Add Basic Apache Authentication for extra security


#1

I'm doing this because I want to add an additional layer of security to OwnCloud. I would like to have two logins, first the Basic Apache Auth, and then the Owncloud login. I've done a lot of digging and can't seem to find an answer I understand. This is on an Ubuntu server 14.04 with OwnCloud 9.1.5.

I've added the below to /etc/apache2/sites-available/owncloud.conf

AuthName "Password Required"
AuthType Basic
AuthUserFile /some/directory/.htpasswd
AuthGroupFile /dev/null
require valid-user

This works fine when going to:
https://mydomain.com/owncloud

But when I share a folder and generate a https: link, like below
https://mydomain.com/owncloud/index.php/s/9p8x9hy3YdQI6BN

When I go to the link, I get a loop that keeps prompting for the Basic Apache Auth (login/password)

Your help is much appreciated!


#2

Hi,

It is known that you can't use an additional Basic Auth in front of ownCloud for the simple reason that oC is using its own Basic Auth in various functions like those shared links etc.

You can't have two basic auths (one by apache and one by ownCloud's WebDAV). If it has worked, it worked by luck, as the behavior of a daisy-chained basic auth is undefined.

-> https://github.com/owncloud/client/issues/1618#issuecomment-38775347
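
Added example, not part of the thread and not ownCloud or Apache code: a simplified Python model of why the prompt loops. An HTTP request carries a single `Authorization` header, so the Apache layer and the application layer both read the same value. The credential stores, the `ownCloud` realm string and all function names are constructed for illustration; only the `Password Required` realm comes from the configuration in post #1.

```python
import base64
import hmac
# Constructed credential stores (assumptions for illustration only).
APACHE_HTPASSWD = {"gateuser": "gate-secret"}   # outer layer: Apache AuthUserFile
OWNCLOUD_USERS = {"alice": "alice-secret"}      # inner layer: application accounts
APACHE_REALM = 'Basic realm="Password Required"'  # AuthName from post #1
APP_REALM = 'Basic realm="ownCloud"'              # constructed realm name

def basic_header(user, password):
    """Build the one Authorization header value a client can send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def parse_basic(header):
    """Return (user, password), or None if the header is absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check(store, header):
    creds = parse_basic(header)
    if creds is None or creds[0] not in store:
        return False
    return hmac.compare_digest(store[creds[0]].encode(), creds[1].encode())

def request(header):
    """Model one request passing through both layers, outer layer first."""
    if not check(APACHE_HTPASSWD, header):
        return (401, APACHE_REALM)   # Apache challenges
    if not check(OWNCLOUD_USERS, header):
        return (401, APP_REALM)      # application challenges
    return (200, None)

def simulate(rounds=4):
    """Client that answers each challenge with that realm's credentials."""
    answers = {APACHE_REALM: basic_header("gateuser", "gate-secret"),
               APP_REALM: basic_header("alice", "alice-secret")}
    header, statuses = None, []
    for _ in range(rounds):
        status, challenge = request(header)
        statuses.append(status)
        if status == 200:
            break
        header = answers[challenge]
    return statuses
```

In this model `simulate()` never gets past 401, because satisfying one layer replaces the header the other layer needs; a request succeeds only if the same username and password happen to exist in both stores.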


#3

Thank you for your help and confirming that the addition of Apache Basic Authorization on top of Owncloud is not an option. The post confirming this from 2014 still stands true.


#4

Correct. We recommend a 2FA in such a case for added security. From an Open Source perspective you can look into PrivacyIdea! That's also available in the Marketplace.


#5

The question is why @sightbeagle wants to add basic authentication. The interesting thing is that you can defend the application on the layer of the webserver.

privacyIDEA uses oC's 2FA framework, i.e. an attacker would already be at the ownCloud code.
Nevertheless, you can assign any kind of authentication device to the users - smartphone apps, yubikeys, U2F and also... simple passwords - adding a 2nd password or a site password or group password to the original oC credentials of the user. Also - this does not interfere with the download links.

Kind regards
Cornelius


#6

I wanted to add basic auth because if there was ever a bug in ownCloud that compromised the login page, it would act as a protection against that. However, I don't know the intricacies of how the ownCloud login works, so my thinking is very possibly flawed. I like the idea of 2FA, but I was unable to find an easy to understand "how to" guide to get this set up. I settled on using an alternate https port and setting up Fail2Ban to block failed login attempts.