Securing Your WebDAV Configuration

By default, enabling DAV presents a serious security risk: users will be able to read and modify your web content, which potentially includes the source code of CGI or PHP scripts containing sensitive usernames and passwords. It is therefore necessary to protect access to DAV-enabled resources. Since DAV is built on top of HTTP, this can be accomplished using the standard Apache access-control modules. The example shows how to require a valid username and password for DAV write methods such as MKCOL, while leaving ordinary reads open. This is done using mod_auth, as covered in Chapter 6, together with the <LimitExcept> directive.

Listing 8.1. Protecting DAV Access

<Location />
    Dav On
    AuthType basic
    AuthName "DAV Resource"
    AuthUserFile /usr/local/apache2/conf/htusers
    <LimitExcept GET HEAD OPTIONS>
        require user davuser
    </LimitExcept>
</Location>

<Limit> and <LimitExcept> are two container directives that allow you to apply certain configuration parameters only to specific request methods. While this is not very useful for regular HTTP, it can be very useful for DAV setups. The example allows everyone to access the web content using pure HTTP methods, but restricts DAV access to only authorized users.

There are additional measures you can take, such as running DAV on a separate, single-purpose instance of Apache. That instance can listen on a separate port and be easily trimmed down and secured. You can also configure it to require SSL or IP-based access control for additional protection.
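The following configuration combines those measures into one fragment. It is an added example, not a listing from the book: a dedicated DAV-only virtual host on its own port that accepts DAV traffic only over SSL, keeps the read-only methods open as in Listing 8.1, and requires both a source network and a valid user for every other method. The port, host name, file paths, user name and network range are illustrative assumptions.

```apache
# Added example (not from the book). Port, paths, user and network are assumed.
Listen 8443

# mod_dav_fs needs a writable lock database; path is an assumption.
DavLockDB /usr/local/apache2/var/DavLock

<VirtualHost *:8443>
    ServerName dav.example.com
    DocumentRoot /usr/local/apache2/davroot

    SSLEngine on
    SSLCertificateFile    /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key

    <Location />
        Dav On
        # Refuse any request to this location that did not arrive over SSL,
        # so credentials and content are never sent in the clear.
        SSLRequireSSL

        AuthType Basic
        AuthName "DAV Resource"
        AuthUserFile /usr/local/apache2/conf/htusers

        # GET, HEAD and OPTIONS stay open to everyone, as in Listing 8.1.
        # Every other method (PUT, DELETE, MKCOL, PROPFIND, PROPPATCH, COPY,
        # MOVE, LOCK, UNLOCK, and also POST) falls into this block.
        <LimitExcept GET HEAD OPTIONS>
            # IP-based control: only the (assumed) internal network may write.
            Order Deny,Allow
            Deny from all
            Allow from 10.0.0.0/8
            # User-based control on top of that.
            Require user davuser
            # "All" means the client must pass BOTH the IP check and the
            # authentication check; "Any" would let one of them suffice.
            Satisfy All
        </LimitExcept>
    </Location>
</VirtualHost>
```

Because <LimitExcept> lists the methods that are *not* restricted, any DAV method you forget to think about is protected by default; that is the reason to prefer it over <Limit> for DAV setups. If this virtual host is the only purpose of the instance, the rest of its httpd.conf can omit every module that is not needed for DAV, SSL and authentication.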




Apache Phrasebook: Essential Code and Commands
ISBN: 0672328364
Year: 2006
Pages: 254
