How-To: Setup HTTP Basic Authentication on Akamai

Blog Post created by Jeremy Labadie Employee on Jul 8, 2015

Recently I have had a few of my customers ask me if there is any way for Akamai to protect some content with HTTP basic auth.

The short answer is yes, it is something that can be set up within a Property Manager configuration.  The use case is pretty common.  Many people run basic auth for specific content and manage the auth at the web server.  Their goal is to move the auth off of the web server and up to Akamai.

Before I get into my short tutorial, I want to take a second to point out that basic auth is generally considered to be a pretty weak authentication method for quite a few reasons.  If you are OK with using basic auth, here is how you go about setting it up on Akamai.

When using Property Manager, I am a big fan of organizing my rules and grouping them.  If you have a large rule list, this makes it a lot easier.  When setting up basic auth, I opted to go with three rules: a single parent rule named Auth, and two child rules named Auth Check and Auth Passed.

[Screenshot: Luna Property Manager rule list]

First let's look at the parent rule.

[Screenshot: Luna Property Manager, path match in the parent rule]

Within the parent rule I perform a simple path check.  In this case, I check for the path /auth.  If this matches, then we move on to the two child rules.  If this does not match, then the child rules are skipped.

I set this up with the expectation that only a certain part of the site needs to be behind basic auth (in my case, /auth).  You can replace this check with whatever you think is appropriate.  I am matching on a path, but there are a lot of match criteria options.

So now any request with /auth in the path will match this rule, and we will move on to the child rules.

The first child rule is named Auth Check.

[Screenshot: Luna Property Manager, Auth Check rule]

Here I am looking for the Authorization header and 1) making sure it exists, and 2) ensuring only the correct value is used.  In my case I am just using a base64 encoding of user:pass, but you can encode any username/password combo and check for it here.

If the Authorization header does not exist, or its value does not match, then I set the response code to 401, add the WWW-Authenticate response header, and deny access.  This results in the end user being denied access and receiving the auth prompt in their browser.

The next child rule is named Auth Passed, and this rule handles a successful authentication.

[Screenshot: Luna Property Manager, Auth Passed rule]

Here we are checking to make sure that the Authorization header value is correct.  Again, I am just base64 encoding user:pass here.  If the Authorization header is correct, then I am returning some very simple HTML saying that it worked.

That’s it!
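The three rules above, modelled in Python as an added reference check (this is not Akamai's rule engine and not code from the original post) so the decision can be exercised offline against the same requests as the curl tests: the expected header value is computed from user:pass, a missing or wrong header yields a 401 with the WWW-Authenticate challenge, and the decoder shows that the header carries the credential as plain base64, which is why it needs TLS in transit. PROTECTED_PREFIX, REALM and all function names are assumptions.

```python
import base64
import hmac
from typing import Mapping, Optional, Tuple

# Constructed to mirror the tutorial's rules: only /auth is protected and the
# single accepted credential is user:pass, i.e. "Basic dXNlcjpwYXNz".
PROTECTED_PREFIX = "/auth"
REALM = "secure"


def expected_header_value(username: str, password: str) -> str:
    """Return the Authorization value the Auth Check / Auth Passed rules compare against."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


EXPECTED = expected_header_value("user", "pass")


def edge_decision(path: str, headers: Mapping[str, str]) -> Tuple[int, dict]:
    """Model the parent rule (path match) plus the Auth Check and Auth Passed child rules.

    Returns (status code, response headers the rules add)."""
    # Parent rule: requests outside /auth skip both child rules entirely.
    if not path.startswith(PROTECTED_PREFIX):
        return 200, {}
    # Header names are case-insensitive, so accept "Authorization" however it is spelled.
    supplied = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    # Auth Check: header missing or not the expected value -> 401 plus the challenge header.
    if supplied is None or not hmac.compare_digest(supplied.encode("utf-8"), EXPECTED.encode("utf-8")):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    # Auth Passed: the exact value matched, so serve the success page.
    return 200, {"Content-Type": "text/html"}


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Recover the username and password from a Basic header value.

    Basic auth only base64-encodes the credential, so anyone who can read the
    request (e.g. over plain HTTP) reads the password; TLS is what protects it."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password
```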

Here are a few test examples.

Here is a request without any auth header set.  Notice that it fails with a 401 as expected.  If done in a browser, you would receive a login prompt.

curl -I http://testurl/auth

HTTP/1.1 401 Unauthorized
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 280
Expires: Wed, 08 Jul 2015 05:15:49 GMT
Date: Wed, 08 Jul 2015 05:15:49 GMT
Connection: keep-alive
WWW-Authenticate: Basic realm="secure"

And another request with the auth header set, but an incorrect value.  It also fails with a 401.

curl -IH "Authorization: Basic 12345ABCabc" http://testurl/auth

HTTP/1.1 401 Unauthorized
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 280
Expires: Wed, 08 Jul 2015 05:18:03 GMT
Date: Wed, 08 Jul 2015 05:18:03 GMT
Connection: keep-alive
WWW-Authenticate: Basic realm="secure"

And now a request with the proper auth header.

curl -IH "Authorization: Basic dXNlcjpwYXNz" http://testurl/auth

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 188
Date: Wed, 08 Jul 2015 05:17:02 GMT
Connection: keep-alive

And another successful request, except this time using the username and password (instead of manually setting the Authorization header).

curl -I -u user:pass http://testurl/auth

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 188
Date: Wed, 08 Jul 2015 05:26:22 GMT
Connection: keep-alive


Thank you to Angel Nogueras Palomar and Mikko Kortesluoma for their contributions to this tutorial.