16 changes: 15 additions & 1 deletion src/docs/markdown/caddyfile/directives/basic_auth.md
Expand Up @@ -26,7 +26,7 @@ basic_auth [<matcher>] [<hash_algorithm> [<realm>]] {
}
```

- **&lt;hash_algorithm&gt;** is the name of the password hashing algorithm (or KDF) used for the hashes in this configuration. Default: `bcrypt`
- **&lt;hash_algorithm&gt;** specifies the password hashing algorithm (or key derivation function) used for the hashes in this configuration. Available options include `argon2id`, the default is `bcrypt`.

- **&lt;realm&gt;** is a custom realm name.

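Review bot: The new `<hash_algorithm>` bullet joins two statements with a comma ("Available options include `argon2id`, the default is `bcrypt`"), and "include" leaves it unclear whether the list is complete. Suggest naming both values and the default explicitly, for example "Supported values are `bcrypt` (default) and `argon2id`." If further algorithms can be installed, as the old `--algorithm` text in command-line.md implied with "any installed hash algorithm", say so here as well.
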
Expand Down Expand Up @@ -64,3 +64,17 @@ example.com {
}
```

`argon2id` example

```caddy
example.com {
root * /srv

basic_auth /secret/* argon2id {
# Username "Bob", password "hiccup"
Bob $argon2id$v=19$m=47104,t=1,p=1$zJPvVe48N64JUa9MFlVhiw$b5Tznu0PxnA4TciY6qYe2BFPxncF1ePQaeNukHhH1cU
}

file_server
}
```
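
Review bot: The `argon2id` example block shows a finished hash carrying `m=47104,t=1,p=1`, but nothing around it says how to produce such a hash or whether those parameters are taken from the hash string or need to be configured separately. Add a sentence before the block that points to `caddy hash-password --algorithm argon2id` and states where the cost parameters come from. The bare "`argon2id` example" line would also read better as a full lead-in sentence.
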
33 changes: 31 additions & 2 deletions src/docs/markdown/command-line.md
Expand Up @@ -251,11 +251,40 @@ Formats or prettifies a Caddyfile, then exits. The result is printed to stdout u

Convenient way to hash a plaintext password. The resulting hash is written to stdout as a format usable directly in your Caddy config.

`--plaintext` is the plaintext form of the password. If omitted, interactive mode will be assumed and the user will be shown a prompt to enter the password manually.
`--plaintext`
The password to hash. If omitted, it will be read from stdin.
If Caddy is attached to a controlling TTY, the input will not be echoed.

`--algorithm` may be `bcrypt` or any installed hash algorithm. Default is `bcrypt`.
`--algorithm`
Selects the hashing algorithm. Valid options are:
* `argon2id` (recommended for modern security)
* `bcrypt` (legacy, slower, configurable cost)

bcrypt-specific parameters:

`--bcrypt-cost`
Sets the bcrypt hashing difficulty. Higher values increase security by
making the hash computation slower and more CPU-intensive.
Must be within the valid range [bcrypt.MinCost, bcrypt.MaxCost].
If omitted or invalid, the default cost is used.

Argon2id-specific parameters:

`--argon2id-time`
Number of iterations to perform. Increasing this makes
hashing slower and more resistant to brute-force attacks.

`--argon2id-memory`
Amount of memory to use during hashing.
Larger values increase resistance to GPU/ASIC attacks.

`--argon2id-threads`
Number of CPU threads to use. Increase for faster hashing
on multi-core systems.

`--argon2id-keylen`
Length of the resulting hash in bytes. Longer keys increase
security but slightly increase storage size.


### `caddy help`
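
Review bot: The four `--argon2id-*` flags are documented without units or defaults: `--argon2id-memory` does not say whether the value is bytes, KiB or MiB, and none of the flags says what is used when it is omitted, so a reader cannot relate them to the `m=`, `t=` and `p=` fields of the printed hash. Please add the unit and the default to each. In the same hunk, the `--bcrypt-cost` range is given as `[bcrypt.MinCost, bcrypt.MaxCost]`, which are Go identifiers a CLI user cannot resolve; state the numeric bounds and the default value, and reconsider "If omitted or invalid, the default cost is used", since silently replacing an invalid cost hides a typo in a security parameter. The new `--algorithm` text no longer states the default, which the removed line gave as `bcrypt`, and it labels `bcrypt` "legacy, slower" although the `--bcrypt-cost` text treats slowness as the protection; align the wording and restore the default. The `--plaintext` entry could also note that a password passed as an argument lands in shell history and the process list, which the stdin path avoids.
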