diff --git a/src/docs/markdown/caddyfile/directives/basic_auth.md b/src/docs/markdown/caddyfile/directives/basic_auth.md index 3ac0b7a0..2145c825 100644 --- a/src/docs/markdown/caddyfile/directives/basic_auth.md +++ b/src/docs/markdown/caddyfile/directives/basic_auth.md @@ -26,7 +26,7 @@ basic_auth [] [ []] { } ``` -- **<hash_algorithm>** is the name of the password hashing algorithm (or KDF) used for the hashes in this configuration. Default: `bcrypt` +- **<hash_algorithm>** specifies the password hashing algorithm (or key derivation function) used for the hashes in this configuration. Available options include `argon2id`, the default is `bcrypt`. - **<realm>** is a custom realm name. @@ -64,3 +64,17 @@ example.com { } ``` +`argon2id` example + +```caddy +example.com { + root * /srv + + basic_auth /secret/* argon2id { + # Username "Bob", password "hiccup" + Bob $argon2id$v=19$m=47104,t=1,p=1$zJPvVe48N64JUa9MFlVhiw$b5Tznu0PxnA4TciY6qYe2BFPxncF1ePQaeNukHhH1cU + } + + file_server +} +``` diff --git a/src/docs/markdown/command-line.md b/src/docs/markdown/command-line.md index e61a1a30..fe9e159e 100644 --- a/src/docs/markdown/command-line.md +++ b/src/docs/markdown/command-line.md 
@@ -251,11 +251,40 @@ Formats or prettifies a Caddyfile, then exits. The result is printed to stdout u Convenient way to hash a plaintext password. The resulting hash is written to stdout as a format usable directly in your Caddy config. -`--plaintext` is the plaintext form of the password. If omitted, interactive mode will be assumed and the user will be shown a prompt to enter the password manually. +`--plaintext` + The password to hash. If omitted, it will be read from stdin. + If Caddy is attached to a controlling TTY, the input will not be echoed. -`--algorithm` may be `bcrypt` or any installed hash algorithm. Default is `bcrypt`. +`--algorithm` + Selects the hashing algorithm. Valid options are: + * `argon2id` (recommended for modern security) + * `bcrypt` (legacy, slower, configurable cost) +bcrypt-specific parameters: +`--bcrypt-cost` + Sets the bcrypt hashing difficulty. Higher values increase security by + making the hash computation slower and more CPU-intensive. + Must be within the valid range [bcrypt.MinCost, bcrypt.MaxCost]. + If omitted or invalid, the default cost is used. + +Argon2id-specific parameters: + +`--argon2id-time` + Number of iterations to perform. Increasing this makes + hashing slower and more resistant to brute-force attacks. + +`--argon2id-memory` + Amount of memory to use during hashing. + Larger values increase resistance to GPU/ASIC attacks. + +`--argon2id-threads` + Number of CPU threads to use. Increase for faster hashing + on multi-core systems. + +`--argon2id-keylen` + Length of the resulting hash in bytes. Longer keys increase + security but slightly increase storage size. ### `caddy help`
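Review bot: In the first `basic_auth.md` hunk (`@@ -26,7`), the new `<hash_algorithm>` sentence is a comma splice and names only one "option", which reads as if the list were incomplete: "Available options include `argon2id`, the default is `bcrypt`." Suggest a single, complete statement such as "Supported values are `bcrypt` (the default) and `argon2id`." so the reader sees both algorithms and the default in one place, and so it matches the two `--algorithm` values documented in the `command-line.md` hunk of this same patch.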
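Review bot: In the second `basic_auth.md` hunk (`@@ -64,3`), the example's comment `# Username "Bob", password "hiccup"` documents the credential but not that this published hash must never be copied into a real configuration, nor how an operator produces their own; since the hash is printed in the docs, anyone who pastes it verbatim has a publicly known password. Suggest extending the comment (or the lead line "`argon2id` example", which is currently a bare inline-code fragment rather than a sentence or heading) to say that the hash was generated with `caddy hash-password --algorithm argon2id`, documented later in this patch, and that users must generate their own. It would also help to note that the parameters embedded in the example hash (`m=47104,t=1,p=1`) are what that command produced by default, if that is the case, so readers do not assume they must hand-edit them.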
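Review bot: In the `command-line.md` hunk (`@@ -251,11`), the rewritten `--algorithm` text drops the removed line's "Default is `bcrypt`", and none of the six new tuning flags states its default value or its unit, so a reader cannot tell what `--argon2id-memory` measures or what `caddy hash-password` does when a flag is omitted; the `basic_auth.md` hunk in this same patch still says the default is `bcrypt`, so the two pages now disagree. Suggest restoring the default under `--algorithm`, and for each flag adding a "Default: …" line plus the unit for `--argon2id-memory`. Related points in the same hunk: `--bcrypt-cost` says "Must be within the valid range [bcrypt.MinCost, bcrypt.MaxCost]", which are Go library constants that mean nothing to a CLI user, so give the numeric bounds instead, and clarify whether an invalid cost is rejected or silently replaced ("If omitted or invalid, the default cost is used" documents a silent fallback that operators setting a deliberately high cost would want to know about); labelling `bcrypt` as "legacy, slower" contradicts it remaining the default and is not obviously true, since both algorithms are tunable, so neutral wording such as "`bcrypt` (default)" and "`argon2id`" is safer; `--argon2id-keylen`'s "Longer keys increase security" overstates what the output length does, so consider "Length of the derived hash in bytes" without the security claim; and the "bcrypt-specific parameters:" line lacks the blank lines and capitalisation used by the "Argon2id-specific parameters:" line, so the two sections render inconsistently.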