HOW-TO: Red Hat 9 – Apache 2 – WebDAV

This document describes setting up WebDAV on Apache 2 on a Red Hat 9 system. It assumes that apache is more or less unmodified – if you’ve made changes, adjust accordingly.

Requirements

(…fix me…)

Outline

  1. Make sure apache, SSL, and mod_dav are installed
  2. Ensure SSL is working with Apache
  3. (…fix me…)

Detail

Ensure server has all necessary packages

On Red Hat 9, httpd-2.0x includes the apache WebDAV modules. Ensure httpd-2.0 is installed:

# rpm -qa | grep httpd

httpd-2.0.40-21.5

Just checking to make sure httpd-2.0 provides mod_dav:

# rpm -q --provides httpd | grep dav

mod_dav.so
mod_dav_fs.so

The default Red Hat apache configuration file (/etc/httpd/conf/httpd.conf) should contain directives supporting WebDAV. If you run into problems, see http://httpd.apache.org/docs-2.0/mod/mod_dav.html and compare this to the contents of your httpd.conf.

In this document, we’re going to use basic authentication over SSL – so ensure that openssl and mod_ssl are installed:

# rpm -qa | grep -i ssl

openssl096b-0.9.6b-12
openssl-devel-0.9.7a-20
openssl095a-0.9.5a-19
perl-Crypt-SSLeay-0.45-7
pyOpenSSL-0.5.1-8
docbook-style-dsssl-1.76-8
openssl-0.9.7a-20
openssl096-0.9.6-23.9
openssl-perl-0.9.7a-20
mod_ssl-2.0.40-21.5

Set up SSL

If you haven’t configured SSL on your server yet, create an SSL certificate for your host. Red Hat 9 has a makefile that expedites this process.

Go to the directory containing the makefile and create a certificate and key file (.pem) for your host. You can name it [anything].pem; naming it after the host seems handy:

# cd /etc/httpd/conf
# make www.myhost.org.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
cat $PEM1 > www.myhost.org.pem ; \
echo "" >> www.myhost.org.pem ; \
cat $PEM2 >> www.myhost.org.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
…………………………………….++++++
………..++++++
writing new private key to '/tmp/openssl.c7ucXb'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:CT
Locality Name (eg, city) [Newbury]:HappyTown
Organization Name (eg, company) [My Company Ltd]:Happiness
Organizational Unit Name (eg, section) []:Happy Department
Common Name (eg, your name or your server's hostname) []:www.myhost.org
Email Address []:sysadmin@myhost.org

Move the certificate to the certificate directory:

# mv /etc/httpd/conf/www.myhost.org.pem /etc/httpd/conf/ssl.crt/

Indicate the location of the certificate in apache’s SSL configuration file, /etc/httpd/conf.d/ssl.conf. You don’t need the default SSLCertificateFile and SSLCertificateKeyFile directives, so comment them out by putting a # at the beginning of those lines. Then add an SSLCertificateFile directive that points to your new certificate:

SSLCertificateFile /etc/httpd/conf/ssl.crt/www.myhost.org.pem

An SSLCertificateKeyFile directive isn’t necessary since the .pem file contains the key along with the certificate.

Start (or restart) apache:

# service httpd start

If the service fails to start, check the log files in /var/log/httpd/ for
clues.

Assuming apache starts, access it over SSL with a web browser:

https://www.myhost.org/

Since you’re using a self-signed certificate, you’ll probably get a warning
stating that it’s certified by an unknown authority – that’s OK.

Create WebDAV directory

You must create a directory on the server where apache will keep files stored by WebDAV (each user will have a subdirectory in this directory). The webdav directory must belong to the apache service account. For Red Hat 9, this account is probably "apache". If apache is running you can determine the account by checking the list of running processes:

# ps axu | grep httpd

root      1262  0.0  0.0 81048  884 ?        S    Jan06   0:42 /usr/sbin/httpd –
apache   26102  0.0  0.2 82524 2380 ?        S    Jan29   0:00 /usr/sbin/httpd –
apache   26103  0.0  0.2 82528 2392 ?        S    Jan29   0:00 /usr/sbin/httpd –
apache   26104  0.0  0.2 82528 2896 ?        S    Jan29   0:00 /usr/sbin/httpd –
apache   26105  0.0  0.2 82528 2400 ?        S    Jan29   0:00 /usr/sbin/httpd –
apache   26106  0.0  0.2 82528 2432 ?        S    Jan29   0:00 /usr/sbin/httpd –
apache   26107  0.0  0.2 82524 2372 ?        S    Jan29   0:00 /usr/sbin/httpd –
apache   26108  0.0  0.2 82524 2424 ?        S    Jan29   0:00 /usr/sbin/httpd –
apache   26109  0.0  0.2 82524 2404 ?        S    Jan29   0:00 /usr/sbin/httpd –
root     32025  0.0  0.0  1740  596 pts/0    S    03:26   0:00 grep httpd

Looks like it’s "apache" (first column). You can also check the apache configuration file for the "User" and "Group" statements (filtering out comments):

# grep "User " /etc/httpd/conf/httpd.conf | grep -v ^#

User apache

# grep "Group " /etc/httpd/conf/httpd.conf | grep -v ^#

Group apache

We will use /var/www/webdav as the WebDAV directory:

# mkdir /var/www/webdav

This is outside of apache’s document root, /var/www/html. Later we will use an Alias directive in ssl.conf to tell apache where to find it.

Change ownership and make the webdav directory readable by the apache
service account:

# chown root:apache /var/www/webdav
# chmod 750 /var/www/webdav

We’ll come back to this directory and create subdirectories for individual
users later.

Authentication

There are several ways apache can authenticate users. In this document we’ll
use htpasswd to create a user authentication file named passwd.dav.

Create a place to put passwd.dav and set permissions so that only the apache
service account can read it:

# mkdir /etc/httpd/passwd
# chown root:apache /etc/httpd/passwd
# chmod 750 /etc/httpd/passwd

Now use htpasswd to create the password file and add our first user:

# htpasswd -c /etc/httpd/passwd/passwd.dav flacco
New password:
Re-type new password:
Adding password for user flacco

NOTE – use the -c flag to htpasswd only the first time you use it
– this creates the password file. If you use -c subsequently, you will
overwrite the password file (and any existing passwords).

Set ownership and permissions so that only the apache service account can
read it:

# chown root:apache /etc/httpd/passwd/passwd.dav
# chmod 640 /etc/httpd/passwd/passwd.dav

User directories

Create a directory for our user (flacco) to store his files via webdav:

# mkdir /var/www/webdav/flacco

Change ownership and permissions on this directory so that it’s accessible only by the apache service account:

# chown apache:apache /var/www/webdav/flacco
# chmod 750 /var/www/webdav/flacco

NOTE – mod_dav assumes that it will have exclusive access to
files accessed via WebDAV; allowing users to access/modify these files via
other means is discouraged. Read more here: http://www.webdav.org/mod_dav/
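
An audit of the ownership and modes set in the steps above, added here as an example that is not part of the original how-to. It assumes GNU stat; check_perm and audit_webdav are names chosen for this example.

```sh
#!/bin/sh
# Added example, not part of the original how-to. Assumes GNU stat (coreutils).

# check_perm PATH MODE [OWNER:GROUP]
# Report whether PATH has the given octal mode and, if given, owner and group.
check_perm() {
    path=$1
    want_mode=$2
    want_owner=${3:-}
    if [ ! -e "$path" ]; then
        echo "MISSING   $path"
        return 1
    fi
    have_mode=$(stat -c '%a' "$path")
    have_owner=$(stat -c '%U:%G' "$path")
    if [ "$have_mode" != "$want_mode" ]; then
        echo "BAD MODE  $path is $have_mode, expected $want_mode"
        return 1
    fi
    if [ -n "$want_owner" ] && [ "$have_owner" != "$want_owner" ]; then
        echo "BAD OWNER $path is $have_owner, expected $want_owner"
        return 1
    fi
    echo "OK        $path $have_mode $have_owner"
}

# audit_webdav: check every path created in this how-to (run as root, since
# /etc/httpd/passwd is not readable by ordinary users).
audit_webdav() {
    rc=0
    check_perm /var/www/webdav 750 root:apache || rc=1
    check_perm /etc/httpd/passwd 750 root:apache || rc=1
    check_perm /etc/httpd/passwd/passwd.dav 640 root:apache || rc=1
    for d in /var/www/webdav/*/; do
        [ -d "$d" ] || continue
        check_perm "${d%/}" 750 apache:apache || rc=1
    done
    return $rc
}

# Run the audit only when called as "script audit", so it can also be sourced.
if [ "${1:-}" = "audit" ]; then audit_webdav; fi
```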

Set up access rules to the WebDAV directory

In apache’s SSL config file, /etc/httpd/conf.d/ssl.conf:

Somewhere between <VirtualHost _default_:443> and </VirtualHost>, add the following:

Alias /webdav/ "/var/www/webdav/"
<Directory /var/www/webdav>
    DAV on
    AuthType Basic
    AuthName "WebDAV Storage"
    AuthUserFile /etc/httpd/passwd/passwd.dav
</Directory>

The Alias directive tells apache where on disk to look when it receives requests for /webdav/.

The DAV on directive turns on WebDAV in the directory (and its subdirectories).

The Auth* directives specify that access to anything in the webdav directory should use basic authentication using the password file we created earlier.

Under that, add directives for each WebDAV user’s directory:

<Directory /var/www/webdav/flacco/>
    require user flacco
</Directory>

Save and exit your editor, and restart apache:

# service httpd restart

If the startup fails, check the server logs for clues.
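
A check for the per-user blocks described above, added here as an example and not part of the original how-to: it lists subdirectories of the WebDAV root that have no <Directory> block of their own containing a require line, which under this configuration would leave them without an access rule. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original how-to.

# protected_dirs CONF
# Print the path of every <Directory> block that contains a Require line.
protected_dirs() {
    awk '
        tolower($1) == "<directory" {
            dir = $2
            gsub(/[">]/, "", dir)    # drop quotes and the closing bracket
            sub(/\/+$/, "", dir)     # ignore a trailing slash
        }
        tolower($1) == "</directory>" { dir = ""; next }
        dir != "" && tolower($1) == "require" { print dir }
    ' "$1" | sort -u
}

# unprotected_users CONF DAV_ROOT
# Print each subdirectory of DAV_ROOT with no such block; return 1 if any.
# Only a block naming the directory itself counts; inheritance is not modelled.
unprotected_users() {
    conf=$1
    root=${2%/}
    found=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if ! protected_dirs "$conf" | grep -qxF "$d"; then
            echo "$d"
            found=1
        fi
    done
    return $found
}

# Constructed sample: two user directories, only flacco has a block.
tmp=$(mktemp -d)
mkdir -p "$tmp/webdav/flacco" "$tmp/webdav/newuser"
cat > "$tmp/ssl.conf" <<EOF
<Directory $tmp/webdav>
    DAV on
</Directory>
<Directory $tmp/webdav/flacco/>
    require user flacco
</Directory>
EOF
unprotected_users "$tmp/ssl.conf" "$tmp/webdav" || echo "add a <Directory> block for the paths above"
rm -rf "$tmp"
```

On the server, call unprotected_users with /etc/httpd/conf.d/ssl.conf and /var/www/webdav each time a user directory is added.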

Test authentication over SSL

Create a test file in the user’s WebDAV directory and change ownership/permissions to the apache service account:

# echo 'hello world!' > /var/www/webdav/flacco/test.txt
# chown apache:apache /var/www/webdav/flacco/test.txt
# chmod 640 /var/www/webdav/flacco/test.txt

Try to access the test file with a browser, without using SSL:

http://www.myhost.org/webdav/flacco/test.txt

You should get a 404 (object not found) error. If you don’t, there’s a problem (perhaps you put the webdav directory inside the apache document root, e.g. /var/www/html/webdav).

Now try to access the test file using SSL:

https://www.myhost.org/webdav/flacco/test.txt

You might get a certificate warning – accept the certificate – and then a login dialog. Log in with the account information you created earlier using htpasswd. If all goes well, you should see this in your browser:

hello world!

At this point, you’re ready to test storing data to the server via WebDAV. For that you’ll need a WebDAV client – like Mozilla Calendar. See this how-to for instructions on publishing Mozilla Calendar events to a WebDAV server (remember to use https:// instead of http://). If you encounter problems, go back to the server and check the server logs for clues.