This chapter is from the book
This chapter is from the book
This chapter is from the book
Apache and DAV
Apache 2 provides DAV support via the mod_dav module. This module is included with the standard Apache distribution, but it is not compiled by default. You can enable DAV support by using the --with-dav option at compile time, and add support for the file system backend with the --enable-dav-fs option.
If you are using Windows or a Unix binary installation that has loadable module support, you need to add or uncomment the appropriate lines that load the DAV module and the file system backend:
LoadModule dav_module modules/mod_dav.so LoadModule dav_fs_module modules/mod_dav_fs.so
Configuring DAV
The first step is defining a lock database using the DavLockDB directive. This directive takes one argument: the path to the database file that will be used to coordinate lock acquisition and release when multiple clients are working on the same resources. A sample setting is
DavLockDB logs/dav_lock_db
The path to the file can be absolute or relative to your Apache installation (as in the example). The DavLockDB directive must be placed either at the top level of the configuration file or in a <VirtualHost> container.
The next configuration step is to specify the directories and locations you want to make available via the DAV protocol by using the DAV directive. DAV on enables the DAV protocol in a given container and DAV off disables it.
Listing 13.1 shows how simple it is to add DAV support for a specific directory.
Listing 13.1 Enabling DAV Support
<Directory /usr/local/apache2/htdocs/davdocs> Dav On </Directory>
A Dav directive placed in a <Directory> section enables or disables DAV support for that directory and its subdirectories. Placing a Dav directive inside a <Location> section enables or disables DAV support for URLs prefixed with that location.
Finally, if your DAV server will be accessed via Windows Web folders, you need to add the following configuration directive to work around some buggy Microsoft behavior:
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
This directive is already included commented out in the configuration file, so you need only to uncomment it.
Restricting Access
Because mod_dav is an Apache module, it can take advantage of the access control mechanisms of Apache. As Hour 7, "Restricting Access," explained, you can control access based on IP address or hostname, the request method, whether the user has successfully been authenticated, and so on.
In addition, the DAV protocol adds new HTTP method protocols that can be used for fine-grained access control. For example, you can allow read access for most users but restrict updating of information to a few authenticated users.
You can use the <Limit> and <LimitExcept> containers to restrict access based on the HTTP method. Listing 13.2 enables read-only DAV access to the /usr/local/apache2/htdocs/davdocs directory.
Listing 13.2 Enable Read-Only DAV Access
<Directory /usr/local/apache2/htdocs/davdocs> Dav On <LimitExcept GET POST OPTIONS PROPFIND> Order allow,deny Deny from all </LimitExcept> </Directory>
Advanced Configuration
The DAV module for Apache provides additional directives for some advanced configuration tuning.
DAVMinTimeout
This DAVMinTimeout directive specifies the minimum time in seconds before a lock expires. This setting overrides the lock timeout value requested by a client if it is less than the specified value. This is useful in certain situations to reduce the network traffic or reduce the possibility of clients being dropped out constantly because the timeout setting is not big enough. For example, DAVMinTimeout 120 will set the timeout value to two minutes.
You can disable this feature by setting its value to 0, which is the default.
LimitXMLRequestBody
This directive is built in to Apache and enables you to specify a maximum allowed size for an XML body request, such as the ones used by mod_dav. By default, it is set to a value of LimitXMLRequestBody 1000000 (1 million bytes). You can disable the size limit by setting the value of LimitXMLRequestBody to 0. This directive can appear in the top level of the configuration file, virtual hosts, and directory and location containers.
The main reason you want to limit the size of requests is to avoid denial of service attacks because the server needs to parse and process the submitted XML. You might also want to have a look at LimitRequestBody and similar directives, which will be described in Hour 16, "Tuning Apache."
DavDepthInfinity
The DAV protocol allows clients to request meta information about all objects in a DAV repository, recursively. If the number of objects is big enough, this can cause performance problems and could be used as a denial of service attack. To avoid this, mod_dav disables this feature by default. You can enable it with the following configuration directive:
DavDepthInfinity On