Re: webdav

From: Gordon Messmer (yinyang@eburg.com)
Date: 08/02/01


Date: Thu, 2 Aug 2001 00:22:44 -0700 (PDT)
From: Gordon Messmer <yinyang@eburg.com>
To: tfing <tenfingers@ifrance.com>
Subject: Re: webdav
Message-ID: <Pine.LNX.4.33.0108012346090.30873-100000@localhost>

On Wed, 1 Aug 2001, tfing wrote:

> I would have liked to know your opinion about webdav and its
> implementation in the mod_dav apache module (with security in mind, of
> course). I want to use it as an ftp replacement; it seems perfect to me
> because you can store the login/passwords in an apache password file,
> but I still want another point of view.

If you're comparing DAV to FTP, then there's very little comparison. DAV
wins hands down. For one thing, it works over SSL. Ever try to find an
FTP client that supported SSL? Or a good graphical SFTP client? I'm
still looking.

With regard to security, you should make sure that the files related to
locks and passwords are either outside the web root (best solution) or
will not be served by the http server (it works...). Use MD5 hashes in
the .htpasswd files to make brute forcing more difficult.

My setup looks sorta like this (the relevant bits, anyway):
The names have been changed to protect the innocent.
###
# Lock database lives outside the document root
DAVLockDB /var/www/dav/DAVLock
# Never serve mod_dav state files or .ht* files
<Files ~ "^\.DAV">
    Order allow,deny
    Deny from all
</Files>
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
<VirtualHost 127.0.0.1:80>
    ServerName mydomain.com
    ServerAlias mydomain.com *.mydomain.com
    DocumentRoot "/home/someuser/mydomain.com/html"
    <Directory "/home/someuser/mydomain.com/html">
        Options Indexes Includes FollowSymLinks
        AllowOverride All
    </Directory>
    # DAV access to the whole site directory, authenticated users only
    Alias /site "/home/someuser/mydomain.com"
    <Location /site>
        DAV On
        # Return scripts under /site as plain text instead of running them
        ForceType text/plain
        Require valid-user
        AuthName mydomain
        AuthType basic
        AuthUserFile /home/someuser/mydomain.com/.htpasswd
    </Location>
</VirtualHost>
###

Users log in to https://mydomain.com/site to use DAV, and the ForceType
directive ensures that .php and cgi files are treated as just text
documents.

The .htpasswd file could just as easily be stored at
/home/someuser/.mydomain.com.htpasswd, but I think this user wanted to
manage the file with DAV.


-- 
If I had a dollar for every brain that you don't have,
	I'd have one dollar. - Squidward to SpongeBob
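
An added example, not part of the original message: a small Python check of the advice above that lock and password files sit outside the web root or are blocked by a `<Files>` rule. The function names and the trimmed sample configuration are constructed for illustration, and the parser assumes only the `<Files ~ "regex">` / `Deny from all` form used in the message.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the relevant directives from the configuration in the message.
SAMPLE_CONF = r'''
DAVLockDB /var/www/dav/DAVLock
<Files ~ "^\.DAV">
    Order allow,deny
    Deny from all
</Files>
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
DocumentRoot "/home/someuser/mydomain.com/html"
Alias /site "/home/someuser/mydomain.com"
AuthUserFile /home/someuser/mydomain.com/.htpasswd
'''

def _args(conf, directive):
    """Last argument (the filesystem path) of each occurrence of a directive."""
    pat = rf'^[ \t]*{directive}[ \t]+(\S.*)$'
    return [m.group(1).split()[-1].strip('"')
            for m in re.finditer(pat, conf, re.M | re.I)]

def audit(conf):
    """Classify each DAVLockDB / AuthUserFile path against the served directories."""
    # Directories the server maps to URLs: DocumentRoot and Alias targets.
    served = [PurePosixPath(p)
              for p in _args(conf, 'DocumentRoot') + _args(conf, 'Alias')]
    # Basename patterns from <Files ~ "regex"> blocks that contain "Deny from all".
    denied = [re.compile(m.group(1)) for m in
              re.finditer(r'<Files\s+~\s+"([^"]+)">(.*?)</Files>', conf, re.S | re.I)
              if 'deny from all' in m.group(2).lower()]
    report = {}
    for directive in ('DAVLockDB', 'AuthUserFile'):
        for path in map(PurePosixPath, _args(conf, directive)):
            if not any(root in path.parents for root in served):
                status = 'outside-served-tree'            # the "best solution" case
            elif any(rx.search(path.name) for rx in denied):
                status = 'inside-served-tree-but-denied'  # relies on the <Files> rule
            else:
                status = 'EXPOSED'                        # fetchable over HTTP
            report[str(path)] = status
    return report

if __name__ == '__main__':
    for path, status in audit(SAMPLE_CONF).items():
        print(f'{status:32} {path}')
```
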


