1,870
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + + + + + − + + + + + + + + + + + + + + + + + + + + + + + + + Line 7:
Line 35: − +
How to set up a secure webdav area on an Apache 2.0 server that is mountable from windows (view source)
Revision as of 02:56, 29 August 2007
, 02:56, 29 August 2007→Authentication using HTTP Basic Auth
There is plenty of help on the web regarding how to set up a webdav area on an Apache 2.0 server using the mod_dav apache module. If this is enabled on an area of the site secured with SSL/TLS (reachable by urls beginning with https:) there are a few extra steps, also widely documented. What was not so easy to figure out how to do was how to do client authentication based on client certificates. Most of the sites out there assume that people should use http basic authentication and type passwords all of the time. I wanted to use my client certificate instead. The short answer is that it is only possible if there is only one certificate used to access the webdav area. In this case, one can configure the webdav directory as follows.
There is plenty of help on the web regarding how to set up a webdav area on an Apache 2.0 server using the mod_dav apache module. If this is enabled on an area of the site secured with SSL/TLS (reachable by urls beginning with https:) there are a few extra steps, also widely documented. What was not so easy to figure out how to do was how to do client authentication based on client certificates.
== Authentication with a Client Certificate ==
Most of the sites out there assume that people should use http basic authentication and type passwords all of the time. I wanted to use my client certificate instead. This should be possible if you are willing to configure a separate webdav area for each user. In this case, one can configure a webdav directory for each user in ssl.conf as follows.
<pre>
<pre>
<Directory "/home/www/dav/">
Alias /davusers/ "/home/www/davusers/"
<Directory "/home/www/davusers/newman/">
DAV On
SSLVerifyClient on
SSLVerifyDepth 10
SSLRequire %{SSL_CLIENT_S_DN_CN} =~ m/^Alfred E\. Newman/
</Directory>
</pre>
Note the trailing slashes on all of the webdav area directories, both actual and alias. These slashes are necessary in order to be compatible with the Windows XP explorer webdav interface.
This seemed to work at first, in that I was able to access files using the normal Windows explorer interface. This seems to be because explorer had cached the directory contents from a former session, because a bit later I tried to refresh the window and it failed with the following complaint
<pre>
Documents in this folder are not available.
The folder may have been moved or deleted,
or network problems may be preventing a connection
to the server.
</pre>
The Apache server ssl error logs showed SSL library error reason code 199, which means that the client did not provide a client certificate. It seems that the Windows XP webdav client is not smart enough to supply a client certificate, even though the interface that explorer uses to fetch a file from the same directory (probably an IE component) does. Bummer.
== Authentication using HTTP Basic Auth ==
Alternatively one can chose to use basic http authentication based on passwords. This seems to be the preferred solution among people who have written documentation that I found on the web. Compared to pki it is clunky, but at least it works with Windows explorer.
<pre>
Alias /davusers/ "/home/www/davusers/"
<Directory "/home/www/davusers/newman/">
DAV On
DAV On
AuthType Basic
AuthType Basic
AuthUserFile /home/www/.htpasswd/webdav.htpasswd
AuthUserFile /home/www/.htpasswd/webdav.htpasswd
<LimitExcept OPTIONS>
<LimitExcept OPTIONS>
Require user webdav
Require user newman
</LimitExcept>
</LimitExcept>
SSLVerifyClient off
SSLVerifyClient off
</Directory>
</Directory>
</pre>
</pre>