WebDAV Setup


Goals

We want to provide SSL access for users, to their home-directories, using WebDAV. Why WebDAV? Because it is well supported under Windows, OS-X, and Linux, and lowers the barriers to productivity for less-technically-inclined users: setup is minimal, and usage is drag-and-drop familiar.

Constraints

If we have user-home-dirs with restrictive permissions (0700 - no-one else can do anything), then Apache cannot traverse and serve these directories :-( One solution is to run Apache as root:root, which then permits access.

Implementation Overview

We will use two instances of Apache:

  • one public-facing instance, which runs safely as apache:apache on ports 80 and 443. It uses ProxyPass and ProxyPassReverse to talk to the second instance of Apache.
    • this instance of Apache runs chrooted in a vserver-guest environment, as a matter of security and convenience. However, it could just as easily run on a "regular" non-chrooted / non-virtualized server.
  • a second, private instance of Apache, which runs chrooted (in a Gentoo vserver-guest) as root:root and listens on port 8080 internally, talking only to the public-facing instance of Apache. This instance of Apache must be handled with care, because of the potential for serious havoc as root!
    • autofs doesn't (yet?) work with vserver-guests, so all user-home-dirs are NFS-mounted, all the time, via /etc/fstab entries

Reference Basic DAV and LDAP Setup

Environment

  • Gentoo Linux Vserver guest, with the host running kernel 2.6.22-vs2.2.0.6-gentoo
  • Apache 2.2.8 for both the public-facing and private instances of Apache.
  • LDAP auth working, for authenticating WebDAV users. The public-facing instance of Apache is responsible for authenticating, and any authenticated LDAP user is then permitted to access their WebDAV share (authorization = valid user).
    • LDAP can run on a remote machine; in our reference example, OpenLDAP happens to run in yet another vserver-guest environment.
  • Testing was performed using WebDAV-capable clients:
    • Konqueror web-browser under Linux, with syntax: webdavs://<your_server>/<DAV_share>
    • Cadaver Linux command-line DAV client
    • Nautilus under Linux, through the Connect to Server dialogue either found in Nautilus, or accessed from the Gnome > Places menu
    • Mac OS-X: Finder > Go > Connect to Server with syntax https://<your_server>/<DAV_share>
    • Windows XP: use the Add Network Place Wizard with syntax https://<your_server>/<DAV_share>


Implementation Details

Private Apache Running as Root

Apache won't run as root, normally (and, to be sure, this is a GOOD thing :-) ). In order to convince Apache to run as root, you must recompile it with an extra compiler define, -DBIG_SECURITY_HOLE; set this in Gentoo's /etc/make.conf like this:

CFLAGS="-march=nocona -O2 -pipe -DBIG_SECURITY_HOLE"

then re-emerge apache; the emerge -pv output for the build used here looked like this:

[ebuild   R   ] www-servers/apache-2.2.8  USE="ldap ssl -debug -doc (-selinux) -sni -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex  cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias -asis -authn_alias -cern_meta -charset_lite -dumpio -log_forensic -proxy_ftp -version" APACHE2_MPMS="-event -itk -peruser -prefork -worker" 0 kB

Private Apache Startup and Configuration Directives

Place in /etc/conf.d/apache2 for Gentoo:

APACHE2_OPTS="-D DEFAULT_VHOST -D LANGUAGE -D DAV -D DAV_FS -D USERDIR"

Changes needed in /etc/apache/httpd.conf:

# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User root
Group root

Representative entries in /etc/apache2/modules.d/45_mod_dav.conf

<IfDefine DAV>

<IfModule dav_module>
<IfModule dav_fs_module>
<IfModule alias_module>

#
# Distributed authoring and versioning (WebDAV)
#
DavLockDB "/var/lib/dav/lockdb"

UserDir /home/*

<Directory /home/>
    Dav On
    DAVMinTimeout 600

#   so we can ~see~ PHP, rather than interpret/execute
    ForceType text/plain
    DavDepthInfinity On
    Options Indexes FollowSymLinks MultiViews

#   don't give an .htaccess any cred :-)
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>

</IfModule>
</IfModule>
</IfModule>

#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a 
# problem with several clients that do not appropriately handle 
# redirects for folders with DAV methods.
#
<IfModule setenvif_module>
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012345]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
</IfModule>

</IfDefine>

Representative entries in /etc/apache2/vhosts.d/00_default_vhost.conf

# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

<IfDefine DEFAULT_VHOST>
# see bug #178966 why this is in here

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 8080

# Use name-based virtual hosting.
NameVirtualHost *:8080

# When virtual hosts are enabled, the main host defined in the default
# httpd.conf configuration will go away. We redefine it here so that it is
# still available.
#
# If you disable this vhost by removing -D DEFAULT_VHOST from
# /etc/conf.d/apache2, the first defined virtual host elsewhere will be
# the default.
<VirtualHost *:8080>
	ServerName localhost
	Include /etc/apache2/vhosts.d/default_vhost.include

	<IfModule mpm_peruser_module>
		ServerEnvironment root root
	</IfModule>
</VirtualHost>
</IfDefine>

Private Apache NFS Configuration

Entry in /etc/fstab

192.168.0.191:/home	 /home	nfs	rw,soft,intr	0 0

Public-Facing Apache

Compile with some set of Gentoo USE-flags resembling this:

Public-Facing Apache Startup Directives

These go in /etc/conf.d/apache2 for Gentoo:

APACHE2_OPTS="-D DEFAULT_VHOST -D STATUS -D MANUAL -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP -D PROXY -D SSL -D SSL_DEFAULT_VHOST"

Define a virtual host, in the directory /etc/apache2/vhosts.d/ that resembles this example:

<VirtualHost *:443>
    ServerName pritchard.dyndns.org:443
    ProxyPass / http://192.168.0.130:8080/
    ProxyPassReverse / http://192.168.0.130:8080/

<Proxy *>

<IfModule authnz_ldap_module>
#
#   don't give an .htaccess any cred :-)
    AllowOverride None
    Order allow,deny
    Allow from all

#        Basic authentication sends the password base64-encoded, not encrypted;
#        acceptable here only because this vhost is served on port 443 (SSL)
         AuthType Basic
#        LDAP Authentication & Authorization is final; do not check other databases
         AuthzLDAPAuthoritative on
#        Name which will appear in the browser's user/pass dialogue (realm)
         AuthName "Webdav - Restricted Access"
         AuthBasicProvider ldap
         AuthLDAPURL ldap://192.168.0.110:389/ou=users,dc=whiterock?uid?one
         AuthLDAPBindDN "cn=Reader,dc=whiterock"
         AuthLDAPBindPassword <super_secret>

# Use only one of the following possible sections.

#        Explicitly list the permitted users, ~after~ authentication has succeeded.
#        Effectively a 2nd gate, at the authorization phase.
#        Add as many as desired.
         require ldap-user <your_permitted_user_list>

#        There will be times when it's sufficient for an authenticated user to be
#        authorized and granted access; if they're good in LDAP, they're OK by me.
#        In this case, any LDAP valid user is fine; Apache won't restrict further.
#         require valid-user

</IfModule>

</Proxy>
</VirtualHost>


Testing

  • Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authorization
    • change the <Limit> </Limit> containers above, to <LimitExcept> </LimitExcept>
    • anyone, anywhere can now browse your DAV share!! Don't put valuable stuff in your DAV-root, just test-files
  • Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of (LDIF) output:
hostname ~ # ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W
Enter LDAP Password: ultra_secret
  • in a dedicated console-window, you can watch what Apache thinks of your DAV and http connection-attempts:
hostname ~ # tail -f /var/log/apache2/error_log
  • to test-connect:
hostname ~ # cadaver http://localhost/<your_DAV_share>
  • Connection-attempt results:
    • Apache status code 200 or 207 is what you're after: things are good
    • Apache status 405 (Method not Allowed) probably means you don't really have a DAV filesystem serving
      • check compile options
      • check apache startup directives
      • check /etc/apache2/modules.d/45_mod_dav.conf
      • take authentication / authorization out of the picture (disable) until you can clear this fundamental DAV protocol issue
    • Apache status codes 401 and 403 are common with authentication/authorization problems
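The private instance on port 8080 carries no authentication directives of its own, so the only things standing between the network and a root-running DAV server are the public proxy's LDAP gate and whatever keeps port 8080 unreachable. The script below is an added example, not part of the original page: it probes both ends without credentials and maps each answer onto the status-code list above; the host names, port 8080 and the /~gordonp/ share path are assumed from this page's own configuration.

```python
"""Unauthenticated probe of the two-instance WebDAV setup (added example, not part
of the original page); a transport failure is the *desired* result on port 8080."""
import http.client
import socket

# Hints follow the page's "Connection-attempt results" list.
HINTS = {
    200: "good: DAV is serving",
    207: "good: Multi-Status, PROPFIND answered by mod_dav",
    401: "authentication problem: check AuthLDAPURL, bind DN and bind password",
    403: "authorization problem: authenticated, but not in the require list",
    405: "no DAV filesystem serving: check compile options, APACHE2_OPTS, 45_mod_dav.conf",
}

def diagnose(status, headers=None):
    """Map an HTTP status (int) or transport failure (str) to the page's hint."""
    if isinstance(status, str):
        return "port not reachable (%s)" % status
    hint = HINTS.get(status, "unexpected status %d" % status)
    if status == 405 and headers and "allow" in headers:
        hint += " (server Allow: %s)" % headers["allow"]
    return hint

def probe(host, port, path, use_tls, method="PROPFIND", timeout=5):
    """One credential-less DAV request: (status, headers) or (failure, {})."""
    try:
        cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
        conn = cls(host, port, timeout=timeout)   # HTTPS verifies the cert by default
        conn.request(method, path, headers={"Depth": "0"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except socket.timeout:
        return "timeout", {}
    except OSError:                 # refused, no route, DNS or TLS failure
        return "unreachable", {}

def boundary_ok(public_status, private_status):
    """Holds only if the proxy demands credentials (401) and the root-running
    private instance cannot be reached at all from where the probe runs."""
    return public_status == 401 and private_status in ("timeout", "unreachable")

if __name__ == "__main__":
    share = "/~gordonp/"   # assumed: UserDir /home/* maps /~user/ to /home/user
    pub = probe("pritchard.dyndns.org", 443, share, use_tls=True)
    priv = probe("192.168.0.130", 8080, share, use_tls=False)  # run from outside the LAN
    print("public :", pub[0], diagnose(*pub))
    print("private:", priv[0], diagnose(*priv))
    print("boundary ok" if boundary_ok(pub[0], priv[0]) else "EXPOSED: fix firewall / Listen")
```

Run it from a host that is not the proxy itself; a 207 from the public side without credentials, or any HTTP status at all from 192.168.0.130:8080, means the root-running instance is exposed.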




Reference DAV, LDAP and AutoFS

To make WebDAV really useful, we want to have our user authenticate, get authorized, then access their home-directory.

Setup Automounting

Walk before running (with scissors :-) ) - get AutoFS (automounting) working first, independently of any other complexity:

hostname ~ # emerge -pv nfs-utils autofs

Edit the master autofs file to look like:

hostname ~ # emacs -nw /etc/autofs/auto.master

/home  /etc/autofs/auto.home

Now that we've referred autofs to use the auto.home file, we'd better create it; just one line:

hostname ~ # emacs -nw /etc/autofs/auto.home

*       -rw,soft,intr   192.168.0.192:/home/&

Now, fire up the services, and then check that portmap and automount are running (with ps aux for example)

hostname ~ # /etc/init.d/nfsmount start
hostname ~ # /etc/init.d/autofs start

Verify that you can automount something - typically by changing to a directory such as /home/gordonp and performing an ls. You should see all the stuff you'd normally see in that home-dir.

Make these services stick between reboots:

hostname ~ # rc-update add nfsmount default
hostname ~ # rc-update add autofs default