auth_digest_evasion_time
The `auth_digest_evasion_time` directive sets the length of the evasion period that digest authentication applies after repeated failed authentication attempts.
Description
The auth_digest_evasion_time directive controls the duration, in seconds, of the evasion period that NGINX applies during digest authentication. When a client requests a protected resource and has already made several unsuccessful authentication attempts, this directive defines the window during which the server treats the client's further requests as evasion attempts rather than as fresh, legitimate logins. Setting this value helps mitigate brute-force attacks by bounding how often a client can keep guessing: requests made during the evasion window may be logged or rejected according to the other security policies the server enforces.
The auth_digest_evasion_time parameter takes a numeric value representing the period in seconds. The directive can be placed in the http, server, or location context of the NGINX configuration, so the evasion period can be tuned per application. It works together with the related auth_digest_timeout and auth_digest_maxtries directives, which jointly control how long a challenge stays valid and how many failures are tolerated before the evasion period starts.
Config Example
```nginx
location /secure {
    auth_digest_user_file /etc/nginx/digest.passwd;
    # The realm string is set with the auth_digest directive, which also enables
    # digest authentication for this location.
    auth_digest "Protected Area";
    # Evasion period in seconds once a client has exceeded the allowed failures.
    auth_digest_evasion_time 300;
}
```
Ensure the value is a positive integer; setting it too low may increase the risk of brute-force attacks. Setting excessively high values may inadvertently allow attackers more time to attempt evasion attacks.
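To make the trade-off in the notes above concrete, here is an added Python model of the per-client lockout described in the Description section (example code written for this page, not the module's implementation): a client is locked out for `evasion_time` seconds once it reaches `maxtries` failures, and `max_guesses_per_hour` shows how the two values bound a brute-force attempt. The class and function names are hypothetical, and a `maxtries` of 5 is an assumed sample value; 300 seconds matches the config example.

```python
from typing import Dict, Tuple

# Assumed sample values for the model (5 tries is not taken from this page).
MAXTRIES = 5
EVASION_TIME = 300  # seconds, as in the config example above


class DigestEvasionTracker:
    """Track failed digest-auth attempts per client address (constructed model)."""

    def __init__(self, maxtries: int = MAXTRIES, evasion_time: int = EVASION_TIME):
        self.maxtries = maxtries
        self.evasion_time = evasion_time
        # client address -> (failures since last success, end of evasion window)
        self._state: Dict[str, Tuple[int, float]] = {}

    def allowed(self, client: str, now: float) -> bool:
        """Return False while the client's evasion period is still running."""
        _, until = self._state.get(client, (0, 0.0))
        return now >= until

    def record_failure(self, client: str, now: float) -> bool:
        """Count a failed attempt; return True if the client is now locked out."""
        failures, until = self._state.get(client, (0, 0.0))
        if now < until:
            return True  # still in the evasion window: attempt is ignored, not counted
        failures += 1
        if failures >= self.maxtries:
            # Reset the counter and open an evasion window of evasion_time seconds.
            self._state[client] = (0, now + self.evasion_time)
            return True
        self._state[client] = (failures, until)
        return False

    def record_success(self, client: str) -> None:
        """A successful login clears the client's failure history."""
        self._state.pop(client, None)


def max_guesses_per_hour(maxtries: int, evasion_time: int) -> float:
    """Upper bound on password guesses one client address can make per hour
    once lockouts are in force: maxtries guesses per evasion_time seconds."""
    return maxtries * 3600 / evasion_time


if __name__ == "__main__":
    tracker = DigestEvasionTracker()
    for t in range(MAXTRIES):  # constructed sequence of failures from one address
        locked = tracker.record_failure("198.51.100.7", float(t))
    print("locked out:", locked, "allowed at t=100:", tracker.allowed("198.51.100.7", 100.0))
    print("guesses/hour at 300 s:", max_guesses_per_hour(5, 300))
```

Halving `evasion_time` doubles the guesses an address can make per hour, which is the risk the note about low values refers to.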