WebDAV
Current revision as of 20:09, 7 February 2012
WebDAV is a method for allowing remote access to local folders via an HTTP-based web browser. In other words, an HTTP-based file server is created (using the Apache2 server platform in these examples, since the Apache2 webserver has a built-in WebDAV module).
This can be combined with user authentication (using LDAP or a number of other password mechanisms).
WebDAV Server Installation
Install Apache webserver
- Apache2 must be installed, either alone or as part of a LAMP server.
sudo apt-get install apache2
or
sudo apt-get install tasksel
sudo tasksel install lamp-server
Open your firewall
Remember, WebDAV is an HTTP server. The incoming default HTTP and/or HTTPS ports (80 and/or 443) should be open to the server. It is, of course, also possible to use custom ports by changing the allowed incoming ports in the firewall, the virtual host configuration file, and, of course, the URL used to reach the WebDAV server.
Enable the Apache2 WebDAV modules
- Enable the dav and dav_fs modules:
sudo a2enmod dav_fs
- Restart Apache2:
sudo /etc/init.d/apache2 restart
Create a folder for WebDAV use
There are two options:
- Create a WebDAV directory in the /var/www folder:
sudo mkdir /var/www/WebDAV1
or
Create a WebDAV directory in the /home/user/ (also known as ~/) folder and create a symbolic link:
mkdir ~/WebDAV1
sudo ln -s ~/WebDAV1 /var/www/
- Create a subdirectory for files:
sudo mkdir /var/www/WebDAV1/files
- Note: In the next several steps, file/folder ownership and permissions can also be adjusted from a File Manager (such as Dolphin in Kubuntu or Nautilus in Ubuntu) as root:
sudo dolphin
- or
sudo nautilus
- Make sure the owner of whichever WebDAV folder was created (and its subfolders, using the -R recursive switch) is www-data (the user ID for Apache2) and the group is that of your user ID (or, alternatively, root):
sudo chown -R www-data:user /var/www/WebDAV1
- or
sudo chown -R www-data:user ~/WebDAV1
Alternatively you could create a webdav user group so that some group of local users could access the files locally (instead of through WebDAV). Add the individual users to that group and use webdav as the group instead of a single user (or root), for example:
sudo chown -R www-data:webdav /var/www/WebDAV1
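- To allow files in the WebDAV folder (and its subfolders) to be Read/Write but not eXecutable (which may be a security risk on some servers), set the file and directory modes separately. Directories keep the execute bit, because without it Apache cannot enter them:
sudo find /var/www/WebDAV1 -type d -exec chmod 775 {} +
sudo find /var/www/WebDAV1 -type f -exec chmod 664 {} +
- or
sudo find ~/WebDAV1 -type d -exec chmod 775 {} +
sudo find ~/WebDAV1 -type f -exec chmod 664 {} +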
Create or edit the virtual host file
- Edit the virtual host (vhost) file used for the URL through which WebDAV will be accessed (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/apache2/sites-available/mydomainhost
where mydomainhost is the name of the virtual host configuration file used for your URL. If you are using the default virtual host file, edit that one.
Add the line
Alias /webdav1 /var/www/WebDAV1/files
so that accessing the WebDAV folder using the URL
http://myhost.mydomain.org/webdav1
will forward to the correct folder (/var/www/WebDAV1/files) on the computer.
- The final virtual host file ought to resemble:
    <VirtualHost *>
    #
    # UseCanonicalName off
    # ServerName webdav1.mydomain.org
    ServerName myhost.mydomain.org
    ServerAlias 192.168.0.155 webdav1.mydomain.org
    #
    ServerAdmin root@localhost
    DocumentRoot /var/www/
    #
    Alias /webdav1 /var/www/WebDAV1/files
    #
    <Directory /var/www/WebDAV1/>
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    </Directory>
    </VirtualHost>
In this example, the WebDAV server is on the primary server, so the URL is the same as that of the primary server (and would be accessed from http://myhost.mydomain.org/webdav1). The primary server's IP address on the LAN (in this example) is 192.168.0.155, so to access it from the LAN, this address could also be used: http://192.168.0.155/webdav1.
- Enable the virtual host (vhost):
sudo ln -s /etc/apache2/sites-available/mydomainhost /etc/apache2/sites-enabled/
- Restart Apache2:
sudo /etc/init.d/apache2 restart
- Test that the folders are reachable through Apache2 using:
- http://localhost/webdav1
- or
- http://192.168.0.155/webdav1
Create password access for the WebDAV folders
- Note: This method uses HTTP Basic Authentication as outlined in the Apache documentation. However, this same documentation recommends against routine use of HTTP Basic Authentication (which transmits unencrypted passwords, inviting password sniffing) and instead recommends HTTP Digest Authentication (or at least HTTP Basic Authentication over SSL). Refer to the Apache documentation for more details.
- Create the WebDAV password file /var/www/WebDAV1/passwd.dav with the user testuser. For more info see here. (The -c switch creates the file if it does not exist.):
sudo htpasswd -c /var/www/WebDAV1/passwd.dav testuser
- Type in a password for the user testuser.
We will later use this userID when connecting to the WebDAV URL:
- http://myhost.mydomain.org/webdav1
- Add other users (e.g. testuser2, testuser3, etc.) as needed. (Omit the -c switch because the password file already exists.)
sudo htpasswd /var/www/WebDAV1/passwd.dav testuser2
- Note: See below for adding a password for users accessing WebDAV folders from Windows clients.
- Change the permissions of the /var/www/WebDAV1/passwd.dav file so that only www-data (as owner) and user (or, alternatively, root) as the group can access it:
sudo chown www-data:user /var/www/WebDAV1/passwd.dav
sudo chmod 660 /var/www/WebDAV1/passwd.dav
- Note: I personally use chmod 460, which does not allow the www-data owner to write to the file (only read permissions are allowed). Only members of the local group user can read/write to the file using this chmod 460 setting.
- Edit the virtual host (vhost) file /etc/apache2/sites-available/mydomainhost (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/apache2/sites-available/mydomainhost
- and add the following lines to it:
    #
    <Location /webdav1>
    DAV On
    AuthType Basic
    AuthName "webdav1"
    AuthUserFile /var/www/WebDAV1/passwd.dav
    Require valid-user
    </Location>
The final virtual host (vhost) file should resemble:
    <VirtualHost *>
    #
    # UseCanonicalName off
    # ServerName webdav1.mydomain.org
    ServerName myhost.mydomain.org
    ServerAlias 192.168.0.155 webdav1.mydomain.org
    #
    ServerAdmin root@localhost
    DocumentRoot /var/www/
    #
    Alias /webdav1 /var/www/WebDAV1/files
    #
    <Directory /var/www/WebDAV1/>
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    </Directory>
    #
    <Location /webdav1>
    DAV On
    AuthType Basic
    AuthName "webdav1"
    AuthUserFile /var/www/WebDAV1/passwd.dav
    Require valid-user
    </Location>
    </VirtualHost>
- Reload Apache:
sudo /etc/init.d/apache2 reload
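The vhost above attaches the password prompt only to the /webdav1 alias, while the served files and passwd.dav both sit below DocumentRoot /var/www/, where the plain <Directory> block still allows access without authentication. The audit below is an added example, not part of the original guide; the function names and the /srv/webdav1 and /etc/apache2/webdav1 paths in the second sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Flags password files and
# Alias targets that sit below DocumentRoot, where the <Location> auth
# on the alias URL does not cover them.

# audit_vhost FILE: print one finding per line; print nothing if clean.
audit_vhost() {
    awk '
        function clean(p)    { gsub(/"/, "", p); sub(/\/+$/, "", p); return p }
        function under(p, r) { return index(p "/", r "/") == 1 }
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        { key = tolower($1) }                 # directive names are case-insensitive
        key == "documentroot" { root = clean($2) }
        key == "alias"        { target[++n] = clean($3) }
        key == "authuserfile" { pwfile[++m] = clean($2) }
        END {
            if (root == "") exit
            for (i = 1; i <= m; i++) if (under(pwfile[i], root))
                print "AUTHFILE_IN_DOCROOT " pwfile[i]
            for (i = 1; i <= n; i++) if (under(target[i], root))
                print "ALIAS_TARGET_IN_DOCROOT " target[i]
        }
    ' "$1"
}

# Constructed sample 1: the layout used on this page (Basic auth variant).
page_layout() {
    cat <<'EOF'
<VirtualHost *>
DocumentRoot /var/www/
Alias /webdav1 /var/www/WebDAV1/files
<Location /webdav1>
DAV On
AuthType Basic
AuthName "webdav1"
AuthUserFile /var/www/WebDAV1/passwd.dav
Require valid-user
</Location>
</VirtualHost>
EOF
}

# Constructed sample 2: same vhost with the data and the password file
# moved out of DocumentRoot (both target paths are assumed, not the page's).
moved_layout() {
    page_layout | sed -e 's#/var/www/WebDAV1/files#/srv/webdav1/files#' \
        -e 's#/var/www/WebDAV1/passwd.dav#/etc/apache2/webdav1/passwd.dav#'
}

# audit_sample NAME: write one of the samples to a temp file and audit it.
audit_sample() {
    tmp=$(mktemp) && "$1" > "$tmp" && audit_vhost "$tmp"
    rm -f "$tmp"
}

echo "page layout:";  audit_sample page_layout
echo "moved layout:"; audit_sample moved_layout
```

Run `audit_vhost /etc/apache2/sites-available/mydomainhost` against the real file; an empty result means neither the password file nor an alias target lies below DocumentRoot.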
Testing WebDAV
- Install cadaver, a command-line WebDAV client:
sudo apt-get install cadaver
- Test if WebDAV works:
cadaver http://localhost/webdav1/
You should be prompted for a user name. Type in testuser and then the password for testuser. If all goes well, you should be granted access which means WebDAV is working ok. To leave the WebDAV shell, type quit:
    server1:~# cadaver http://localhost/webdav1/
    Authentication required for test on server `localhost':
    Username: testuser
    Password: *******
    dav:/webdav1/> quit
    Connection to `localhost' closed.
    server1:~#
Set up Digest Authorization (encrypted passwords)
- Enable the HTTP Digest Authentication module:
sudo a2enmod auth_digest
- Create a digest authorization password file:
sudo htdigest -c /var/www/WebDAV1/digestpasswd.dav webdav1digest testuser
- Add other users (e.g. testuser2, testuser3, etc.) as needed. (Omit the -c switch because the password file already exists.)
sudo htdigest /var/www/WebDAV1/digestpasswd.dav webdav1digest testuser2
- Note: See below for adding a password for users accessing WebDAV folders from Windows clients.
- Change the permissions of the /var/www/WebDAV1/digestpasswd.dav file so that only www-data (as owner) and user (or, alternatively, root) as the group can access it:
sudo chown www-data:user /var/www/WebDAV1/digestpasswd.dav
sudo chmod 660 /var/www/WebDAV1/digestpasswd.dav
- Note: I personally use chmod 460, which does not allow the www-data owner to write to the file (only read permissions are allowed). Only members of the local group user can read/write to the file using this chmod 460 setting.
- Edit the virtual host (vhost) file /etc/apache2/sites-available/mydomainhost (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/apache2/sites-available/mydomainhost
- and this time add the following lines to it:
    #
    <Location /webdav1>
    DAV On
    AuthType Digest
    AuthName "webdav1digest"
    AuthUserFile /var/www/WebDAV1/digestpasswd.dav
    Require valid-user
    </Location>
so that the final file resembles:
    <VirtualHost *>
    #
    # UseCanonicalName off
    # ServerName webdav1.mydomain.org
    ServerName myhost.mydomain.org
    ServerAlias 192.168.0.155 webdav1.mydomain.org
    #
    ServerAdmin root@localhost
    DocumentRoot /var/www/
    #
    Alias /webdav1 /var/www/WebDAV1/files
    #
    <Directory /var/www/WebDAV1/>
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    </Directory>
    #
    # <Location /webdav1>
    # DAV On
    # AuthType Basic
    # AuthName "webdav1"
    # AuthUserFile /var/www/WebDAV1/passwd.dav
    # Require valid-user
    # </Location>
    #
    <Location /webdav1>
    DAV On
    AuthType Digest
    AuthName "webdav1digest"
    AuthUserFile /var/www/WebDAV1/digestpasswd.dav
    Require valid-user
    </Location>
    </VirtualHost>
Enable WebDAV lock
Although optional, the lock database prevents multiple users from overwriting the same file simultaneously.
- Create a global Apache2 configuration file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/apache2/conf.d/webdav
- and add the single line:
DavLockDB /var/lock/apache2/DAVLock
- It may be necessary to also add this line to the dav_fs configuration file:
sudo kate /etc/apache2/mods-available/dav_fs.conf
This directive indicates that the locking database files will be named DAVLock by the dav_lock module. These database files will be stored by Apache in the /var/lock/apache2 folder.
- By default, Apache2 allows a WebDAV client to set the file lock time. Many WebDAV clients, for example, impose a file lock time of 2 minutes. A longer lock time can optionally be imposed by the WebDAV server by adding an additional line:
DAVMinTimeout 300
- where in this example the minimum file lock time is set to 5 minutes for all clients (the directive takes its value in seconds). (The default is DAVMinTimeout 0, which indicates that no minimum file lock time is imposed by the server and it is left up to the individual WebDAV clients).
- Enable the Apache2 dav_lock module:
sudo a2enmod dav_lock
- Restart Apache2:
sudo /etc/init.d/apache2 restart
Multiple WebDAV servers on a LAN using a single IP address and router
Note: This section is undergoing editing.
- To run multiple servers (including WebDAV servers) on multiple computers on a LAN using only a single IP address and router, see this solution using reverse proxies in Apache.
- Each server should have a unique WebDAV folder name. Instead of using WebDAV1 and webdav1, different names, such as WebDAV2 and webdav2, WebDAV3 and webdav3, WebDAV4 and webdav4, etc., should be used on each of the individual computers.
- Each computer's WebDAV folder would then be reached by its own unique label, e.g.
- http://myhost.mydomain.org/webdav1
- or
- http://myhost.mydomain.org/webdav2
- or
- http://myhost.mydomain.org/webdav3
Alternatively, if each computer has its own unique URL, the unique URL can be used. Adjust the reverse proxy virtual host file (on the primary server that acts as the proxy/reverse proxy to the other servers) accordingly in order to enable this.
This does not always work and a lot of troubleshooting and trial and error is needed to perfect rewrite rules. Sometimes a more reliable method is to just use the RedirectMatch rule with the actual LAN IP address of the second server.
Here is a detailed example, although there are many ways to accomplish this.
- On the primary server of the LAN (the one to which the router initially directs port 80 traffic), make sure the proxy/reverse proxy modules of Apache2 are enabled and then restart Apache:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo /etc/init.d/apache2 restart
- Also make sure the rewrite module is on:
sudo a2enmod rewrite
- This example assumes the primary server has its own set of WebDAV folders (as in the steps outlined above), labeled webdav1/WebDAV1.
- Duplicate the steps for the second server, substituting webdav2 and WebDAV2 in each step.
- On the primary server, edit the virtual host file for the primary URL (e.g. /etc/apache2/sites-available/mydomainhost) by which the LAN is reached (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/apache2/sites-available/mydomainhost
- Near the beginning of the file add the lines:
    #
    UseCanonicalName off
    #
    RewriteEngine On
    RedirectMatch (.*)/webdav2 http://192.168.0.156/webdav2
This example assumes, of course, that the second server is located on the LAN at IP address 192.168.0.156. This ensures that the newly transformed URL gets sent to the correct IP address on the LAN. This is the proxy function of the first server. (It also specifies the reverse process.)
The file should now resemble:
    <VirtualHost *>
    #
    UseCanonicalName off
    #
    RewriteEngine On
    RedirectMatch (.*)/webdav2 http://192.168.0.156/webdav2
    #
    # ServerName webdav1.mydomain.org
    ServerName myhost.mydomain.org
    ServerAlias 192.168.0.155 webdav1.mydomain.org
    #
    ServerAdmin root@localhost
    DocumentRoot /var/www/
    #
    Alias /webdav1 /var/www/WebDAV1/files
    #
    <Directory /var/www/WebDAV1/>
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    </Directory>
    #
    # <Location /webdav1>
    # DAV On
    # AuthType Basic
    # AuthName "webdav1"
    # AuthUserFile /var/www/WebDAV1/passwd.dav
    # Require valid-user
    # </Location>
    #
    <Location /webdav1>
    DAV On
    AuthType Digest
    AuthName "webdav1digest"
    AuthUserFile /var/www/WebDAV1/digestpasswd.dav
    Require valid-user
    </Location>
    </VirtualHost>
While this method is not required, it allows the second WebDAV server to be accessed from another computer on the LAN either by http://myhost.mydomain.org/webdav2 or by http://webdav2.mydomain.org. Using this method, by editing only the virtual host file on the primary server (that acts as proxy), access to the secondary WebDAV server can be selectively restricted to the LAN only or can be enabled for complete access from the Internet at large.
WebDAV with LDAP
Note: This section is undergoing editing.
If an LDAP server exists already, you can use the Apache2 mod_authnz_ldap module.
Do you intend to place each person's website in a separate directory below the common DAV root? If so, you'll probably want to limit access to each directory to its specific user for security. An .htpasswd file in each directory is the easiest solution, but it's safer to put all the access rules in the global WebDAV configuration file located in the /etc/apache2/sites-enabled folder.
WebDAV Clients
Dolphin
The Dolphin File Manager used in the KDE desktop of Kubuntu has built-in WebDAV support. A folder on a WebDAV server can be accessed directly by entering its location in the location bar. Examples:
webdav://localhost/webdav1
- or
webdav://myhost.mydomain.org/webdav1
Note that a location can be made a permanent folder in Dolphin by right-clicking on the leftmost Places panel --> Add entry... -> Location: webdav://localhost/webdav1
Nautilus
The Nautilus File Manager used in the Gnome desktop of Ubuntu has built-in WebDAV support. A folder on a WebDAV server can be accessed directly.
- Nautilus -> File -> Connect to Server -> Service Type: WebDAV (HTTP) -> Server: localhost/webdav1
- or
- Nautilus -> File -> Connect to Server -> Service Type: WebDAV (HTTP) -> Server: myhost.mydomain.org/webdav1
Firefox
The Firefox web browser natively recognizes WebDAV folders. Merely enter the URL of the WebDAV folder in the location bar:
http://myhost.mydomain.org/webdav1
Konqueror/Rekonq
The Konqueror (now Rekonq) web browser of the KDE desktop in Kubuntu natively recognizes WebDAV folders. Merely enter the URL of the WebDAV folder in the location bar:
http://myhost.mydomain.org/webdav1
Cadaver
Cadaver is a command-line interface for WebDAV. It can be useful for automated and script-based command-line functions, such as remote copying. Install:
sudo apt-get install cadaver
Windows
Windows Explorer in Windows has built-in WebDAV support. Map the WebDAV folder to a lettered drive:
- Windows Explorer -> Tools -> Map network drive... -> Folder: http://myhost.mydomain.org/webdav1
Creating passwords for Windows clients
Some Windows clients (including Windows Explorer in XP) append the URL of the WebDAV folder to the user name. For example, when a WebDAV request is made by testuser3 to the WebDAV server at http://myhost.mydomain.org/webdav1, Windows will send a request for access as myhost.mydomain.org\testuser3. To accommodate this behavior, additional user accounts in the Windows format must be added to the password file on the WebDAV server. Note the extra \ .
- If using Basic Authentication, add the user to the password file:
sudo htpasswd /var/www/WebDAV1/passwd.dav myhost.mydomain.org\\testuser
- If using Digest Authentication, add the user to the password file:
sudo htdigest /var/www/WebDAV1/digestpasswd.dav webdav1digest myhost.mydomain.org\\testuser
- Note: There is a bug in the Windows WebDAV redirector when used with Digest Authentication. (See this tutorial for more details.) A workaround entails mapping the WebDAV folder to a drive letter using the command line. This can only be done in a Windows computer that has just been booted.
- Mount the WebDAV folder to a Windows drive letter with the Net use command. Enter the following into the Windows Start menu -> Run... command line:
net use * "http://myhost.mydomain.org/webdav1/" testuserpassword /user:myhost.mydomain.org\testuser
- A specific drive letter (such as W:) can be used instead of the *. The * option specifies to mount the resource to the next available Windows drive letter.
- To make the mapping permanent, add the option /persistent:yes
- A (.bat) batch file can be created that contains this net use command. A Windows shortcut to this batch file can then be placed in the Windows Start menu -> Programs -> Start folder. This will run the net use command (from the batch file) at every bootup (following the start of all basic services). The batch file may need to address the net command by its absolute folder location:
C:\WINDOWS\system32\net use * "http://myhost.mydomain.org/webdav1/" testuserpassword /user:myhost.mydomain.org\testuser
- To disconnect a web folder (either from the Start menu -> Run... dialog box or from a batch file), where X: is the mounted Windows drive letter:
net use X: /delete
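Each line of the Digest password file stores user:realm:MD5(user:realm:password), which is why the realm given to htdigest must equal AuthName and why the Windows-style name needs its own entry (both described in the Digest sections above). The following is an added example, not part of the original guide; the function names and the sample password are assumptions, and md5sum from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original page.

# ha1 USER REALM PASSWORD: hex MD5 of "USER:REALM:PASSWORD".
ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# digest_entry USER REALM PASSWORD: one line in htdigest file format.
digest_entry() {
    printf '%s:%s:%s\n' "$1" "$2" "$(ha1 "$1" "$2" "$3")"
}

# check_login FILE USER REALM PASSWORD: succeeds only if the file holds an
# entry for exactly this user name, realm and password.
check_login() {
    grep -Fqx -- "$(digest_entry "$2" "$3" "$4")" "$1"
}

# realm_mismatches FILE AUTHNAME: list entries whose realm differs from the
# AuthName in the vhost; such entries can never authenticate.
realm_mismatches() {
    awk -F: -v realm="$2" '$2 != realm { print $1 " (" $2 ")" }' "$1"
}

# Constructed sample file; the password is a made-up value.
sample_file() {
    digest_entry 'testuser' 'webdav1digest' 'example-pass'
    digest_entry 'myhost.mydomain.org\testuser' 'webdav1digest' 'example-pass'
    digest_entry 'testuser2' 'webdav1' 'example-pass'   # realm typed wrong
}

f=$(mktemp)
sample_file > "$f"
cat "$f"

# The hash covers the user name, so the plain and the Windows-style name
# are two unrelated entries even with the same password.
check_login "$f" 'testuser' 'webdav1digest' 'example-pass' \
    && echo "testuser: entry found"
check_login "$f" 'myhost.mydomain.org\testuser' 'webdav1digest' 'example-pass' \
    && echo "Windows-style name: entry found"

echo "entries that do not match AuthName webdav1digest:"
realm_mismatches "$f" 'webdav1digest'
rm -f "$f"
```

Because the stored hash is unsalted and is all a client needs to answer a Digest challenge for that realm, digestpasswd.dav deserves the same protection as a plaintext password list.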
Android
- The Android web browser natively recognizes WebDAV folders. Merely enter the URL of the WebDAV folder in the location bar:
http://myhost.mydomain.org/webdav1
References
- Simple WebDAV setup and WebDAV authentication (from the ArchLinux wiki)
- Debian Administration article on WebDAV
- Tutorial for using a Windows client to access a WebDAV folder.
- WebDAV in Apache
