Difference between revisions of "Mod dav"
m |
Unnilennium (talk | contribs) |
||
(11 intermediate revisions by 4 users not shown) | |||
Line 2: | Line 2: | ||
{{Level|Easy}} | {{Level|Easy}} | ||
− | === Maintainer === | + | ===Maintainer=== |
[mailto:smeserver-contribs@snetram.nl Jonathan Martens] | [mailto:smeserver-contribs@snetram.nl Jonathan Martens] | ||
− | === Version === | + | ===Version=== |
− | {{ #smeversion: smeserver-mod_dav }} | + | {{#smeversion: smeserver-mod_dav }} |
− | === Description === | + | ===Description=== |
− | This contrib provides mod_dav for SME Server, it has been written to make sure it is installed as it is required by my Subversion contrib. | + | This contrib provides mod_dav for SME Server, it has been written to make sure it is installed as it is required by my Subversion contrib, but it can be used independently to add DAV to i-bays as well, this way you can, for instance, use it to store your [http://en.wikipedia.org/wiki/ICal iCal] web calendar files, using the [http://www.webdav.org/ WebDAV] protocol. |
− | === Installation === | + | ===Installation=== |
Install the contrib: | Install the contrib: | ||
yum install smeserver-mod_dav --enablerepo=smecontribs | yum install smeserver-mod_dav --enablerepo=smecontribs | ||
− | === Configuration === | + | ===Configuration=== |
DAV access is disabled for all ibays by default. | DAV access is disabled for all ibays by default. | ||
+ | |||
+ | DAV enforcement in ibays, will force PHP and CGI to be disabled, even if the property is enable. You can manually set a property to reenable this. When DAV is enabled for an ibat https will be force, whatever is the setting for SSL for that ibay. The use of DAV include the use of httpd-auth and you do not want your password to travael unprotected over the network, even in your own LAN. | ||
+ | Finally starting SME10, DAV will respect the usual setting of an ibay in term of local and remote access (including the ibay dedicated password), except you will have the choice to use the ibay password or the one of an user member of the group owning the ibay. Also, the read/write setting per group will be respected. Remember that those are just login rights, and webserver is running as www. So files must have permissions to also allow the www user to retrieve your file. | ||
====Enable/disable DAV access for an ibay==== | ====Enable/disable DAV access for an ibay==== | ||
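Review bot: The added Configuration paragraph says "You can manually set a property to reenable this" without naming the property, so a reader at this point cannot tell which setting relaxes the PHP/CGI lockdown; name ModDavSecureEXEC here or link to its section. The same paragraph has typos that obscure the https statement: "ibat" should be "ibay", "will be force" should be "will be forced", and "travael" should be "travel".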
Line 31: | Line 34: | ||
db accounts setprop ibay-name ModDav-FileETag none | db accounts setprop ibay-name ModDav-FileETag none | ||
More information on possible FileETag options can be found in the [http://httpd.apache.org/docs/2.0/mod/core.html#fileetag Apache documentation]. | More information on possible FileETag options can be found in the [http://httpd.apache.org/docs/2.0/mod/core.html#fileetag Apache documentation]. | ||
+ | |||
+ | ==== Disabled PHP and CGI on WebDAV ibays ==== | ||
+ | Starting SME10, by default we disable execution of php and CGI on an ibay where webdav is enabled. This is a security measure. If you are certain and want to have both php or CGI and DAV enabled then you have to do : | ||
+ | db accounts setprop ibay-name ModDavSecureEXEC disabled | ||
+ | signal-event ibay-modify ibay-name | ||
+ | |||
+ | ==== Directory index disabled ==== | ||
+ | On SME 10 because of a bug on httpd 2.4, you can not have this directive enabled or most of client will fail connecting. By default we hence have it disabled to allow connection. IF you want to display directory index anyway, then do : | ||
+ | db accounts setprop ibay-name ModDavNoDirectoryIndex enabled | ||
+ | signal-event ibay-modify ibay-name | ||
+ | |||
+ | ==== Allow anonymous access without password ==== | ||
+ | Starting SME10, we organized the webdav behaviour most like ftp / samba. It will follow the remote access and group write read permission. For the read by "Everyone" by default it will be the member of the group shared that will be used, if you rather a read only without password access on the ibay you will have to set this to enabled. PAy attention that if you use a mode where ibay password is asked (either on lan, or remote) then the password directive will override this setting and you will need to use the ibay name and ibay password for the "anonymous" access (i.e. without a real user) . | ||
+ | db accounts setprop ibay-name ModDavAnonymousRead enabled | ||
+ | signal-event ibay-modify ibay-name | ||
+ | Hide PHP files | ||
+ | |||
+ | When php handler is disabled, you can see the source code of php as anonymous user or anonymous like, this is a security threat. By default we have deny access and listing to php files, if you need to keep that access then do (only available when ModDavSecureEXEC is enabled) : | ||
+ | db accounts setprop ibay-name ModDavHidePHP disabled | ||
+ | signal-event ibay-modify ibay-name | ||
+ | <br /> | ||
===Usage=== | ===Usage=== | ||
====Accessing a DAV enabled ibay==== | ====Accessing a DAV enabled ibay==== | ||
− | DAV-enabled Ibays can be accessed in any of several ways | + | DAV-enabled Ibays can be accessed in any of several ways. Note that starting SME10, https is mandatory to access to your DAV. |
=====through Windows My Network Places===== | =====through Windows My Network Places===== | ||
− | # Open "My Network Places" | + | |
− | # Select "Add a network place" | + | #Open "My Network Places" |
− | # Choose "Next" | + | #Select "Add a network place" |
− | # Choose "Another network location" | + | #Choose "Next" |
− | # Enter the address to your DAV enabled ibay, for instance <nowiki>http://server/data</nowiki> or <nowiki>https://server/data</nowiki> | + | #Choose "Another network location" |
+ | #Enter the address to your DAV enabled ibay, for instance <nowiki>http://server/data</nowiki> or <nowiki>https://server/data</nowiki> | ||
=====through Internet Explorer===== | =====through Internet Explorer===== | ||
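Review bot: The added "Hide PHP files" line has no ==== heading markup, unlike the sibling sections added above it, and it follows the command lines of the anonymous-access section directly, so it will not render as a section title; wrap it as "==== Hide PHP files ====". The new usage sentence also states that https is mandatory from SME10, yet the access step still offers http://server/data as an example address; keep only the https form or mark the http one as pre-SME10.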
Line 49: | Line 74: | ||
As a (normal) link: | As a (normal) link: | ||
− | <a href=" | + | <a href="<nowiki>http://localhost/data/</nowiki>">Link to folder</a> |
As a webfolder: | As a webfolder: | ||
− | <a href="" folder=" | + | <a href="" folder="<nowiki>http://localhost/data/</nowiki>">Link to data folder</a> |
+ | |||
+ | ===Known issues=== | ||
+ | =====httpd-2.4 bug with mod_dir===== | ||
+ | you have to disable see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 | ||
+ | We hence have enforced that in the contrib for ibay but you might get the same issue if you use mod DAV for a contrib | ||
− | === Bugs === | + | ===== Fedora complain about lack of compatibility to mount dav ===== |
+ | If you see this error : "/sbin/mount.davfs: mounting failed; the server does not support WebDAV" | ||
+ | you need to do the following, then it will work | ||
+ | sudo echo "ignore_dav_header 1" >> /etc/davfs2/davfs2.conf | ||
+ | |||
+ | ===== character encoding ===== | ||
+ | Pay attention to the character encoding used by you operating system, having different OS connecting to the same DAV could create issues with encoding. Also you are responsible to use characters authorized by your different operating system or they will not be able to display the files or folders. | ||
+ | |||
+ | ===Bugs=== | ||
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-mod_dav component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-mod_dav|title=this link}}. | Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-mod_dav component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-mod_dav|title=this link}}. | ||
+ | {{#bugzilla:columns=id,product,version,status,summary |sort=id|order=desc |component=smeserver-mod_dav|noresultsmessage="No open bugs found."}} | ||
+ | |||
+ | ===Changelog=== | ||
+ | Only released version in smecontrib are listed here. | ||
+ | |||
+ | {{#smechangelog: smeserver-mod_dav}} | ||
---- | ---- | ||
[[Category: Contrib]] | [[Category: Contrib]] | ||
+ | [[Category: Administration:File and Directory Access]] |
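Review bot: In the added Fedora workaround, the ">>" redirection in 'sudo echo "ignore_dav_header 1" >> /etc/davfs2/davfs2.conf' is performed by the calling user's shell, not by sudo, so it fails with "Permission denied" for a non-root user; use 'echo "ignore_dav_header 1" | sudo tee -a /etc/davfs2/davfs2.conf' instead. The first line under "httpd-2.4 bug with mod_dir" reads "you have to disable see" and never says what to disable; state the directive before the bug link.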
Latest revision as of 20:50, 2 April 2021
Maintainer
Version
Description
This contrib provides mod_dav for SME Server. It was written to make sure mod_dav is installed, as it is required by my Subversion contrib, but it can also be used independently to add DAV to i-bays. This way you can, for instance, store your iCal web calendar files using the WebDAV protocol.
Installation
Install the contrib:
yum install smeserver-mod_dav --enablerepo=smecontribs
Configuration
DAV access is disabled for all ibays by default.
DAV enforcement in ibays will force PHP and CGI to be disabled, even if the property is enabled. You can manually set a property to re-enable this. When DAV is enabled for an ibay, https will be forced, whatever the SSL setting for that ibay. The use of DAV includes the use of httpd-auth, and you do not want your password to travel unprotected over the network, even in your own LAN.
Finally, starting with SME10, DAV will respect the usual settings of an ibay in terms of local and remote access (including the ibay dedicated password), except that you will have the choice to use the ibay password or that of a user who is a member of the group owning the ibay. Also, the read/write setting per group will be respected. Remember that those are just login rights, and the webserver is running as www, so files must have permissions that also allow the www user to retrieve your files.
Enable/disable DAV access for an ibay
To enable DAV access to an ibay use the following commands:
db accounts setprop ibay-name ModDav enabled
signal-event ibay-modify ibay-name
To disable DAV access to an ibay use the following commands:
db accounts setprop ibay-name ModDav disabled
signal-event ibay-modify ibay-name
ETag http response header (FileETag) settings
According to bugzilla:4482 there seems to be a problem when using Sunbird calendar sharing in DAV enabled ibays. To fix this you can define the FileETag setting to a value of none using the following command:
db accounts setprop ibay-name ModDav-FileETag none
More information on possible FileETag options can be found in the Apache documentation.
Disabled PHP and CGI on WebDAV ibays
Starting with SME10, execution of PHP and CGI is disabled by default on an ibay where WebDAV is enabled. This is a security measure. If you are certain that you want PHP or CGI enabled together with DAV, run:
db accounts setprop ibay-name ModDavSecureEXEC disabled
signal-event ibay-modify ibay-name
Directory index disabled
On SME 10, because of a bug in httpd 2.4, you cannot have this directive enabled or most clients will fail to connect. Hence it is disabled by default to allow connections. If you want to display the directory index anyway, run:
db accounts setprop ibay-name ModDavNoDirectoryIndex enabled
signal-event ibay-modify ibay-name
Allow anonymous access without password
Starting with SME10, WebDAV behaviour is organized much like ftp / samba: it follows the remote access setting and the group read/write permissions. For read by "Everyone", by default the members of the shared group are used; if you would rather have read-only access without a password on the ibay, you will have to set this property to enabled. Pay attention that if you use a mode where the ibay password is asked for (either on LAN or remote), the password directive will override this setting and you will need to use the ibay name and ibay password for the "anonymous" access (i.e. without a real user).
db accounts setprop ibay-name ModDavAnonymousRead enabled
signal-event ibay-modify ibay-name
Hide PHP files
When the PHP handler is disabled, the source code of PHP files can be read by an anonymous or anonymous-like user, which is a security threat. By default, access to and listing of PHP files is denied. If you need to keep that access, run the following (only available when ModDavSecureEXEC is enabled):
db accounts setprop ibay-name ModDavHidePHP disabled
signal-event ibay-modify ibay-name
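To review the hardening properties described above on existing ibays, the following added example (not part of the contrib or of the original page) reports ibays whose settings relax the SME10 defaults. It assumes that an unset property means the default behaviour described above; `dav_prop` and `audit_dav_ibay` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit the DAV-related properties of ibays.
# Assumption: an unset property means the default described on this page.

# Print one property of an ibay, or the given default when it is unset.
dav_prop() {
    val=$(db accounts getprop "$1" "$2" 2>/dev/null) || val=""
    echo "${val:-$3}"
}

# Print one finding per line for an ibay. Prints nothing when DAV is
# disabled or when all hardening defaults are still in place.
audit_dav_ibay() {
    ibay=$1
    [ "$(dav_prop "$ibay" ModDav disabled)" = "enabled" ] || return 0

    exec_guard=$(dav_prop "$ibay" ModDavSecureEXEC enabled)
    hide_php=$(dav_prop "$ibay" ModDavHidePHP enabled)
    anon=$(dav_prop "$ibay" ModDavAnonymousRead disabled)

    if [ "$exec_guard" = "disabled" ]; then
        echo "$ibay: PHP/CGI execution allowed on a DAV-enabled ibay"
    elif [ "$hide_php" = "disabled" ]; then
        # Handler off and files not hidden: PHP source is served as text.
        echo "$ibay: PHP source readable through DAV"
    fi
    if [ "$anon" = "enabled" ]; then
        echo "$ibay: read access without password"
    fi
}

# Usage: sh audit-dav.sh ibay-name [ibay-name ...]
if [ $# -gt 0 ]; then
    for name in "$@"; do
        audit_dav_ibay "$name"
    done
fi
```

An ibay that reports both "PHP source readable" and "read access without password" exposes its PHP source to unauthenticated readers and is the combination to fix first.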
Usage
Accessing a DAV enabled ibay
DAV-enabled ibays can be accessed in any of several ways. Note that starting with SME10, https is mandatory to access your DAV.
through Windows My Network Places
- Open "My Network Places"
- Select "Add a network place"
- Choose "Next"
- Choose "Another network location"
- Enter the address to your DAV enabled ibay, for instance http://server/data or https://server/data
through Internet Explorer
According to this post you can allow Windows/Internet Explorer users to open your DAV-enabled Ibays in Explorer for read-write access directly from your website by using code similar to the lines below.
As a (normal) link:
<a href="http://localhost/data/">Link to folder</a>
As a webfolder:
<a href="" folder="http://localhost/data/">Link to data folder</a>
Known issues
httpd-2.4 bug with mod_dir
You have to disable the directory index; see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914. We have hence enforced that in the contrib for ibays, but you might get the same issue if you use mod DAV for a contrib.
Fedora complains about lack of compatibility when mounting DAV
If you see the error "/sbin/mount.davfs: mounting failed; the server does not support WebDAV", run the following and mounting will then work:
# the append must run as root, so pipe through sudo tee instead of redirecting from the user's shell
echo "ignore_dav_header 1" | sudo tee -a /etc/davfs2/davfs2.conf
character encoding
Pay attention to the character encoding used by your operating system: having different operating systems connect to the same DAV could create encoding issues. You are also responsible for using only characters allowed by each of your operating systems, or they will not be able to display the files or folders.
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-mod_dav component, or use this link.
Changelog
Only versions released in smecontribs are listed here.
- update to apache 2.4 access syntax [SME: 12051]
- Ensure persistence of /var/run/davlocks on reboot/reconfig [SME: 11630]
2021/03/01 Jean-Philipe Pialasse 1.1-6.sme
- fix security issues [SME: 11077]
where user could access ibay he was not member of group
- improve ibay dav template [SME 4564]
force ssl, secure php file, disable cgi and php
when DAV enabled on ibay, and respect remote access settings
- descriptive login box [SME: 5337]
- add createlinks and add -update event [SME: 11070]
- Initial import into SME10 tree [SME: 11070]