Difference between revisions of "Mod dav"

From SME Server
m (Unnilennium moved page DAV to Mod dav)
 
(4 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
{{Level|Easy}}
 
{{Level|Easy}}
  
=== Maintainer ===
+
===Maintainer===
 
[mailto:smeserver-contribs@snetram.nl Jonathan Martens]
 
[mailto:smeserver-contribs@snetram.nl Jonathan Martens]
  
=== Version ===
+
===Version===
{{ #smeversion: smeserver-mod_dav }}
+
{{#smeversion: smeserver-mod_dav }}
  
=== Description ===
+
===Description===
 
This contrib provides mod_dav for SME Server, it has been written to make sure it is installed as it is required by my Subversion contrib, but it can be used independently to add DAV to i-bays as well, this way you can, for instance, use it to store your [http://en.wikipedia.org/wiki/ICal iCal] web calendar files, using the [http://www.webdav.org/ WebDAV] protocol.
 
This contrib provides mod_dav for SME Server, it has been written to make sure it is installed as it is required by my Subversion contrib, but it can be used independently to add DAV to i-bays as well, this way you can, for instance, use it to store your [http://en.wikipedia.org/wiki/ICal iCal] web calendar files, using the [http://www.webdav.org/ WebDAV] protocol.
  
=== Installation ===
+
===Installation===
 
Install the contrib:
 
Install the contrib:
 
  yum install smeserver-mod_dav --enablerepo=smecontribs
 
  yum install smeserver-mod_dav --enablerepo=smecontribs
  
=== Configuration ===
+
===Configuration===
 
DAV access is disabled for all ibays by default.
 
DAV access is disabled for all ibays by default.
 +
 +
DAV enforcement in ibays, will force PHP and CGI to be disabled, even if the property is enable. You can manually set a property to reenable this. When DAV is enabled for an ibat https will be force, whatever is the setting for SSL for that ibay. The use of DAV include the use of httpd-auth and you do not want your password to travael unprotected over the network, even in your own LAN.
 +
Finally starting SME10, DAV will respect the usual setting of an ibay in term of local and remote access (including the ibay dedicated password), except you will have the choice to use the ibay password or the one of an user member of the group owning the ibay. Also, the read/write setting per group will be respected. Remember that those are just login rights, and webserver is running as www. So files must have permissions to also allow the www user to retrieve your file.
  
 
====Enable/disable DAV access for an ibay====
 
====Enable/disable DAV access for an ibay====
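Review bot: The added Configuration paragraph says "You can manually set a property to reenable this" without naming the property, so a reader has to hunt for ModDavSecureEXEC further down the page; name it here or point to the "Disabled PHP and CGI on WebDAV ibays" section. The same added lines carry typos that should be fixed before saving: "ibat", "travael", "https will be force", "even if the property is enable".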
Line 31: Line 34:
 
  db accounts setprop ibay-name ModDav-FileETag none
 
  db accounts setprop ibay-name ModDav-FileETag none
 
More information on possible FileETag options can be found in the [http://httpd.apache.org/docs/2.0/mod/core.html#fileetag Apache documentation].
 
More information on possible FileETag options can be found in the [http://httpd.apache.org/docs/2.0/mod/core.html#fileetag Apache documentation].
 +
 +
==== Disabled PHP and CGI on WebDAV ibays ====
 +
Starting SME10, by default we disable execution of php and CGI on an ibay where webdav is enabled. This is a security measure. If you are certain and want to have both php or CGI and DAV enabled then you have to do :
 +
db accounts setprop ibay-name ModDavSecureEXEC  disabled
 +
signal-event ibay-modify ibay-name
 +
 +
==== Directory index disabled ====
 +
On SME 10 because of a bug on httpd 2.4, you can not have this directive enabled or most of client will fail connecting. By default we hence have it disabled to allow connection. IF you want to display directory index anyway, then do :
 +
db accounts setprop ibay-name ModDavNoDirectoryIndex  enabled
 +
signal-event ibay-modify ibay-name
 +
 +
==== Allow anonymous access without password ====
 +
Starting SME10, we organized the webdav behaviour most like ftp / samba. It will follow the remote access and group write read permission. For the read by "Everyone" by default it will be  the member of the group shared that will be used, if you rather a read only without password access on the ibay you will have to set this to enabled. PAy attention that if you use a mode where ibay password is asked (either on lan, or remote) then the password directive will override this setting and you will need to use the ibay name and ibay password for the "anonymous" access (i.e. without a real user) .
 +
db accounts setprop ibay-name ModDavAnonymousRead  enabled
 +
signal-event ibay-modify ibay-name
 +
Hide PHP files
 +
 +
When php handler is disabled, you can see the source code of php as anonymous user or anonymous like, this is a security threat. By default we have deny access and listing to php files, if you need to keep that access then do (only available when ModDavSecureEXEC is enabled) :
 +
db accounts setprop ibay-name ModDavHidePHP  disabled
 +
signal-event ibay-modify ibay-name
 +
<br />
  
 
===Usage===
 
===Usage===
  
 
====Accessing a DAV enabled ibay====
 
====Accessing a DAV enabled ibay====
DAV-enabled Ibays can be accessed in any of several ways:
+
DAV-enabled Ibays can be accessed in any of several ways. Note that starting SME10, https is mandatory to access to your DAV.
  
 
=====through Windows My Network Places=====
 
=====through Windows My Network Places=====
# Open "My Network Places"
+
 
# Select "Add a network place"
+
#Open "My Network Places"
# Choose "Next"
+
#Select "Add a network place"
# Choose "Another network location"
+
#Choose "Next"
# Enter the address to your DAV enabled ibay, for instance <nowiki>http://server/data</nowiki> or <nowiki>https://server/data</nowiki>
+
#Choose "Another network location"
 +
#Enter the address to your DAV enabled ibay, for instance <nowiki>http://server/data</nowiki> or <nowiki>https://server/data</nowiki>
  
 
=====through Internet Explorer=====
 
=====through Internet Explorer=====
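Review bot: The new sentence "starting SME10, https is mandatory" contradicts step 5 of the Windows instructions in this same hunk, which still offers http://server/data as an example address; drop the http example or mark it as applying only before SME10. Also, "Hide PHP files" is added as a bare line while the sibling sections added next to it use ==== headings, so it will not render as a section title.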
Line 49: Line 74:
 
As a (normal) link:
 
As a (normal) link:
  
  <a href="<nowiki>http://localhost/data/</nowiki>">Link to folder</a>
+
  <a href="&lt;nowiki&gt;http://localhost/data/&lt;/nowiki&gt;">Link to folder</a>
  
 
As a webfolder:
 
As a webfolder:
  
  <a href="" folder="<nowiki>http://localhost/data/</nowiki>">Link to data folder</a>
+
  <a href="" folder="&lt;nowiki&gt;http://localhost/data/&lt;/nowiki&gt;">Link to data folder</a>
 +
 
 +
===Known issues===
 +
=====httpd-2.4 bug with mod_dir=====
 +
you have to disable  see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914
 +
We hence have enforced that in the contrib for ibay but you might get the same issue if you use mod DAV for a contrib
 +
 
 +
===== Fedora complain about lack of compatibility to mount dav =====
 +
If you see this error : "/sbin/mount.davfs: mounting failed; the server does not support WebDAV"
 +
you need to do the following, then it will work
 +
sudo echo "ignore_dav_header 1" >> /etc/davfs2/davfs2.conf
 +
 
 +
===== character encoding =====
 +
Pay attention to the character encoding used by you operating system, having different OS connecting to the same DAV could create issues with encoding. Also you are responsible to use characters authorized by your different operating system or they will not be able to display the files or folders.
  
=== Bugs ===
+
===Bugs===
 
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-mod_dav component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-mod_dav|title=this link}}.  
 
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-mod_dav component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-mod_dav|title=this link}}.  
 
{{#bugzilla:columns=id,product,version,status,summary |sort=id|order=desc |component=smeserver-mod_dav|noresultsmessage="No open bugs found."}}
 
{{#bugzilla:columns=id,product,version,status,summary |sort=id|order=desc |component=smeserver-mod_dav|noresultsmessage="No open bugs found."}}
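Review bot: In the added Fedora workaround, sudo echo "ignore_dav_header 1" >> /etc/davfs2/davfs2.conf runs only echo under sudo; the >> redirection is done by the calling shell, so the append fails for a non-root user. Suggest piping the echo into "sudo tee -a /etc/davfs2/davfs2.conf" instead. In the same hunk, "you have to disable  see" never says what to disable, and replacing <nowiki> with &lt;nowiki&gt; inside the two href examples makes the tag text show up literally in the rendered links.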
Line 62: Line 100:
 
Only released version in smecontrib are listed here.
 
Only released version in smecontrib are listed here.
  
{{ #smechangelog: smeserver-mod_dav}}
+
{{#smechangelog: smeserver-mod_dav}}
 
----
 
----
 
[[Category: Contrib]]
 
[[Category: Contrib]]
 
[[Category: Administration:File and Directory Access]]
 
[[Category: Administration:File and Directory Access]]

Latest revision as of 20:50, 2 April 2021


Skill level: Easy
The instructions on this page can be followed by a beginner.


Maintainer

Jonathan Martens

Version

Contrib 10:
Contrib 9:
smeserver-mod_dav
The latest version of smeserver-mod_dav is available in the SME repository, click on the version number(s) for more information.


Description

This contrib provides mod_dav for SME Server. It was written to make sure mod_dav is installed, as it is required by my Subversion contrib, but it can also be used independently to add DAV to i-bays. This way you can, for instance, store your iCal web calendar files using the WebDAV protocol.

Installation

Install the contrib:

yum install smeserver-mod_dav --enablerepo=smecontribs

Configuration

DAV access is disabled for all ibays by default.

Enabling DAV on an ibay forces PHP and CGI to be disabled, even if the corresponding property is enabled. You can manually set a property to re-enable them. When DAV is enabled for an ibay, https is forced, whatever the SSL setting for that ibay is. DAV relies on httpd-auth, and you do not want your password to travel unprotected over the network, even on your own LAN.

Finally, starting with SME10, DAV respects the usual ibay settings for local and remote access (including the ibay's dedicated password), except that you can choose to use either the ibay password or that of a user who is a member of the group owning the ibay. The per-group read/write setting is also respected. Remember that these are just login rights and that the web server runs as www, so file permissions must also allow the www user to retrieve your files.

Enable/disable DAV access for an ibay

To enable DAV access to an ibay use the following commands:

db accounts setprop ibay-name ModDav enabled
signal-event ibay-modify ibay-name

To disable DAV access to an ibay use the following commands:

db accounts setprop ibay-name ModDav disabled
signal-event ibay-modify ibay-name

ETag http response header (FileETag) settings

According to bugzilla:4482 there seems to be a problem when using Sunbird calendar sharing in DAV enabled ibays. To fix this you can define the FileETag setting to a value of none using the following command:

db accounts setprop ibay-name ModDav-FileETag none

More information on possible FileETag options can be found in the Apache documentation.

Disabled PHP and CGI on WebDAV ibays

Starting with SME10, execution of PHP and CGI is disabled by default on an ibay where WebDAV is enabled. This is a security measure. If you are certain that you want both PHP or CGI and DAV enabled, run:

db accounts setprop ibay-name ModDavSecureEXEC disabled
signal-event ibay-modify ibay-name

Directory index disabled

On SME 10, because of a bug in httpd 2.4, this directive cannot be enabled or most clients will fail to connect. It is therefore disabled by default to allow connections. If you want to display the directory index anyway, run:

db accounts setprop ibay-name ModDavNoDirectoryIndex enabled
signal-event ibay-modify ibay-name

Allow anonymous access without password

Starting with SME10, WebDAV behaves much like FTP / Samba: it follows the ibay's remote access setting and its group read/write permissions. For read access by "Everyone", the members of the group shared are used by default; if you would rather have read-only access to the ibay without a password, set this property to enabled. Note that if you use a mode where the ibay password is asked for (either on the LAN or remotely), the password directive overrides this setting, and you will need to use the ibay name and ibay password for the "anonymous" access (i.e. without a real user).

db accounts setprop ibay-name ModDavAnonymousRead enabled
signal-event ibay-modify ibay-name

Hide PHP files

When the PHP handler is disabled, the source code of PHP files can be read by an anonymous (or anonymous-like) user, which is a security threat. By default, access to and listing of PHP files is denied. If you need to keep that access, run (only available when ModDavSecureEXEC is enabled):

db accounts setprop ibay-name ModDavHidePHP disabled
signal-event ibay-modify ibay-name
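
The properties above each relax an SME 10 default for one ibay. As an added example (not part of the contrib or of the original page), the script below lists DAV-enabled ibays where one of them has been changed. It assumes its input uses the record layout printed by `db accounts show`; the sample records and the wording of the findings are constructed.

```sh
#!/bin/sh
# Added example: list DAV-enabled ibays whose properties relax the SME 10 defaults.
# Assumption: input is laid out like `db accounts show` output, i.e. a
# "name=type" record line followed by indented "Property=value" lines.
dav_audit() {
    awk '
    function report() {
        if (type == "ibay" && p["ModDav"] == "enabled") {
            if (p["ModDavSecureEXEC"] == "disabled")
                print name ": PHP/CGI execution allowed alongside DAV"
            if (p["ModDavAnonymousRead"] == "enabled")
                print name ": read access without password"
            # ModDavHidePHP only has an effect while ModDavSecureEXEC is on
            if (p["ModDavHidePHP"] == "disabled" && p["ModDavSecureEXEC"] != "disabled")
                print name ": PHP source files readable over DAV"
        }
        split("", p)                      # forget the finished record
    }
    /^[^ \t]/ {                           # new record: "name=type"
        report()
        eq = index($0, "=")
        name = substr($0, 1, eq - 1); type = substr($0, eq + 1)
        next
    }
    /^[ \t]+[^=]+=/ {                     # property of the current record
        line = $0; sub(/^[ \t]+/, "", line)
        eq = index(line, "=")
        p[substr(line, 1, eq - 1)] = substr(line, eq + 1)
    }
    END { report() }
    '
}

# Constructed sample records (not taken from a real server).
SAMPLE_ACCOUNTS='data=ibay
    ModDav=enabled
    ModDavSecureEXEC=disabled
    ModDavHidePHP=disabled
calendars=ibay
    ModDav=enabled
    ModDavAnonymousRead=enabled
    ModDavHidePHP=disabled
archive=ibay
    ModDav=disabled
    ModDavAnonymousRead=enabled
alice=user
    ModDav=enabled'

printf '%s\n' "$SAMPLE_ACCOUNTS" | dav_audit
```

On a server, the same function can be fed the live database with `db accounts show | dav_audit`.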


Usage

Accessing a DAV enabled ibay

DAV-enabled ibays can be accessed in any of several ways. Note that starting with SME10, https is mandatory to access your DAV.

through Windows My Network Places

  1. Open "My Network Places"
  2. Select "Add a network place"
  3. Choose "Next"
  4. Choose "Another network location"
  5. Enter the address to your DAV enabled ibay, for instance http://server/data or https://server/data

through Internet Explorer

According to this post you can allow Windows/Internet Explorer users to open your DAV-enabled Ibays in Explorer for read-write access directly from your website by using code similar to the lines below.

As a (normal) link:

<a href="http://localhost/data/">Link to folder</a>

As a webfolder:

<a href="" folder="http://localhost/data/">Link to data folder</a>

Known issues

httpd-2.4 bug with mod_dir

you have to disable see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914

We have therefore enforced that in the contrib for ibays, but you might get the same issue if you use mod_dav for a contrib.

Fedora complains about lack of compatibility to mount dav

If you see this error: "/sbin/mount.davfs: mounting failed; the server does not support WebDAV", do the following and it will then work:

# append as root; with "sudo echo ... >>" the redirection runs as the calling user
echo "ignore_dav_header 1" | sudo tee -a /etc/davfs2/davfs2.conf

character encoding

Pay attention to the character encoding used by your operating system: having different operating systems connect to the same DAV could create encoding issues. You are also responsible for using characters that are allowed by each of your operating systems, or they will not be able to display the files or folders.

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-mod_dav component or use this link.

"No open bugs found."

Changelog

Only released versions in smecontribs are listed here.

smeserver-mod_dav Changelog: SME 10 (smecontribs)

2022/07/28 Jean-Philippe Pialasse 1.1-8.sme
- update to apache 2.4 access syntax [SME: 12051]

2021/06/21 Terry Fage 1.1-7.sme
- Ensure persistence of /var/run/davlocks on reboot/reconfig [SME: 11630]

2021/03/01 Jean-Philipe Pialasse 1.1-6.sme
- fix security issues [SME: 11077]
  where user could access ibay he was not member of group
- improve ibay dav template [SME 4564]
  force ssl, secure php file, disable cgi and php when DAV enabled on ibay, and respect remote access settings
- descriptive login box [SME: 5337]
- fix some typos and property names

2021/02/28 Jean-Philipe Pialasse 1.1-4.sme
- add createlinks and add -update event [SME: 11070]

2020/10/29 Brian Read 1.1-3.sme
- Initial import into SME10 tree [SME: 11070]