"5. Access restrictions It is sometimes necessary to restrict access to a resource in order to ensure that only authorised persons consult the resource. A simple method is to take the client\u2019s IP address into account in order to allow or deny it access to the resource. 5.1. Apache 5.2. Nginx 6. Access controls 3.4. Differences\u2026","uagb_featured_image_src":{"full":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"thumbnail":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-150x150.jpg",150,150,true],"medium":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-300x156.jpg",300,156,true],"medium_large":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-768x400.jpg",768,400,true],"large":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"1536x1536":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"2048x2048":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"qubely_landscape":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06.jpg",940,490,false],"qubely_portrait":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-540x320.jpg",540,320,true],"qubely_thumbnail":["https:\/\/www.webodesign.net\/wp-content\/uploads\/2023\/01\/apache-ngnix-servers-05-06-140x100.jpg",140,100,true]},"uagb_author_info":{"display_name":"R\u00e9mi","author_link":"https:\/\/www.webodesign.net\/?author=3"},"uagb_comment_info":0,"uagb_excerpt":
"5. Access restrictions It is sometimes necessary to restrict access to a resource in order to ensure that only authorised persons consult the resource. A simple method is to take the client\u2019s IP address into account in order to allow or deny it access to the resource. 5.1. Apache 5.2. Nginx 6. Access controls 3.4. Differences\u2026","_links":{"self":[{"href":"https:\/\/www.webodesign.net\/index.php?rest_route=\/wp\/v2\/posts\/2315"}],"collection":[{"href":"https:\/\/www.webodesign.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webodesign.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webodesign.net\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webodesign.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2315"}],"version-history":[{"count":1,"href":"https:\/\/www.webodesign.net\/index.php?rest_route=\/wp\/v2\/posts\/2315\/revisions"}],"predecessor-version":[{"id":2317,"href":"https:\/\/www.webodesign.net\/index.php?rest_route=\/wp\/v2\/posts\/2315\/revisions\/2317"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.webodesign.net\/index.php?rest_route=\/wp\/v2\/media\/2316"}],"wp:attachment":[{"href":"https:\/\/www.webodesign.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webodesign.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webodesign.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}