WebDav/Server

From Foxwiki

WebDAV-Server

This can be combined with user authentication (using LDAP or a number of other password mechanisms).

WebDAV Server Installation

Install Apache webserver

Apache2 must be installed, either alone or as part of a LAMP server.

# apt install apache2

or

apt-get install tasksel
tasksel install lamp-server

Open your firewall

  • Remember, WebDAV is an HTTP server. The incoming default HTTP and/or HTTPS ports (80 and/or 443) should be open to the server.
  • It is, of course, also possible to use custom ports by changing the allowed incoming ports in the firewall, the virtual host configuration file, and, of course, the URL used to reach the WebDAV server.

Enable the Apache2 WebDAV modules

Enable the dav and dav_fs modules:

# a2enmod dav_fs

Restart Apache2

# systemctl restart apache2

Create a folder for WebDAV use

There are two options:

  • Create a WebDAV directory in the /var/www folder:
sudo mkdir /var/www/WebDAV1

or

Create a WebDAV directory in the /home/user/ (also known as ~/) folder and create a symbolic link:

mkdir ~/WebDAV1
sudo ln -s ~/WebDAV1 /var/www/
  • Create a subdirectory for files:
sudo mkdir /var/www/WebDAV1/files
  • Note: In the next several steps, file/folder ownership and permissions can also be adjusted from a File Manager (such as Dolphin in Kubuntu or Nautilus in Ubuntu) as root:
sudo dolphin

or

sudo nautilus
  • Make sure the owner of whichever WebDAV folder was created (and its subfolders, using the -R recursive switch) is www-data (the user ID for Apache2) and the group is that of your user ID (or, alternatively, root):
sudo chown -R www-data:user /var/www/WebDAV1

or

sudo chown -R www-data:user ~/WebDAV1

Alternatively you could create a WebDAV user group so that some group of local users could access the files locally (instead of through WebDAV). Add the individual users to that group and use WebDAV as the group instead of a single user (or root), for example:

sudo chown -R www-data:WebDAV /var/www/WebDAV1

To allow files in the WebDAV folder (and its subfolders, using the -R recursive switch) to be Read/Write but not eXecutable (which may be a security risk on some servers):

sudo chmod 664 -R /var/www/WebDAV1

or

sudo chmod 664 -R ~/WebDAV1
  • Some users find that broader permissions may be required, and instead allow Read/Write/eXecute for the Owner / Group (but not all users):
sudo chmod 770 -R /var/www/WebDAV1

or

sudo chmod 770 -R ~/WebDAV1
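
A recursive chmod 664 also clears the search (x) bit on directories, so they can no longer be entered, while chmod 770 -R marks every file executable. The following added example (not part of the original page) sets directories and files separately and then audits the result; dav_set_modes, dav_audit and the 770/660 split are assumptions chosen to match the intent described above.

```sh
#!/bin/sh
# Added example: set directory and file modes separately under a WebDAV tree.
# dav_set_modes and dav_audit are hypothetical helper names.

# Directories: 770 (owner/group may enter and list, others get nothing).
# Regular files: 660 (owner/group read/write, never executable).
# -H follows a symlinked root such as /var/www/WebDAV1 -> ~/WebDAV1.
dav_set_modes() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find -H "$root" -type d -exec chmod 770 {} +
    find -H "$root" -type f -exec chmod 660 {} +
}

# Print every path that breaks the policy: anything with a permission bit
# for "other", and any regular file with an owner or group execute bit.
# Symlinks inside the tree are skipped because their own mode is meaningless.
# Returns 0 when the tree is clean, 1 otherwise.
dav_audit() {
    root=$1
    bad=$( {
        find -H "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
        find -H "$root" -type f \( -perm -100 -o -perm -010 \) -print
    } | sort -u )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Run both functions with root privileges against the WebDAV folder after the chown step; ownership is left untouched.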

Create or edit the virtual host file

  • Edit the virtual host (vhost) file used for the URL through which WebDAV will be accessed
#  kate /etc/apache2/sites-available/mydomainhost

where mydomainhost is the name of the virtual host configuration file used for your URL. If you are using the default virtual host file, edit that one.

Add the line

Alias /WebDAV1 /var/www/WebDAV1/files

so that accessing the WebDAV folder using the URL

http://myhost.mydomain.org/WebDAV1

will forward to the correct folder (/var/www/WebDAV1) on the computer.

The final virtual host file ought to resemble:

<VirtualHost *>
#
# UseCanonicalName off
# ServerName WebDAV1.mydomain.org
ServerName myhost.mydomain.org
ServerAlias 192.168.0.155 WebDAV1.mydomain.org
#
ServerAdmin root@localhost
DocumentRoot /var/www/
#
Alias /WebDAV1 /var/www/WebDAV1/files
#
 <Directory /var/www/WebDAV1/>
  Options Indexes MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 </Directory>
</VirtualHost>
  • In this example, the WebDAV server is on the primary server, so the URL is the same as that of the primary server (and would be accessed from http://myhost.mydomain.org/WebDAV1).
  • The primary server's IP address on the LAN (in this example) is 192.168.0.155, so to access it from the LAN, this address could also be used: http://192.168.0.155/WebDAV1.

Enable the virtual host (vhost):

# ln -s /etc/apache2/sites-available/mydomainhost /etc/apache2/sites-enabled/

Restart Apache2:

# /etc/init.d/apache2 restart

Test that the folders are reachable through Apache2 using:

http://localhost/WebDAV1 

or

http://192.168.0.155/WebDAV1

Create password access for the WebDAV folders

  • Note: This method uses HTTP Basic Authentication as outlined in the Apache documentation. However, this same documentation recommends against routine use of HTTP Basic Authentication (which transmits unencrypted passwords, inviting password sniffing) and instead recommends HTTP Digest Authentication (or at least HTTP Basic Authentication over SSL). Refer to the Apache documentation for more details.
  • Create the WebDAV password file /var/www/WebDAV1/passwd.dav with the user testuser. For more info see here. (The -c switch creates the file if it does not exist.):
sudo htpasswd -c /var/www/WebDAV1/passwd.dav testuser

Type in a password for the user testuser.

We will later use this userID when connecting to the WebDAV URL:

http://myhost.mydomain.org/WebDAV1

  • Add other users (e.g. testuser2, testuser3, etc.) as needed. (Omit the -c switch because the password file already exists.)

sudo htpasswd /var/www/WebDAV1/passwd.dav testuser2

Note: See below for adding a password for users accessing WebDAV folders from Windows clients.

  • Change the permissions of the /var/www/WebDAV1/passwd.dav file so that only www-data (as owner) and user (or, alternatively, root) as the group can access it:

sudo chown www-data:user /var/www/WebDAV1/passwd.dav
sudo chmod 660 /var/www/WebDAV1/passwd.dav

Note: I personally use chmod 460, which does not allow the www-data owner to write to the file (only read permissions are allowed). Only members of the local group user can read/write to the file using this chmod 460 setting.

  • Edit the virtual host (vhost) file /etc/apache2/sites-available/mydomainhost (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

sudo kate /etc/apache2/sites-available/mydomainhost

and add the following lines to it:

#
 <Location /WebDAV1>
  DAV On
  AuthType Basic
  AuthName "WebDAV1"
  AuthUserFile /var/www/WebDAV1/passwd.dav
  Require valid-user
 </Location>

The final virtual host (vhost) file should resemble:

<VirtualHost *>
#
# UseCanonicalName off
# ServerName WebDAV1.mydomain.org
 ServerName myhost.mydomain.org
 ServerAlias 192.168.0.155 WebDAV1.mydomain.org
#
 ServerAdmin root@localhost
 DocumentRoot /var/www/
#
 Alias /WebDAV1 /var/www/WebDAV1/files
#
 <Directory /var/www/WebDAV1/>
  Options Indexes MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
</Directory>
#
 <Location /WebDAV1>
  DAV On
  AuthType Basic
  AuthName "WebDAV1"
  AuthUserFile /var/www/WebDAV1/passwd.dav
  Require valid-user
 </Location>
</VirtualHost>

Reload Apache:

/etc/init.d/apache2 reload

Testing WebDAV

Install cadaver, a command-line WebDAV client:

sudo apt-get install cadaver
  • Test if WebDAV works:
cadaver http://localhost/WebDAV1/

You should be prompted for a user name. Type in testuser and then the password for testuser. If all goes well, you should be granted access which means WebDAV is working ok. To leave the WebDAV shell, type quit:

server1:~# cadaver http://localhost/WebDAV1/
Authentication required for test on server `localhost':
Username: testuser
Password: *******
dav:/WebDAV1/> quit
Connection to `localhost' closed.
server1:~#

Set up Digest Authorization (encrypted passwords)

Enable the HTTP Digest Authentication module:

sudo a2enmod auth_digest
  • Create a digest authorization password file:
sudo htdigest -c /var/www/WebDAV1/digestpasswd.dav WebDAV1digest testuser
  • Add other users (e.g. testuser2, testuser3, etc.) as needed. (Omit the -c switch because the password file already exists.)
sudo htdigest /var/www/WebDAV1/digestpasswd.dav WebDAV1digest testuser2

Note: See below for adding a password for users accessing WebDAV folders from Windows clients.

  • Change the permissions of the /var/www/WebDAV1/digestpasswd.dav file so that only www-data (as owner) and user (or, alternatively, root) as the group can access it:

sudo chown www-data:user /var/www/WebDAV1/digestpasswd.dav
sudo chmod 660 /var/www/WebDAV1/digestpasswd.dav

Note: I personally use chmod 460, which does not allow the www-data owner to write to the file (only read permissions are allowed). Only members of the local group user can read/write to the file using this chmod 460 setting.

Edit the virtual host (vhost) file /etc/apache2/sites-available/mydomainhost (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

sudo kate /etc/apache2/sites-available/mydomainhost
and this time add the following lines to it: 
#
 <Location /WebDAV1>
  DAV On
  AuthType Digest
  AuthName "WebDAV1digest"
  AuthUserFile /var/www/WebDAV1/digestpasswd.dav
  Require valid-user
 </Location>

so that the final file resembles:

<VirtualHost *>
#
# UseCanonicalName off
# ServerName WebDAV1.mydomain.org
 ServerName myhost.mydomain.org
 ServerAlias 192.168.0.155 WebDAV1.mydomain.org
#
 ServerAdmin root@localhost
 DocumentRoot /var/www/
#
 Alias /WebDAV1 /var/www/WebDAV1/files
#
<Directory /var/www/WebDAV1/>
   Options Indexes MultiViews
   AllowOverride None
   Order allow,deny
   allow from all
 </Directory>
#
# <Location /WebDAV1>
#  DAV On
#  AuthType Basic
#  AuthName "WebDAV1"
#  AuthUserFile /var/www/WebDAV1/passwd.dav
#  Require valid-user
# </Location>
#
 <Location /WebDAV1>
  DAV On
  AuthType Digest
  AuthName "WebDAV1digest"
  AuthUserFile /var/www/WebDAV1/digestpasswd.dav
  Require valid-user
 </Location>
</VirtualHost>
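
The realm given to htdigest (WebDAV1digest) has to equal the AuthName of the Digest Location block, because each stored entry is user:realm:MD5(user:realm:password). The following added example (not part of the original page) checks a vhost file against a digest password file; ha1 and check_digest_realm are hypothetical helper names, and md5sum is assumed to be installed.

```sh
#!/bin/sh
# Added example: verify that every htdigest entry uses the realm named by
# AuthName in the Digest <Location> block of a vhost file.
# ha1 and check_digest_realm are hypothetical helper names.

# Hash that htdigest stores for a user/realm/password triple. The realm is
# part of the input, so changing AuthName invalidates every stored entry.
ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# Find the AuthName of the first uncommented Location block that sets
# "AuthType Digest", then list digest-file users whose realm differs.
# Returns 0 if all entries match, 1 on a mismatch, 2 if no realm is found.
check_digest_realm() {
    vhost=$1
    digestfile=$2
    realm=$(awk '
        /^[ \t]*#/ { next }                      # skip commented-out blocks
        tolower($1) == "authtype" && tolower($2) == "digest" { d = 1 }
        tolower($1) == "authname" { n = $2 }     # assumes a realm without spaces
        /<\/Location>/ {
            if (d && n != "") { gsub(/"/, "", n); print n; exit }
            d = 0
            n = ""
        }
    ' "$vhost")
    [ -n "$realm" ] || { echo "no Digest AuthName found in $vhost" >&2; return 2; }
    bad=$(awk -F: -v r="$realm" '$2 != r { print $1 " (realm " $2 ")" }' "$digestfile")
    [ -z "$bad" ] && return 0
    printf 'realm mismatch, expected %s: %s\n' "$realm" "$bad"
    return 1
}
```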

Enable WebDAV lock

Although optional, the lock database prevents multiple users from overwriting the same file simultaneously.

  • Create a global Apache2 configuration file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/apache2/conf.d/WebDAV

and add the single line:

DavLockDB /var/lock/apache2/DAVLock

It may be necessary to also add this line to the dav_fs configuration file:

sudo kate /etc/apache2/mods-available/dav_fs.conf

This directive indicates that the locking database files will be named DAVLock by the dav_lock module. These database files will be stored by Apache in the /var/lock/apache2 folder.

  • By default, Apache2 allows a WebDAV client to set the file lock time. Many WebDAV clients, for example, impose a file lock time of 2 minutes. A longer lock time can optionally be imposed by the WebDAV server by adding an additional line:

DAVMinTimeout 300

where in this example the minimum file lock time is set to 5 minutes for all clients; the directive takes its value in seconds. (The default is DAVMinTimeout 0, which indicates that no minimum file lock time is imposed by the server and it is left up to the individual WebDAV clients).

  • Enable the Apache2 dav_lock module:

sudo a2enmod dav_lock
  • Restart Apache2:
sudo /etc/init.d/apache2 restart

Multiple WebDAV servers on a LAN using a single IP address and router

Note: This section is undergoing editing.

  • To run multiple servers (including WebDAV servers) on multiple computers on a LAN using only a single IP address and router, see this solution using reverse proxies in Apache.

  • Each server should have a unique WebDAV folder name. Instead of using WebDAV1 and WebDAV1, different names, such as WebDAV2 and WebDAV2, WebDAV3 and WebDAV3, WebDAV4 and WebDAV4, etc., should be used on each of the individual computers.
  • Each computer's WebDAV folder would then be reached by its own unique label, e.g.
http://myhost.mydomain.org/WebDAV1 

or

http://myhost.mydomain.org/WebDAV2 

or

http://myhost.mydomain.org/WebDAV3 

Alternatively, if each computer has its own unique URL, the unique URL can be used. Adjust the reverse proxy virtual host file (on the primary server that acts as the proxy/reverse proxy to the other servers) accordingly in order to enable this.

This does not always work and a lot of troubleshooting and trial and error is needed to perfect rewrite rules. Sometimes a more reliable method is to just use the RedirectMatch rule with the actual LAN IP address of the second server.

Here is a detailed example, although there are many ways to accomplish this.

  • On the primary server of the LAN (the one to which the router initially directs port 80 traffic), make sure the proxy/reverse proxy modules of Apache2 are enabled and then restart Apache:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo /etc/init.d/apache2 restart

Also make sure the rewrite module is on:

sudo a2enmod rewrite
  • This example assumes the primary server has its own set of WebDAV folders (as in the steps outlined above), labeled WebDAV1/WebDAV1.
  • Duplicate the steps for the second server, substituting WebDAV2 and WebDAV2 in each step.
  • On the primary server, edit the virtual host file for the primary URL (e.g. /etc/apache2/sites-available/mydomainhost) by which the LAN is reached (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/apache2/sites-available/mydomainhost
  • Near the beginning of the file add the lines:
#
 UseCanonicalName off
# 
 RewriteEngine On
 RedirectMatch (.*)/WebDAV2 http://192.168.0.156/WebDAV2

This example assumes, of course, that the second server is located on the LAN at IP address 192.168.0.156. This ensures that the newly transformed URL gets sent to the correct IP address on the LAN. This is the proxy function of the first server. (It also specifies the reverse process.)

The file should now resemble:

<VirtualHost *>
#
 UseCanonicalName off
# 
 RewriteEngine On
 RedirectMatch (.*)/WebDAV2 http://192.168.0.156/WebDAV2
# 
# ServerName WebDAV1.mydomain.org
 ServerName myhost.mydomain.org
 ServerAlias 192.168.0.155 WebDAV1.mydomain.org
#
 ServerAdmin root@localhost
 DocumentRoot /var/www/
#
 Alias /WebDAV1 /var/www/WebDAV1/files
#
<Directory /var/www/WebDAV1/>
   Options Indexes MultiViews
   AllowOverride None
   Order allow,deny
   allow from all
 </Directory>
#
# <Location /WebDAV1>
#  DAV On
#  AuthType Basic
#  AuthName "WebDAV1"
#  AuthUserFile /var/www/WebDAV1/passwd.dav
#  Require valid-user
# </Location>
#
 <Location /WebDAV1>
  DAV On
  AuthType Digest
  AuthName "WebDAV1digest"
  AuthUserFile /var/www/WebDAV1/digestpasswd.dav
  Require valid-user
 </Location>
</VirtualHost>

While this method is not required, it allows the second WebDAV server to be accessed from another computer on the LAN either by http://myhost.mydomain.org/WebDAV2 or by http://WebDAV2.mydomain.org. Using this method, by editing only the virtual host file on the primary server (that acts as proxy), access to the secondary WebDAV server can be selectively restricted to the LAN only or can be enabled for complete access from the Internet at large.

WebDAV with LDAP

Note: This section is undergoing editing.

If an LDAP server exists already, you can use the Apache2 mod_authnz_ldap module.

Do you intend to place each person's website in a separate directory below the common DAV root? If so, you'll probably want to limit access to each directory to its specific user for security. An .htpasswd file in each directory is the easiest solution, but it's safer to put all the access rules in the global WebDAV configuration file located in the /etc/apache2/sites-enabled folder.
