Howto enable WebDAV in Apache

Time for another enhancement for the Apache web server. If you followed my other two Apache postings, you will have a secure web server configuration which has SSL enabled and is monitored by the mod_security application-level firewall. Now it is time to set up the WebDAV module so that you can use your web server as external file storage.

The first step is to activate the dav_fs module:

a2enmod dav_fs

The rest of the configuration needs to be done inside one of your virtual host configuration files. Please note that it is recommended to enable the WebDAV service in an SSL secured virtual host, because Windows seems to have issues connecting to WebDAV services which are not secured via SSL.

In the first Apache tutorial we created the virtual host foobar.org. To add the WebDAV service to that virtual host, open the configuration file /etc/apache2/sites-available/foobar.org and add a new Directory directive to the SSL-enabled VirtualHost:

<VirtualHost *:443>
        SSLEngine On
        ....
        <Directory /srv/www/vhosts/foobar.org/httpsdocs/webdav>
                DAV On
                AllowOverride AuthConfig
                AuthType Basic
                AuthName "WebDAV Login"
                AuthUserFile /srv/www/vhosts/foobar.org/webdav-users
                Require valid-user
        </Directory>
</VirtualHost>

The above configuration defines a new subdirectory in the foobar.org SSL webspace which has the WebDAV module activated and is secured via a basic login mechanism. So if you try to access the address https://www.foobar.org/webdav you will be prompted for a login and password. The logins are stored in the file /srv/www/vhosts/foobar.org/webdav-users. We need to create this file and define a valid user:

htpasswd -c /srv/www/vhosts/foobar.org/webdav-users username

Where username is the login you would like to use. You will be prompted for a password and the user will be created in the specified file.

Now create the webdav directory and make it writeable for the Apache server:

mkdir /srv/www/vhosts/foobar.org/httpsdocs/webdav
chown www-data:www-data /srv/www/vhosts/foobar.org/httpsdocs/webdav
chmod g+w /srv/www/vhosts/foobar.org/httpsdocs/webdav

That’s it. After restarting your Apache server, you can now mount the above directory via WebDAV with the address https://www.foobar.org/webdav and use it as an external file store.
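To check the result of the steps above, the following added example (not part of the original post) audits the password file and the WebDAV directory. The function names are made up for this example, and the document root /srv/www/vhosts/foobar.org/httpsdocs is assumed from the paths used in this tutorial.

```shell
#!/bin/sh
# Added example: audit the permissions left behind by the steps above.

# has_perm PATH MODE: true if PATH has every permission bit in MODE set.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_webdav DOCROOT DAVDIR USERFILE
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if a path is missing.
audit_webdav() {
    docroot=${1%/}; davdir=$2; userfile=$3; findings=0

    [ -f "$userfile" ] || { echo "MISSING password file: $userfile"; return 2; }
    [ -d "$davdir" ]   || { echo "MISSING WebDAV directory: $davdir"; return 2; }

    # A password file below the document root could be fetched over HTTP.
    case $userfile in
        "$docroot"/*) echo "EXPOSED password file lies inside the document root"; findings=1 ;;
    esac

    # htpasswd -c creates the file under the caller's umask, commonly mode 644.
    if has_perm "$userfile" 004; then
        echo "WEAK password file is world-readable"
        findings=1
    fi

    # The tutorial grants group write to www-data; write for "others" is never needed.
    if has_perm "$davdir" 002; then
        echo "WEAK WebDAV directory is world-writable"
        findings=1
    fi

    return "$findings"
}

# Document root below is assumed from the tutorial's URL-to-path mapping.
# audit_webdav /srv/www/vhosts/foobar.org/httpsdocs \
#     /srv/www/vhosts/foobar.org/httpsdocs/webdav \
#     /srv/www/vhosts/foobar.org/webdav-users
```

If the password file is reported as world-readable, chown root:www-data and chmod 640 keep it readable for the Apache user only.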

If you want to restrict only write access to the WebDAV directory and allow read-only access to anybody, replace Require valid-user with:

<LimitExcept GET>
        Require valid-user
</LimitExcept>

With this change, plain GET requests are answered without a login; every other method, including those used for uploading, modifying or deleting files in the WebDAV directory, still requires one. You could also enable directory browsing with the following configuration setting:

Options Indexes

Should you use mod_security you also need to disable some rules which would block WebDAV traffic. This is best done inside of the above Directory-directive:

<IfModule mod_security2.c>
        SecRuleRemoveById 960032 960038 960904
</IfModule>

Please note that the rule ids may change depending on the mod_security version you use. So if WebDAV does not seem to work, take a look at the mod_security audit log to see which rules are blocking your traffic.
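As an added example (not from the original post or the mod_security project), the following script lists which rule ids logged messages for WebDAV requests, so you know what to pass to SecRuleRemoveById. It assumes the serial audit log format in the file named by SecAuditLog; the function names and the sample log, including rule id 999999, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# blocked_rules LOG [URI_PREFIX]: print "METHOD RULE_ID ACTION COUNT" for every
# rule message logged on a request whose URI starts with URI_PREFIX (default /webdav).
blocked_rules() {
    awk -v prefix="${2:-/webdav}" '
        /^--[0-9a-zA-Z]+-[A-Z]--$/ {          # section boundary: --<txid>-<part>--
            part = substr($0, length($0) - 2, 1); first = 1
            if (part == "A") { method = ""; uri = "" }
            next
        }
        part == "B" && first {                # request line: METHOD URI PROTOCOL
            method = $1; uri = $2; first = 0; next
        }
        part == "H" && /^Message: / && index(uri, prefix) == 1 {
            action = ($0 ~ /^Message: Access denied/) ? "deny" : "warn"
            if (match($0, /\[id "[0-9]+"\]/))
                seen[method " " substr($0, RSTART + 5, RLENGTH - 7) " " action]++
        }
        END { for (k in seen) print k, seen[k] }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample in the ModSecurity 2.x serial audit log layout (not real traffic).
sample_audit_log() {
    cat <<'EOF'
--a1b2c3d4-A--
--a1b2c3d4-B--
PROPFIND /webdav/ HTTP/1.1
Host: www.foobar.org
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 1). [id "960032"] [msg "constructed"]
--a1b2c3d4-Z--
--b2c3d4e5-A--
--b2c3d4e5-B--
PUT /webdav/notes.txt HTTP/1.1
--b2c3d4e5-H--
Message: Warning. [id "960904"] [msg "constructed"]
Message: Access denied with code 403 (phase 1). [id "960032"] [msg "constructed"]
--b2c3d4e5-Z--
--c3d4e5f6-A--
--c3d4e5f6-B--
GET /index.html HTTP/1.1
--c3d4e5f6-H--
Message: Access denied with code 403 (phase 2). [id "999999"] [msg "constructed"]
--c3d4e5f6-Z--
EOF
}
```

Only remove the ids reported for /webdav, and keep the SecRuleRemoveById line inside the WebDAV Directory block so the rules stay active for the rest of the site.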


4 Responses to Howto enable WebDAV in Apache

  1. Achim says:

    Hi Peter,

    I did something similar some time ago. However, instead of using a login/password for authentication, I decided to go with SSL client certificates. For this to work, the VirtualHost section needs to be expanded / changed like this:

    <VirtualHost ###.###.###.###:443>
            ...
            SSLVerifyClient optional
            SSLVerifyDepth 2
            SSLCACertificateFile /path/to/CAcert.pem
            ...
     
            <Directory ....>
                    DAV On
                    SSLVerifyClient require
                    SSLVerifyDepth 2
                    SSLOptions      +FakeBasicAuth +StdEnvVars
                    SSLRequireSSL
                    SSLRequire %{SSL_CLIENT_S_DN_O} eq "organization"
            </Directory>
    </VirtualHost>

    /path/to/CAcert.pem is the certificate of the CA you used to create the client certificates, “organization” is the organization name you used for generating your client certificates.

    Actually, I used a tag instead of , but I don’t think that should matter.

    Cheers,
    Achim

  2. Peter says:

    Hi Achim,

    Very good tip!

    Thanks a lot :)

  3. Achim says:

    The last sentence in my comment should read:

    Actually, I used a “Location” tag instead of “Directory”, but I don’t think that should matter.

    :-)

  4. Pingback: "Logbuch des Captains´ - Rainbowarrior.at
