Couper Documentation

v1.14

Basic Auth

| Block name | Context           | Label    |
|------------|-------------------|----------|
| basic_auth | Definitions Block | required |

The basic_auth block lets you configure basic auth for your gateway. Like all access control types, the basic_auth block is defined in the definitions block and can be referenced in all configuration blocks by its required label.

If both user/password and htpasswd_file are configured, the incoming credentials from the Authorization request HTTP header field are checked against user/password if the user matches, and against the data in the file referenced by htpasswd_file otherwise.

For successfully authenticated requests, the user name is accessible via the request.context.<label>.user variable.

Example

Using inline credentials

server {
  api {
    endpoint "/private" {
      access_control = ["myauth"]
      proxy {
        backend = "my_backend"
      }
    }
  }
}

definitions {
  basic_auth "myauth" {
    user     = "john"
    password = "s3cr3t"
  }
}

Using an htpasswd file

definitions {
  basic_auth "myauth" {
    htpasswd_file = "htpasswd"
  }
}

The htpasswd file uses Apache’s htpasswd format:

john:$2y$05$/uonQYUtwm...
jane:$argon2id$v=19$m=65536,t=3,p=4$salt$hash

Attribute htpasswd_file

Couper supports the following password hash algorithms:

| Algorithm | htpasswd prefix | Recommended |
|-----------|-----------------|-------------|
| argon2id  | $argon2id$      | yes         |
| argon2i   | $argon2i$       |             |
| bcrypt    | $2y$            |             |
| md5       | $apr1$          |             |

When generating your own password hashes, argon2id is the recommended choice as it provides a balanced approach to resisting both side-channel and GPU-based attacks (see OWASP Password Storage Cheat Sheet).

The file is loaded once at startup. Restart Couper after you have changed it.
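
An added example, not part of the Couper documentation or code base: a small Python audit that classifies each htpasswd entry by the prefixes in the table above and flags supported but non-recommended algorithms, unlisted prefixes, malformed lines and duplicate users. The function names and the sample file are constructed, and skipping blank and # lines is an assumption.

```python
# Added example (not Couper code); names and SAMPLE are constructed, hash bodies are placeholders.
ALGORITHMS = {  # htpasswd prefix -> (algorithm, recommended), from the table
    "$argon2id$": ("argon2id", True),
    "$argon2i$": ("argon2i", False),
    "$2y$": ("bcrypt", False),
    "$apr1$": ("md5", False),
}

def classify(hash_field):
    """Return (algorithm, recommended); (None, False) for unlisted prefixes."""
    for prefix, result in ALGORITHMS.items():
        if hash_field.startswith(prefix):
            return result
    return None, False

def audit_htpasswd(text):
    """Return (line_no, user, finding) tuples for entries needing attention."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: ignored, as Apache does
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user or not hash_field:
            findings.append((line_no, user, "malformed entry"))
            continue
        if user in seen:  # which entry wins is not stated on this page
            findings.append((line_no, user, "duplicate user"))
        seen.add(user)
        algorithm, recommended = classify(hash_field)
        if algorithm is None:
            findings.append((line_no, user, "hash prefix not in supported list"))
        elif not recommended:
            findings.append((line_no, user, f"{algorithm}: supported, argon2id recommended"))
    return findings

SAMPLE = """\
john:$2y$05$PLACEHOLDER
jane:$argon2id$v=19$m=65536,t=3,p=4$PLACEHOLDER$PLACEHOLDER
# legacy accounts
bob:$apr1$PLACEHOLDER$PLACEHOLDER
eve:{SHA}PLACEHOLDER
broken-line-without-colon
john:$argon2id$v=19$m=65536,t=3,p=4$PLACEHOLDER$PLACEHOLDER
"""

if __name__ == "__main__":
    for line_no, user, finding in audit_htpasswd(SAMPLE):
        print(f"line {line_no}: {user}: {finding}")
```

Running such a check before restarting Couper fits the load-once behaviour described above, since a changed file only takes effect at the next start.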

Attributes

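| Name              | Type   | Default | Description                                                             |
|-------------------|--------|---------|-------------------------------------------------------------------------|
| custom_log_fields | object | -       | Log fields for custom logging. Inherited by nested blocks.              |
| htpasswd_file     | string | -       | The htpasswd file.                                                      |
| password          | string | -       | The corresponding password.                                             |
| realm             | string | -       | The realm to be sent in a WWW-Authenticate response HTTP header field.  |
| user              | string | -       | The user name.                                                          |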

Nested Blocks

| Name          | Description                                 |
|---------------|---------------------------------------------|
| error_handler | Configures an error handler (zero or more). |